On 12 April 2011 18:30, Stefan Küng <tortoisesvn_at_gmail.com> wrote:
> On 12.04.2011 19:25, Simon Large wrote:
> > On 12 April 2011 17:55, Dale McCoy<dalestan_at_gmail.com> wrote:
> >> On Tue, Apr 12, 2011 at 08:24, John McNamee<jpm_at_microwiz.com> wrote:
> >>> Stefan Küng<tortoisesvn_at_gmail.com> wrote:
> >>>> If your system is configured so that users actually can open and
> >>>> read the paging file you don't need to worry about security issues
> >>>> anymore. Because you don't have any security at all and therefore
> >>>> can't have any issues with it. Can't have an issue with something that
> >>>> doesn't exist.
> >>>
> >>> The issue is not what happens while the OS is running. Proper configuration
> >>> should prevent any information leaks, and improper configuration means you've
> >>> already lost.
> >>>
> >>> The problem is what happens if an attacker can examine the disk while the OS
> >>> is offline. There have been too many examples of laptops being lost/stolen
> >>> with sensitive data on them to dismiss this scenario.
> >>
> >> I'd say this is another case of improper configuration. If any
> >> non-root user can read your pagefile, regardless of the circumstances,
> >> then you have no security.
> >> If this is a problem, then you need to either prevent physical access
> >> to the hardware or apply a configuration that prevents root privileges
> >> from being acquired even with the benefit of physical access. Or both.
> >
> > This is not talking about normal OS consumers being able to read the
> > page file. If you boot from CD into Linux and look at the drive as a
> > raw device you can see its content. No OS can protect you from that.
>
> And no normal process can prevent that its memory can be stored in the
> page file.
> But let's be serious: if you can boot the computer with another OS, all
> your data is not protected anymore anyway. Basically, in such a
> situation you don't own your PC anymore.
The OP was able to search for his password in the process memory because he
knew what it was, and therefore what to search for. If I set my own password
to something industrial-strength chosen from arbitrary characters, and sent
you my process dump or page file, would you be able to find it just as
easily without knowing what it was?
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719161
Received on 2011-04-12 19:40:53 CEST