Linked by Eugenia Loli on Wed 23rd May 2007 00:46 UTC
Privacy, Security, Encryption

Today, while I was trying to create a SIP Presence account for VoIPBuster, Pidgin kept crashing. I had to find its settings in my personal folder in order to manually edit the accounts.xml file and remove the entry (so Pidgin could start up again normally instead of crashing on load). When I opened the accounts.xml file with a plain text editor, all the passwords of all my accounts were listed out in the open in plain text. This is not a new issue, it was discussed many times before, but it can still be a surprise for most users.
RE[2]: Defeatism
by izomiac on Thu 24th May 2007 06:20 UTC in reply to "RE: Defeatism"

Oops, I wasn't intending to use a straw man, but since I don't see the merit in the opposing position I'm willing to assume that I've misinterpreted it. So I will address the argument that false security is worse than no security, as it applies to storing plaintext passwords in Gaim. As I understand it, you are arguing that because pseudo-encryption can be easily defeated it provides no real protection, and encourages the user to naively engage in unsafe activities while believing themselves to be protected. If that is an incorrect assessment then feel free to ignore the rest of this post, and point out that I apparently have no idea of what I'm talking about. BTW, I'm also sorry to have responded to your short post with a long one, but I got bored waiting for a download to complete and as such became very verbose.

I see two falsehoods in your argument as I've interpreted it. The first is that pseudo-encryption (real encryption but with a key that is contained in plaintext elsewhere) offers no "real" security. As I tried to argue in my original post, all security can be eventually defeated, whether by brute force, physically breaking into someone's house to gain physical access, or by social engineering. The purpose of security is not to make cracking impossible, because such a security measure is impossible to create. The purpose of security is to make cracking too costly to be worthwhile, or impossible given the relevant timeframe. Plaintext does not slow down an attacker at all. Pseudo-encryption requires that an attacker learn how Gaim encrypts passwords, learn where the key is stored, and then decrypt the passwords. So, in other words, it adds a layer of obfuscation. This adds a fixed amount of time to the first attack (for learning), and an ignorably trivial amount of time to successive attacks. Essentially a speed-bump. Now, this won't stop a dedicated attacker, but it will probably stop a casual one (a roommate for example). Even if it only added 15 minutes to the required attack time, that might save you if you forget to lock your computer before leaving for lunch. Since this is an optional measure for a relatively unimportant service (which is very common on personal computers) then this should be enough, and serve in lieu of an impossible "real security" mechanism.

The second component of that argument which I disagree with is that it lulls the user into believing that they are secure. In this case I don't think that it would. First of all, this type of encryption is completely transparent to the user. Secondly, if the user is having Gaim "remember" passwords then they probably aren't trying to fend off a dedicated attacker. Thirdly, I would assume that Gaim warns you about the insecurity of "remembering" passwords. Since there isn't a claim of being secure, and the user wouldn't normally notice such a security measure, I don't think that it would affect behavior. I.e. I can't see how the average user (that wouldn't know better) would even know that this is happening. Also, as I mentioned before, if they cared greatly for strong security then they wouldn't have Gaim "remember" their passwords in the first place.

I agree that this would be worthless against a skilled and determined attacker, but I think that it would help in certain situations. I also don't think that all attackers are both skilled and determined. If there isn't a downside to implementing it (a false sense of security or a non-trivial CPU cycle requirement), then why not? It's not like such scenarios are unlikely or there isn't a demand. Thus the reason that I attribute to it is the false ultimatum caused by defeatism. There is no ultimatum because a measure such as this does not preclude superior security measures, and I do not think it would cause changes in user behavior, so in a worst-case scenario it does nothing. You probably can't make a system impervious to a physical attacker, but that doesn't mean that you should make their job easy with plaintext passwords and such.

Reply Parent Score: 2
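
An added example, not part of the original story or comment thread and not Pidgin's own code: a small audit of the accounts.xml file the story describes, reporting which accounts have a password saved in it (without returning the password) and whether the file's mode lets other local users read it. The sample content, its element layout and the account names are constructed assumptions.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample. The element layout and account names are assumptions.
SAMPLE_ACCOUNTS_XML = """<account version='1.0'>
  <account>
    <protocol>prpl-simple</protocol>
    <name>alice@sip.example.invalid</name>
    <password>constructed-secret</password>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@xmpp.example.invalid</name>
  </account>
</account>
"""

def accounts_with_stored_password(xml_text):
    """Return (protocol, name) for each account with a non-empty <password>."""
    root = ET.fromstring(xml_text)
    found = []
    for acct in root.iter("account"):
        pw = acct.findtext("password")  # looks at direct children only
        if pw and pw.strip():
            found.append((acct.findtext("protocol", ""), acct.findtext("name", "")))
    return found

def exposed_to_other_users(path):
    """True if the file mode grants any permission to group or other."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

def audit(path):
    """Summarise one accounts file; the passwords themselves are never returned."""
    with open(path, encoding="utf-8") as fh:
        stored = accounts_with_stored_password(fh.read())
    return {"stored": stored, "exposed": exposed_to_other_users(path)}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "accounts.xml")
        with open(sample, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_ACCOUNTS_XML)
        os.chmod(sample, 0o644)  # readable by other local users
        print(audit(sample))
        os.chmod(sample, 0o600)  # owner-only
        print(audit(sample))
```

The mode check covers other local accounts only; anyone who can act as the owning user, such as the roommate at an unlocked session in the comment above, still reads the file regardless of its mode.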