Linked by Eugenia Loli on Wed 23rd May 2007 00:46 UTC
Privacy, Security, Encryption

Today, while I was trying to create a SIP Presence account for VoIPBuster, Pidgin kept crashing. I had to find its settings in my personal folder in order to manually edit the accounts.xml file and remove the entry (so Pidgin could start up again normally instead of continuing to crash on load). When I opened the accounts.xml file with a plain text editor, all the passwords of all my accounts were listed out in the open in plain text. This is not a new issue; it was discussed many times before, but it can still be a surprise for most users.
Permalink for comment 242764
by izomiac on Wed 23rd May 2007 20:59 UTC

I've never quite understood why people simply give up when a theoretical attacker has physical access. It's not even an uncommon scenario, since all external physical security measures can be defeated (door locks for example). Taken to the logical extremes that defeatists will go to, even encryption (with an unknown key) is worthless since every algorithm other than an OTP can be brute-forced given enough time. Sure, there is no (possible?) method of completely securing a computer from a physical attacker, but the point of security isn't to make something impregnable given infinite resources, it's to make the cost of gaining access prohibitive.

Encrypting the stored passwords with some random password stored in plaintext elsewhere won't stop a determined attacker with detailed knowledge of Gaim's security measures. But it will almost definitely stop a nosy college roommate. Full disk encryption and a screensaver might not stop the NSA, but it'll probably stop just about everybody else from gaining access to the data on a stolen (or seized) computer. "Everything or nothing" is a false ultimatum. After all, show me a security measure that you claim can never be defeated under any circumstances and I'll just point at you and laugh. (That's not to say one shouldn't strive for the best possible security, but no security is effectively the worst possible security.)

Reply Score: 4