Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Quote:
If instead of his plain text password, Rushmore found a base64'd password, he would not have opened this thread! So you'd give your N900 to anyone, thinking your passwords are safely "encrypted", when it would have been trivial to "decrypt" them. Since they're saved as plain text, Rushmore has panicked and deduced correctly that he does not have to give that file to anyone. |
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Quote:
|
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Quote:
I'm going to bet it's because of the bug report or a thread like this one. Now, what if it said: Quote:
|
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Just FYI: E-mail passwords are also stored as plain text in gconf.
gconftool-2 -R /apps/modest/server_accounts
...
And now you know to be more careful with your device :) |
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Quote:
If they were encrypted I would give the device to SOME people. Btw, why can't this file be readable only by the root user? Actually, did you know that Firefox's password safe GUI was "plain text" for a while, but they changed it so that you have to press a button before it shows the passwords behind the usernames? Is this a completely stupid thing to do? |
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
I think it should be encrypted, because it's easy to run a single command to get all account information now, so even idiots can get your pw. Making it more confusing would be better; yes, it won't give any advantage if the attacker knows what he is doing, but mostly they don't. Mostly, they just google it, find some command (like "cat /home/user/.westorepasswordshere") and will try to get your pw that way, which is really easy; even your mom can do it.
Anyway, making it much more confusing is easy to do and there's no downside; if someone is careless enough to give their devices away, they already don't know/care about encrypting, security, maybe even GNU/Linux.
To @slender: If I understood you correctly: You can assign a master password to protect your account information for Firefox. You cannot do the same thing for the N900. |
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Quote:
|
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Encrypting can be an option in Settings. So if you want to protect your passwords with a master password (which is shorter than your 20~ character IM password?) you can enter it once (when connecting to IM the first time, or when booting, I'm not sure) and it'll not ask you again, and your password is safe. If your device gets stolen, or if you give it to someone, they can connect to your IM accounts (because it's not asking for a password if you don't reboot it), but they can't get your password; they don't know your master pw. This method is already in use for KWallet and Kopete, which are part of the K Desktop Environment, on GNU/Linux.
|
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Quote:
I see no change in that behavior between PR1.0 and PR1.1. Haven't tried backing it up, tho, but I guess the result would be the same. Quote:
If you know where to find the file, you've probably found that out in one of the following ways:
1) You are tech-savvy and you know where some application stores its files. In that case, you already know how it stores them, and how to decode possibly encoded passwords.
2) You found it on the internet (for example in this thread). If the files were encoded using base64 (or something as trivial as b64) instead of plain text, this thread would already have step-by-step instructions on how to deobfuscate those passwords, so you'd still get the passwords with one additional step.
3) You were browsing through someone's device long enough and checking each file, and suddenly you came across a file that stored account data. If the passwords were plain text, you'd know them immediately; if they weren't, chances are that with a simple Google search for that file you'll find a thread/blog/whatever that explains how to extract the passwords.
In all three possible cases, passwords stored with a trivial, reversible encoding are not any safer than in plain text. But knowing that your passwords are not safely stored is actually a better thing than having a false sense of security - this way you won't be giving your device to anyone that easily and you'll know the risks involved.
Quote:
Quote:
Code:
perl -MMIME::Base64 -pe '$_ = decode_base64($_)' .rt-accounts/accounts.cfg |
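As an added illustration of the point argued in the post above (this is not code from the thread): a small Python audit that rates a base64-stored secret the same as a plain-text one, because both are recoverable without any key, and that flags a file mode readable beyond its owner. The key=value layout, the key names and the sample values are constructed assumptions, not the real N900 account file format.

```python
import base64
import binascii
import stat

# Constructed sample in a hypothetical key=value layout (not the real file format).
SAMPLE_CFG = """\
account=alice@example.org
password=correct horse
account=bob@example.org
password=Y29ycmVjdCBob3JzZQ==
"""

SECRET_KEYS = ("password", "passwd", "secret")  # assumed key names


def recover(value):
    """Return (storage_label, secret) using no key at all.

    Heuristic: a value that strictly decodes as base64 into printable UTF-8
    is treated as an encoded secret; everything else is taken as plain text.
    """
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
        if value and text.isprintable():
            return "base64 (reversible, no key needed)", text
    except (binascii.Error, UnicodeDecodeError):
        pass
    return "plain text", value


def audit(cfg_text, mode):
    """List findings for a credentials file; secrets are never echoed."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file readable beyond owner (mode %o)" % stat.S_IMODE(mode))
    for n, line in enumerate(cfg_text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in SECRET_KEYS:
            label, _ = recover(value.strip())
            findings.append("line %d: secret stored as %s" % (n, label))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CFG, 0o100644):
        print(finding)
```

Both sample entries yield the same secret, which is why the audit reports them as equally exposed; only a key that is not stored next to the data, such as one derived from a master password, changes that.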
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Quote:
|