General Musing

blaze your trail


Mac Screen Saver Issue #security


Sometimes I need to use my computer just to read things. As somebody who considers himself security conscious, that means keeping my finger at the ready, because my computer turns on the screen saver after 3 minutes (180 seconds) and password-locks it. However, I do need to be able to read something without having to keep interacting with my HIDs. My old solution was to set my screen saver to lock after 15 minutes (900 seconds); however, this poses a security risk, as I can forget to lock my screen using the hot corner (see image) if I am distracted by something.

System Preferences - Screen Saver

So I needed a way to automatically reset the screen saver back to 3 minutes after a grace period. OS X has a tool called defaults, which allows changes to be made to the system settings, and it lets you change the screen saver idle time like this:

defaults -currentHost write com.apple.screensaver idleTime -int 180

Now the only time I really do this is at home, so I need my computer to be secure before I leave for work in the morning. I decided that 8:30 would certainly be a time that I would still be in the house and my MacBook would be open should I have forgotten to reset the timeout. So I first added the following line using crontab:

30 8 * * * defaults -currentHost write com.apple.screensaver idleTime -int 180

Naturally this is still not very secure. The effort is only halfway there, and it should really reset the timeout more often. Perhaps I would want to set it every 15 minutes, which should give me a maximum grace period of 15 minutes. This would be inconvenient in the evening when at home.

0,15,30,45 * * * * defaults -currentHost write com.apple.screensaver idleTime -int 180

Alternatively, reset it every 15 minutes only during the period when you are in an environment where you may not entirely control who has physical access to your machine. This could be on a customer site, at a conference or in a shared office space, or at home while the kids are still awake.

0,15,30,45 8-21 * * * defaults -currentHost write com.apple.screensaver idleTime -int 180

This says: between the hours of 8:00 and 21:45, set my screen saver timeout to 3 minutes every 15 minutes.
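A tighten-only variant of the reset, added here as an example and not part of the original post: it reads the current idle time first and only writes when the setting is missing, disabled or longer than the limit, so a stricter value is never loosened by the cron job. The names enforce_idle_limit and IDLE_ACTION are hypothetical, and the script assumes an idleTime of 0 means the screen saver never starts.

```shell
#!/bin/sh
# Added example (not from the original post): tighten-only idle-time reset.
# enforce_idle_limit and IDLE_ACTION are hypothetical names.
DOMAIN=com.apple.screensaver
KEY=idleTime

enforce_idle_limit() {
    limit=${1:-180}
    IDLE_ACTION=
    # `defaults read` exits non-zero when the key has never been written.
    current=$(defaults -currentHost read "$DOMAIN" "$KEY" 2>/dev/null) || current=
    case $current in
        '' | *[!0-9]*)
            reason="value unset or not a number" ;;
        0)  # Assumption: 0 means the screen saver never starts.
            reason="screen saver was disabled" ;;
        *)
            if [ "$current" -le "$limit" ]; then
                IDLE_ACTION=unchanged      # already as strict or stricter
                return 0
            fi
            reason="${current}s is longer than ${limit}s" ;;
    esac
    defaults -currentHost write "$DOMAIN" "$KEY" -int "$limit" || return 1
    IDLE_ACTION=tightened
    # One line per change; redirect cron output to a file to keep a record.
    echo "$(date '+%Y-%m-%d %H:%M:%S') $KEY set to ${limit}s: $reason"
}

# Run only when asked, so the file can also be sourced.
if [ "${1:-}" = "--enforce" ]; then
    enforce_idle_limit "${2:-180}"
fi
```

In the crontab entries above, the path to this script followed by `--enforce` would take the place of the bare defaults command.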

Image source: me, Brian Solis


Written by Daniël W. Crompton (webhat)

September 22, 2012 at 8:25 pm

Posted in access, lifehacks, OSX, security

Proof of Concept: Overloading file operations with LD_PRELOAD


In a discussion on Full Disclosure I added a reply which I would like to expand on here:

What I did for a project I was working on was to create an LD_PRELOAD library which overloaded the I/O operations and used gz and bz2. This could easily be adapted to overload with encryption library functions rather than compression libraries. You can also use this to keep the bash history in memory using a shared memory location.

What I did, which inspired the message above, was to replace a number of functions – including read, write and lseek – with custom functions. The underlying custom code fingerprinted the file – using the magic file – to discover which compression mechanism was being used for an existing file, and when creating a new file it would use the compression based on the value set in an environment variable. The file was never extracted and was only held in memory, as these were mostly streamed to and from disk compressed, which means that with a little tweaking these could include a stream cipher, provided the key is long enough to avoid stream cipher attacks.

For completeness I’ll add here that the code supported the formats listed below, and a number of other historic formats and others that I don’t recall:

  • gzip
  • bzip2
  • pkzip (deflate)
  • compress
  • lz

Somebody else’s LD_PRELOAD examples can be found here: LD_PRELOAD fun

Image source: John Davey

Written by Daniël W. Crompton (webhat)

February 8, 2011 at 12:39 pm

OpenID Implementations


I have always loved Identity Management, and like Access Management. I’m a little funny: I like to be identified and want my identity to be linked on different sites. Which is why I like as an identity management system, I also like the possibility of limiting the exchange of personal information to the site you are identifying yourself to. Some may require a mail address, others may only need to verify that you are authenticated to the other site. allows commentary to be added when using an external authentication source, but does not allow blogging without your identity.

My personal favourites are VeriSign Personal Identity Provider – it has a Firefox add-on “VeriSign’s OpenID SeatBelt” – and – it allows attaching external links to your identity. You can examine many more of the implementations on the official site.


Written by Daniël W. Crompton (webhat)

July 5, 2008 at 10:21 am
