Ubuntu PAM USB authentication

5 March, 2010 (12:36) | Linux | By: chuck

From a login point of view, the most secure setup for a box combines three authentication methods: something you have, something you know, and something about you.

So to secure my laptop a little more I decided to implement the “something you have” method. The “something you know” method is obviously the password. Currently I don’t see the need or have the ability to easily add the “something about you” method, but maybe in the future.

Obviously I always have a USB flash drive on me, being a computer geek. Thus I decided to use pam-usb, which allows me to use a USB flash drive as an authentication method.

First, install the following two packages:

apt-get install pamusb-tools libpam-usb pmount

Then plug in your flash drive and run:

pamusb-conf --add-device <name>

Where <name> is whatever you like. You will then be asked to select your storage device. Select the desired drive and afterward:

pamusb-conf --add-user <account>

<account> is whatever account you want to use the flash drive for. When asked for a device, just select the one you previously configured. If you only configured one device then it will be selected by default.

Finally confirm you can authenticate properly. The flash drive must be plugged in for this step!

pamusb-check <account>

If you are told that the authentication succeeded, congrats! Otherwise, check your configuration again.

The final step to complete is to change everything in /etc/pam.d/gdm so that it now says:

#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
auth    required        pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required        pam_limits.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
session optional        pam_gnome_keyring.so auto_start
@include common-password
auth required pam_usb.so fs=fat check_device=-1 check_if_mounted=-1

Then just restart GDM or restart your computer. After that, try to log in without your flash drive inserted. It should simply fail. Afterwards try plugging in the flash drive, waiting a few seconds, and trying again. This time the login should succeed. Note the above setup is for using both a password and flash drive, not just a flash drive.
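To confirm that a PAM file really enforces the "password and flash drive" behaviour described above, the following added example (not part of the original post or of pam-usb) parses a service file's auth stack and reports how pam_usb.so is wired in. The names auth_stack, usb_mode and the includes parameter are made up for this sketch, and the sample text is an abridged copy of the gdm file shown above.

```python
import re

# Constructed sample: an abridged copy of the /etc/pam.d/gdm file shown above.
GDM = """\
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    required        pam_env.so readenv=1
@include common-auth
auth    optional        pam_gnome_keyring.so
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
auth required pam_usb.so fs=fat check_device=-1 check_if_mounted=-1
"""

# type, control (one word or a [bracketed list]), module path, optional arguments
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_stack(text, includes=None):
    """Return the ordered auth stack as (control, module, args) tuples."""
    includes = includes or {}          # hypothetical: {file name: file text}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            # An included file contributes its auth lines at this position.
            stack += auth_stack(includes.get(line.split()[1], ""), includes)
            continue
        m = LINE.match(line)
        if m and m.group(1).lstrip("-") == "auth":
            stack.append((m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4)))
    return stack

def usb_mode(stack):
    """Classify what pam_usb.so contributes to the login decision."""
    controls = [c for c, mod, _ in stack if mod == "pam_usb.so"]
    if not controls:
        return "absent"
    if all(c in ("required", "requisite") for c in controls):
        return "second-factor"     # login needs the flash drive as well
    if any(c in ("sufficient", "optional") for c in controls):
        return "not-enforced"      # login can succeed without the drive
    return "review"                # bracketed control: read it by hand

if __name__ == "__main__":
    print(usb_mode(auth_stack(GDM)))
```

A result of "second-factor" only says the flash drive is mandatory; the password requirement itself comes from the common-auth include, which the sketch resolves only when its text is passed in.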

Is your school issued laptop secure?

1 March, 2010 (23:05) | Court | By: chuck

Gotta love secondary school administration.. often they think they’re top of the world. Here’s a case that doesn’t have a chance of making it to the Supreme Court. Blake J Robbins v Lower Merion School District (link to Boing-Boing article)

Essentially this brings the key fact people often forget back to light: If you did not install the operating system from the ground up, the box ain’t secure.

Though it is very sad that someone in the administration thought they could get away with this. School districts shouldn’t police kids outside of school — that’s a parent’s job. This is not a new issue in the news though, there are many other examples of schools overstepping their bounds and trying to police kids for things they do on Facebook outside of school. Using the argument that the school owns the laptops and thus can monitor what is done on them should be null and voided too. I can’t put a keylogger on my machine, lend it to a neighbor, and sue them for viewing child porn sites with evidence from the keylogger.

I don’t care what the government says – if they do it outside of school, then it isn’t the school’s business, even if it will distract kids the next day in class.

One time passwords with Debian/Ubuntu for SSH

27 February, 2010 (18:54) | Linux | By: chuck

One time passwords are a very effective way to connect to an SSH server from an untrusted computer. Consider the following scenario I deal with almost daily.

The computers where I take classes are owned by a governmental organization. Sounds secure, right? Not really. Quite often other students will mess with the computers as they see fit. Plus, installing a keylogger is trivial, since the computers are Mac Minis running Windows Vista laid out on top of a desk, right next to their respective monitor.

Usually I would simply steal the network cable from a Mac Mini for my session on my secured laptop and plug it back in after, but unfortunately this behavior is forbidden by the administration. The biggest problem is not this, but that I need to get access to my remote server to copy a file off. And it cannot wait.

So, I simply fixed the problem by following this how-to and installing PuTTY onto a removable medium, and using my laptop to generate the one time passwords. The linked guide isn’t too hard to follow, so I won’t bother creating my own version of it. However, I did notice some interesting things that could be done with the opie-client and opie-server packages that I plan to blog about later.

If you have any problems with following the how-to I linked to just post a comment here with your problem. I’ll do my best to help.

LogMeIn.com security?

26 February, 2010 (12:27) | Services, Web | By: chuck

I recently had to play with LogMeIn.com’s services for a class, and began thinking about the service’s security. Yes, they state they use encryption. Yes, they provide the ability to use one time passwords. But are they really secure? I guess I am reluctant to trust third parties with access to my computers, but hey, better safe than sorry.

If anyone does have any experiences with them I wouldn’t mind hearing them. Curiosity may have killed the cat, but the cat had nine lives anyway.

Reset Windows Vista/7 password

26 February, 2010 (12:17) | Software, Windows | By: chuck

We’ve all done it. Plug in a password, think we’ll remember it a month from now, and have our memory betray us. With most Linux distros you can just pop in a livecd and change the password, providing you did not use some sort of full disk encryption, but for Windows Vista and Windows 7 things can get more complicated.

You can purchase the Microsoft solutions to this problem, but if you’re like me you would prefer a free solution. SystemRescueCd is this solution.

Just burn the CD, boot from it (type rescuecd at the boot prompt) and wait. When you get a shell prompt just follow its instructions to mount your Windows partition, and enter the system32 directory and look for a file named “SAM”. Once you’ve found it just type chntpw -u <user> /path/to/SAM and follow its instructions. Reboot cleanly, and voila.

One thing I have noticed though is that sometimes chntpw cannot change Vista passwords. If this is the case for you just set the password blank, log in under Windows, and change it there.

Content on blog now licensed under a CC license

26 February, 2010 (11:36) | Site | By: chuck

As of the time indicated on this post, all content on this blog, excluding content owned by third parties and content otherwise specified, is now licensed under the Creative Commons Attribution 3.0 United States license.

I’m not doing this to discourage derivative works or such, just to protect me. The only requirement I have for redistributing and modifying my content is that it must somehow credit me, either by name or a link back to the original page the content was found in. So feel free to “steal” my content, just give me credit when you do.

Anyway, the link provided in this post shows what restrictions are put on the license. To sum it up you basically just have to give me credit, but if you are unsure just check the linked page.

LG enV2 service menu

25 February, 2010 (19:30) | Hardware | By: chuck

Interesting little tidbit I found on the net last night while looking for what carriers the enV2 is compatible with. Simply dial the following while the phone is flipped open and hit send:

##lgservicemenu

And when the next dialog pops up, just enter zeros. Once you do this a menu will pop up. With this menu you can perform phone self tests, monkey with some special settings, etc. Be warned though that you could mess up your phone if you’re not careful.

The wonders of long distance WiFi adapters..

2 January, 2010 (21:25) | Gadgets, Idle | By: chuck

Successful holidays this year, actually managed to pick up a nice and powerful WiFi adapter with a wonderful antenna to wardrive (NOT piggyback) with. Only been out for one session so far, but still some of these access point names amused me.

  • belkin54g_not_yours (Weirdly not encrypted)
  • unknown_virus
  • donthackme
  • Hidden

And some disappointed me. Like honestly, >5 unencrypted linksys routers in a 3 mile radius? Not good folks!