LinuxQuestions.org


jlinkels 11-05-2012 07:46 PM

Junior hacker strikes again!
 
You might have read before that my home network is far from safe due to the presence and the curiosity of my 9-year old son Grep:
http://www.linuxquestions.org/questi...martass-942264

Today I was called by a friend and colleague system administrator who regularly skypes with my son. He asked if I knew that my son knew my password on the home network. WTF? I keep that secret from him to avoid him logging in as me on the network and using sudo commands to circumvent the restrictions I set for him. And of course to keep him from peeking in really confidential files I keep on the home server. I have installed NIS on the network, so he can log in using my password from any workstation.

My son was quick to admit that he held the password indeed, and he also told me how he discovered it. He also said he used it from his own computer and not mine so I would discover it in auth.log. He had no desire to keep it secret.

When I installed his mother's netbook at the time, I booted into Windows 7 once to see if it was functional. I did not remove Windows 7, because if the netbook ever needed warranty repair, I wanted to show Asus I was running Windows, not Linux. I know service centers don't understand Linux and blame any defect on Linux.

When I started Windows for the first time I entered my user name and regular password. (Not smart!) Windows helps users with unsafe behavior, so I had to enter a hint for the password. OK, no problem to come up with some password, but it is a problem to remember it after 6 months. Therefore I used my regular password and also entered the correct hint.

One day my son was (illegally) using his mom's netbook and inadvertently started Windows. There was only one user (me), and when he didn't know the password he was given the hint. The hint was "My favorite candy".

This didn't help him enough, but he has looked over my shoulder numerous times when I was logging in on one of the workstations. They are routinely locked, so I have to enter the password often.

I can type quite fast, but not so fast he could not intercept the first 5 characters at some time. This combined with the Windows hint was enough for him.

Sigh.

jlinkels

PS: this message is about my son's hacking capabilities. Not about network security. It is OK to tell me that I should change the password regularly, not using the same password in multiple places, and not a dictionary word. Great. In that case please tell me how to memorize it. This I can't memorize: fl(*&CNkH097&--. Not even: "IlmwsmIwnbh" (I love my wife so much I will never betray her). Believe me. Last month I forgot the root password of my home server, which I have been using for 8 years. It consists of upper case, lower case, punctuation and numerics. It took me two days before enough synapses had been reconnected in my brain to restore it. Scary.

sag47 11-05-2012 09:52 PM

Quote:

Originally Posted by jlinkels (Post 4823059)
Sigh.

jlinkels

PS: this message is about my son's hacking capabilities. Not about network security. It is OK to tell me that I should change the password regularly, not using the same password in multiple places, and not a dictionary word. Great. In that case please tell me how to memorize it. This I can't memorize: fl(*&CNkH097&--. Not even: "IlmwsmIwnbh" (I love my wife so much I will never betray her). Believe me. Last month I forgot the root password of my home server, which I have been using for 8 years. It consists of upper case, lower case, punctuation and numerics. It took me two days before enough synapses had been reconnected in my brain to restore it. Scary.

Funny stories; I read both :D. One thing I'd like to add is that passwords are only "dictionary" passwords if they're single words. The password "IamCrazy!" is not a dictionary word and therefore is a decently strong password, since it is 8 characters, contains upper and lowercase letters, and a symbol. You could even add the numbers 123 and then it would be even more secure with the added base of characters, like "123IamCrazy!". Sentences make for strong passwords (and spaces count as characters on Linux).

Hopefully, that hint will help you to create and remember stronger passwords. "123IamCrazy!" has a password strength of 92^12 while "IlmwsmIwnbh" only has a password strength of 52^11. The latter can be easily cracked in a few hours of brute force of hashes (i.e. alpha rainbow tables), while the former can't be cracked by today's modern computers through brute force. I can get into the math of it if you want, but I doubt you'll really care to know.

SAM
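As an added illustration of the keyspace arithmetic in sag47's post (not code from the thread), this Python works out the class-based alphabet, keyspace, bits and exhaustive-search time for the thread's two example passwords, and also shows how much of that search survives once a prefix has been seen over a shoulder. The 10 billion guesses per second rate and the 94-character printable alphabet (the post counts 92) are assumptions.

```python
import math
import string

# Character classes an attacker must include once one member appears.
# sag47 counts the symbol-inclusive alphabet as 92; the exact printable
# non-space ASCII count used here is 26 + 26 + 10 + 32 = 94 (assumption).
CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),   # 32 characters
    "space": {" "},                      # spaces count on Linux
}


def alphabet_size(password: str) -> int:
    """Size of the class-based alphabet a brute-force search must cover."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates: alphabet ** length (e.g. 52**11 or 94**12)."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace, assuming every character was chosen at random."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str, guesses_per_second: float,
                       known_prefix: int = 0) -> float:
    """Worst-case time to try every candidate at an assumed guess rate.

    known_prefix is how many leading characters were already observed
    (shoulder-surfed); only the remaining positions need to be searched.
    Caveat: this model treats characters as uniformly random. A phrase
    built from dictionary words or a password with a hint is searched
    far faster, so treat these figures as an upper bound.
    """
    remaining = alphabet_size(password) ** (len(password) - known_prefix)
    return remaining / guesses_per_second


if __name__ == "__main__":
    # Constructed inputs taken from the thread's own two examples;
    # 1e10 guesses/s is an assumed offline hash-cracking rate.
    for pw in ("IlmwsmIwnbh", "123IamCrazy!"):
        print(f"{pw!r}: alphabet={alphabet_size(pw)} bits={entropy_bits(pw):.1f} "
              f"years={seconds_to_exhaust(pw, 1e10) / (365 * 86400):.3g} "
              f"seconds_with_5_known={seconds_to_exhaust(pw, 1e10, 5):.3g}")
```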

exvor 11-05-2012 10:17 PM

Wow I wish my son had this sorta skill. He also loves to play minecraft but doesn't have any interest in figuring out how to do advanced things on the computer.

I read your other post and saw some of the other comments on sudo. Sudo really can be an evil thing when it comes to security, but few users actually take the time to configure it to not allow everything to be run with it. You can limit sudo so that only one or two commands on the system are able to be executed by it; you just have to edit the sudoers config file. I have actually gotten into arguments on this site with people who swear that you cannot do this, but it's something I always do when I set up a system so that I can shut down the system from X windows. Sudo on my box is only allowed to run shutdown and reboot. Many distributions are also guilty of abusing sudo and leaving it open to everyone...

salasi 11-06-2012 01:29 AM

I am following your son's progress with interest, and, to be frank, admiration (although I have also mentally filed it in the category "breeding, potential dangers of").

In terms of password strength, I tend, these days, to use memorable word fragments combined. These words are not necessarily from a single language and not necessarily correctly spelled and I usually throw in a command sequence from a command line program, just to top up the entropy a bit. I find this easy enough to work with as far as, eg, encryption for my router is concerned (which I need to recall moderately frequently), but the hundreds of passwords and account names that exist on the internet would defeat me without some kind of password manager.

chrism01 11-06-2012 05:52 AM

As sag47 said, the maths shows that longer relatively plain passwds are actually more secure than short complex ones.
Of course a passwd mgr (secured by a really secure master passwd) is handy.
On MS I recommend KeePass. I believe there's a Linux version KeepassX, but haven't tried it yet.
Quote:

The complete database is always encrypted either with AES (alias Rijndael) or Twofish encryption algorithm using a 256 bit key.
http://keepass.info/index.html
https://www.keepassx.org/

tangle 11-06-2012 12:20 PM

Quote:

Wow I wish my son had this sorta skill. He also loves to play minecraft but doesn't have any interest in figuring out how to do advanced things on the computer.
You have one of those also? I thought mine was unique.

To the OP, maybe a good punishment would make him a little more mindful of you.
