Active Topics
-
Nokia Booklet 3G (RX-75) Drivers (60)
to Alternatives by Maemish - 2 days, 8 hrs ago -
Is there a section to talk about Java ME? Apps, etc. (7)
to General by teroyk - 5 days, 5 hrs ago - more...
lma |
2010-01-19
, 18:23
|
|
Posts: 2,802 |
Thanked: 4,491 times |
Joined on Nov 2007
|
#131
|
Originally Posted by joelus
That would be completely unusable for something like SIP over UDP (the most common case, and the bug does talk about RTCOM accounts after all) which needs the password whenever it REGISTERs (every few minutes), whenever you make a call or send a message etc.
| The Following User Says Thank You to lma For This Useful Post: | ||
|
|
2010-01-19
, 23:11
|
|
Posts: 98 |
Thanked: 31 times |
Joined on Nov 2009
|
#132
|
Originally Posted by daperl
Discussing security on a forum can get really dry, much better in a pub with lots of booze and a rubber hose to demonstrate the most cost effective cryptanalysis
@mahousaru
Again, we have people that understand security trying to explain it to people that don't understand it, and probably don't really care to. What people do care about is feeling secure. These are two different things, and I responded to the latter. And so did you.
I can't wait for the N900 to have some TPM mechanism, probably will have to buy a new unit, but I think it will be worth it, if it can really secure a device. For now I'll keep my sensitive conf files and documents on my FDE eeepc.
| The Following User Says Thank You to mahousaru For This Useful Post: | ||
 |
|
2010-01-20
, 12:08
|
|
Posts: 2,050 |
Thanked: 1,425 times |
Joined on Dec 2009
@ Bucharest
|
#133
|
Oh come now. Doesn't everyone see the difference between needing "cat" to see all passwords and needing to write a script?
No lock is 100% secure. Even safes and professional security is rated in time alone with an expert. I happen to have such experts as friends, since I work in IT and although I'm a Windows guru, not every friend I have is. Some are Unix admins with more than enough know-how to wonder around poking "oooh, is this your messenger config file? Does keep track of ... ooooh. Nice passwords, dork".
There's not much of a difference between a normal lock and an open door for a thief, it takes one 10 seconds to go through it. However, HAVING a lock is not only effective for 99% of the population, it is also the international sign of "stay the heck away".
And no, an one-liner is not enough security. There has to be something that is not one-liner in the terminal. A modified ROT13 would be just fine, thanks. ROT15? Don't know. But there is no ROT15 implemented in any language, you need to write one and that takes a minute on the N900 kbd.
I have the time to see him typing furiously in the terminal and look over the shoulder. Also, it's not immediately obvious that it's a ROT15 and not ROT16 or similar, making the scanning source harder to write.
I'm not asking for 100% security, or even 20% security. I'm asking you not to leave the door wide open.
The draft is killing me.
No lock is 100% secure. Even safes and professional security is rated in time alone with an expert. I happen to have such experts as friends, since I work in IT and although I'm a Windows guru, not every friend I have is. Some are Unix admins with more than enough know-how to wonder around poking "oooh, is this your messenger config file? Does keep track of ... ooooh. Nice passwords, dork".
There's not much of a difference between a normal lock and an open door for a thief, it takes one 10 seconds to go through it. However, HAVING a lock is not only effective for 99% of the population, it is also the international sign of "stay the heck away".
And no, an one-liner is not enough security. There has to be something that is not one-liner in the terminal. A modified ROT13 would be just fine, thanks. ROT15? Don't know. But there is no ROT15 implemented in any language, you need to write one and that takes a minute on the N900 kbd.
I have the time to see him typing furiously in the terminal and look over the shoulder. Also, it's not immediately obvious that it's a ROT15 and not ROT16 or similar, making the scanning source harder to write.
I'm not asking for 100% security, or even 20% security. I'm asking you not to leave the door wide open.
The draft is killing me.
__________________
N900 dead and Nokia no longer replaces them. Thanks for all the fish.
Keep the forums clean: use "Thanks" button instead of the thank you post.
N900 dead and Nokia no longer replaces them. Thanks for all the fish.
Keep the forums clean: use "Thanks" button instead of the thank you post.
 |
|
2010-01-20
, 13:17
|
|
Posts: 2,535 |
Thanked: 6,681 times |
Joined on Mar 2008
@ UK
|
#134
|
Originally Posted by ndi
Well, let's assume a 15-place rotation cypher; how about the following (proof-of-concept, only deals with capitals):
And no, an one-liner is not enough security. There has to be something that is not one-liner in the terminal. A modified ROT13 would be just fine, thanks. ROT15? Don't know. But there is no ROT15 implemented in any language, you need to write one and that takes a minute on the N900 kbd.
Encode ("ROT15"):
Code:
tr 'A-Z' 'P-ZA-O' .rtcom-accounts/accounts.cfg
Code:
tr 'P-ZA-O' 'A-Z' .rtcom-accounts/accounts.cfg
I have the time to see him typing furiously in the terminal and look over the shoulder.
Do you trust them not to ring up a premium rate sex line; which they could also do and cost you actual physical money.
Also, it's not immediately obvious that it's a ROT15 and not ROT16 or similar, making the scanning source harder to write.
