Security from within Emplode

...I know that we've discussed having a minimum security setting while accessing Empeg in the past - just to keep those co-workers from deleting stuff... Any luck on this? Someone a*home at work actually deleted EVERY SINGLE ONE of my playlists. Luckily, they files were just thrown to unattached items, and looking through an old CVS backup that I had, I was able to brings things back to normal fairly quickly...

In the meantime, I'm restricting (through our firewall) access to this box for only me and a few other freinds - but this is not a good solution for newbies...

Any comments?

-mark

...proud to have owned an Empeg since 00287

Interesting... did they do it deliberately? I would think that they'd have to do it on pupose, wouldn't they? That's not the sort of thing one does accidentally. They have to run Emplode for starters, then select your player, etc...

I can see this will become more and more necessary as the products become more popular and hackers start finding them on networks.

In thinking about this, I can only see one way to do it that wouldn't be a support nightmare for lost passwords:

Allow free access to the empeg, and allow free setting of the login and password, whenever you are using serial and USB. Only when connecting via ethernet, emplode prompts for the password before allowing you in. The password could be simply stored in config.ini, perhaps hashed. This could mask the actual password, but allow you to erase the password by erasing the lines in config.ini if you've got a shell prompt.

In order to make it easy on Tech Support, you would have to allow them to change the password in serial/USB mode even if they don't know the old password. Since the password is only intended to protect against remote network access, this would be OK.

In emplode, the password setting box could be part of the TCP network setup box.

Of course, all of this is only useful if you think that passwords are secure. And this would only protect against emplode modifications to the player. If someone installed third-party stuff like Displayserver, all bets are off.

Anyone have a better scheme?

___________
Tony Fabris

If you can't trust them screw them don't put it on the network But i think that some sort of password selection would be nice

Other thoughts are could you make it so that if one computer is talking via emplode that locks out other computers so you just leave emplode connected but doing nothing.

Just a thought

I had a kernel with firewalling compiled in, which would let you allow/deny certain IP-address ranges. If you always use the same IP-addresses for client machines, this could be a solution.

Frank van Gestel

Unless, of course, the hacker spoofs his IP.

___________
Tony Fabris

IP-spoofing is only effective for one way communication. When the destination wants to communicate back to the sender, all IP-packets are sent to the spoofed IP-address,which should get routed to the right recipient.
In theory you could do it in unsecure broadcast networks, but I think nowadays most companies use switched networks, and it wouldn't be an easy task

Frank van Gestel

I definitly would like to see this as well. I was a bit frightened how many systems I could see on my future @home service with just normal things, like Network Neighboorhood. Lucially I have a Linux firewall box to isolate my network, but for unknowing owners, this could be a big issue. I'm sure empeg has at least thought about this, with all the talk about wireless syncing the CEO talked about. Just drive through a rich neighboorhood in a few years with a wireless card, and zap unsuspecting embedded empeg owners music. Not a good thing.