Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#33733 - 01/07/2001 06:45 Security from within Emplode
dionysus
veteran

Registered: 16/06/1999
Posts: 1222
Loc: San Francisco, CA
...I know that we've discussed having a minimum security setting while accessing Empeg in the past - just to keep those co-workers from deleting stuff... Any luck on this? Someone a*home at work actually deleted EVERY SINGLE ONE of my playlists. Luckily, they files were just thrown to unattached items, and looking through an old CVS backup that I had, I was able to brings things back to normal fairly quickly...

In the meantime, I'm restricting (through our firewall) access to this box for only me and a few other freinds - but this is not a good solution for newbies...

Any comments?

-mark

...proud to have owned an Empeg since 00287
_________________________
http://mvgals.net - clublife, revisited.

Top
#33734 - 01/07/2001 07:36 Re: Security from within Emplode [Re: dionysus]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Interesting... did they do it deliberately? I would think that they'd have to do it on pupose, wouldn't they? That's not the sort of thing one does accidentally. They have to run Emplode for starters, then select your player, etc...

I can see this will become more and more necessary as the products become more popular and hackers start finding them on networks.

In thinking about this, I can only see one way to do it that wouldn't be a support nightmare for lost passwords:

Allow free access to the empeg, and allow free setting of the login and password, whenever you are using serial and USB. Only when connecting via ethernet, emplode prompts for the password before allowing you in. The password could be simply stored in config.ini, perhaps hashed. This could mask the actual password, but allow you to erase the password by erasing the lines in config.ini if you've got a shell prompt.

In order to make it easy on Tech Support, you would have to allow them to change the password in serial/USB mode even if they don't know the old password. Since the password is only intended to protect against remote network access, this would be OK.

In emplode, the password setting box could be part of the TCP network setup box.

Of course, all of this is only useful if you think that passwords are secure. And this would only protect against emplode modifications to the player. If someone installed third-party stuff like Displayserver, all bets are off.

Anyone have a better scheme?

___________
Tony Fabris
_________________________
Tony Fabris

Top
#33735 - 01/07/2001 10:34 Re: Security from within Emplode [Re: tfabris]
thinfourth2
Pooh-Bah

Registered: 13/04/2001
Posts: 1742
Loc: The land of the pale blue peop...
If you can't trust them screw them don't put it on the network But i think that some sort of password selection would be nice

Other thoughts are could you make it so that if one computer is talking via emplode that locks out other computers so you just leave emplode connected but doing nothing.

Just a thought

_________________________
P.Allison fixer of big engines Mk2+Mk2a signed by God / Hacked by the Lord Aberdeen Scotland

Top
#33736 - 01/07/2001 11:23 Re: Security from within Emplode [Re: dionysus]
fvgestel
old hand

Registered: 12/08/2000
Posts: 702
Loc: Netherlands
I had a kernel with firewalling compiled in, which would let you allow/deny certain IP-address ranges. If you always use the same IP-addresses for client machines, this could be a solution.

Frank van Gestel
_________________________
Frank van Gestel

Top
#33737 - 01/07/2001 11:57 Re: Security from within Emplode [Re: fvgestel]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31600
Loc: Seattle, WA
Unless, of course, the hacker spoofs his IP.

___________
Tony Fabris
_________________________
Tony Fabris

Top
#33738 - 01/07/2001 12:30 Re: Security from within Emplode [Re: tfabris]
fvgestel
old hand

Registered: 12/08/2000
Posts: 702
Loc: Netherlands
IP-spoofing is only effective for one way communication. When the destination wants to communicate back to the sender, all IP-packets are sent to the spoofed IP-address,which should get routed to the right recipient.
In theory you could do it in unsecure broadcast networks, but I think nowadays most companies use switched networks, and it wouldn't be an easy task

Frank van Gestel
_________________________
Frank van Gestel

Top
#33739 - 01/07/2001 21:32 Re: Security from within Emplode [Re: dionysus]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
I definitly would like to see this as well. I was a bit frightened how many systems I could see on my future @home service with just normal things, like Network Neighboorhood. Lucially I have a Linux firewall box to isolate my network, but for unknowing owners, this could be a big issue. I'm sure empeg has at least thought about this, with all the talk about wireless syncing the CEO talked about. Just drive through a rich neighboorhood in a few years with a wireless card, and zap unsuspecting embedded empeg owners music. Not a good thing.


Top