Re[2]: Some serious security holes in 'The Bat!'
Anyone running in so insecure an environment to make this so called vulnerability an issue ... JN the fact JN remains that third party access ... is conceivable in any JN number of innocent situations, most commonly repair scenarios. MW ... why encrypt plain text messages ... when you send them over MW the Internet without encryption? Consider that most every home IS an insecure environment, families ARE 3rd parties, and in such a situation sending communications over the internet is NOT the weakest link in most security chains, it is easy access at home. RitLabs would do well to add logins to TB! so that family members would not see each other's communications since so many do share PCs email clients. M$ lookOut does see this (though the BIG single file approach is obviously flawed), and Pegasus makes each user login (though I do not at all know how it stores email files). For myself, even though I have sole use of a secure PC, I STILL wish for an email client that would require logins before allowing anyone who can touch the machine to become me ... (Then again I am insane.) -- Rich Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
... add logins to TB! so that family members not see each other's ... email M Options/Network Administration/Privileges HEY! Wadda ya know! I have no idea HOW to use it but it looks like that's what 'm talkin' about... Is there any kind of encryption of the email files tied to TB! login or can a savvy user access files on the hard drive that aren;t theirs? -- Rich Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
Hello Steve, Tuesday, October 28, 2003, 1:51:59 AM, you wrote: ST Hello Joseph, ST Monday, October 27, 2003, 5:06:17 PM, you wrote: JN But now I JN need a place to store them, since there's no mnemonic to keep them in JN mind. But, of course, the place to store them needs to be encrypted JN and passworded, so I need a password for that :-) ST I manage a ton of passwords, not only for myself, but for my clients ST as well. I use a product called SplashID from www.splasdata.com. It ST operates on both my desktop and my Palm so I always have the data ST available, and yes, you do need to remember that ONE password. I had to add an h to your url.Should read www.splashdata.com -- Best regards, Barry Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
Hi Martin Tuesday, October 28, 2003, 3:31:13 AM, you wrote: V I'm not sure what your point here is..did I miss something in the discussion? MW Yes, I think so... How? I read the whole thread. Were you talking about the repair scenario? MW Still more probable than a complete stranger sitting in front of my PC MW and reeking havoc with his hex editor. (assuming he can log on and MW access my folders) I think someone would notice that! :-) V This is actually completely unnecessary if this stranger somehow manages to V install a trojan on your machine remotely. MW And again. :-) No, I don't think I missed anything here. You and others seemed to imply that reading those plaintext passwords was only possible if someone had physical access. Either when he sat down at your machine to carry out the exploits mentioned in the article, or when you gave your hard disk out for repair. This isn't necessary. Cheers, -- Vishal Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
Hi Martin Tuesday, October 28, 2003, 1:02:56 PM, you wrote: MW Yes. If someone has concerns about passwords being compromised while the MW PC is repaired the simple solution is to change them beforehand. If that MW isn't possible then change them when it's returned. Actually, both would have to be done. MW That's because the original text MW (http://lists.netsys.com/pipermail/full-disclosure/2003-October/012716.html) MW refers to someone hacking passwords using a hex editor while sitting in MW front of the PC. You're right. But it doesn't specifically have anything to do with sitting in front of the PC. He probably experimented on his own machine, so he did it that way. It talks about using a hex editor, but that vulnerability could just as easily be exploited remotely on a downloaded file. MW Nonetheless, I'm not disputing what you're saying, it's just not very MW probable on my machine. I'm sure you're right :) MW BTW, the passwords aren't plain text. My mistake, I meant messages :p Cheers, -- Vishal Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
On Sunday, October 26, 2003, Marck D Pearlstone wrote in mid:[EMAIL PROTECTED]: Of course, these are not bugs. They are deliberate design decisions. Anyone running in so insecure an environment to make this so called vulnerability an issue should consider a more expensive solution - like SB or TB Pro. Marck, While I agree in general with your response to the issue, the fact remains that third party access to hard drives is conceivable in any number of innocent situations, most commonly repair scenarios. A minimal change in the configuration--encrypting account passwords--would go a long way toward preserving the current security model of limited account access. -- JN Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
Hello Jurgen, On 27 October 2003, at 10:25:40 +0100 you wrote: JH isn't SecureBat! the Paranoia's choice of email program? I'm not sure that I correct understand what you means but try to ask on this. I think that some people has their some reasons to prevents some information from strange eyes. And choosing of SB! as email program is not a paranoia. As about me. I don't use encrypted disk(s) for storage TB!'s mails and others information because it is not necessary now and I know that nobody don't able to access into my computer (at home). But I believe that at office are very useful utilities for restricting of access to computer. -- Best regards, Vasiliymailto:[EMAIL PROTECTED] Using: * The Bat! 2.01.7 * Windows XP 5.1 Build 2600 * PGP 8.0.3 pgp0.pgp Description: PGP signature Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
