Maximum PC

Regarding Tom's latest piece, "The Fix is In":

Apparantly Tom actually called the cops because he found evidence of a password-cracking program being downloaded on his Mac after being left at a repair shop. The cops of course found no evidence of any evil-doing, but Tom decided to write about it anyway in his column, in an apparent effort to raise general awareness about possible satanic repairmen.

This was a joke, right Tom? Did you actually call the cops?

I am a computer repairman, and let me enlighten you. Password crackers are an essential part of any repairman's toolkit, not only because of the numerous computer idiots we help, but also because even some very savvy users manage to misplace or forget passwords once in a while. Sometimes we've simply forgotten to ask for a password and the user isn't available at the time. Whatever the case, if one of us does manage to get around to some evil-doing with stolen passwords, it certainly won't take much investigative time for the cops to come knocking on our door.

Now that I think about it, wasn't there a recent article in the magazine about how to recover lost Windows passwords? Hey Maximum PC, why on earth would you even be interested in publishing a lame column like this? The repairman hadn't even done anything!

However you look at it, this is definitely some unnecessary paranoia in an already overly fearful society. Get a grip, Tom.

Sincerely,
Brian
Computer Repairman who Frequently Uses Password Cracking Tools for Non-Evil Purposes

If I found such software on my PC, I'd sue your ass and own your business.

You need an adminstrative pw for the system and you should get that from your customer. If, during the course of your repairs, you find that you need another pw, you get that from your customer as well. If there is a delay, that's life.

If the customer has lost their password, you ask for their permission to crack their box and retrieve them.

I can't believe that you equate a user trying to recover their own data / passwords with a lazy repairman who can't be bothered contacting their customer.

It is illegal and immoral and your sanctimonious post is just silly.

And the guilty will throw the first stone.

Your purposes may be "non evil" in your mind, but there sure as hell are in mine.

I should point out this piece of obvious - the PC's you're working on aren't yours! So you can't do to them what you please and use whatever you want.

Doing things on a user's computer that they didn't ask you to is just wrong, and it'll end up with you in hot water sooner or later.

It's a good thing too you refer to your customers as "computer idiots" - treating them with that kind of contempt ought to ensure you have a long running, prosperous business.

Illegal? Immoral? Lawsuit? Cops? Are you guys sure?

I really can't believe what I'm hearing here. Did you guys have the same feelings when reading the Maximum PC article about retrieving lost Windows passwords? Did you guys want to sue the magazine? Did you tremble with fear?

And yes, I usually have my customers' express permission beforehand when retrieving their passwords, but when I have to do it myself and tell them later, they don't want to sue me. They certainly don't get their panties in a bunch like this. They have always been understanding that password issues are simply a part of computer troubleshooting. Heck, some of them laugh at me when I'm unable to crack their passwords.

Of course in your defense, now that I know that people like you exist, I'm going to have to be more careful. I'm glad to find out this way instead of suddenly being sued one day by another similarly nervous person.

I apologize for being sanctimonious; it's really just coming from a sense of utter shock.

The word you are missing here is 'context'.

If I lose my password, that article helps me get back into my box.

If I can't do that, I can come to you and pay for the service.

That article does NOT, in any way, say that you can arbitrarily hack my PC without my permission. You need access to a password protected section of a PC, you'd damn well better have explicit permission.



You write very well for someone in shock.

Quite well said Jip, as usual. The "context" is often overlooked when someone is assuming things.

What you say is absolutely right, Jipstyle. I thought a lot today about what people have said here and I realized that "context" was exactly what I was missing. I am by nature kind of a laid-back person I suppose, and I realized that in certain circumstances even I could feel uneasy if I found out after the fact of a repair guy "hacking" my computer. Mind you, I would never call the cops, but maybe that's just me.

I am, perhaps naively, just always so surprised (and sometimes as outraged as a laid-back guy can get) at the level of fear and distrust I hear from people. It causes in me what amounts to a knee-jerk reaction, and apparently, as in this case, a possible lapse in judgement.

I really am going to be more cautious now about the password thing too. God knows there's lots of nervous people out there, and when it comes down to it, I've just never personally had any trouble with someone stealing my identity or anything. Maybe I take that for granted. (I might become considerably less laid-back.)

