Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

i have the PR1.1 fw installed and i had plain password in that file too

but i removed all the IM services and added them again and took a backup and the password does not show up anymore in that file... hmm

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

there's too many stupid excuses coming up in this thread, if it was apple iphone it would already be on the lunch time news about it.
there is no other device in my possession what allows the exploit of passwords via a simple type of few words in a web browser and saying dont let it out your hands is not a solution. How is easy would it be for family and friends to spy on each other and yes it does happens amongst insecure people..
lastly how easy would it be for someone to code something to feed that data to a server?

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Storing passwords in plaintext EVER =

http://skepticalteacher.files.wordpr...8/facepalm.jpg

Seriously, it's about 3 more lines of code to encrypt it!

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Like already mentioned, providing a false sense of security through obscuring the passwords would do no good either. They would still be easily accessible by determined "friends"/family members and malicious programs.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Funny thing is we probably wouldn't even be having this conversation if Nokia had done ROT-13 on those.

On the other hand somebody might now be thinking their passwords are safe.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Bring it on, show us :) I'm willing to bet that we will be able to dissect anything you come up with due to the physical access to device.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

but why leave the door open to even make it easy for non tech minded people

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

you know, if you go to "file:///home/user/.ssh/id_rsa", you can see the PRIVATE key file of the N900's user! omg! :)

seriously, i bet the iPhone and android do the same basically, the exact location might be a bit more obscure, but it certainly isn't "encrypted" there, either.

saving as a hashed string might be enough to soothe concerns here, and should be fairly easy to implement.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

You are aware that the private key is usually encrypted as well ;)

And it can be any other name :) Hell it could be anywhere else at that :)
A salted md5 hash would probably more or less avoid many of the concerns.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

A salted MD5 hash won't help you autologin to your favourite IM.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

But the app needs to decode the encryption so it can send it to the IM service (hopefully over an SSL connection). If the app can decode it, then the app has access to the encrpytion key. If the app has access to it, so does the user. If the user has access so does the bad guy with physical access to the device. It's obfuscation, not encryption, and all soothing concerns does is engender a false sense of security which can lead to less overall security.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Yes, but in my case at least it is encrypted... that's why I have to type a passphrase to log in to servers from my phone ;-)

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

I agree, any password storage method short of a software that accesses a TPM module will still be breakable on an open OS...but it wouldn't be as trivial as looking at the contents of just one file. And yes the iPhone and Android phones probably use plain text storage as well, but that's hardly an excuse.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Except the concern of actually working. The issue with these passwords is that the N900 has to actually submit them to the relevant servers. A non-reversible encryption process will break this.

As has been pointed out, with PR1.1 these passwords do not appear to be being saved to the accounts file (for new accounts), so this may already have been "solved".

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Sigh....

I should be working, but I simply can't let that pass... :)

Firstly, I don't care about iPhones.

Secondly, there are several devices potentially in your possesion where I could retrieve your stored passwords if I physically had that device in my hands or on a desk in front of me.

Your Windows machine? Boot it up with any Linux distro on a USB stick, run the right program and I have all your local user logins and passwords.

You're a firefox user? Try running one of your stored passwords through this:

As I already pointed out, as soon as you no longer have physical access to your data, it doesn't matter what security measures you have in place, your data will be compromised eventually, given a sufficiently determined crook and a sufficiently valuable set of data.

Presumably if you lost you car keys and your car got stolen as a result, you'd be blaming the manufacturer for that, too?

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

The only solution here is to have a keyring setuped correctly, but if it uses a 5 chars numerical-only key, there is not much gained either.

Not news, move along, nothing to see...

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Just in case you still have not noticed: That does not have to do *ANYTHING* with or with not backing up the device.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

as I mentioned before, having a keyring type solution would definately be more secure for this. i.e. encrypting the password file and opening it for logging in with a password. but then you'd have to type in the password every time you want to log in to anything. that done right would protect the passwords to a certain degree.

I guess hashing the password is a simple way to make people feel secure, and it does give some protection against opportunist laymen.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

the thing is you need to use software to get my passwords off me on my other devices in the form of jailbreaking my iphone and symbian devices to get to relevent files or install some unsigned software.
on the n900 zero effort as to be put in to get them.
my mom could do it by reading this thread and needing no software at all lol

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

It's maybe 1 line of code to encrypt it, but where do you keep the encryption/decryption key? If it is also sitting unencrypted on the device, you might as well leave the whole thing in plain text as it makes 0 difference in terms of real security. Encryption is not some kind of magic that only lets good guys access stuff.

