javispedro
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#91
Originally Posted by slender:
Do people behave carelessly when passwords are encrypted? Any studies about this?
This very thread!

If instead of his plain text password, Rushmore found a base64'd password, he would not have opened this thread! So you'd give your N900 to anyone, thinking your passwords are safely "encrypted", when it would have been trivial to "decrypt" them.

Since they're saved as plain text, Rushmore has panicked and deduced correctly that he does not have to give that file to anyone.
 

Posts: 68 | Thanked: 24 times | Joined on Jan 2010
#92
Originally Posted by slender:
How you measure "false feeling of security"?

Do people behave carelessly when passwords are encrypted? Any studies about this?

I would be offended if someone said to me that I'm careless because I falsely think that I'm safe because of some non-trivial encryption. Actually I would be really offended because that's basically saying "You are a bit stupid, ain't you?"
As has been said, most were not calling for a non-trivial form of encryption but a trivial form that is better called obfuscation.
 
Jaffa
Posts: 2,535 | Thanked: 6,681 times | Joined on Mar 2008 @ UK
#93
Originally Posted by slender:
I know where to find it and I have no idea how to encrypt that kind of encryption?
How do you know where to find it?

I'm going to bet it's because of the bug report or a thread like this one. Now, what if it said:

OMG! Copy & paste the following code into X Terminal and you can get the IM passwords for ANYONE's N900!!!!111!!!

Code:
perl -MMIME::Base64 -pe '$_ = decode_base64($_)' .rt-accounts/accounts.cfg
__________________
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org
 

Posts: 388 | Thanked: 842 times | Joined on Sep 2009 @ Finland
#94
Just FYI: E-mail passwords are also stored as plain text in gconf.

gconftool-2 -R /apps/modest/server_accounts

... And now you know to be more careful with your device

Last edited by hqh; 2010-01-18 at 14:35.
 
Posts: 2,829 | Thanked: 1,459 times | Joined on Dec 2009 @ Finland
#95
Originally Posted by javispedro:
This very thread!

If instead of his plain text password, Rushmore found a base64'd password, he would not have opened this thread! So you'd give your N900 to anyone, thinking your passwords are safely "encrypted", when it would have been trivial to "decrypt" them.

Since they're saved as plain text, Rushmore has panicked and deduced correctly that he does not have to give that file to anyone.
Do you know that there are different levels of security? I do know that these levels are unmeasurable and subjective, but if you really want to be safe I would probably not use a computer and I would be living in a small aluminium foil box in the same place where Air France's black box is.

If they were encrypted I would give the device to SOME people. Btw, why can't this file be readable only by the root user?

Actually, did you know that Firefox's password safe GUI was "plain text" for a while, but they changed it so that you have to press a button before it shows the passwords behind the usernames? Is this a completely stupid thing to do?
 
Aranel
Posts: 301 | Thanked: 227 times | Joined on Nov 2009 @ Turkey
#96
I think it should be encrypted. Because it's easy to run a single command to get all account information now, even idiots can get your password. Making it more confusing would be better; yes, it won't give any advantage if the attacker knows what he is doing, but mostly they don't. Mostly, they just google it, find some command (like "cat /home/user/.westorepasswordshere") and will try to get your password that way, which is really easy; even your mom can do it.

Anyway, making it much more confusing is easy to do and there's no downside; if someone is careless enough to give their devices away, they already don't know/care about encryption, security, maybe even GNU/Linux.

To @slender: If I understood you correctly: you can assign a master password to protect your account information in Firefox. You cannot do the same thing on the N900.
 
Posts: 2,829 | Thanked: 1,459 times | Joined on Dec 2009 @ Finland
#97
Originally Posted by Jaffa:
How do you know where to find it?

I'm going to bet it's because of the bug report or a thread like this one. Now, what if it said:
Hmm. First I should know something about X Terminal. We are now talking about copy-pasting text into a BROWSER and you are talking about xterm, which just scares **** out of most of the population.
 
