maemo.org - Talk
Page 3 of 3 12 3
Show 40 post(s) from this thread on one page

maemo.org - Talk (https://talk.maemo.org/index.php)
-   Maemo 5 / Fremantle (https://talk.maemo.org/forumdisplay.php?f=40)
-   -   Why Cached mail is not encrypted on the N900 device??? (https://talk.maemo.org/showthread.php?t=64619)

smoothc 2010-10-29 09:36
Re: Why Cached mail is not encrypted on the N900 device???
 
Quote:
Originally Posted by lma (Post 856302)
the (really weak) device lock code
What? Why do you say so? I thought if you wanted to reset the lock code all the data would be erased.

dchky 2010-10-29 09:45
Re: Why Cached mail is not encrypted on the N900 device???
 
Quote:
Originally Posted by lma (Post 856212)
If you think root privileges can bypass everything, then

Code:
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (GNU/Linux)

hIwDAAAAAAAAAAABA/0Qt/YgWTEfXfB3hwNc5IqiL3lIaDU0Iqw5tWG9M4/b59Sp
d+cO8c4COL18+xSPjvp7mVJ4/wsZWPq0B3ujmvm2hMPpX4DeUWR1klB3+kBqyKyg
Hb9GcDhqdiu+eEKH95zr8rc/NxuVAPtc5x1/3h5p5/o0w6aFz+DXgBVNelnedYUC
DgMAAAAAAAAAABAH/07UepgQKfPVsMeJfxRTDfdkxKHmuCP8j9dDBOjhNQTteiiN
XB+lhLoYjjeXM/EYMlpzuGSWdQ54TIfz6Q3Gh9Wqs0TU6R9eSsl9RjeLeSELkXp1
r+fXu0xpVHJdRciVJ9zn+a0s3LZosxXT9Ub8TaNORJ1hF813ncHT/NxuQM259ao6
SRgPXDKv2L0Qzv6Tdvi/caa47cpNxVNYUbfPtCQW15yAVfofKcsn3Kweq8wIvNzg
PJ3s6mIbPuo09SeVS3SFwf37wuSElqdtrciu0aSDpR3IyTOjR4+Ak2ifpK4TFhVP
H8Cz7rMfg3actFpEip2UUi7JgkOXfD3qNefCcE8H/1WlqzOmVE945H+EzhrZS6iQ
B1vkdcNsgUKcI+JSM6arswm8MNcBeBOq34Yx0G7qiEMA8gLQx2qi5aKb4+foPd7X
39fuJ4mVhSKc1v7mtciGfdwbwjySayFXWFT7+T2b5jrX0WSir1kx1128QCDGkJNn
KTfoQiCB8BSUWXUhtGuPJY6YOnlOQaOnw8GyEPV1+kOrtsd5NNS9xQKrHUzI+dnj
eMDVZTJCmK/7NLtwiiB22TuMGqr7sLVUC0Jo5vRMpWk7nDbpiuerWwMlyQC6yf0/
zy2OxlzUjhmi6UmNaozEFH2DiLL5Jt4hv5iJXSk5kQacPF6BfWyMzyFKGKiYwqnS
UgHM9pwP3BO0hLyYCPZS5AC6VoWoguZYdGcnJycNveFkvT0mmdpZDD5uxA+7Tfyl
Ow4sNv0QqAb0OtX83A9bzZ7IOSAFCY9wCqvvsk/o/xKnE5s=
=ECnd
-----END PGP MESSAGE-----
If you were an interesting target any half decent 3 letter agency is going to be monitoring the message recipients along with traffic analysis that soaks up your contact associations many levels deep - as well as all their chatter. If you were a really interesting target, then someone will pick through your trash and watch everything you do, everything your associates do, their trash as well.

You might be great at keeping secrets, but trust me when I say the vast majority of humans are terrible at it.

I'm an ex military scope goat and secret 3 letter agency drone, even when people are trained to keep compartmented TS stuff secret, we are still human on the inside and have the same failings.

Encryption is only a tiny part of the bigger picture - if you haven't secured the rest of the jigsaw you might as well not encrypt anything.

lma 2010-10-29 09:55
Re: Why Cached mail is not encrypted on the N900 device???
 
Quote:
Originally Posted by smoothc (Post 856319)
What? Why do you say so?
As an encryption passphrase, a 5-8 digit long numeric-only string is useless (it can be brute-forced easily).