__________________
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org
| The Following 3 Users Say Thank You to Jaffa For This Useful Post: | ||
 |
|
2010-01-20
, 14:05
|
|
Posts: 2,121 |
Thanked: 1,540 times |
Joined on Mar 2008
@ Oxford, UK
|
#135
|
This talk of how long it would take for an attacker to type in a script is misleading. All the attacker needs to do is to take a copy of the file (e.g. email it to themselves, or copy and paste it into pastebin), then they can decode the passwords at their leisure later on. So it doesn't matter how much you obfuscate the password, it might as well be plain text.
| The Following 4 Users Say Thank You to pelago For This Useful Post: | ||
 |
|
2010-01-25
, 22:01
|
|
Posts: 963 |
Thanked: 626 times |
Joined on Sep 2009
@ Connecticut, USA
|
#136
|
Originally Posted by pelago
I do have to disagree with your conclusion. Lets use an illustration. I used to live in NY, and one thing you notice there is that about 80% of parked cars have an anti-theft device on the steering wheel called "the club". Now, everyone that owns a club knows that a thief is able to defeat the club if they want to. So, why do they spend $30 or so it costs to buy it? Well, they do so in the hope that the thief chooses one of the 20% of cars that do not have a club and that would therefore be easier and more convenient to rob.
This talk of how long it would take for an attacker to type in a script is misleading. All the attacker needs to do is to take a copy of the file (e.g. email it to themselves, or copy and paste it into pastebin), then they can decode the passwords at their leisure later on. So it doesn't matter how much you obfuscate the password, it might as well be plain text.
I think something like that is what many of us would like to have on our devices. Sure, a determined hacker can break our encryption and other safeguards if they really are determined. But, lets make it a bit harder for them to do so. Maybe they won't bother with ours and just go for the easy pickings.
__________________
-- Worse than not knowing is not wanting to know! --
http://temporaryland.wordpress.com/
-- Worse than not knowing is not wanting to know! --
http://temporaryland.wordpress.com/
Last edited by rm42; 2010-01-25 at 22:08.
|
|
2010-01-25
, 23:20
|
|
Posts: 98 |
Thanked: 31 times |
Joined on Nov 2009
|
#137
|
Originally Posted by pelago
All they need to do is encrypt with a master passphrase (aka the already well used keyring) and then cracking time depends on the quality of the password and implementation of the encryption. Of course if the attacker has access to a HPC and rainbow tables it might make the job a lot quicker!
This talk of how long it would take for an attacker to type in a script is misleading. All the attacker needs to do is to take a copy of the file (e.g. email it to themselves, or copy and paste it into pastebin), then they can decode the passwords at their leisure later on. So it doesn't matter how much you obfuscate the password, it might as well be plain text.
Personally I just don't get why applying good practice from initial design is so hard.
|
|
2010-03-22
, 18:29
|
|
Posts: 53 |
Thanked: 12 times |
Joined on Mar 2010
|
#138
|
So PR1.1 "fixed" the issue. The passwords are no longer stored in accounts.cfg. Hurray!
Where are they stored now?
Where are they stored now?
 |
|
2010-06-02
, 09:56
|
|
Administrator |
Posts: 1,036 |
Thanked: 2,019 times |
Joined on Sep 2009
@ Germany
|
#139
|
To revive this thread from the dead.
Some passwords are stored in gconf like WPA EMail et... not good!
The serious thing here is not passwords but everything else. If I loose my device or forget about it somewhere and someone else picks it up, if it is on he can do anything with it, if its off he can do anything but cell actions... some kind of scary.
At least a device lock code should keep people of using it without flashing both images / and eMMC1. I have overdone it but I like to be on the safe side when it comes to private data. My desktop's drives are secured with proper crypt tools my netbook got a drive lock plus crypts and anything on my phone is just opened up to the beloved people touching it. MicroB has no master password to set, Email and Wifi passwords are stored plain text in gconf and so on!
My online life is meant to be available from N900 as "always Online" device but under the current setup all things but passwords for wifi and email are available without further interaction after a reflash and everything without so even a device lock wont help that much.
Control over what is exported as mass-storage would also be nice so the turned off device does export SD only or nothing.
Some passwords are stored in gconf like WPA EMail et... not good!
The serious thing here is not passwords but everything else. If I loose my device or forget about it somewhere and someone else picks it up, if it is on he can do anything with it, if its off he can do anything but cell actions... some kind of scary.
At least a device lock code should keep people of using it without flashing both images / and eMMC1. I have overdone it but I like to be on the safe side when it comes to private data. My desktop's drives are secured with proper crypt tools my netbook got a drive lock plus crypts and anything on my phone is just opened up to the beloved people touching it. MicroB has no master password to set, Email and Wifi passwords are stored plain text in gconf and so on!
My online life is meant to be available from N900 as "always Online" device but under the current setup all things but passwords for wifi and email are available without further interaction after a reflash and everything without so even a device lock wont help that much.
Control over what is exported as mass-storage would also be nice so the turned off device does export SD only or nothing.
__________________
useful links for newcomers: New members say hello, New users start here, Community subforum, Beginners' wiki page, Maemo5 101, FAQ
useful links for newcomers: New members say hello, New users start here, Community subforum, Beginners' wiki page, Maemo5 101, FAQ
 |
|
2010-06-02
, 11:45
|
|
Posts: 2,355 |
Thanked: 5,249 times |
Joined on Jan 2009
@ Barcelona
|
#140
|
Originally Posted by chemist
Hum... a reflash disables the device lock?
under the current setup all things but passwords for wifi and email are available without further interaction after a reflash and everything without so even a device lock wont help that much
 |
| Tags |
| conversations, debate, email, fremantle, instant message, instant messaging, maemo, maemo 5, modest, password, passwords, plain text, security, telepathy |
«
Previous Thread
|
Next Thread
»
|
All times are GMT. The time now is 17:48.