On 2006-04-13 17:01:25 +0200, Alexander Foken wrote:
> On 13.04.2006 16:42, Luke Bakken wrote:
> >If you have strings in the executable file, they can be discovered.
>
> They could be encrypted, using something trivial like rot13 or xor, or even
> good encryption algorithms like 3DES, blowfish, etc., and still they can be
> recovered. See below.
That depends. If the program is used interactively, encrypting stored
passwords makes sense. See for example the way Mozilla stores passwords for
web sites. The user enters a master password to decrypt the stored passwords,
which limits attacks to the time he is actually using the program. If someone
gets access to the file with the stored passwords (e.g., by stealing the
computer or a backup) he cannot access the passwords.

If the program is used non-interactively (e.g. a web server), encrypting
stored passwords is useless, because the key has to be stored as well.

Removing passwords and similar sensitive information from the code and
putting them into configuration files still makes a lot of sense:

1) You can publish the source code.

2) You let several of your users use the same scripts and let each of them
   manage their own passwords.

3) It centralizes information in one place - you just have to change one
   config file instead of umpteen scripts.

[...]

> Try strings /proc/self/environ on any linux box.

Not very impressive. That's the environment of the process itself. It can
access that anyway :-).

Try /proc/$pid/environ for a process which you do not own. You cannot read
that unless you are root.

So on linux, putting sensitive data into the environment is about as safe as
putting them into a file.

-- 
   _  | Peter J. Holzer    | If I wanted to be "academically correct",
|_|_) | Sysadmin WSR       | I'd be programming in Java.
| |   | [EMAIL PROTECTED]  | I don't, and I'm not.
__/   | http://www.hjp.at/ |    -- Jesse Erlbaum on dbi-users
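The non-interactive case above ends with the password sitting in a plain config file, so its file permissions are the whole defence. The following is an added example, not code from the thread or from any of its participants: a small loader that reads a `key = value` config file (the format and the file name `db.conf` are assumptions) and refuses to use it when group or other users can read it, or when it is not owned by the calling user. The demo writes two constructed copies of the same file, one mode 0600 and one mode 0644, and shows that only the private one is accepted.

```python
"""Load a password from a config file and refuse files other local users can read.

Added example, not code from the thread; the key=value format and the file
names are assumptions.  Linux/POSIX only (uses os.getuid and file modes).
"""
import os
import stat
import tempfile


class InsecureConfigError(Exception):
    """Raised when the config file could be read or written by other users."""


def check_private(path: str) -> None:
    """Refuse the file unless it is a regular file, owned by us, mode 0600 or stricter."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise InsecureConfigError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureConfigError(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants access to group/others"
        )
    if st.st_uid != os.getuid():
        raise InsecureConfigError(f"{path}: not owned by the current user")


def load_config(path: str) -> dict:
    """Parse simple 'key = value' lines after the permission check passes."""
    check_private(path)
    conf = {}
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"{path}: malformed line {line!r}")
            conf[key.strip()] = value.strip()
    return conf


def write_config(path: str, text: str, mode: int) -> None:
    """Demo helper: create a config file with an explicit mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)  # os.open applies the umask; force the mode we want


def demo():
    """Return (config loaded from the private file, error for the shared copy)."""
    sample = "# constructed sample config\ndb_user = app\ndb_pass = s3cret\n"
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "db.conf")
        write_config(private, sample, 0o600)
        conf = load_config(private)  # accepted: owner-only

        shared = os.path.join(d, "db-shared.conf")
        write_config(shared, sample, 0o644)
        try:
            load_config(shared)  # rejected: world-readable
            err = None
        except InsecureConfigError as e:
            err = str(e)
    return conf, err


if __name__ == "__main__":
    loaded, error = demo()
    print("loaded:", loaded)
    print("rejected:", error)
```

The ownership check matters as much as the mode: a 0600 file owned by a different account is still readable by that account, and rejecting it up front is cheaper than discovering the mistake from the audit log later.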