Jaffa
Posts: 2,535 | Thanked: 6,681 times | Joined on Mar 2008 @ UK
#71
Originally Posted by zwer:
So, a guy that knows how to write an app, or inject his malicious code into some other app, and convince you to download and install it, will have more trouble getting your obfuscated passwords than those written in plain text? Come on...
And if said app can be downloaded through App Manager? Or a file can be uploaded through the browser to a remote machine? Or someone can copy & paste a single command to ROT13 a file, or Base-64 decode it.
__________________
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org
 
ewan
Posts: 445 | Thanked: 572 times | Joined on Oct 2009 @ Oxford
#72
It's pretty obvious that the correct solution here is an encrypted store for the passwords on the filesystem, and a keyring process that keeps the unencrypted ones only in memory and hands them out to authorised applications. In other words, the exact same solution as everyone else already uses for this on other platforms (e.g. Gnome keyring, KDE's Wallet, Firefox's password/certificate store).

What seems to be lacking is any will to actually implement that.
 
zwer
Posts: 455 | Thanked: 782 times | Joined on Nov 2009 @ Netherlands
#73
Asterisks on password entry (or even unixesque blind password entry) exist purely because someone might be looking over your shoulder - on my home PC I'd pretty much like an option to remove them... On a mobile device those are useful because you cannot control your environment and you never know who is looking over your shoulder.

Password storage is a whole different thing - it exists because of convenience (not having to type passwords whenever you want to connect to some service). If you want to implement some security measures there - you have to give up on the convenience, as simple as that.
 

The Following 3 Users Say Thank You to zwer For This Useful Post:
Posts: 547 | Thanked: 1,383 times | Joined on Sep 2009 @ Stockholm, Sweden
#74
Originally Posted by Venomrush:
For example:
ATM it's difficult to know that apps on Extras got anything harmful in them...I believe it is reasonably easy to slip in a code to send accounts.cfg with passwords in plain text back
Which is why we have... http://wiki.maemo.org/Extras-testing/QA_Checklist

Security risks

The main security risks are financial damage, access to private data and harm to device components. If you find such risk in an application then you need to report it and the app can't be uploaded to Extras until a deeper analysis has been done with favourable results.
__________________

Problem with fMMS? Run in x-terminal: cp /tmp/fmms.log /home/user/MyDocs/
After that you'll see fmms.log in filemanager or when you connect the device to your desktop as a mass storage device.
E-mail the log to me, if you don't have the email address, drop me a PM. Thanks!

fMMS - MMS for your N900
fAPN - GUI for adding a new GPRS APN
If you like this post, don't be shy to thank me -->
 

The Following User Says Thank You to frals For This Useful Post:
Posts: 388 | Thanked: 842 times | Joined on Sep 2009 @ Finland
#75
Originally Posted by twaelti:
I can't believe the sheer arrogance of the ideologic "security folks", preaching supersecurity or none at all.
In practice, having weak security IS better than no security.
Which is worse?
a) Thinking your passwords are safe while in reality they are not
b) Knowing your passwords are not safe (if your device is in wrong hands)

Yes there is always the "passwords are safe from your mom and little brother but not someone who knows what he's doing" option, but it will lead many users to "a".
 

The Following 4 Users Say Thank You to hqh For This Useful Post:
Posts: 1,224 | Thanked: 1,763 times | Joined on Jul 2007
#76
Originally Posted by PhilE:
You're a firefox user? Try running one of your stored passwords through this:
Unfortunately for you, your example proves the opposite of your point. Firefox has the option to encrypt all your saved passwords using a master password.
 
Posts: 891 | Thanked: 499 times | Joined on Nov 2009 @ UK
#77
Bug has been marked as INVALID

Oh well, a major fail for N900/Maemo
__________________
Follow me on Twitter
 

The Following User Says Thank You to Venomrush For This Useful Post:
NvyUs
Posts: 1,885 | Thanked: 2,008 times | Joined on Aug 2009 @ OVI MAPS
#78
Originally Posted by hqh:
Which is worse?
a) Thinking your passwords are safe while in reality they are not
b) Knowing your passwords are not safe (if your device is in wrong hands)

Yes there is always the "passwords are safe from your mom and little brother but not someone who knows what he's doing" option, but it will lead many users to "a".
Well, most of us until today have been duped already by option A, thinking they were safe.
I'm sure if many people knew or were told option B before they hit submit to purchase, they would not have got the device at all.

Last edited by NvyUs; 2010-01-18 at 13:53.
 
zwer
Posts: 455 | Thanked: 782 times | Joined on Nov 2009 @ Netherlands
#79
The `mom` argument is even more ludicrous (especially for grownups that don't live in their mom's basement :P) - your mom wouldn't know where to look for the said file. If she would, chances are that she knows how to base64/whatever-fully-reversible-algorithm-is-used decode it. And yes, she might find a site on the internet that shows where the said file is, but then again, if it were obfuscated there would be instructions how to deobfuscate it.
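
Added example, not part of any post in this thread: a QA-style audit for the point made in posts #71 and #79, that ROT13, Base-64 and similar encodings protect nothing because they need no key. The tester sets a known canary password on a test account, then scans the credential file for it under keyless transforms. The INI-style sample layout, the section names, the canary value and the function names are all constructed for illustration and are not the real accounts.cfg format.

```python
import base64
import codecs

# Transforms that need no key: whoever can read the file can undo them.
KEYLESS_ENCODINGS = {
    "plaintext": lambda s: s,
    "base64": lambda s: base64.b64encode(s.encode()).decode(),
    "hex": lambda s: s.encode().hex(),
    "rot13": lambda s: codecs.encode(s, "rot13"),
    "reversed": lambda s: s[::-1],
}


def find_canary(store_text, canary):
    """Return [(line_no, encoding)] for every line where the canary password
    appears as-is or under a keyless, reversible encoding."""
    needles = {name: enc(canary) for name, enc in KEYLESS_ENCODINGS.items()}
    hits = []
    for line_no, line in enumerate(store_text.splitlines(), start=1):
        for name, needle in needles.items():
            if needle in line:
                hits.append((line_no, name))
    return hits


def sample_store(canary):
    """Constructed INI-style credential file (layout is an assumption, not the
    real accounts.cfg): three keyless variants and one opaque value."""
    enc = KEYLESS_ENCODINGS
    return "\n".join([
        "[account-plain]",
        "username = tester@example.org",
        "password = " + canary,
        "[account-b64]",
        "password = " + enc["base64"](canary),
        "[account-rot13]",
        "password = " + enc["rot13"](canary),
        "[account-keyed]",
        # Stand-in for ciphertext produced under a key that is not in the file.
        "password = 9f3c1e7a5b2d48c6a0e4d1f7",
    ])


if __name__ == "__main__":
    canary = "Canary-Pw-7731"  # constructed test password, set only for the audit
    for line_no, encoding in find_canary(sample_store(canary), canary):
        print(f"line {line_no}: canary recoverable without a key ({encoding})")
```

A hit under any of these encodings means the file is equivalent to plain text for anyone who can read it; only the last entry, whose value depends on a key held elsewhere, passes.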
 
Posts: 3,617 | Thanked: 2,412 times | Joined on Nov 2009 @ Cambridge, UK
#80
Originally Posted by Venomrush:
Bug has been marked as INVALID
As it no longer appears to be happening in PR1.1, I'm not surprised.
 
Tags
conversations, debate, email, fremantle, instant message, instant messaging, maemo, maemo 5, modest, password, passwords, plain text, security, telepathy


 