lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a847a314050825103374569fb8@mail.gmail.com>
Date: Thu, 25 Aug 2005 17:33:57 +0000
From: Nick Boyce <nick.boyce@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users


On 8/24/05, Allen Parker <infowolfe@...il.com> wrote:

> On 23 Aug 2005 13:21:23 -0000, kozan@...instructors.com
> <kozan@...instructors.com> wrote:

[...]
> > ZipTorrent stores proxy server information and password in
> > X:\\[Program_Files_Path]\[ZipTorrent_Path]\pref.txt
> > in plain text. A local user can read passwords and others.
[...]
> ... I haven't seen many programs making use of
> proxies where the username/password pairs were obfuscated in any
> way... 

Indeed - unless the proxy and all clients have some agreed protocol
for exchanging some kind of encrypted / hashed password, then the
password *must* be stored in plain text of some sort (even if it is
obfuscated) on the client host, so that it can be made available
later, in plain text, for the automatic password exchange.  There is
no way out of this, and no way to completely secure the stored
password

Surely this is just another rehash of the same old debate that appears
here every now and then - the conclusion will always be that stored
passwords are inherently vulnerable.   They can be obfuscated as much
as you like, but it only needs one successful piece of R&D to render
the whole obfuscation scheme useless for everybody.

See 
   http://marc.theaimsgroup.com/?t=92420089800002&r=1&w=2 
   http://marc.theaimsgroup.com/?t=94570694700003&r=1&w=2
for a couple of useful Bugtraq debates on this topic. 
[both in 1999 ... was that _really_ the last time this came up ?]

Nick Boyce
-- 
Never fdisk after midnight.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