
SecureIt 1.05 FAQ
Below is a list of questions I received about SecureIt and my responses to them.
1. Why don't you just use the root password?
Answer: I wanted to give people the choice. They can use their root password or an entirely different password,
it's up to them!
2. Why don't you store your password file in the usual place, i.e. /etc?
Answer: Because I wanted to separate it. Where is the first place you look for that stuff, /etc! Hiding it in a
different place makes it that much more unlikely someone will get access to it.
3. Why don't you just use the netinfo database?
Answer: Because I would have to have the script start netinfo, as it is not running in singleuser
mode! Why start the service that would possibly give someone access to all your passwords? I don't know about you,
but I want to make this as hard as possible for the hacker, not make it easier ;)
4. What is the point of having this when someone could just come in and boot off a CD?
Answer: This is a valid point, but almost all Mac security is bypassed by booting off another device.
The purpose of the script is to deter the person trying to gain access, not work miracles!
5. Why do you call the singleuser mode a security hole when it is there on purpose?
Answer: You are right, it is technically called a backdoor, but let's face it, whether it is there by design or
not, it IS a security hole. Unix systems have been insecure when access to the box is gained. They are that way for
several reasons:
   1. Unix systems up till now have been primarily a server OS. They are kept in secure server rooms. So security
      when you have access to the box was never that important.
   2. Sysadmins use this "backdoor" to gain access to a box where a previous sysadmin left the company and didn't
      tell anyone the password.
6. Why did you write it in perl? Aren't you taking a chance with it working in singleuser mode?
Answer: I chose perl because of its simplicity, yet it has the ability to perform complex actions.
Perl does not rely on system libraries, so yes it will work just fine in singleuser mode.
7. Why do you import your own rc.boot?
Answer: I no longer import my own, but patch the existing rc.boot. The installer does make a backup copy before
doing this. Also the new uninstall script removes the lines the patch added, leaving your computer as it was before
you installed.
8. Is there any benefit to having a binary (program) versus perl script for this?
Answer: No. The only advantage to a binary is you can't open it to look at the code. The way my script encrypts the
password is with the crypt command (the same as the system's encryption method). You can not decrypt this
information. The only way to tell if the password typed matched the stored password is to encrypt the attempted
password and compare it to the stored one.
9. How safe is the password file?
Answer: VERY safe! Not only would you have to know where it is (the reason I DON'T have
it in the /etc directory) but you have to be root just to be able to read the file. This is NOT true for the passwd
file in the etc directory! Now we'll assume they are able by some means to view the file after finding it, the
password inside is encrypted using the same methods the system itself uses for storing passwords.
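
The check described in answers 8 and 9 (hash the attempt with crypt and compare it to the stored hash, with the file readable only by its owner) can be sketched as follows. This is an added example, not SecureIt's own code; the function names, the temporary file and the sample password are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added illustration; not SecureIt's own code. Names and paths are hypothetical.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Read the stored hash only if the file is owned by $owner_uid and
# has no group/other permission bits set.
sub read_stored_hash {
    my ($path, $owner_uid) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my @st = stat($fh) or die "cannot stat $path: $!";
    die "$path: wrong owner\n" unless $st[4] == $owner_uid;
    die "$path: accessible by group/other\n" if $st[2] & 0077;
    my $hash = <$fh>;
    close($fh);
    die "$path: empty\n" unless defined $hash;
    chomp $hash;
    return $hash;
}

# Hash the attempt with the salt embedded in the stored hash, then compare.
# Nothing is ever decrypted.
sub password_matches {
    my ($attempt, $stored) = @_;
    my $candidate = crypt($attempt, $stored);
    return 0 unless defined $candidate && length($candidate) == length($stored);
    my $diff = 0;    # look at every byte so timing does not reveal where a mismatch is
    $diff |= ord(substr($candidate, $_, 1)) ^ ord(substr($stored, $_, 1))
        for 0 .. length($stored) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed sample: a throwaway password file in a temporary location.
my ($fh, $path) = tempfile(UNLINK => 1);
my $hash = crypt('example-pw', 'ab');
die "crypt() does not support this salt on this system\n" unless defined $hash;
print {$fh} "$hash\n";
close($fh);
chmod 0600, $path or die "chmod: $!";

# A real install would pass 0 (root) as the expected owner; the demo uses our own uid.
my $stored = read_stored_hash($path, $>);
printf "correct password: %s\n", password_matches('example-pw', $stored) ? 'match' : 'no match';
printf "wrong password:   %s\n", password_matches('guess',      $stored) ? 'match' : 'no match';
# Traditional DES crypt() only uses the first 8 characters of the password:
printf "8-char prefix:    %s\n", password_matches('example-', $stored) ? 'match' : 'no match';
```

The last line shows a limit of the traditional DES-based crypt: only the first eight characters of the password take part in the hash, so longer passwords add no strength.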