Page 14 of 15
Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
Quote:
Re: IM, Email Passwords Are Stored as Plain Text
Quote:
I can't wait for the N900 to have some TPM mechanism, probably will have to buy a new unit, but I think it will be worth it, if it can really secure a device. For now I'll keep my sensitive conf files and documents on my FDE eeepc.
Re: IM, Email Passwords Are Stored as Plain Text
Oh come now. Doesn't everyone see the difference between needing "cat" to see all passwords and needing to write a script?
No lock is 100% secure. Even safes and professional security are rated in time alone with an expert. I happen to have such experts as friends, since I work in IT and although I'm a Windows guru, not every friend I have is. Some are Unix admins with more than enough know-how to wander around poking "oooh, is this your messenger config file? Does keep track of ... ooooh. Nice passwords, dork". There's not much of a difference between a normal lock and an open door for a thief, it takes one 10 seconds to go through it. However, HAVING a lock is not only effective for 99% of the population, it is also the international sign of "stay the heck away". And no, a one-liner is not enough security. There has to be something that is not a one-liner in the terminal. A modified ROT13 would be just fine, thanks. ROT15? Don't know. But there is no ROT15 implemented in any language, you need to write one and that takes a minute on the N900 kbd. I have the time to see him typing furiously in the terminal and look over the shoulder. Also, it's not immediately obvious that it's a ROT15 and not ROT16 or similar, making the scanning source harder to write. I'm not asking for 100% security, or even 20% security. I'm asking you not to leave the door wide open. The draft is killing me.
Re: IM, Email Passwords Are Stored as Plain Text
Quote:
Encode ("ROT15"):
Code:
# rotate uppercase letters forward by 15 positions
tr 'A-Z' 'P-ZA-O' < .rtcom-accounts/accounts.cfg
Code:
# reverse the rotation
tr 'P-ZA-O' 'A-Z' < .rtcom-accounts/accounts.cfg
Quote:
Do you trust them not to ring up a premium rate sex line; which they could also do and cost you actual physical money.
Quote:
Re: IM, Email Passwords Are Stored as Plain Text
This talk of how long it would take for an attacker to type in a script is misleading. All the attacker needs to do is to take a copy of the file (e.g. email it to themselves, or copy and paste it into pastebin), then they can decode the passwords at their leisure later on. So it doesn't matter how much you obfuscate the password, it might as well be plain text.
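Added illustration of the point in the post above (not code from any poster in this thread): a rotation such as the thread's ROT15 has only 26 possible keys, so a copied file can be checked against all of them offline, which is why it protects no better than plain text. The sample line and the key name PASSWORD are constructed; the thread does not show the real accounts.cfg format.

```shell
#!/bin/sh
# Constructed sample line; NOT the real accounts.cfg format.
SAMPLE='PASSWORD=HUNTER2'
ALPHA=ABCDEFGHIJKLMNOPQRSTUVWXYZ

# Rotate uppercase letters on stdin by $1 positions (0-25).
# "rot 15" is equivalent to the thread's: tr 'A-Z' 'P-ZA-O'
rot() {
    shift_n=$1
    # Take a 26-character window out of the doubled alphabet.
    rotated=$(printf '%s%s' "$ALPHA" "$ALPHA" |
        cut -c"$((shift_n + 1))-$((shift_n + 26))")
    tr "$ALPHA" "$rotated"
}

# Given obfuscated text and a string expected in the plain text
# (here an assumed key name), try all 26 rotations.
# Prints "<original shift>:<plain text>"; returns 1 if none match.
recover_shift() {
    text=$1
    marker=$2
    n=0
    while [ "$n" -lt 26 ]; do
        candidate=$(printf '%s' "$text" | rot "$n")
        case $candidate in
            *"$marker"*)
                # Undoing with n means the original shift was 26-n.
                printf '%s\n' "$(( (26 - n) % 26 )):$candidate"
                return 0
                ;;
        esac
        n=$((n + 1))
    done
    return 1
}

obfuscated=$(printf '%s' "$SAMPLE" | rot 15)
echo "stored:    $obfuscated"
echo "recovered: $(recover_shift "$obfuscated" PASSWORD)"
```

Changing ROT15 to any other rotation changes nothing here: the loop finds the shift without being told it.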
Re: IM, Email Passwords Are Stored as Plain Text
Quote:
I think something like that is what many of us would like to have on our devices. Sure, a determined hacker can break our encryption and other safeguards if they really are determined. But, let's make it a bit harder for them to do so. Maybe they won't bother with ours and just go for the easy pickings.
Re: IM, Email Passwords Are Stored as Plain Text
Quote:
Personally I just don't get why applying good practice from initial design is so hard.
Re: IM, Email Passwords Are Stored as Plain Text
So PR1.1 "fixed" the issue. The passwords are no longer stored in accounts.cfg. Hurray!
Where are they stored now?
Re: IM, Email Passwords Are Stored as Plain Text
To revive this thread from the dead.
Some passwords are stored in gconf like WPA, EMail etc... not good! The serious thing here is not passwords but everything else. If I lose my device or forget about it somewhere and someone else picks it up, if it is on he can do anything with it, if it's off he can do anything but cell actions... some kind of scary. At least a device lock code should keep people from using it without flashing both images / and eMMC1. I have overdone it but I like to be on the safe side when it comes to private data. My desktop's drives are secured with proper crypt tools, my netbook got a drive lock plus crypts, and anything on my phone is just opened up to the beloved people touching it. MicroB has no master password to set, Email and Wifi passwords are stored plain text in gconf and so on! My online life is meant to be available from N900 as "always Online" device but under the current setup all things but passwords for wifi and email are available without further interaction after a reflash and everything without so even a device lock won't help that much. Control over what is exported as mass-storage would also be nice so the turned off device does export SD only or nothing.
Re: IM, Email Passwords Are Stored as Plain Text
Quote: