[8500] in bugtraq
Re: FoolProof for PC Exploit
daemon@ATHENA.MIT.EDU (pcsupport@SMARTSTUFF.COM)
Wed Nov 11 13:39:42 1998
Date: Tue, 10 Nov 1998 22:31:43 GMT
Reply-To: pcsupport@smartstuff.com
From: pcsupport@SMARTSTUFF.COM
X-To: ballbach@lorien.ml.org
To: BUGTRAQ@NETSPACE.ORG
Michael,
We are prefectly aware that on older versions of FP the password is visible
with a hex editor. But since any school would be foolish to allow such
programs to run in the first place, the issue is a dead end 99.9% of the
time. This is not military style, espionage-level security - it is for public
workstations with restricted purposes and limited applications.
As you indicated, typical computers are exceedingly simple to understand and
horse around with. We agree, and appreciate that most high schoolers can
easily grasp what is required to operate and even program computers. This
should not be surprising to anyone.
That being said, the point of security for most schools is one of convenience
and very casual play with the machines by students. FoolProof can be
configured to be very hard to break indeed, but some schools simply do not
want to configure it in that fashion - and they may well be right if they
know thier students well.
Don't worry - more encryption and more features are always in the works. Take
care,
SmartStuff Software Technical Support
800-671-3999
Michael Ballbach,ballbach@lorien.ml.org writes:
[ I'm cc'ing smartstuff, maybe this time they'll hear us. Smartstuff, feel
free to contact me for more information on what I know. The following
refers to foolproof v1 - v3, on a mac. ]
Holding shift to bypass foolproof on a mac is ineffective if you enable
the disable foolproof bypass on extension bypass option or however it's
phrased in there.
The password is not base64 encoded, and depending on the version there are
various (very poor) methods of trying to obscure it, in the preference
files for versions prior to 3, the password sticks out like a sore thumb,
and with versions 3+ it's a tad more obscure, but the method of encryption
has not changed.
I broke the encryption my freshmen year in high school and it took about
an hour with a piece of paper and a hex editor, I didn't even use a
calculator. The base conversions took the most time. (ok ok two pieces of
paper)
Perhaps these issues coming into the public will force smartstuff to do
something about it, I've contacted them many times and they either ignore
me, or some guy that has no clue what's happening replies and blows me
off.
I'd publish the encryption details but doing so would compromise the
security of thousands of machines (including the ones I used to run), and
I don't think that's worth it... (I think smartstuff would agree) It's a
good program over all, but they really picked a very poor method of
encryption for a program that's supposed to protect machines at
educational institutions... christ I'm a high school drop out and it
wasn't a challenge for me.