Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Topic Options
#62290 - 23/01/2002 10:22 Data Security
TedP
member

Registered: 11/01/2002
Posts: 171
Loc: South Bay, CA: USA
Just wondering, when plugged into a network: is there any way to protect the data on the Rio. I just thought of this after installing Hijack, and being able to FTP into the box from anywhere!

is there a way to enable logons, or to set file permissions?

not that im paranoid or anything...
-ted

Top
#62291 - 23/01/2002 10:26 Re: Data Security [Re: TedP]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Not right now. Even prior to Hijack and it's FTP/HTTP server, you could, and can, connect from anywhere to the empeg via Emplode, even, conceivably, over the Internet, with no auth.

Oh -- and file permissions don't make sense even beyond that, because there are no users other than root.
_________________________
Bitt Faulk

Top
#62292 - 23/01/2002 10:31 Re: Data Security [Re: TedP]
ClownBurner
member

Registered: 05/09/2000
Posts: 174
Loc: Irvine, CA USA
A good recommendation is to set the Empeg address to something unroutable and limit access that way. Not setting a default gateway on the player goes some way towards limiting remote access too.

See "accessing the player on a different subnet than the PC" here in the FAQ.
_________________________
_____________ James Mancini

Top
#62293 - 23/01/2002 11:11 Re: Data Security [Re: wfaulk]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
I could have sworn they were implementing password security in Emplode with version 2.0.

Wait, maybe that was only for the Jupiter... Now I'm confused!
_________________________
Tony Fabris

Top
#62294 - 23/01/2002 11:22 Re: Data Security [Re: tfabris]
peter
carpal tunnel

Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
Wait, maybe that was only for the Jupiter

It was only for the Jupiter. I think that you alpha mateys once accidentally got a car release with it enabled, but that was a bug.

Peter

Top
#62295 - 23/01/2002 12:14 Re: Data Security [Re: tfabris]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
Umm what's the Jupiter? Is that the super 31337 code word for the HSX?
_________________________
- Tony C
my empeg stuff

Top
#62296 - 23/01/2002 12:45 Re: Data Security [Re: tonyc]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
Umm what's the Jupiter? Is that the super 31337 code word for the HSX?

Yes. See here.
_________________________
Tony Fabris

Top
#62297 - 23/01/2002 12:57 Re: Data Security [Re: tfabris]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
Okay then I guess the follow-up question would be why would Emplode have a nice password protection/security feature only for the one product and not the other?
_________________________
- Tony C
my empeg stuff

Top
#62298 - 23/01/2002 13:02 Re: Data Security [Re: tonyc]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
why would Emplode have a nice password protection/security feature only for the one product and not the other?

Because the feature needs to work at both ends of the connection. In both emplode and the in the player software. The car player software doesn't have it working yet.
_________________________
Tony Fabris

Top
#62299 - 23/01/2002 13:04 Re: Data Security [Re: tfabris]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
Gotcha. I kinda thought since there was reuse between the player software on the two platforms, that the security component might be included. Guess not.
_________________________
- Tony C
my empeg stuff

Top
#62300 - 23/01/2002 13:07 Re: Data Security [Re: tonyc]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
I kinda thought since there was reuse between the player software on the two platforms, that the security component might be included.

There is, to a certain degree. But not every feature is duplicated across platforms, as there are significant differences between them.
_________________________
Tony Fabris

Top
#62301 - 23/01/2002 13:15 Re: Data Security [Re: tfabris]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
I know not everything can be reused, but as someone who writes netcentric security software, I don't see why the authentication scheme needs to be tied to the specific platform. It's best to abstract session/security layer activities from any presentation logic. It doesn't always happen that way but most of the UI stuff would be on the Emplode side (entering the password to connect, setting the password, etc) and the player would just be responsible for comparing what the user enters (or an encrypted/hashed version of it) to what it has in its config file. Why would that different between them?
_________________________
- Tony C
my empeg stuff

Top
#62302 - 23/01/2002 13:26 Re: Data Security [Re: tonyc]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Because if it's done that way, the player is still accessable via Jemplode/emptool unless similar locks are put there. Putting a mandatory password block on the player to access the database would seem to be a solution, but then it has to be implemented in JEmplode and emptool.

I'm guessing empeg would want to implement a secure solution, instead of one that simply looks secure from one program. Building the HSX from the ground up made that much more possible, compaired to the empeg code base starting on a device that couldn't speak ethernet. Plus the fact that the HSX will most likely be connected all the time...

Top
#62303 - 23/01/2002 13:35 Re: Data Security [Re: drakino]
tonyc
carpal tunnel

Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
Putting a mandatory access block on the player to access the database is exactly what I was talking about. I don't think anyone was suggesting that only Emplode needs to present a password, and other clients (Jemplod etc) would get carte blanche. Obviously the player would have to be the gatekeeper and, if so configured, reject all clients that don't present a password.

I dunno. It's not as much of a concern as the machines I work with here at work. I'd much rather see cool new visualizations and such than password protection.
_________________________
- Tony C
my empeg stuff

Top