Itay Duvdevani wrote:

Since the source code is available to everyone, I conclude my
passwords can be easily deciphered by anyone who has access to the
code.

As any experienced software cracker will tell you, not having the code doesn't make it all that harder to figure out the ciphering method. With enough experience, one simply sees through the machine language, and - of course - tools such as IDA really help. If you need proof, just look at the number of keygens being made...

Encryption method is known, and so is the encryption key (whether in
the source code or anywhere on my hard drive).

Reminds me of the way the first "DeCSS" (decrypting DVD video) was done. The encryption key was extracted from Xing's DVD Player (non-open-source) software.

My questions are these:
1. Is it so? Is stealing passwords from these applications as
possible as I see it?

Yes, but ...

2. If I wanted to build a password manager of this sort, and release
it under the GPL, could I choose *not* to release the encryption key
as part of the source code, and keep it hidden and secret from the
world, or this would prevent me from releasing it under the GPL (or
any other free license)? If it will, how can I build a secure FS
application of this sort? Any ideas?

Have you noticed that most of those programs offer to protect your personal data with a passphrase? When you choose to use a passphrase, it's using an industry-grade encryption method (the same kind of method that is used in SSL etc.) and the decryption key (= passphrase) is known only to you, so having the source code doesn't help the thief.


When you first use the Firefox password manager, it offers to protect your personal information with a Master Password (= passphrase). If you wish to enable this at a later time, use:

Edit | Preferences | Privacy | Saved Passwords | Set Master Password.



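To make the distinction in the reply concrete, here is an added example (written for this page, not code from the thread or from Firefox) contrasting the two designs Itay asks about: a vault sealed with a key that sits in the source, and a vault sealed with a key derived from the user's passphrase. It uses only the Python standard library, so an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for the AES-class ciphers a real password manager (or SSL) would use; the key bytes, record and PBKDF2 work factor are constructed values.

```python
"""Source availability vs. passphrase protection, as a worked example.

Scheme A keeps the key in the code: anyone who reads the source (or
disassembles the binary) can open every vault. Scheme B derives the key
from the user's passphrase with PBKDF2, so the source and the stored vault
together are useless without the passphrase.
"""
import hashlib
import hmac
import os

# Scheme A: the secret everyone with the code already has (constructed value).
HARDCODED_KEY = b"constructed-example-key-do-not-use"

# PBKDF2 work factor (constructed; tune for the target hardware).
PBKDF2_ROUNDS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter), truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> dict:
    """XOR with the keystream, then authenticate nonce||ciphertext (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def _open(enc_key: bytes, mac_key: bytes, box: dict) -> bytes:
    """Verify the tag in constant time before decrypting; reject on mismatch."""
    expected = hmac.new(mac_key, box["nonce"] + box["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, box["tag"]):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(box["ct"], _keystream(enc_key, box["nonce"], len(box["ct"]))))


def _split(master: bytes):
    """64 bytes of key material -> (encryption key, MAC key)."""
    return master[:32], master[32:]


# --- Scheme A: key embedded in the program -----------------------------------
def encrypt_hardcoded(plaintext: bytes) -> dict:
    return _seal(*_split(hashlib.sha512(HARDCODED_KEY).digest()), plaintext)


def decrypt_hardcoded(box: dict) -> bytes:
    # Needs nothing from the user: the source code alone is enough.
    return _open(*_split(hashlib.sha512(HARDCODED_KEY).digest()), box)


# --- Scheme B: key derived from the user's passphrase ------------------------
def derive_keys(passphrase: str, salt: bytes):
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return _split(master)


def encrypt_with_passphrase(passphrase: str, plaintext: bytes) -> dict:
    salt = os.urandom(16)
    box = _seal(*derive_keys(passphrase, salt), plaintext)
    box["salt"] = salt  # stored in the clear; the salt is not a secret
    return box


def decrypt_with_passphrase(passphrase: str, box: dict) -> bytes:
    return _open(*derive_keys(passphrase, box["salt"]), box)


def readable_from_source_alone(box: dict) -> bool:
    """Can someone holding the code and the stored vault, but no passphrase, open it?"""
    try:
        decrypt_hardcoded(box)  # succeeds for scheme A: the key is in the code
        return True
    except ValueError:
        return False  # scheme B: the tag check rejects the wrong key


if __name__ == "__main__":
    record = b"site=example.test user=alice pw=hunter2"  # constructed sample entry
    vault_a = encrypt_hardcoded(record)
    vault_b = encrypt_with_passphrase("correct horse battery staple", record)
    print("hardcoded-key vault opens with the source alone:", readable_from_source_alone(vault_a))
    print("passphrase vault opens with the source alone:   ", readable_from_source_alone(vault_b))
    print("owner with passphrase recovers the record:      ",
          decrypt_with_passphrase("correct horse battery staple", vault_b) == record)
```

The point the reply makes falls out of `readable_from_source_alone`: the same code opens scheme A's vault and fails on scheme B's, because in scheme B the only secret is the passphrase, which never appears in the source or on disk. A GPL'd manager therefore has nothing to hide; its strength rests on the passphrase and the work factor, not on the key being unpublished.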