On 12 April 2011 18:30, Stefan Küng <tortoisesvn_at_gmail.com> wrote:
> On 12.04.2011 19:25, Simon Large wrote:
>> On 12 April 2011 17:55, Dale McCoy<dalestan_at_gmail.com> wrote:
>>> On Tue, Apr 12, 2011 at 08:24, John McNamee<jpm_at_microwiz.com> wrote:
>>>> Stefan Küng<tortoisesvn_at_gmail.com> wrote:
>>>>> If your system is configured so that users actually can open and
>>>>> read the paging file you don't need to worry about security issues
>>>>> anymore. Because you don't have any security at all and therefore
>>>>> can't have any issues with it. Can't have an issue with something that
>>>>> doesn't exist.
>>>>
>>>> The issue is not what happens while the OS is running. Proper configuration
>>>> should prevent any information leaks, and improper configuration means you've
>>>> already lost.
>>>>
>>>> The problem is what happens if an attacker can examine the disk while the OS
>>>> is offline. There have been too many examples of laptops being lost/stolen
>>>> with sensitive data on them to dismiss this scenario.
>>>
>>> I'd say this is another case of improper configuration. If any
>>> non-root user can read your pagefile, regardless of the circumstances,
>>> then you have no security.
>>> If this is a problem, then you need to either prevent physical access
>>> to the hardware or apply a configuration that prevents root privileges
>>> from being acquired even with the benefit of physical access. Or both.
>>
>> This is not talking about normal OS consumers being able to read the
>> page file. If you boot from CD into Linux and look at the drive as a
>> raw device you can see its content. No OS can protect you from that.
>
> And no normal process can prevent its memory from being stored in the
> page file.
> But let's be serious: if you can boot the computer with another OS, all
> your data is not protected anymore anyway. Basically, in such a
> situation you don't own your PC anymore.
And that is exactly the point. For sensitive information you would
always choose not to cache the auth data at all. I'm assuming you
never allow a browser to cache your bank password. If someone steals
my PC I am relying on the fact that they will never find my bank
password because it isn't there, not because I have encrypted it or
hidden it.
Simon
--
: ___
: oo // \\ "De Chelonian Mobile"
: (_,\/ \_/ \ TortoiseSVN
: \ \_/_\_/> The coolest Interface to (Sub)Version Control
: /_/ \_\ http://tortoisesvn.net
------------------------------------------------------
http://tortoisesvn.tigris.org/ds/viewMessage.do?dsForumId=4061&dsMessageId=2719362
Received on 2011-04-13 10:58:16 CEST