[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Credentials held unencrypted in memory during runtime

From: Simon Large <simon.tortoisesvn_at_gmail.com>
Date: Tue, 12 Apr 2011 18:25:33 +0100

On 12 April 2011 17:55, Dale McCoy <dalestan_at_gmail.com> wrote:
> On Tue, Apr 12, 2011 at 08:24, John McNamee <jpm_at_microwiz.com> wrote:
>> Stefan Küng <tortoisesvn_at_gmail.com> wrote:
>>> If you're system is configured so that users actually can open and
>>> read the paging file you don't need to worry about security issues
>>> anymore. Because you don't have any security at all and therefore
>>> can't have any issues with it. Can't have an issue with something that
>>> doesn't exist.
>>
>> The issue is not what happens while the OS is running.  Proper configuration
>> should prevent any information leaks, and improper configuration means you've
>> already lost.
>>
>> The problem is what happens if an attacker can examine the disk while the OS
>> is offline.  There have been too many examples of laptops being lost/stolen
>> with sensitive data on them to dismiss this scenario.
>
> I'd say this is another case of improper configuration. If any
> non-root user can read your pagefile, regardless of the circumstances,
> then you have no security.
> If this is a problem, then you need to either prevent physical access
> to the hardware or apply a configuration that prevents root privileges
> from being acquired even with the benefit of physical access. Or both.

This is not talking about normal OS consumers being able to read the
page file. If you boot from CD into Linux and look at the drive as a
raw device you can see its content. No OS can protect you from that.

Simon

-- 
:       ___
:  oo  // \\      "De Chelonian Mobile"
: (_,\/ \_/ \     TortoiseSVN
:   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
:   /_/   \_\     http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719153
To unsubscribe from this discussion, e-mail: [users-unsubscribe_at_tortoisesvn.tigris.org].
Received on 2011-04-12 19:25:35 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.