On 15 April 2011 10:13, Daniel Klima <danklima_at_gmail.com> wrote:
>> 15.04.11, 01:07, "Daniel Klima" <danklima at gmail dot com>:
>> > Dmitry,
>> > could you please read Raymond Chen's blog (http://blogs.msdn.com/b/oldnewthing/) and especially series about "on the other side of this airtight hatchway".
>> > What you want is not what you get. You won't get security,just obfusction and considering it would be already running on same privlege level as is user's => other and more easier ways to get info you want. And obfuscation and opensource doesn't go well together anyway.
>> Okay, I agree to admit that erasing the buffers once they are no longer needed is not Security, but it's Obfuscation and let's only use the word "obfuscation" hereinafter. You're completely right when you say the program doesn't become more secure in classic sense, but still breaking it becomes slightly harder.
>> What I was trying to say it makes no sense to store the credentials in encrypted form when they've been previously manipulated using a class like CString because CString won't erase itself and therefore you will have one encrypted copy and numerous unencrypted copies of the credentials. This has nothing to do with security, but that's obfuscation done wrong.
>> Bets wishes.
> You seem to be confused.
I don't think so. He never mentioned the hard drive, this is purely
about in-memory storage.
> File with passwords on hardrive has to be encrypted as it is longterm storage. THIS IS NOT AN OBFUSCATION BUT BASIC SECURITY MEASURE - you can gain access to hdd even offline and read any arbitrary sector,but access to process memory only as correct user with Debug priviledge or higher.
> RAM enc is obfuscation,enc of file on drive is not.
> Is that clear?
Yes we know all that. You have jumped into the middle of a (long and
acrimonious) discussion without reading the background, which is here:
This is only about obfuscating RAM content, not disk storage which is
: oo // \\ "De Chelonian Mobile"
: (_,\/ \_/ \ TortoiseSVN
: \ \_/_\_/> The coolest Interface to (Sub)Version Control
: /_/ \_\ http://tortoisesvn.net
To unsubscribe from this discussion, e-mail: [dev-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2011-04-15 11:51:36 CEST