maemo.org - Talk

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Maemo 5 / Fremantle (https://talk.maemo.org/forumdisplay.php?f=40)
-   -   IM, Email Passwords Are Stored as Plain Text (https://talk.maemo.org/showthread.php?t=41164)

pelago 2010-01-18 13:55

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by twaelti (Post 479882)
I can't believe the sheer arrogance of the ideologic "security folks", preaching supersecurity or none at all.
In practice, having weak security IS better than no security. In this case, at least having encoded passwords is still better than having plaintext. Because it at least prevents random/accidental password exposure. Otherwise we could pretty much also stop **** the password entry fields.

Read: "But surely something is better than nothing, right?"

Venomrush 2010-01-18 13:56

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by Rob1n (Post 479921)
As it no longer appears to be happening in PR1.1, I'm not surprised.

I'm running PR1.1
Still seeing the 'issue'

javispedro 2010-01-18 13:57

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by Venomrush (Post 479916)
Bug has been marked as INVALID :(

It IS invalid. It's been explained a hundred times why.

Now, if you file a feature request for something like "ability to set a master password to be introduced every time before logging in to any service", then it may make sense to encrypt the passwords with that master password.

ewan 2010-01-18 13:59

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
The bug is not invalid. It may be closed as WONTFIX because it's too hard, but the complaint is entirely true.

Rob1n 2010-01-18 14:01

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by Venomrush (Post 479925)
I'm running PR1.1
Still seeing the 'issue'

Have you deleted and recreated the accounts since upgrading to PR1.1?

SubCore 2010-01-18 14:04

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
FWIW:

I have 2 IM accounts on my N900: MSN (using butterfly) and the built-in Skype.

I created the Skype account only 2 days ago (with PR 1.1); the MSN account is older, created with PR1.0.
The MSN password is stored in plaintext in accounts.cfg, but Skype's password is NOT stored there at all.

I'm gonna recreate the MSN account in the evening when I get home, maybe someone else can try sooner :)

slender 2010-01-18 14:05

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by zwer (Post 479920)
The `mom` argument is even more ludicrous (especially for grownups that don't live in their mom's basement :P) - your mom wouldn't know where to look for the said file. If she would, chances are that she knows how to base64/whatever-fully-reversible-algorithm-is-used decode it. And yes, she might find a site on the internet that shows where the said file is, but then again, if it were obfuscated there would be instructions how to deobfuscate it.

I know where to find it and I have no idea how to decrypt that kind of encryption. You probably have too high expectations about fellow citizens, or I'm just below your standard of the average man. Prepare for disappointments with people and living in a world where all the other people seem to be a bit stupid :) Hey, I just described the world view of a normal Linux "guru" :P

joelus 2010-01-18 14:09

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
I don't think it's invalid at all. I would at least like the option of being asked for my password every time I log into a service rather than having it stored in plain text.
I mean once I'm logged in, I won't need to type it again until I disconnect or log out?

javispedro 2010-01-18 14:13

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by joelus (Post 479947)
I don't think it's invalid at all. I would at least like the option of being asked for my password every time I log into a service rather than having it stored in plain text.

And I think that's a valid feature request (in fact, it seems like the bug report mentioned on this thread has been converted to that).

slender 2010-01-18 14:14

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
How do you measure a "false feeling of security"?

Do people behave carelessly when passwords are encrypted? Any studies about this?

I would be offended if someone said to me that I'm careless because I falsely think that I'm safe because of some non-trivial encryption. Actually I would be really offended because that's basically saying "You are a bit stupid, ain't you?"

javispedro 2010-01-18 14:17

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by slender (Post 479956)
Do people behave carelessly when passwords are encrypted? Any studies about this?

This very thread!

If instead of his plain text password, Rushmore found a base64'd password, he would not have opened this thread! So you'd give your N900 to anyone, thinking your passwords are safely "encrypted", when it would have been trivial to "decrypt" them.

Since they're saved as plain text, Rushmore has panicked and deduced correctly that he does not have to give that file to anyone.

slux 2010-01-18 14:20

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by slender (Post 479956)
How do you measure a "false feeling of security"?

Do people behave carelessly when passwords are encrypted? Any studies about this?

I would be offended if someone said to me that I'm careless because I falsely think that I'm safe because of some non-trivial encryption. Actually I would be really offended because that's basically saying "You are a bit stupid, ain't you?"

As has been said, most were not calling for a non-trivial form of encryption but a trivial form that is better called obfuscation.

Jaffa 2010-01-18 14:28

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by slender (Post 479941)
I know where to find it and I have no idea how to decrypt that kind of encryption?

How do you know where to find it?

I'm going to bet it's because of the bug report or a thread like this one. Now, what if it said:

Quote:

OMG! Copy & paste the following code into X Terminal and you can get the IM passwords for ANYONE's N900!!!!111!!!

Code:

perl -MMIME::Base64 -pe '$_ = decode_base64($_)' .rt-accounts/accounts.cfg


hqh 2010-01-18 14:29

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Just FYI: E-mail passwords are also stored as plain text in gconf.

gconftool-2 -R /apps/modest/server_accounts

... And now you know to be more careful with your device :)

slender 2010-01-18 14:29

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by javispedro (Post 479963)
This very thread!

If instead of his plain text password, Rushmore found a base64'd password, he would not have opened this thread! So you'd give your N900 to anyone, thinking your passwords are safely "encrypted", when it would have been trivial to "decrypt" them.

Since they're saved as plain text, Rushmore has panicked and deduced correctly that he does not have to give that file to anyone.

Do you know that there are different levels of security? I do know that these levels are unmeasurable and subjective, but if you really wanted to be safe I would probably not use a computer and I would be living in a small aluminium foil box in the same place where Air France's black box is.

If they were encrypted I would give the device to SOME people. Btw, why can't this file be readable only by the root user?

Actually, did you know that Firefox's password safe GUI was "plain text" for a while, but they changed it so that you have to press a button before it shows the passwords behind the usernames? Is this a completely stupid thing to do?

Aranel 2010-01-18 14:32

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
I think it should be encrypted. Because it's easy to run a single command to get all account information now, so even idiots can get your pw. Making it more confusing would be better; yes, it won't give any advantages if the attacker knows what he is doing, but mostly they don't. Mostly, they just google it, find some command (like "cat /home/user/.westorepasswordshere") and will try to get your pw that way, which is really easy, even your mom can do it.

Anyway, making it much more confusing is easy to do and there's no downside; if someone is careless enough to give their devices away, they already don't know/care about encrypting, security, maybe even GNU/Linux.

To @slender: If I understood you correctly: You can assign a master password to protect your account information for Firefox. You cannot do same thing for N900.

slender 2010-01-18 14:33

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by Jaffa (Post 479980)
How do you know where to find it?

I'm going to bet it's because of the bug report or a thread like this one. Now, what if it said:

Hmm. First I should know something about X Terminal. We are now talking about copy-pasting text to a BROWSER and you are talking about xterm, which just scares **** out of most of the population.

Aranel 2010-01-18 14:36

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Encrypting can be an option in Settings. So if you want to protect your passwords with a master password (which is shorter than your 20~ character IM password?) you can enter it once - when connecting to IM the first time, or when booting, I'm not sure - and it'll not ask you again, and your password is safe. If your device gets stolen, or if you give it to someone, they can connect to your IM accounts - b/c it's not asking for a password, if you don't reboot it - but they can't get your password, they don't know your master pw. This method is already in use for KWallet and Kopete, which is a part of the K Desktop Environment, on GNU/Linux.

zwer 2010-01-18 14:37

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by SubCore (Post 479940)
I created the Skype account only 2 days ago (with PR 1.1); the MSN account is older, created with PR1.0.
The MSN password is stored in plaintext in accounts.cfg, but Skype's password is NOT stored there at all.

I'm gonna recreate the MSN account in the evening when I get home, maybe someone else can try sooner :)

I deleted skype and one of my gtalk accounts, then re-added them, and they are correctly and openly written @ ~/.rtcom-accounts/accounts.cfg

I see no change in that behavior between PR1.0 and PR1.1. Haven't tried backing it up, tho, but I guess the result would be the same.

Quote:

Originally Posted by slender (Post 479941)
I know where to find it and I have no idea how to decrypt that kind of encryption. You probably have too high expectations about fellow citizens, or I'm just below your standard of the average man. Prepare for disappointments with people and living in a world where all the other people seem to be a bit stupid :) Hey, I just described the world view of a normal Linux "guru" :P

It has nothing to do with high expectations, I'm perfectly aware that an average Joe barely knows what a computer is, let alone how and where it stores files. However, as many people have noted, providing a base64 encoding or something equally trivial would not give anyone any more security - what's the difference if the file containing passwords has `cGFzc3dvcmQ=` instead of `password`? It's the same f. thing!

If you know where to find the file, you've probably found out in one of the following ways:
1) You are tech-savvy and you know where some application stores its files. In that case, you already know how it stores it, and how to decode possibly encoded passwords.
2) You found it on the internet (for example on this thread). If the files were encoded using base64 (or something as trivial as b64) instead of plain text, this thread would already have step-by-step instructions on how to deobfuscate those passwords, so you'd still get the passwords with one additional step.
3) You were browsing through someone's device long enough, checking each file, and suddenly you came across a file that stored account data. If passwords were plain text, you'd know them immediately; if they weren't, chances are that with a simple Google search for that file you'll find a thread/blog/whatever that explains how to extract the passwords.

In all three possible cases, passwords are not any more safe stored with a trivial, reversible encoding than in plain text. But knowing that your passwords are not safely stored is actually a better thing than having a false sense of security - this way you won't be giving your device to anyone that easily and you'll know the risks involved.

Quote:

Originally Posted by joelus (Post 479947)
I don't think it's invalid at all. I would at least like the option of being asked for my password every time I log into a service rather than having it stored in plain text.
I mean once I'm logged in, I won't need to type it again until I disconnect or log out?

That is a perfectly good solution for paranoids. And that should be set as an enhancement requirement. The whole argument here is that stored passwords in trivial encoding are not any more safe than those in plain text. If someone wants real encryption, that's a perfectly valid request, but they should be prepared to give up on the convenience of password-less auto login.

Quote:

Originally Posted by Aranel (Post 479989)
Mostly, they just google it, find some command (like "cat /home/user/.westorepasswordshere" ) and will try to get your pw that way, which is really easy, even your mom can do it.

And how would that be any different than, as Jaffa already noted, having a slightly different copy/paste command if the file was base64 encoded:

Code:

perl -MMIME::Base64 -pe '$_ = decode_base64($_)' .rt-accounts/accounts.cfg
:rolleyes:

Rob1n 2010-01-18 14:39

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by zwer (Post 479996)
I deleted skype and one of my gtalk accounts, then re-added them, and they are correctly and openly written @ ~/.rtcom-accounts/accounts.cfg

I see no change in that behavior between PR1.0 and PR1.1. Haven't tried backing it up, tho, but I guess the result would be the same.

Interesting - I wonder why they're saved for some and not for others then (and where it is putting them otherwise).

keesj 2010-01-18 14:40

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
How about killing this whole thread. Even the subject is plain wrong. It's not even an exploit.

javispedro 2010-01-18 14:41

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by slender (Post 479984)
Do you know that there are different levels of security? I do know that these levels are unmeasurable and subjective, but if you really wanted to be safe I would probably not use a computer and I would be living in a small aluminium foil box in the same place where Air France's black box is.

If they were encrypted I would give the device to SOME people.

Again, back to the "and do you think anybody knowing where that file is wouldn't know how to 'decrypt' it?"

Quote:

Originally Posted by slender (Post 479984)
Actually, did you know that Firefox's password safe GUI was "plain text" for a while, but they changed it so that you have to press a button before it shows the passwords behind the usernames? Is this a completely stupid thing to do?

They did it because of people glancing at them on the monitor, and also because then it can prompt for your master password. Nothing else.

slender 2010-01-18 14:42

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by keesj (Post 480003)
How about killing this whole thread. Even the subject is plain wrong. It's not even an exploit.

I agree that topic name is highly exaggerated.

jcompagner 2010-01-18 14:47

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Guys, the only way to fix this is if unlocking a locked phone (device lock in the settings) used that lock code as a password to get the private key with which everything can be decrypted.

So how many of those now complaining have enabled the device lock?

HeinzHarald 2010-01-18 14:48

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by NvyUs (Post 479919)
Well, most of us until today have been duped already by option A, thinking we were safe.
I'm sure if many people had been told about option B before they hit submit to purchase, they would not have got the device at all.

I believe the point is that if, seeing the file, you know it's an insecure yet sensitive file because it's plaintext, you will therefore treat it right. Were it obscured, the regular user wouldn't realize the file had to be treated with care, since he or she wouldn't know it wasn't secure and wouldn't know what it contained.

Now the reverse would also be true, a criminal might not know what it contained right away if it were obscured, but it's a safe bet he would steal the obscured files anyway and go play.

This doesn't mean there's no point having any kind of security system but the very best though. Awareness of how secure you truly are is what's important, what/who you are protected against. Obscurity/weak security really doesn't help this in most cases.

shinkamui 2010-01-18 14:50

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by slux (Post 479644)
Well, to put things into perspective I believe that not having them there in plaintext would only serve as making it slightly more difficult to do this as the software still has to decrypt and send the passwords when logging in and it would not be a major problem to snatch them if you have physical access to the system said software is running on.

Well, no point in making it idiot capable.

ewan 2010-01-18 15:25

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by slux (Post 479968)
As has been said, most were not calling for a non-trivial form of encryption but a trivial form that is better called obfuscation.

OK; but what's the counter-argument to the people that are actually calling for a proper solution using real encryption?

Using base64 or ROT13 is clearly stupid, but using the approach that Kwallet, Firefox (with a master password) etc. use is a bad idea because?......

herix1 2010-01-18 15:35

Re: IM, Email Passwords Are Stored as Plain Text
 
I have never backed up. I have never updated. my passwds are stored very nice and clear.

mahousaru 2010-01-18 16:15

Re: IM, Email Passwords Are Stored as Plain Text
 
I was always taught that security is implemented in multiple layers like an onion... Lots of little things add up to a more secure system. I guess some people know much better and that security is either on or off :p

tk421 2010-01-18 16:34

Re: IM, Email Passwords Are Stored as Plain Text
 
My password was showing but I added the MSN account again, after the 1.1 upgrade, and the password isn't there. My n900 locks after 5 mins anyway.

On my Linux PC there are services with plain text passwords in /etc. I just never leave my user logged in when I'm not there, same goes for the phone, but it's not really a phone and I guess some people just don't get that.

R-R 2010-01-18 16:41

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by jcompagner (Post 480016)
Guys, the only way to fix this is if unlocking a locked phone (device lock in the settings) used that lock code as a password to get the private key with which everything can be decrypted.

So how many of those now complaining have enabled the device lock?

That is of course based on the idea that you will never be able to access that lock code which, by being 5 numerical chars, is very easy to recover...
(see this thread/post)
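The master-password scheme Aranel and jcompagner describe above, carried through as an added example in Python (not code from this thread, from Maemo, or from KWallet/Firefox): the master secret is stretched with PBKDF2 into an encryption key and a MAC key, the account table is encrypted and authenticated, and a wrong master secret or an edited file is rejected instead of decrypting to garbage. It assumes only the standard library (so an HMAC-based keystream stands in for AES), all account values are constructed, and the hypothetical `master_secret_candidates` helper puts R-R's caveat in numbers: a 5-digit lock code gives whoever holds the file only 100,000 guesses, which the KDF slows down but cannot fix.

```python
import base64
import hashlib
import hmac
import json
import secrets
import string

PBKDF2_ITERATIONS = 200_000   # slows guessing of a weak master secret, does not cure it
KEY_LEN = 32                  # bytes for each of the two derived keys


def derive_keys(master_secret: str, salt: bytes) -> tuple:
    """Stretch the master secret into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib has no AES;
    a real store would use AES-GCM from a crypto library instead)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal_accounts(master_secret: str, accounts: dict) -> dict:
    """Encrypt-then-MAC the account table; returns a JSON-serialisable blob."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_secret, salt)
    plaintext = json.dumps(accounts, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return {"salt": b64(salt), "nonce": b64(nonce), "ct": b64(ciphertext), "tag": b64(tag)}


def open_accounts(master_secret: str, blob: dict) -> dict:
    """Verify the tag before decrypting; a wrong master secret or a tampered
    file raises ValueError instead of yielding silently wrong data."""
    salt, nonce, ciphertext, tag = (base64.b64decode(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = derive_keys(master_secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master secret or store tampered with")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def master_secret_candidates(secret: str) -> int:
    """Hypothetical helper: rough size of the guess space someone holding the
    encrypted file must cover. Digits only (the N900 lock code) is the worst case."""
    if secret.isdigit():
        alphabet = 10
    elif secret.isalpha() and secret.islower():
        alphabet = 26
    else:
        alphabet = len(string.ascii_letters + string.digits + string.punctuation)
    return alphabet ** len(secret)


if __name__ == "__main__":
    # Constructed sample account, not from any real device.
    accounts = {"msn": {"user": "someone@example.invalid", "password": "hunter2-style-secret"}}
    blob = seal_accounts("correct horse battery staple", accounts)
    assert open_accounts("correct horse battery staple", blob) == accounts
    print("5-digit lock code candidates:", master_secret_candidates("12345"))
```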

Brank 2010-01-18 16:51

Re: IM, Email Passwords Are Stored as Plain Text
 
If you're gonna go through the trouble of getting through the phone lock code, it'll be a hundred times easier to break through shitty security that's there as an illusion of safety.

Cas07 2010-01-18 17:06

Re: IM, Email Passwords Are Stored as Plain Text
 
Venomrush, I realise you are bringing something you feel strongly about to the forum, however this is no different to all IM accounts on PCs.
Would you mind altering your first post to prevent confusion for other users and adding this Pidgin link, which clearly explains the reasons for being in clear text.

http://developer.pidgin.im/wiki/PlainTextPasswords

DanielMartin 2010-01-18 17:17

Re: IM, Email Passwords Are Stored as Plain Text
 
I understand the arguments both camps are making, but surely some security is better than no security? The more complex a system is to crack (and even base64 encoding is more complex than plaintext), the smaller the pool is of people able to do it.

Take WEP for example. Someone with aircrack and a wifi card can steal a WEP key, but because it's more technically difficult to do that than to simply connect to an unsecured access point, fewer people can do it, therefore it happens less frequently. Wireless access points with no key will be compromised far more often than those with even WEP.

I don't believe that all-or-nothing is the correct approach, it's akin to saying "why lock your front door when a determined thief could break a window to get in?". I know that for my house to be truly secure it would have to be a bunker with a reinforced door, but I'm definitely glad the front door locks, and wouldn't live here if it didn't!

Does this mean the browser also stores usernames/passwords in plaintext? If not, what security technique does it use?

zwer 2010-01-18 17:30

Re: IM, Email Passwords Are Stored as Plain Text
 
Yes, but within an SQLite database ( ~/.mozilla/microb/signons.sqlite ) which is only slightly harder to read. It still is plain-text (well, base64, but it's as good as plain text)...

daperl 2010-01-18 18:13

Re: IM, Email Passwords Are Stored as Plain Text
 
People that understand security are trying to explain things to people that don't understand security, and it doesn't seem to be helping.

So let's get to the real problem: If you're worried about someone seeing and remembering your passwords in plain text, your passwords probably suck.

One simple solution: Choose passwords that use abbreviations for meaningful personal phrases

The quick brown fox jumps over the lazy dog ->

tqbfjotld

Sure looks like some sort of a hash to me. Why don't you ask your mom.

Stop choosing passwords that suck.

slux 2010-01-18 18:18

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by ewan (Post 480087)
OK; but what's the counter-argument to the people that are actually calling for a proper solution using real encryption?

Using base64 or ROT13 is clearly stupid, but using the approach that Kwallet, Firefox (with a master password) etc. use is a bad idea because?......

It isn't a bad idea at all and I have not noticed anybody argue that it is. Apparently that kind of an enhancement request would either be better received or is already filed.

hqh 2010-01-18 18:35

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 
Quote:

Originally Posted by slux (Post 480369)
It isn't a bad idea at all and I have not noticed anybody argue that it is. Apparently that kind of an enhancement request would either be better received or is already filed.

It seems to be WONTFIX for Fremantle, though.

nex 2010-01-18 19:05

Re: IM, Email Passwords Are Stored as Plain Text
 
The Base64 encoding (yes, obfuscation) that others have suggested may at the very least protect from an attacker that only has the time or inclination for an accidental or not screen glancing and who wouldn't go further if he encountered a garbled looking string.

Now whether this is a valid or simply common enough attack vector to bother with could be something to debate.

As a sidenote, re-adding in PR1.1 accounts (skype, msn, gtalk) that I had added beforehand hid their passwords from that file.

mahousaru 2010-01-18 22:43

Re: IM, Email Passwords Are Stored as Plain Text
 
Quote:

Originally Posted by daperl (Post 480356)
People that understand security are trying to explain things to people that don't understand security, and it doesn't seem to be helping.

So let's get to the real problem: If you're worried about someone seeing and remembering your passwords in plain text, your passwords probably suck.

One simple solution: Choose passwords that use abbreviations for meaningful personal phrases

The quick brown fox jumps over the lazy dog ->

tqbfjotld

Sure looks like some sort of a hash to me. Why don't you ask your mom.

Stop choosing passwords that suck.

Actually it seems to me that you are making one of the biggest mistakes of security and focusing on a single element.

Of course decent passwords/phrases are very important, but the actual system the password is being used in is very important too. Identifying _all_ the areas where there is a vulnerability and the level of risk it exposes vs. the difficulty of securing it can become very difficult. Especially when you factor in the human element. What use is a long passphrase if the device you are using doesn't have a decent method of entering it? Lucky for us the N900 does have a nice KB!

Let's focus on the idea of a strong passphrase.... That is as strong as the mechanism used for authentication. For example GMail via an https interface can be considered pretty safe (as long as the client hasn't been compromised). But if the user decides to use Pidgin, the level of security provided by that strong passphrase drops to the level of what Pidgin provides. Basically storing that passphrase in a known location and the way it handles the auth process.

Of course the easiest solution would be to have 2 accounts, a secure one for emailing via more secure methods and one for IM, but this takes understanding by the user.

Now the Pidgin FAQ goes on about the most secure method is to not store the password, which is set by default. If the user decides to save the password does it warn them that it will be stored in a plain text file? I've dropped Pidgin in favor of Empathy, so I don't know if it does prompt the user or not, or does it rely on the user being telepathic....

Personally I believe that developers (and sys admins) should build systems secure from the initial design and make their systems as transparent to the users as possible. Too many times security is added as an afterthought, or is so complex and cumbersome that the users bypass it.
