Bugtraq mailing list archives
Re: stored credentials was: Netscape 4.5 vulnerability
From: jra () SCFN THPL LIB FL US (Jay R. Ashworth)
Date: Sat, 24 Apr 1999 15:12:28 -0400
On Fri, Apr 23, 1999 at 05:06:33PM -0400, Jefferson Ogata wrote:
> The encryption key then can only be retrieved by a user that can arrange that its own program have the filesystem.inode under which a key was stored, i.e. the owner of the directory where the binary is located, or root. Root could also just pull the key directly out of the database. I guess the original topic of discussion was the feasibility of a system that not even root could subvert. This doesn't qualify, but it does allow programs to save encrypted passwords that can be decrypted only by the program that stored them (or root) in a publicly readable file. And I'm sure there's something fundamentally flawed about it, because I'm not a cryptography expert.
Alas, what is fundamentally flawed about it is that when I re-install my backup software on a Friday afternoon, it will no longer be able to access the capability key it needs to back up my servers, something I will not find out until Monday morning, when I discover that my hard drive crashed Sunday afternoon...

Cheers,
-- jra
--
Jay R. Ashworth
jra () baylink com
Member of the Technical Staff
The Suncoast Freenet
Tampa Bay, Florida
+1 813 790 7592

Buy copies of The New Hackers Dictionary. Give them to all your friends.
http://www.ccil.org/jargon/
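The failure described in this reply, as an added example that is not part of the original thread: a Python sketch that assumes the key database is indexed by the binary's (device, inode) pair, which the thread does not specify in detail. `InodeKeyStore`, `reinstall` and the `backup-agent` file name are hypothetical.

```python
import os
import secrets
import tempfile


class InodeKeyStore:
    """Hypothetical stand-in for the key database: keys indexed by (device, inode)."""

    def __init__(self):
        self._keys = {}

    @staticmethod
    def identity(path):
        st = os.stat(path)
        return (st.st_dev, st.st_ino)

    def enroll(self, path):
        # Generate a key and bind it to the file currently at this path.
        key = secrets.token_bytes(32)
        self._keys[self.identity(path)] = key
        return key

    def lookup(self, path):
        # Returns None when the file now at this path was never enrolled.
        return self._keys.get(self.identity(path))


def reinstall(path, contents):
    """Install as package tools commonly do: write a new file, rename it over the old."""
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(contents)
    os.replace(tmp, path)  # same path, but it now names a different inode


def demo():
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, "backup-agent")  # constructed sample file
        with open(binary, "wb") as f:
            f.write(b"v1")
        store = InodeKeyStore()
        key = store.enroll(binary)
        before = store.lookup(binary) == key  # key retrievable before reinstall
        reinstall(binary, b"v1")              # byte-identical reinstall
        after = store.lookup(binary)          # key is no longer reachable
        return before, after


if __name__ == "__main__":
    print(demo())
```

Running the same lookup as a post-install check surfaces the lost key at install time rather than at the next scheduled backup.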