Aranel
Posts: 301 | Thanked: 227 times | Joined on Nov 2009 @ Turkey
#98
Encrypting could be an option in Settings. So if you want to protect your passwords with a master password (which is shorter than your ~20 character IM password?), you can enter it once (when connecting to IM the first time, or when booting, I'm not sure) and it'll not ask you again, and your password is safe. If your device gets stolen, or if you give it to someone, they can connect to your IM accounts (because it's not asking for the password, if you don't reboot it) but they can't get your password, as they don't know your master password. This method is already in use in KWallet and Kopete, which are part of the K Desktop Environment, on GNU/Linux.
 

zwer
Posts: 455 | Thanked: 782 times | Joined on Nov 2009 @ Netherlands
#99
Originally Posted by SubCore:
I created the Skype account only 2 days ago (with PR 1.1); the MSN account is older, created with PR1.0.
The MSN password is stored in plaintext in accounts.cfg, but Skype's password is NOT stored there at all.

I'm gonna recreate the MSN account in the evening when I get home; maybe someone else can try sooner.
I deleted skype and one of my gtalk accounts, then re-added them, and they are correctly and openly written @ ~/.rtcom-accounts/accounts.cfg

I see no change in that behavior between PR1.0 and PR1.1. Haven't tried backing it up, though, but I guess the result would be the same.

Originally Posted by slender:
I know where to find it and I have no idea how to encrypt that kind of encryption. You probably have too high expectations about fellow citizens, or I'm just below your standard of the average man. Prepare for disappointments with people and living in a world where all the other people seem to be a bit stupid. Hey, I just described the world view of a normal Linux "guru" :P
It has nothing to do with high expectations; I'm perfectly aware that an average Joe barely knows what a computer is, let alone how and where it stores files. However, as many people have noted, providing a base64 encoding or something equally trivial would not give anyone any more security - what's the difference if the file containing passwords has `cGFzc3dvcmQ=` instead of `password`? It's the same f. thing!

If you know where to find the file, you've probably found it out in one of the following ways:
1) You are tech-savvy and you know where some application stores its files. In that case, you already know how it stores them, and how to decode possibly encoded passwords.
2) You found it on the internet (for example in this thread). If the files were encoded using base64 (or something as trivial as base64) instead of plain text, this thread would already have step-by-step instructions on how to deobfuscate those passwords, so you'd still get the passwords with one additional step.
3) You were browsing through someone's device long enough, checking each file, and suddenly you came across a file that stored account data. If the passwords were plain text, you'd know them immediately; if they weren't, chances are that with a simple Google search for that file you'd find a thread/blog/whatever that explains how to extract the passwords.

In all three possible cases, passwords are not any safer stored with a trivial, reversible encoding than in plain text. But knowing that your passwords are not safely stored is actually a better thing than having a false sense of security - this way you won't be giving your device to anyone that easily and you'll know the risks involved.

Originally Posted by joelus:
I don't think it's invalid at all. I would at least like the option of being asked for my password every time I log into a service rather than having it stored in plain text.
I mean once I'm logged in, I won't need to type it again until I disconnect or log out?
That is a perfectly good solution for paranoids, and it should be filed as an enhancement request. The whole argument here is that stored passwords in a trivial encoding are not any safer than those in plain text. If someone wants real encryption, that's a perfectly valid request, but they should be prepared to give up the convenience of password-less auto login.

Originally Posted by Aranel:
Mostly, they just google it, find some command (like "cat /home/user/.westorepasswordshere" ) and will try to get your pw that way, which is really easy, even your mom can do it.
And how would that be any different than, as Jaffa already noted, having a slightly different copy/paste command if the file was base64 encoded:

Code:
perl -MMIME::Base64 -pe '$_ = decode_base64($_)' .rt-accounts/accounts.cfg

Last edited by zwer; 2010-01-18 at 14:42.
 

Posts: 3,617 | Thanked: 2,412 times | Joined on Nov 2009 @ Cambridge, UK
#100
Originally Posted by zwer:
I deleted skype and one of my gtalk accounts, then re-added them, and they are correctly and openly written @ ~/.rtcom-accounts/accounts.cfg

I see no change in that behavior between PR1.0 and PR1.1. Haven't tried backing it up, tho, but I guess the result would be the same.
Interesting - I wonder why they're saved for some and not for others then (and where it is putting them otherwise).
 