On Wed, 22 Aug 2012 14:24:20 +0200 rustyBSD <rusty...@gmx.fr> said:

> On 22/08/2012 14:12, Tom Hacohen wrote:
> > On 22/08/12 15:04, Carsten Haitzler (The Rasterman) wrote:
> >> On Wed, 22 Aug 2012 14:54:30 +0300 Tom Hacohen <tom.haco...@samsung.com>
> >> said:
> >>
> >>> On 22/08/12 14:51, Carsten Haitzler (The Rasterman) wrote:
> >>>> On Wed, 22 Aug 2012 14:46:50 +0300 Tom Hacohen <tom.haco...@samsung.com>
> >>>> said:
> >>>>
> >>>>> To be honest, I don't know how secure we can get there because of entry.
> >>>>> We only free (without explicitly erasing) the buffers used internally by
> >>>>> entry (elm+edje) and textblock, so there might be cleartext copies of
> >>>>> the pass in memory anyway...
> >>>> it doesn't use elm or edje entry or e entry.. it's literally done by hand
> >>>> listening to keystrokes (which frankly if u can force coredumps u can
> >>>> divine the passwd thru keystroke memory history if u are lucky). :)
> >>> So not entry, but it uses text/textblock to show the text, doesn't it?
> >>> If so, the same logic applies.
> >> it only shows *****
> >>
> >> so i guess u could find out how many chars the pw has.. that's it. evas
> >> only ever sees *** (and edje too).
> >>
> >>
> > Ah, you are right. I remembered it had issues with handling Hebrew
> > passwords (it showed as many * as the bytes instead of the chars), but
> > it's because the count was wrong, not a malfunction in edje/textblock.
> > Now I remember. :)
> >
> > Ok, cool.
> >
> > --
> > Tom.
> >
> > _______________________________________________
> > enlightenment-devel mailing list
> > enlightenment-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/enlightenment-devel
> >
>
> https://www.securecoding.cert.org/confluence/display/seccode/MSC06-C.+Be+aware+of+compiler+optimization+when+dealing+with+sensitive+data
>
> Mmhhh...

it's almost all fine as it's in malloced memory which the compiler can't
deduce usage of later on as it persists... except

E_Desklock_Auth da;

it's on the stack... except.. the child (forked) process exits immediately
after so i'm not sure how bad this really is.

--
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler)    ras...@rasterman.com
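
The two points raised in the thread (a password held in a stack record that should be erased in a way the compiler cannot optimize away, per MSC06-C, and a mask that must count characters rather than bytes), shown as an added example that is not code from the thread or from Enlightenment. The `auth_rec` layout, the function names and the sample password are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in; the real E_Desklock_Auth layout is not shown. */
typedef struct { char user[64]; char passwd[256]; } auth_rec;

/* Zero through a volatile pointer: each store is an observable side
 * effect, so the compiler may not drop it as a dead write (MSC06-C). */
void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Number of '*' to draw: count UTF-8 code points, not bytes, by
 * skipping continuation bytes (10xxxxxx). */
size_t mask_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80) n++;
    return n;
}

/* Constructed flow: copy the typed password into a stack record, use it,
 * wipe it. Returns the mask length; *residue = non-zero bytes left. */
size_t auth_demo(const char *typed, size_t *residue)
{
    auth_rec da;
    size_t i, stars, left = 0;
    memset(&da, 0, sizeof(da));
    strncpy(da.passwd, typed, sizeof(da.passwd) - 1);
    stars = mask_len(da.passwd);
    /* ... the credential check would run here ... */
    secure_wipe(&da, sizeof(da));
    for (i = 0; i < sizeof(da); i++)
        left += ((const unsigned char *)&da)[i] != 0;
    *residue = left;
    return stars;
}

int main(void)
{
    size_t left; /* constructed input: 4 Hebrew letters, 8 UTF-8 bytes */
    size_t stars = auth_demo("\xd7\xa9\xd7\x9c\xd7\x95\xd7\x9d", &left);
    printf("stars=%zu residue=%zu\n", stars, left);
    return 0;
}
```

Where the platform provides `explicit_bzero` or C11 Annex K `memset_s`, those can replace the hand-written `secure_wipe`.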