Difference between revisions of "DyKnow"

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search
imported>Cov
(Security)
imported>Cov
(Security)
Line 12: Line 12:
  
 
=Security=
 
=Security=
In the spring of 2009, the [http://www.security.vt.edu/ IT Security Office] and DyKnow were alerted that the login process was unsafe. Passwords were being sent over the wire as an [[w:MD5|MD5 hash]] with a static [[w:Salt (cryptography)|salt]] and symmetrically encrypted with [[w:Advanced Encryption Standar|AES]], while the salted MD5 hash is invulnerable to [[w:Rainbow table|precomputation attacks]], the symmetric encryption was performed with key information shared between all clients, allowing for simple decryption if the traffic could be intercepted. Within a month the issue was worked around. Users were instructed to enable SSL for transactions and unencrypted access to the server was shut off.
+
In the spring of 2009, the [http://www.security.vt.edu/ IT Security Office] and DyKnow were alerted that the login process was unsafe. Passwords were being sent over the wire as an [[w:MD5|MD5 hash]] with a static [[w:Salt (cryptography)|salt]] and symmetrically encrypted with [[w:Advanced Encryption Standar|AES]], while the salted MD5 hash is invulnerable to [[w:Rainbow table|precomputation attacks]], the symmetric encryption was performed with key information shared between all clients, allowing for simple decryption if the traffic could be intercepted. Within a month the issue was worked around. Users were instructed to enable SSL for transactions and unencrypted access to the server was shut off. No response from DyKnow is known of.
  
 
If it is preferable for the traffic to remain unencrypted for some time, using [[socat]] as a [[Socat#Cleartext_to_SSL_Tunnel_for_DyKnow|plaintext-to-SSL proxy]] allows the final end of the connection to be encrypted but the initial segment to remain unencrypted.
 
If it is preferable for the traffic to remain unencrypted for some time, using [[socat]] as a [[Socat#Cleartext_to_SSL_Tunnel_for_DyKnow|plaintext-to-SSL proxy]] allows the final end of the connection to be encrypted but the initial segment to remain unencrypted.

Revision as of 01:50, 29 November 2009

DyKnow Vision is proprietary classroom software made by Dynamic Knowledge Transfer, LLC and used by the College of Engineering at Virginia Tech. It is mostly written in C# but has many native components and cannot be run with Mono. Attempts to run it under Wine have been unsuccessful. DyKnow Monitor, which comes bundled with DyKnow Vision, includes malware-style features such as application and URL blocking, remote opening and closing of programs and displays of student screens.

Malware Features

Occasionally, professors have enabled the malware features of DyKnow products in class, forcing full-screen mode and spying on students. More specific information regarding this would be informative. In earlier versions of DyKnow, certain key combinations could easily break the forced full-screen mode. Unless students give consent to have their privacy invaded by merely showing up to class and running required software, the malware functionality breaks the Virginia Tech Acceptable Use Policy, but to date, this hasn't seem to have garnered any attention.

Running the Proprietary Software

Virtual Machines

DyKnow runs fine in virtualized environments such as VirtualBox. Using a virtual machine is a nice way to soften the effects of its malware capabilities.

Making the Installer Skip Dependencies

The web installer is broken, but if you trick it into skipping dependencies, you can at least get DyKnow installed under Wine. To do so you'll need to run the DyKnow installer with Wine then delete the dependency entries from a temporary folder in c:\windows.

Security

In the spring of 2009, the IT Security Office and DyKnow were alerted that the login process was unsafe. Passwords were being sent over the wire as an MD5 hash with a static salt and symmetrically encrypted with AES, while the salted MD5 hash is invulnerable to precomputation attacks, the symmetric encryption was performed with key information shared between all clients, allowing for simple decryption if the traffic could be intercepted. Within a month the issue was worked around. Users were instructed to enable SSL for transactions and unencrypted access to the server was shut off. No response from DyKnow is known of.

If it is preferable for the traffic to remain unencrypted for some time, using socat as a plaintext-to-SSL proxy allows the final end of the connection to be encrypted but the initial segment to remain unencrypted.

Patents

DyKnow has been granted three software patents.