
Re: Credentials held unencrypted in memory during runtime

From: Stefan Küng <tortoisesvn_at_gmail.com>
Date: Wed, 13 Apr 2011 08:14:44 +0200

On Wed, Apr 13, 2011 at 07:41, Andrew <agaspar_at_odecee.com.au> wrote:
> Hi
> The organisation that I am currently working for has also found this security issue, and being a financial organisation we are considering not allowing our developers to use TortoiseSVN.

Please use another client then.

And let me point out: as a financial organization, you should have a
better understanding of security.
As I mentioned repeatedly: if an attacker can execute code on your
machines, your security is gone, does not exist anymore.

Do you understand that? Please try to understand my last sentence:
your security is gone, does not exist anymore.
Your computer isn't yours anymore, it already belongs to the attacker.
Including all your data on your computer. That includes all data from
the repository since you have a working copy of it. This also includes
all your saved web passwords and cookies. The attacker has already
installed a keylogger (takes a few milliseconds) and monitors your every
move, has access to all your protected websites, is already inside
your LAN and therefore has access to your servers, ...

If your "security" rules let it happen that an attacker can execute
code but then require normal processes to protect themselves against
that, IMHO you shouldn't be allowed to touch any money at all. Then
your organization is the security issue, not TSVN.

So go ahead, use another client. Please!
Make sure the client is not open source, otherwise your requirement
for obscurity can't be met.

This will be my last post to this thread. I think I explained in
detail why this is not a security issue at all. Those of you who just
don't want to understand this and rely on obscurity instead of
security, keep posting if you want - I'll ignore this thread from now


  oo  // \\      "De Chelonian Mobile"
 (_,\/ \_/ \     TortoiseSVN
   \ \_/_\_/>    The coolest Interface to (Sub)Version Control
   /_/   \_\     http://tortoisesvn.net
Received on 2011-04-13 08:15:11 CEST

This is an archived mail posted to the TortoiseSVN Users mailing list.