From: jeremiah at nur.net (Jeremiah Cornelius)
Subject: Re: ¿Bruce Schneir no intelligente?

Hey, lorenzofaggot@...hmail.com .

So sorry you missed out on the "Golden Age of Trolling".

http://www.everything2.com/index.pl?node=Trolling

That's O.K. You got enough to deal with, having five hyphenations in your
name, with no "de".

Jeremias deCornelio

----- Original Message -----
From: "Lorenzo Figueroa-Acuna-Gonzales-Garcia-Ortiz-Trujillo" <lorenzofaggot@...hmail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, August 05, 2003 9:13 AM
Subject: [Full-Disclosure] ¿Bruce Schneir no intelligente?

>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ¡Bueno!
>
> I reading these informacions, I no think Bruce Schneir smart. This error
> made by kids. ¿Matt Murphy right?
>
> - -------------
> Program description:
>
> - ---
> Password Safe is a tool that allows you to have a different password
> for all the different programs and websites that you deal with,
> without actually having to remember all those usernames and passwords.
>
> Originally created by Bruce Schneier's Counterpane Labs, Password Safe
> is now opening its source, and development and maintenance has been
> handed off to Jim Russell. Currently, the PasswordSafe Open Source
> project is being administered by Rony Shapiro.
> - ---
>
> Versions affected: 1.92b (latest) - tested both with win2k and XP.
>
> Description: about two years ago I was reporting here
>
> http://www.securityfocus.com/archive/1/213931
>
> about some rare circumstances in which Password Safe will leave
> cleartext in memory even when used in the most safest configuration.
>
> However, with the current version the situation is even worse - the
> option "Clear the clipboard when minimized" is not helping at all -
> you can still recover the last password used from the memory.
>
> How to reproduce: run password safe as usual, be sure to have the
> options "Clear the clipboard when minimized", "Lock password database
> on minimize" selected. Copy a password into clipboard (right click ->
> copy password to clipboard) and minimize Password Safe. Now the
> password should be erased, but it's not! You can find the password
> very easy - for example run winhex (the attacker can have winhex on a
> floppy, it doesn't have to be installed), open the virtual memory
> associated to the process Pwsafe, look into it (or dump to a file and
> then use strings on that file). The password is there; one thing worth
> mentioning - without the first character. But this is not a problem,
> even if the first character is hard to guess (random password) most
> systems can be brute-forced without any problem even with "bare
> hands".
>
> Solution: not much to say ... just don't trust Password Safe when
> minimized ... use the win2k/xp lock feature, keep your computer in a
> safe, things like that.
>
> That's all, have a nice day,
> Valentin (Vali) Butanescu
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at https://www.hushtools.com/verify
> Version: Hush 2.3
>
> wkYEARECAAYFAj8v17IACgkQaXuo1rXWHGd1ewCcCMv2VEPWqcBXUrv0YiqGtHTUJNoA
> njJ6dABQSAPZ7adKWGLtjVOKuOBQ
> =5qmB
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
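The quoted report says the copied password stays in process memory, minus its first character, after the clipboard is cleared. The following is an added example, not part of either message and not Password Safe code: a regression check a developer could run over a memory dump of their own test instance, looking for a throwaway canary password and its truncated forms. The names `find_residue`, `CANARY` and `SAMPLE_DUMP` are hypothetical, the dump bytes are constructed, and the canary is assumed to be ASCII.

```python
"""Check a memory dump for leftovers of a known canary password."""

# Constructed test secret; never use a real password as the canary.
CANARY = "Zq7!canary-PW"


def find_residue(dump: bytes, canary: str, min_len: int = 4):
    """Return sorted (offset, encoding, skipped_chars) for each leftover copy.

    Fragments with leading characters missing are searched too, because the
    report found the password without its first character. Both narrow and
    wide-character (UTF-16LE) copies are checked, since a Windows program may
    hold either. An empty list means no fragment of min_len or more was found.
    """
    hits = {}
    for enc in ("ascii", "utf-16-le"):
        # Longest fragment first, so each copy is reported once at full length.
        for skip in range(len(canary) - min_len + 1):
            pattern = canary[skip:].encode(enc)
            pos = dump.find(pattern)
            while pos != -1:
                end = pos + len(pattern)
                # Shorter suffixes of the same copy share its end offset.
                hits.setdefault((enc, end), (pos, enc, skip))
                pos = dump.find(pattern, pos + 1)
    return sorted(hits.values())


# Constructed dump: one narrow copy missing its first character and one
# complete wide-character copy, separated by filler bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + CANARY[1:].encode("ascii")
    + b"\x00\xff" * 8
    + CANARY.encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for offset, enc, skip in find_residue(SAMPLE_DUMP, CANARY):
        print(f"leftover at 0x{offset:x}: {enc}, first {skip} char(s) missing")
```

A build that wipes its buffers correctly should give an empty result for a dump taken after the application is minimized.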