
Re: Credentials held unencrypted in memory during runtime

From: Dale McCoy <dalestan_at_gmail.com>
Date: Tue, 12 Apr 2011 12:55:48 -0400

On Tue, Apr 12, 2011 at 08:24, John McNamee <jpm_at_microwiz.com> wrote:
> Stefan Küng <tortoisesvn_at_gmail.com> wrote:
>> If your system is configured so that users actually can open and
>> read the paging file you don't need to worry about security issues
>> anymore. Because you don't have any security at all and therefore
>> can't have any issues with it. Can't have an issue with something that
>> doesn't exist.
>
> The issue is not what happens while the OS is running.  Proper configuration
> should prevent any information leaks, and improper configuration means you've
> already lost.
>
> The problem is what happens if an attacker can examine the disk while the OS
> is offline.  There have been too many examples of laptops being lost/stolen
> with sensitive data on them to dismiss this scenario.

I'd say this is another case of improper configuration. If any
non-root user can read your pagefile, regardless of the circumstances,
then you have no security.
If this is a problem, then you need to either prevent physical access
to the hardware or apply a configuration that prevents root privileges
from being acquired even with the benefit of physical access. Or both.

Dale McCoy

------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719142

Received on 2011-04-12 18:55:56 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.