From: Michael L. <ma...@la...> - 2002-10-10 22:44:38
I've just read the discussion about password encryption (libyahoo2 integration thread) and I must say that I find the attitude of the developers on this subject a bit silly.

What is being asked is a bit of obfuscation, not perfect bulletproof encryption. A dedicated person can always get around any encryption scheme there is. If someone has physical access to my linux box they can have root-level permissions in minutes - that does not mean I leave my root password on a post it note glued to my monitor. Just because someone can easily find means of decoding the passwords, does not mean they should be available in plain view to anyone who happens to glance at the rc file.

Besides, no one in the discussion mentioned the obvious solution of having all passwords encrypted by a single password you have to type in at start time. This will eliminate every reason given against encryption in the thread.

All that being said, I am not writing to start another flame war here. I respect the developers' decision even if I do not agree. It is their decision to make. But this is an open source project and I was just wondering that since it was mentioned that many people submitted patches to solve this issue, can I get some pointers to those patches? I am not a real programmer and thus make it a rule not to edit software unless I absolutely have to - I'd rather not have to mess with gaim source code. Has someone on this list written/have such a patch they can send me?

Thank you.

-Michael

From: Rob F. <ro...@ma...> - 2002-10-10 22:55:33
I've already sent an e-mail somewhere saying that I will take care of this.

From: Luke S. <lsc...@gm...> - 2002-10-11 00:37:07
On Thu, Oct 10, 2002 at 03:44:31PM -0700, Michael Lasevich wrote:
> I've just read the discussion about password encryption (libyahoo2
> integration thread) and I must say that I find the attitude of the
> developers on this subject a bit silly.
>
> What is being asked is a bit of obfuscation, not perfect bulletproof
> encryption. A dedicated person can always get around any encryption scheme
> there is. If someone has physical access to my linux box they can have
> root-level permissions in minutes - that does not mean I leave my root
> password on a post it note glued to my monitor. Just because someone can
> easily find means of decoding the passwords, does not mean they should be
> available in plain view to anyone who happens to glance at the rc file.
>
> Besides, no one in the discussion mentioned the obvious solution of having
> all passwords encrypted by a single password you have to type in at start
> time. This will eliminate every reason given against encryption in the
> thread.

because if we did that we'd have to take care of 2 side effect cases:
1) a lot of people will not want to remember any password for their im. this means the encryption must be optional.
2) people who enable it then want to disable it. along these lines, people who forget the passphrase.
this makes doing it less trivial.

>
> All that being said, I am not writing to start another flame war here. I
> respect the developers' decision even if I do not agree. It is their
> decision to make. But this is an open source project and I was just
> wondering that since it was mentioned that many people submitted patches to
> solve this issue, can I get some pointers to those patches? I am not a real

i've never seen a patch. only requests. and some demands.

luke

> programmer and thus make it a rule not to edit software unless I absolutely
> have to - I'd rather not have to mess with gaim source code. Has someone on
> this list written/have such a patch they can send me?
>
> Thank you.
>
> -Michael

--
-This email is made of 100% recycled electrons.

From: John B. S. <jo...@si...> - 2002-10-11 00:59:59
There's some merit to the idea of a passkey to unlock your encrypted keys - this takes care of the problem I was just going to mention. Barring this idea, encryption in the rc file is completely moot based on the fact that you could just copy it to another account, run Gaim, and change the passwords, without ever seeing, or trying to decrypt the 'encrypted passwords.'

John Silvestri

On Thursday 10 October 2002 06:44 pm, Michael Lasevich wrote:
> What is being asked is a bit of obfuscation, not perfect bulletproof
> encryption. A dedicated person can always get around any encryption scheme
> there is. If someone has physical access to my linux box they can have
> root-level permissions in minutes - that does not mean I leave my root
> password on a post it note glued to my monitor. Just because someone can
> easily find means of decoding the passwords, does not mean they should be
> available in plain view to anyone who happens to glance at the rc file.

From: Luke S. <lsc...@gm...> - 2002-10-11 01:34:22
On Thu, Oct 10, 2002 at 09:00:00PM -0400, John B. Silvestri wrote:
> There's some merit to the idea of a passkey to unlock your encrypted keys -
> this takes care of the problem I was just going to mention. Barring this
> idea, encryption in the rc file is completely moot based on the fact that you
> could just copy it to another account, run Gaim, and change the passwords,
> without ever seeing, or trying to decrypt the 'encrypted passwords.'

again, the biggest problems this would cause are for those who don't want to remember a pass phrase, and for those who enable it and then later decide they no longer wish to use it. you could secure the .gaimrc this way, but you probably couldn't do it in a way that wouldn't be annoying.

luke

>
> John Silvestri
>
> On Thursday 10 October 2002 06:44 pm, Michael Lasevich wrote:
> > What is being asked is a bit of obfuscation, not perfect bulletproof
> > encryption. A dedicated person can always get around any encryption scheme
> > there is. If someone has physical access to my linux box they can have
> > root-level permissions in minutes - that does not mean I leave my root
> > password on a post it note glued to my monitor. Just because someone can
> > easily find means of decoding the passwords, does not mean they should be
> > available in plain view to anyone who happens to glance at the rc file.

--
-This email is made of 100% recycled electrons.