On Monday, October 27, 2003, Martin Webster wrote in mid:[EMAIL PROTECTED]: MW Perhaps plain text editors should encrypt data? Ludicrous! And why MW encrypt plain text messages to your hard disk when you send them MW over the Internet without encryption? E-mail (SMTP/POP) is MW inherently insecure. Ummm, no one is talking about encrypting the messages, Martin. That's what SecureBat, disk encryption, or encrypted messages are for. We're talking only about passwords, which pertain not only to existing content but also to one's identity. They are two separate issues. A misused password can wreak boundless havoc for years after the incident. MW As for passwords, doesn't the same apply since most POP servers use plain text MW authentication? No, it doesn't. Security is not a binary choice; there are degrees of need and degrees of security. The possibility of someone snatching a password from regular Internet usage is real, but the probability is low. In any event, (a) most POP servers nowadays probably provide for MD5 authentication, and (b) the user can choose a provider that does provide the required level of authentication. Again, it's a matter of degrees and choice. The problem with an unencrypted password is that it pretty much vitiates any other choices that have been made. MW There's some merit in having the mail folder under Documents and MW Settings (XP) and I guess this could be a future install option. Albeit MW there's nothing stopping you from doing this now. I did it a long time ago. -- JN Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
On Monday, October 27, 2003, Martin Webster wrote in mid:[EMAIL PROTECTED]: MW Surely you would change your password(s) before handing your PC MW to a stranger? And if you can't beforehand, afterwards? Martin, Certainly a good point. I've started using one of those password generators on occasion, because I've about used up all the cute ones I can remember. But now I need a place to store them, since there's no mnemonic to keep them in mind. But, of course, the place to store them needs to be encrypted and passworded, so I need a password for that :-) -- JN Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Some serious security holes in 'The Bat!'
Hi Martin Monday, October 27, 2003, 4:48:28 PM, you wrote: JN They are two separate issues. A misused password can wreak boundless JN havoc for years after the incident. MW You use one password for everything? This issue is completely separate from the one of a misused password. You can have as many as you like, but if you don't change them, then it doesn't make any difference. Any one of them can be compromised and used for years. MW And continue to use it after the possibility of it being compromised? Often, the victim has no idea that he has been compromised. The situation described, where someone other than yourself is reading your email, is exactly one of these. If the attacker merely wants to read your mail without your knowing, and does not change anything, there is no reason for the average user to suspect wrongdoing. And therefore no reason to change his password. Even users who would not typically be considered 'average' grow complacent enough that this occurs often. MW Surely you would change your password(s) before handing your PC to a MW stranger? And if you can't beforehand, afterwards? I'm not sure what your point here is..did I miss something in the discussion? MW Certainly, if you're that concerned about password security you MW shouldn't save it in the first place; it's an option after all. :-) True. MW Still more probable than a complete stranger sitting in front of my PC MW and reeking havoc with his hex editor. (assuming he can log on and MW access my folders) I think someone would notice that! :-) This is actually completely unnecessary if this stranger somehow manages to install a trojan on your machine remotely. Compress it, encrypt it, bind it to an innocuous file type and most antiviruses will not catch it. No need to log on, the program could be made to run with your privileges. No need for a hex editor since he's not modifying anything. Most advanced trojans have impressive capabilities when it comes to downloading and uploading anything from your machine, so he could simply download the message files and .cfg files to his own machine and play in peace :) Hell, if he did want to wreak havoc, he could even fire up the hex editor and look through your downloaded EXEs. All this said, using PGPDisk and not using default installation paths is the way to go if you have reason to anticipate security breaches. Or use SecureBat, which I'll take the other posters' word for, is designed to be more secure. Cheers, -- Vishal Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: : Some serious security holes in 'The Bat!'
Monday, October 27, 2003, 6:28:12 PM, Perry wrote: PN Hi Joseph, PN Monday, October 27, 2003, 8:06:17 PM, you wrote: JN I've started using one of those password generators on occasion, JN because I've about used up all the cute ones I can remember. But JN now I need a place to store them, since there's no mnemonic to JN keep them in mind. PN I've used Counterpane's Password Safe for a long time, and it PN contains a password generator as well. You might want to check it PN out at ... PN http://www.schneier.com/passsafe.html Also their is PINS: http://www.mirekw.com/winfreeware/pins.html This is a SourceForge/Delphi app that uses blowfish to. Seems to be pretty tight. -- Neal Using The Bat! v2.01.7 on Windows 2000 Service Pack 3 Current version is 2.01.3 | Using TBUDL information: http://www.silverstones.com/thebat/TBUDLInfo.html