To provide real security you would have to ask the user for a passphrase to decrypt the password file... either every time the password needs to be used (highly impractical) or the first time, and then cache it for a certain amount of time or until reboot. This is what ssh-agent does for ssh key decryption passphrases.

A general solution offering a compromise between security and practicality would be to store this type of information in plain text, but inside an encrypted partition that is mounted at startup (after the user provides a passphrase). This is what I do on my Ubuntu pc, using ecryptfs. Not sure how easy it would be to port something like this to maemo. My guess: not so easy ;-)

Paolo

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

... and about 3 seconds more to decrypt it, so nothing is gained security-wise...

Unless you implement strong encryption and a master password that you will always need to enter when some of the services need to read a password from that file.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Ummm. Who talked about obscuring them? Clearly something like a keyring is needed for passwords - that's encrypting, and not obscuring.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

You cannot hash the password. How would you use the hash to log in?

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

sorry I meant some reversable type of encoding.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Quite a many people in this thread :)

Yes, agreed. That would mean no more autologin though, and require such changes that I guess it's safe to bet that this won't be seen in maemo 5.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

So I see a lot of comments here leading to one fact that: as long as you have physical access to the device you shouldn't worry

But, remotely steal your data is a possibility without the need to have access to the device.

For example:
ATM it's difficult to know thats apps on Extras got anything harmful in them...I believe it is reasonably easy to slip in a code to send accounts.cfg with passwords in plain text back :)

Encrypted is better than nothing, if can't encrypted can't be done then don't store them at all.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

So, a guy that knows how to write an app, or inject his malicious code into some other app, and convince you to download and install it, will have more trouble getting your obfuscated passwords than those written in plain text? Come on...

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

The threat vectors for the Internet have changed significantly in the last 16 months? Wow.

Do you not see the irony of linking increased usage of Twitter & Facebook with a growing concern about people's privacy? If anything, people's concern with their privacy is decreasing (apart from short-lived, largely hyped, mis-understood bubbles... kinda like this one).

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

I can't believe the sheer arrogance of the ideologic "security folks", preaching supersecurity or none at all.
In practice, having weak security IS better than no security. In this case, at least having encoded passwords is still better than having plaintext. Becaus it at least prevents random/accidental password exposure. Otherwise we could pretty much also stop **** the password entry fields.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

+1

If having access to the device is the only way to get the passwords, then might as well unhide the asterisks so we (the real owners) know what we mistyped.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

And if said app can be downloaded through App Manager? Or a file can be uploaded through the browser to a remote machine? Or someone can copy & paste a single command to ROT13 a file, or Base-64 decode it.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

It's pretty obvious that the correct solution here is an encrypted store for the passwords on the filesystem, and an keyring process that keeps the unencrypted ones only in memory and hands them out to authorised applications. In other words, the exact same solution as everyone else already uses for this on other platforms (e.g. Gnome keyring, KDE's Wallet, Firefox's password/certificate store).

What seems to be lacking is any will to actually implement that.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Asterisks on password entry (or even unixesque blind password entry) exists purely because someone might be looking over your shoulder - on my home PC I'd pretty much like an option to remove them... On a mobile device those are useful because you cannot control your environment and you never know who is looking over your shoulder.

Password storage is a whole different thing - it exists because of convenience (not having to type passwords whenever you want to connect to some service). If you want to implement some security measures there - you have to give up on the convenience, as simple as that.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Which is why we have... http://wiki.maemo.org/Extras-testing/QA_Checklist ;)

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Which is worse?
a) Thinking your passwords are safe while in reality they are not
b) Knowing your passwords are not safe (if your device is in wrong hands)

Yes there is always the "passwords are safe from your mom and little brother but not someone who knows what he's doing" option, but it will lead many users to "a".

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Unfortunately for you, your example proves the opposite of your point. Firefox has the option to encrypt all your saved passwords using a master password.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

Bug has been marked as INVALID :(

Oh well, a major fail for N900/Maemo

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

well most off us until today have been duped already by option A. thinking they was safe
I'm sure if many people knew was told option B before they hit submit to purchase they would not of got the device at all

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

The `mom` argument is even more ludicrous (specially for grownups that don't live in their moms basement :P) - your mom wouldn't know where to look for the said file. If she would, chances are that she knows how to base64/whatever-fully-reversible-algorithm-is-used decode it. And yes, she might find a site on the internet that shows where the said file is, but then again, if it were obfuscated there would be instructions how to deobfuscate it.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

As it no longer appears to be happening in PR1.1, I'm not surprised.