Active Topics
-
Sailfish OS for the Motorola Moto G7 Power (XT1955-5) - (ocean) (3)
to SailfishOS by edp17 - 12 hrs, 58 mins ago -
The N900 is now 15 years old! (6)
to Nokia N900 by Macros - 1 day, 16 hrs ago -
F(x)tec Pro1x (QWERTY) for sale (0)
to Buy & Sell by aln00000 - 2 days, 5 hrs ago -
n770 youtube video (0)
to General by nmdv - 6 days, 4 hrs ago - more...
scudderfish |
2010-01-18
, 13:04
|
|
Posts: 61 |
Thanked: 36 times |
Joined on Feb 2006
@ Harpenden
|
#51
|
Originally Posted by SubCore
But the app needs to decode the encryption so it can send it to the IM service (hopefully over an SSL connection). If the app can decode it, then the app has access to the encrpytion key. If the app has access to it, so does the user. If the user has access so does the bad guy with physical access to the device. It's obfuscation, not encryption, and all soothing concerns does is engender a false sense of security which can lead to less overall security.
|
|
2010-01-18
, 13:04
|
|
Posts: 68 |
Thanked: 36 times |
Joined on Dec 2009
|
#52
|
Originally Posted by SubCore
Yes, but in my case at least it is encrypted... that's why I have to type a passphrase to log in to servers from my phone ;-)
you know, if you go to "file:///home/user/.ssh/id_rsa", you can see the PRIVATE key file of the N900's user! omg!
|
|
2010-01-18
, 13:04
|
|
Posts: 692 |
Thanked: 264 times |
Joined on Dec 2009
|
#53
|
Originally Posted by Stskeeps
I agree, any password storage method short of a software that accesses a TPM module will still be breakable on an open OS...but it wouldn't be as trivial as looking at the contents of just one file. And yes the iPhone and Android phones probably use plain text storage as well, but that's hardly an excuse.
Bring it on, show usI'm willing to bet that we will be able to dissect anything you come up with due to the physical access to device.
|
|
2010-01-18
, 13:05
|
|
Posts: 3,617 |
Thanked: 2,412 times |
Joined on Nov 2009
@ Cambridge, UK
|
#54
|
Originally Posted by ruskie
Except the concern of actually working. The issue with these passwords is that the N900 has to actually submit them to the relevant servers. A non-reversible encryption process will break this.
A salted md5 hash would probably more or less avoid many of the concerns.
As has been pointed out, with PR1.1 these passwords do not appear to be being saved to the accounts file (for new accounts), so this may already have been "solved".
| The Following User Says Thank You to Rob1n For This Useful Post: | ||
 |
|
2010-01-18
, 13:06
|
|
Posts: 71 |
Thanked: 65 times |
Joined on Oct 2009
@ Brighton, UK
|
#55
|
there's too many stupid excuses coming up in this thread, if it was apple iphone it would already be on the lunch time news about it.
there is no other device in my possession what allows the exploit of passwords via a simple type of few words in a web browser and saying dont let it out your hands is not a solution. How is easy would it be for family and friends to spy on each other and yes it does happens amongst insecure people..
lastly how easy would it be for someone to code something to feed that data to a server?
I should be working, but I simply can't let that pass...
Firstly, I don't care about iPhones.
Secondly, there are several devices potentially in your possesion where I could retrieve your stored passwords if I physically had that device in my hands or on a desk in front of me.
Your Windows machine? Boot it up with any Linux distro on a USB stick, run the right program and I have all your local user logins and passwords.
You're a firefox user? Try running one of your stored passwords through this:
Code:
#!/usr/bin/perl -w
use strict;
use MIME::Base64;
if ( !defined(@ARGV->[0]) ) {
print "usage: $0 base64_password\n";
} else {
my $test = decode_base64(@ARGV->[0]);
print $test . "\n";
}
Presumably if you lost you car keys and your car got stolen as a result, you'd be blaming the manufacturer for that, too?
__________________
Phil Edwards
Brighton, UK
Phil Edwards
Brighton, UK
| The Following 11 Users Say Thank You to PhilE For This Useful Post: | ||
 |
|
2010-01-18
, 13:07
|
|
Posts: 739 |
Thanked: 242 times |
Joined on Sep 2007
@ Montreal
|
#56
|
The only solution here is to have a keyring setuped correctly, but if it uses a 5 chars numerical-only key, there is not much gained either.
