
Re: plaintext passwords - my 0.02c

From: Saulius Grazulis <grazulis_at_akl.lt>
Date: 2006-07-19 12:45:06 CEST

Hi all,

On Wednesday 19 July 2006 08:08, Stuart Celarier wrote:

> 1. Trust the OS to protect the data...

I cannot help but point out one serious flaw in the above argument, a flaw
which was strangely never pointed out in the previous discussions:

the data are not always under the protection of your OS, even if that OS is
bullet-proof. Anyone gaining physical access to the disk or its copies
(backups) will be able to retrieve the stored information, bypassing OS
authentication, protection of the directories and so on.

Just think:

a) do we always carefully erase the HD before giving the computer to service
people? (most probably not; personally I do not have time to reinstall the
system each time, nor do my colleagues.)

b) are we sure there are no old HDs (with bad sectors, unreliable, but still
readable) somewhere on the shelf, or even worse, in a recycling container?
(most probably we are not sure unless we are a military site)

c) are we sure all physical backup copies have the same level of authorisation
and protection as set on the original password directory? (I bet they are
stored in a cupboard, good if locked).

e) are we sure that all old backup tapes and CDs are properly destroyed and
not simply disposed of in the hardware recycling container? (ehhh... I usually
break backup CDs in pieces before throwing them away, but I am not sure many
people do so -- they are pretty hard, those plastic coasters. And I have not
yet seen a CD shredder in operation ;)).

f) are we sure nobody just took the disk, or one of the mirror RAID disks, out
of the workstation, replacing it with a new one? Some disks are even
hot-swappable -- can be done in seconds... ;)

Plain passwords on a disk make all the above-mentioned possibilities an easy
method for an attack to gain passwords -- sometimes much easier and stealthier
than actually breaking into an OS.

If a Subversion password ever coincides with a login password (which should
never happen for plain text passwords, but I bet many people do it for
convenience or just without knowing the situation), an account with such a
password (and its owner;) may be in trouble.

Good encryption of the passwords on the disk greatly diminishes the risk of
such attacks in all the above-mentioned cases.

It is really great that the Subversion team addresses the problem, but I too agree
with Stuart that the FAQ exposes Subversion in an unfavorable light.

Regards,

-- 
Saulius Gražulis
Visuomeninė organizacija "Atviras Kodas Lietuvai"
P.Vileišio g. 18
LT-10306 Vilnius
Lietuva (Lithuania)
tel/fax:      (+370-5)-210 40 05
mobilus:      (+370-684)-49802, (+370-614)-36366

Received on Wed Jul 19 12:44:35 2006

This is an archived mail posted to the Subversion Users mailing list.