On Fri, Aug 20, 2010 at 10:52 PM, Hugo Cello <hugo.ce...@web.de> wrote: > Sorry for the noise!!! > > I first tried to send the below attached text to the list using a wrong sender > address so it never arrived, then I sent it from a Web interface with the > result, that the text was scrambled into some html crap. Now I'll try again > and hope, it goes through. Please ignore generously my former dilettanteish > efforts. > > -------------------------------------------------------------------------- > Hi Rockboxers, > > I'm using amongst others the keybox plugin for storing my passwords on a Sansa > e200. To fill this data base with a bigger amount of URLs, user and password > pairs it's a pain in the ass to type in all the data using the > internal "keyboard". That's why I wrote a patch for keybox to be able to read > the data base from an external text file and encrypt them (see > http://www.rockbox.org/tracker/task/11260). > > The patch now is rejected due to security reasons. The objection is that if I > copy the text file onto the device, import it into keybox and delete the file > afterwards, it could be restored from disk. Obviously even the possibility to > have a warning in the manual and let the user decide if he wants to take the > (really small) risk seems not to be acceptable. > > Still I think the usability of keybox would be greatly improved if we could > import the data base from file. So I like to ask you, the developers, if you > have any idea how to do this in a secure manner. One possibility could be to > offer an external program that creates the keyboard.dat file on your computer > and than copy it to Rockbox but I'd prefere to have this functionality inside > Rockbox. > > Any idea would be highly appreciated > Gerhard > > On Wednesday 18 August 2010, Rockbox wrote: >> The following task is now closed: >> >> FS#11260 - lets keybox import its database from an external text file >> User who did this - Nils Wallménius (nls) >> >> Reason for closing: Rejected >> Additional comments about closing: I'm sorry but this is a too great >> security risk and even reisk lulling users into false security. >> >> More information can be found at the following URL: >> http://www.rockbox.org/tracker/task/11260 >
Hi, I too thought about better ways to populate the keybox database and an external application is the only thing i could come up with. The plain text file with passwords that are imported might also encourage users to create and store such a file on their computer, also not everyone reads the manual and so might be unaware of the risk. A schredding (secure delete) function could probably be implemented but wouldn't be reliable on flash based targets where we do not have a software FTL. Nils