Not news, move along, nothing to see...
Not news, move along, nothing to see...
__________________
Please vote for the following Bugs:
Please vote for the following Bugs:
| The Following 2 Users Say Thank You to R-R For This Useful Post: | ||
|
|
2010-01-18
, 13:07
|
|
Posts: 337 |
Thanked: 160 times |
Joined on Aug 2009
@ München, DE
|
#57
|
Originally Posted by Venomrush
Just in case you still have not noticed: That does not have to do *ANYTHING* with or with not backing up the device.
My question now is where does .rtcom-accounts\accounts.cfg get its data from to the backup and whether or not that's protected as well?
 |
|
2010-01-18
, 13:09
|
|
Posts: 1,111 |
Thanked: 1,985 times |
Joined on Aug 2009
@ Ċbo, Finland
|
#58
|
as I mentioned before, having a keyring type solution would definately be more secure for this. i.e. encrypting the password file and opening it for logging in with a password. but then you'd have to type in the password every time you want to log in to anything. that done right would protect the passwords to a certain degree.
I guess hashing the password is a simple way to make people feel secure, and it does give some protection against opportunist laymen.
I guess hashing the password is a simple way to make people feel secure, and it does give some protection against opportunist laymen.
__________________
Class .. : Meddler, Thread watcher, Developer, Helper
Humor .. : [********--] Alignment: Pacifist
Patience : [*****-----] Weapon(s): N900, N950, Metal music
Agro ... : [----------] Relic(s) : N95, NGage, Tamyia Wild One
Try Tweed Suit for your hardcore twittering needs
http://twitter.com/mece66
I like my coffee black, like my metal.
Class .. : Meddler, Thread watcher, Developer, Helper
Humor .. : [********--] Alignment: Pacifist
Patience : [*****-----] Weapon(s): N900, N950, Metal music
Agro ... : [----------] Relic(s) : N95, NGage, Tamyia Wild One
Try Tweed Suit for your hardcore twittering needs
http://twitter.com/mece66
I like my coffee black, like my metal.
 |
|
2010-01-18
, 13:11
|
|
Posts: 1,885 |
Thanked: 2,008 times |
Joined on Aug 2009
@ OVI MAPS
|
#59
|
Originally Posted by PhilE
the thing is you need to use software to get my passwords off me on my other devices in the form of jailbreaking my iphone and symbian devices to get to relevent files or install some unsigned software.
Sigh....
I should be working, but I simply can't let that pass...
Firstly, I don't care about iPhones.
Secondly, there are several devices potentially in your possesion where I could retrieve your stored passwords if I physically had that device in my hands or on a desk in front of me.
on the n900 zero effort as to be put in to get them.
my mom could do it by reading this thread and needing no software at all lol
|
|
2010-01-18
, 13:11
|
|
Posts: 68 |
Thanked: 36 times |
Joined on Dec 2009
|
#60
|
Originally Posted by GameboyRMH
It's maybe 1 line of code to encrypt it, but where do you keep the encryption/decryption key? If it is also sitting unencrypted on the device, you might as well leave the whole thing in plain text as it makes 0 difference in terms of real security. Encryption is not some kind of magic that only lets good guys access stuff.
Seriously, it's about 3 more lines of code to encrypt it!
To provide real security you would have to ask the user for a passphrase to decrypt the password file... either every time the password needs to be used (highly impractical) or the first time, and then cache it for a certain amount of time or until reboot. This is what ssh-agent does for ssh key decryption passphrases.
A general solution offering a compromise between security and practicality would be to store this type of information in plain text, but inside an encrypted partition that is mounted at startup (after the user provides a passphrase). This is what I do on my Ubuntu pc, using ecryptfs. Not sure how easy it would be to port something like this to maemo. My guess: not so easy ;-)
Paolo
 |
| Tags |
| conversations, debate, email, fremantle, instant message, instant messaging, maemo, maemo 5, modest, password, passwords, plain text, security, telepathy |
«
Previous Thread
|
Next Thread
»
|
All times are GMT. The time now is 01:59.