Quote:
I thought if you wanted to reset the lock code all the data would be erased.
That's a different discussion, but no. There are many threads here describing how to discover/reset the lock code, just search for them.

lma 2010-10-29 09:59
Re: Why Cached mail is not encrypted on the N900 device???
 
Quote:
Originally Posted by dchky (Post 856332)
If you were an interesting target any half decent 3 letter agency [...]
Sure, but the threat model we are discussing here is rather more modest. Most people just want to keep their private data private when they lose their device, leave it unattended for 5 minutes etc. People who worry about 3 letter agencies probably shouldn't be using a phone to store sensitive data in the first place ;-)

juise- 2010-10-29 10:14
Re: Why Cached mail is not encrypted on the N900 device???
 
Quote:
Originally Posted by dchky (Post 856308)
so ask yourself, are you really going to type in 64+ characters or whatever your pass phrase happens to be, every time you want email?
Here's some entropy counts for different password lengths, assuming [0-9A-Za-z] 62 character alphabet, and brute force times (assuming 1ns/attempt, which is quite fast unless you go distributed):

8 characters: 47 bits, 1 day
10 characters: 59 bits, 4857 days
12 characters: 71 bits, 18670525 days =~ 50000 years.
14 characters: 83 bits, ~20 million years.

So, strong passwords don't have to be inpractically long, provided that the password is not guessable.

Quote:
Originally Posted by dchky (Post 856308)
Alternatively you could just go web based and keep your mail server locked in a concrete box in your basement...
This still faces the same issue of having to type your password in every time. Unless you store the password on the device...

Quote:
Originally Posted by dchky (Post 856332)
I'm an ex military scope goat and secret 3 letter agency drone, even when people are trained to keep compartmented TS stuff secret, we are still human on the inside and have the same failings.
Yes, most passwords start to fail when the secret keeper is pointed with a weapon.

dchky 2010-10-29 11:08
Re: Why Cached mail is not encrypted on the N900 device???
 
Quote:
Originally Posted by lma (Post 856346)
Sure, but the threat model we are discussing here is rather more modest. Most people just want to keep their private data private when they lose their device, leave it unattended for 5 minutes etc. People who worry about 3 letter agencies probably shouldn't be using a phone to store sensitive data in the first place ;-)
Right you are :-)

From a more modest perspective I think a better option would be SMSCON - as soon as you notice your phone is lost, send it a kill signal - have the kill signal also trigger on things a thief is likely to do - swapping sim card, opening up certain applications and so on.

Pluto 2010-10-29 18:58
Re: Why Cached mail is not encrypted on the N900 device???
 
I think we might be straying away from the real issue. The issue is not whether the N900 is a secure device or not, the issue is with applications themselves. It doesn’t matter whether you run the app on a mobile computer, a smart phone, a laptop or a PC, what matters is the app shouldn’t be storing or caching such sensitive information in plain text, specially without the user knowledge or any control to disable/enable.

I am not talking here about a hacker getting a hold of the device and try to break any sort of encryption, that’s a different story all together, I am talking about ordinary users who can simply use any text viewer and instantly have access to sensitive info without any computer savvy experience. It doesn’t matter what device this stuff is on.

Bottom line is apps should not be storing sensitive info in plain text. It is a no no, plain and simple and is a security guideline in any development framework.

michaelxy 2010-10-29 19:10
Re: Why Cached mail is not encrypted on the N900 device???
 
The N900 does not have the security Level of a symbian s60 device - without "hacks" like truecrypt etc. Plaint Text Passwords are a bad joke in every way. Of you want security, you have it to make it yourself - on your n900 :p

But allmost every Mail-Client will store Mails in 0815-Text files - this is normal: NORMAL.

javispedro 2010-10-30 03:50
Re: Why Cached mail is not encrypted on the N900 device???
 
Please, don't make us throw again the same tired arguments against plain text passwords again and read the thread I quoted on the previous page.

michaelxy 2010-10-30 19:11
Re: Why Cached mail is not encrypted on the N900 device???
 
Security Flaws can not be mentioned often enough. But it can also be a feature - so other people must reply to hundreds of mails in my own inbox :eek:


All times are GMT. The time now is 08:47.
Page 3 of 3 12 3
Show 40 post(s) from this thread on one page

vBulletin® Version 3.8.8