net.wars: Death doth make hackers of us all
by Wendy M Grossman | posted on 22 February 2010
"I didn't like to ask him what his passwords were just as he was going in for surgery," said my abruptly widowed friend.
Now, of course, she wishes she had.
Death exposes one of the most significant mismatches between security experts' ideas of how things should be done and the reality for home users. Every piece of advice they give is exactly the opposite of what you'd tell someone trying to create a disaster recovery plan to cover themselves in the event of the death of the family computer expert, finance manager, and media archivist. If this were a business, we'd be talking about losing the CTO, CIO, CSO, and COO in the same plane crash.
Fortunately, while he was alive (and unfortunately, now) my friend was a systems programmer of many decades of expertise. He was acutely aware of the importance of good security. And so he gave his Windows desktop, financial files, and email software fine passwords. Too fine: the desktop one is completely resistant to educated guesses based on our detailed knowledge of his entire life and partial knowledge of some of his other PINs and passwords.
All is not locked away. We think we have the password to the financial files, so getting access to those is a mere matter of putting the hard drive in another machine, finding the files, copying them, installing the financial software on a different machine, and loading them up. But it would be nice to have direct "as-him" access to his archive of back (and new) email, the iTunes library he painstakingly built and digitized, his Web site accounts, and so on. Because he did so much himself, and because his illness was an 11-day chase to the finish, our knowledge of how he did things is incomplete.
Everyone thought there was time.
With backups secured and the financial files copied, we set to the task of trying to gain desktop access.
Attempt 1: ophcrack. This is a fine piece of software that's easy to use as long as you don't look at any of the detail. Put it on a CD, boot from said CD, run it on automatic, and you're fine. The manual instructions I'm sure are fine, too, for anyone who has studied Windows SAM files.
Ophcrack took a happy 4 minutes and 39 seconds to disclose that the computer has three accounts: administrator, my friend's user account, and guest. Administrator and guest have empty passwords;
But that's OK, said the security expert I consulted, because you can log in as administrator using the empty password and change the user account. Here is a helpful command. Sure. No problem.
Except, of course, that this is Vista, and Vista hides the administrator account to make sure that no brainless idiot accidentally gets into the administrator account and runs around the system creating havoc and corrupted files. By "brainless idiot" I mean: the user - the owner of the computer. Naturally, my friend had left it hidden.
In order to unhide the administrator account so you can run the commands to reset
Attempt 2: Password Changer. Now, this is a really nifty thing: you download the software, use it to create a bootable CD, and boot the computer. Which would be fine, except that the computer doesn't like it because apparently command.com is missing…
We will draw a veil over the rest. But my point is that no one would advise a business to operate in this way – and now that computers are in (almost) every home, homes are businesses, too. No one likes to think they're going to die, still less without notice. But if you run your family on your computer you need a disaster recovery plan – fire, flood, earthquake, theft, computer failure, stroke, and yes, unexpected death,
Meanwhile, I think my friend knew all this. I think this is his way of taking revenge on me for never letting him touch my computer...
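The column's advice stops at "you need a disaster recovery plan". As an added illustration of one building block for such a plan (this is not code from the column, nor from ophcrack or any other tool mentioned above), the script below splits a household master passphrase with Shamir's secret sharing so that, for example, any two of three trusted people can rebuild it together while no single one of them can read it. The passphrase is what would protect a written recovery document: where the backups are, which software opens the financial files, which accounts exist. The magic prefix, the 2-of-3 split and the sample passphrase are constructed for the demo.

```python
"""Split a household master passphrase into k-of-n shares (Shamir's secret sharing).

Added example, not the column's own code. Arithmetic is over the prime field
GF(2**521 - 1); any `threshold` shares rebuild the secret, fewer reveal nothing.
"""
import secrets

PRIME = 2**521 - 1          # Mersenne prime; leaves room for a 61-byte secret
MAGIC = b"SSS\x01"          # constructed prefix: keeps leading zero bytes and
                            # lets recovery notice when too few shares were used
MAX_SECRET = 65 - len(MAGIC)


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0..k-1] at x (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    if len(secret) > MAX_SECRET:
        raise ValueError(f"secret longer than {MAX_SECRET} bytes; split it into chunks")
    value = int.from_bytes(MAGIC + secret, "big")      # < 2**520 < PRIME
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Rebuild the secret by Lagrange interpolation at x = 0 over the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    raw = total.to_bytes((total.bit_length() + 7) // 8, "big")
    # With too few (or corrupted) shares the interpolated value is effectively
    # random and will not carry the prefix, so the caller learns nothing usable.
    if len(raw) > 65 or not raw.startswith(MAGIC):
        raise ValueError("shares do not reconstruct a valid secret (too few or corrupted)")
    return raw[len(MAGIC):]


def _recovery_fails(shares):
    try:
        recover_secret(shares)
    except ValueError:
        return True
    return False


def demo():
    """2-of-3 split of a constructed passphrase: spouse, sibling and solicitor each hold one."""
    passphrase = b"correct horse battery staple"   # constructed sample, not a real secret
    spouse, sibling, solicitor = split_secret(passphrase, threshold=2, shares=3)
    return {
        "spouse_plus_solicitor": recover_secret([spouse, solicitor]) == passphrase,
        "sibling_plus_solicitor": recover_secret([sibling, solicitor]) == passphrase,
        "sibling_alone_fails": _recovery_fails([sibling]),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Each share is a pair of numbers that can be printed and sealed in an envelope; the share holders never need to understand the maths, only to bring their envelopes together. The recovery document itself (an ordinary encrypted file or even a paper list in a safe) is what changes over time, so the passphrase can stay fixed and the split need only be redone if the passphrase is changed or a share holder drops out.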
Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).