Linked by Eugenia Loli on Wed 23rd May 2007 00:46 UTC
Privacy, Security, Encryption

Today, while I was trying to create a SIP Presence account for VoIPBuster, Pidgin kept crashing. I had to find its settings in my personal folder in order to manually edit the accounts.xml file and remove the entry (so Pidgin could start up again normally instead of crashing on load). When I opened the accounts.xml file with a plain text editor, all the passwords of all my accounts were listed out in the open in plain text. This is not a new issue; it was discussed many times before, but it can still be a surprise for most users.
Thread beginning with comment 242764
by izomiac on Wed 23rd May 2007 20:59 UTC

I've never quite understood why people simply give up when a theoretical attacker has physical access. It's not even an uncommon scenario, since all external physical security measures can be defeated (door locks for example). Taken to the logical extremes that defeatists will go to, even encryption (with an unknown key) is worthless since every algorithm other than an OTP can be brute-forced given enough time. Sure, there is no (possible?) method of completely securing a computer from a physical attacker, but the point of security isn't to make something impregnable given infinite resources, it's to make the cost of gaining access prohibitive.

Encrypting the stored passwords with some random password stored in plaintext elsewhere won't stop a determined attacker with detailed knowledge of Gaim's security measures. But it will almost definitely stop a nosy college roommate. Full disk encryption and a screensaver might not stop the NSA, but it'll probably stop just about everybody else from gaining access to the data on a stolen (or seized) computer. "Everything or nothing" is a false ultimatum. After all, show me a security measure that you claim can never be defeated under any circumstances and I'll just point at you and laugh. (That's not to say one shouldn't strive for the best possible security, but no security is effectively the worst possible security.)

Reply Score: 4

RE: Defeatism
by rajj on Wed 23rd May 2007 21:42 in reply to "Defeatism"

Straw man.

The argument isn't that no security is better than having security. The argument is that _false_ security is worse than no security. A trivial encryption scheme will only lull you into believing you're safe when in fact you are not.

If you were to ride a motorcycle, would you put a bucket over your head in place of a proper helmet under the guise that something is better than nothing? I wouldn't. I just wouldn't ride.

The recommendation is to _not_ save your password on disk unless you're sure that the file that contains it is secure.

Reply Parent Score: 3
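
The recommendation above, not saving a password unless the file holding it is secure, can be turned into a check. The following is an added example, not part of the original thread or of Pidgin/Gaim: it reports which accounts have a stored password and whether anyone besides the owner can read the file. The element names (`account`, `name`, `password`), the sample data and the function names are assumptions made for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption modelled on a
# Pidgin/Gaim-style accounts.xml, not a file taken from the page.
SAMPLE = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-example</protocol>
    <name>alice@example.org</name>
    <password>constructed-secret</password>
  </account>
  <account>
    <name>bob@example.org</name>
  </account>
</account>
"""

def audit_accounts_file(path):
    """Report which accounts store a password and who else can read the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    root = ET.parse(path).getroot()
    stored = []
    for acct in root.iter("account"):
        pw = acct.find("password")  # direct child only, so the root is skipped
        if pw is not None and (pw.text or "").strip():
            # Record the account name only; never echo the secret itself.
            stored.append(acct.findtext("name", default="?"))
    return {
        "mode": oct(mode),
        "others_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "accounts_with_stored_password": stored,
    }

def demo():
    """Write the constructed sample with a loose mode, audit, tighten, re-audit."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "accounts.xml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)
        before = audit_accounts_file(path)
        os.chmod(path, 0o600)
        after = audit_accounts_file(path)
    return before, after

print(demo())
```

The check covers POSIX permission bits only; it says nothing about backups, other administrators on the machine, or an unencrypted disk.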

RE[2]: Defeatism
by izomiac on Thu 24th May 2007 06:20 in reply to "RE: Defeatism"

Oops, I wasn't intending to use a straw man, but since I don't see the merit in the opposing position I'm willing to assume that I've misinterpreted it. So I will address the argument that false security is worse than no security, as it applies to storing plaintext passwords in Gaim. As I understand it you are arguing that because pseudo-encryption can be easily defeated it provides no real protection, and encourages the user to naively engage in unsafe activities while believing themselves to be protected. If that is an incorrect assessment then feel free to ignore the rest of this post, and point out that I apparently have no idea of what I'm talking about. BTW, I'm also sorry to have responded to your short post with a long one, but I got bored waiting for a download to complete and as such became very verbose.

I see two falsehoods in your argument as I've interpreted it. The first is that pseudo-encryption (real encryption but with a key that is contained in plaintext elsewhere) offers no "real" security. As I tried to argue in my original post, all security can be eventually defeated, whether by brute force, physically breaking into someone's house to gain physical access, or by social engineering. The purpose of security is not to make cracking impossible, because such a security measure is impossible to create. The purpose of security is to make cracking too costly to be worthwhile, or impossible given the relevant timeframe. Plaintext does not slow down an attacker at all. Pseudo-encryption requires that an attacker learn how Gaim encrypts passwords, learn where the key is stored, and then decrypt the passwords. So, in other words, it adds a layer of obfuscation. This adds a fixed amount of time to the first attack (for learning), and an ignorably trivial amount of time to successive attacks. Essentially a speed-bump. Now, this won't stop a dedicated attacker, but it will probably stop a casual one (a roommate for example). Even if it only added 15 minutes to the required attack time, that might save you if you forget to lock your computer before leaving for lunch. Since this is an optional measure for a relatively unimportant service (which is very common on personal computers) then this should be enough, and serve in lieu of an impossible "real security" mechanism.

The second component of that argument which I disagree with is that it lulls the user into believing that they are secure. In this case I don't think that it would. First of all, this type of encryption is completely transparent to the user. Secondly, if the user is having Gaim "remember" passwords then they probably aren't trying to fend off a dedicated attacker. Thirdly, I would assume that Gaim warns you about the insecurity of "remembering" passwords. Since there isn't a claim of being secure, and the user wouldn't normally notice such a security measure, I don't think that it would affect behavior. I.e. I can't see how the average user (that wouldn't know better) would even know that this is happening. Also, as I mentioned before, if they cared greatly for strong security then they wouldn't have Gaim "remember" their passwords in the first place.

I agree that this would be worthless against a skilled and determined attacker, but I think that it would help in certain situations. I also don't think that all attackers are both skilled and determined. If there isn't a downside to implementing it (a false sense of security or a non-trivial CPU cycle requirement), then why not? It's not like such scenarios are unlikely or there isn't a demand. Thus the reason that I attribute to it is the false ultimatum caused by defeatism. There is no ultimatum because a measure such as this does not preclude superior security measures, and I do not think it would cause changes in user behavior, so in a worst case scenario it does nothing. You probably can't make a system impervious to a physical attacker, but that doesn't mean that you should make their job easy with plaintext passwords and such.

Reply Parent Score: 2