[Waste-public] WASTE vulnerability

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

It looks like I've found a possible exploitable bug in the WASTE code.
The private key uses a set ciphertext to verify the password.  It seems
like knowing what the object is before you try decrypting it would aid any
potential crackers.  I propose that we change this either to:

1.) Generate random text and calculate the MD5sum.  then();

or:

2.) Calculate the MD5sum of the private key.  then();

then()
{
Encrypt both using the same Blowfish algorithm the WASTE currently uses.
Upon client start, ask for a password and decrypt.  Calculate the MD5sum.
If they match, continue.
}

-- 
|Andrew A. Gill                       |I posted to Silent-Tristero and|
|<sup...@fr...>         |all I got was this stupid sig! |
|alt.tv.simpsons CBG-FAQ author       |                               |
|                          (Report all obscene mail to Le Maitre Pots)|
|Nothing here yet: <http://www.needsfoodbadly.com>    Temporary sig: --

What'dya think, sirs?