Re: stored credentials was: Netscape 4.5 vulnerability

[jra () SCFN THPL LIB FL US (Jay R. Ashworth)]

On Fri, Apr 23, 1999 at 05:06:33PM -0400, Jefferson Ogata wrote:
> The encryption key then can only be retrieved by a user that can arrange
> that its own program have the filesystem.inode under which a key was stored,
> i.e. the owner of the directory where the binary is located, or root. Root
> could also just pull the key directly out of the database.
>
> I guess the original topic of discussion was the feasibility of a system
> that not even root could subvert. This doesn't qualify, but it does allow
> programs to save encrypted passwords that can be decrypted only by the
> program that stored them (or root) in a publically readable file. And I'm
> sure there's something fundamentally flawed about it, because I'm not a
> cryptography expert.

Alas, what is fundamentally flawed about it is that when I re-install
my backup software on a Friday afternoon, it will no longer be able to
access the capability key it needs to back up my servers, something I
will not find out until Monday morning, when I discover that my hard
drive crashed Sunday afternoon...

Cheers,
-- jra
--
Jay R. Ashworth                                                jra () baylink com
Member of the Technical Staff     Buy copies of The New Hackers Dictionary.
The Suncoast Freenet            Give them to all your friends.
Tampa Bay, Florida     http://www.ccil.org/jargon/             +1 813 790 7592