I still suspect at least a pinch of paranoia here, and maybe I'm just of a mind that if the repair guy's got it, it's more or less "assumed" that he's gotta have access to passwords. This assumption may very well be wrong on my part, so I must concede on all points.

All but one, that is, as I still believe Tom Halfhill to be a bit of a douchebag. (Just kidding, Tom; if you ever see this, I apologize for calling you a douchebag.) But seriously, the original piece did say something about "learning from his experience," as if something horrible had happened. Does anyone at all think calling the cops was at least a slight overreaction?

That said, I apologize for my arrogance as I stand corrected.

Holy ballz dood! I think you are the first person in the history of MaxPC to do what you just did. There is hope for this world after all.

Glad to hear you've had a change of opinion as well.

Tom Halfhill was not made aware that the tool was used, and was obviously not disclosed to him since it was a surprise. The moral thing to do as soon as the tech sees he needs the owner's password is ask for it. If that's not available, ask permission to crack it, or return it as the task can't be done.

Ideally, I'd think it'd be recommended to the owner to disable or change the PW to something generic for the tech to use and then just reset it upon return. If it's lost, that's one thing...if it's not, it's a complete other.

General users aren't idiots really, but ignorant for the most part. They may not have a glancing thought that the tech needs a PW if it's in place, so I'd think it'd be explained in some generic disclaimer before even accepting any box for work. Maybe even adding an Admin Level account just for this trip to the doctor.

It's kind of scary really. If I sent my box for repair, just fire up my browser and my cookies could grant you access to far too much info than anyone needs their hands on. I'd feel much better not having my account's PW cracked and just work in your own sandbox in the box. Really, no one needs into a specific user's account, and should be disclosed if and when it's needed.

I'd be pissed off...highly...if I found a PW cracker after it was returned. Many probably don't know it's there, so they're not mad either.

I'm almost afraid to say it, but 90% of what we do is troubleshoot problems from within a user's account, but that aside....

I think in the beginning of my career as a tech, I may have had a bit of this trepidation about user passwords in general. But as I worked more (and believe me, I'm not making this up), I found users and customers to have a very open attitude with me about passwords and getting into their accounts and such, even for online resources (like webmail) that they may have been struggling with. Maybe it's just my sparkling personality, or maybe it's because I live in a kind of small town rural area, but I'm pretty sure none of my customers would ever call the cops on me, even if I did use a cracking tool without their knowledge. I would absolutely never use it for shady purposes, and maybe that comes through to them somehow. For whatever reason (at least until now perhaps), I've always gotten the distinct sense that most people didn't really worry about stuff like that when it comes to tech help. Obviously Tom and others here have demonstrated otherwise. Maybe I'm just a little sad that all this distrust is the apparent status quo.

But again I apologize. The way I handle sensitive info like passwords will change because of what I've learned in this forum about what people really think.

I wouldn't call the cops on you but there will be violence and it will be final, want to know why?

My mom runs a daycare and I have set up her computers for account automation, she has very important data on her computers, things like names, ages, address, phone numbers and identification pictures for children ranging the ages of 4 mo to 12 yo.

Every weekend I archive her data and bring it home and save it to multiple formats since it must be kept for so many years, if I ever brought my computer to you and found a password cracker on my system I would hunt you down.

Even if I wasn't in possession of sensitive data I would probably still smash your knees with a 16 lb sledge hammer, I would do the same if you were going through my car or sneaking a peak in my fridge.

Good Lord! I swear I take it all back! Plus I regret not considering the possible daycare situation!

Great conversation ... kudos to himini for being open-minded and level-headed .. as has been pointed out, that can be rare in online conversations.

Himini, you asked about calling the cops. Again, context is important. If the repairperson used a tool to get administrative access to fix something, he and I would have a little talk about asking for keys before forcing a door .. but that is it.

On the other hand, if I found that my encrypted FS had been touched, I'd bring the laptop straight to the police without touching anything. That drive has banking information, passwords and RDCs setup to go to my work, and very valuable IP (source code and technical documentation) for products worth millions. Would I be worried? Fuck yes. Is it paranoia? No .. because my job and possibly my financial future are on the line.

If I was freaking out about family pictures, I could certainly call that paranoia. But the data on my drive is worth more money than I can afford to lose.

OTOH, I'd probably get fired for bringing it to repairperson outside of work, so the point is somewhat moot.

okay... I'm a computer tech as well, and where I have access to special tools that let us into user accounts by either bypassing the password or removing it all together (they don't actually crack the passwords, just remove them by using admin level control from a boot disk). But the fact is, we ALWAYS disclose that it's a possibility that we may have to resort to such measures to the customer when first bringing in a unit. And I'd say that 98% of people don't have a problem with that whether they have sensitive data on their machines or not (we deal with A LOT of businesses in our area). The one's that do have issues with it normally take it home, make a secondary admin account for us to use, then bring it back. But lots of things just can't be solved without access to a specific user account. Having been a tech for over 5 years now, the only time the police have asked to see us is if we called them up because of suspected child porn on a computer, or they're bringing in their own computers. And if we DO need a password we don't have, we ALWAYS both call the customer and email using the information first given to us when we originally signed the unit in.

well, that's my 2 cents worth anyways.

Very reasonable of course, and there won't be any exceptions to this kind of policy for me anymore. Sounds like I use the same tool you do usually, a boot disk that blanks out the password. As an aside, there's also the "Ophcrack" boot disk (I believe Max PC ran an article about it at some point as well), which loads dictionary tables and does in fact reveal account passwords rather than blanking them out. It's one of the tools I carry, but in my experience it doesn't work as well.

Again the purpose for even having these tools is for when the customer has locked him or herself out, so they are of course aware of their use. But I've got to be honest again; the few times I've used the tools without them knowing beforehand didn't seem to phase the customers one bit. It's definitely possible that this has been a mistaken perception, but what's more apparent to me is an attitude something like, "I don't care what you had to do; thank God my computer's fixed."

It sounds like the big difference here is when the customer finds out about the cracking tool on their own, having never been told by the repair guy at all, before or after. I overlooked this key point in Tom's article, leading to my misinterpretation. I can see now how this could lead to a certain "creepy" factor, although in and of itself it would not bother me personally. I still think it's slightly hilarious that he called the cops, but it sounds like my attitude is the exception rather than the rule.

I also have to say that my initial reaction still holds in one small way, in that I felt somewhat insulted by the original article. I got the distinct feeling that Halfhill's message was basically, "Computer repairmen are not to be trusted." If you're going to say this, at the very least you should back it up with a story that supports it. In Tom's story, nothing bad ever even happened (except in his own mind), thus my claim of undue paranoia.

This idea, though perhaps in only a minor way, goes a bit toward my initial attitude. If the customer has this much at stake (especially if there are millions of dollars involved), then taking it to the local computer repair shop is obviously not the best idea. And even when regular folks have "trust" issues, maybe using computer repairmen just can't be an option. As has been pointed out, we almost invariably need access to user accounts, which therefore gives us possible access to personal data.

Whether he tells you or not, your repairman has the tools to crack your passwords. Whether or not you trust him is completely up to you, but I suggest that calling the cops should only be an option once a crime has been committed. Simply finding evidence of the tool itself just isn't enough, and I don't think Halfhill's repairman story is too far off from this.

Heck, as a guy who worked as a tech for a year and a half, I had all those tools at my disposal.

I call for every single password I needed unless it was forgotten or had been locked by the owner's kid (and that required paperwork).

Cracking on the fly is immoral. 'nuff said.

So the consensus seems to be that the key issue is not the use of the tool itself, but the non-disclosure to the owner of its (possible) use.

Let me ask you guys this (simply as a curious intellectual exercise): Is cracking copyright protections (such as CSS on DVDs) always immoral, in the "'nuff said" way? Does "context" come into play for your answer?

Cracking copy prevention mechanisms on content you've purchased a legal license for (ie, bought the DVD) for a legal purpose (converting to iPod format, streaming, etc) is morally fine in my eyes. If you're ripping netflix discs or posting your rips online, you're in the wrong.