Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-09-01 Thread Travis H.

On 9/1/06, Andrew C Burnette <[EMAIL PROTECTED]> wrote:

> Yes, short answer is, if you can't trust your filesystem (or more
> directly the OS with access to it), you've already been owned, and the
> train has already left the station.


Well, there is a class of vulnerabilities which grant read access to
[any] file(s), but in general, the game is over by that time.


> If it's that secret (read NSA guidelines on security as they're actually
> not half bad),


Link:
http://www.nsa.gov/snac/

Note they only have security guides for commercial OSes.

If anyone is inclined, send their PR or public relations office a
thank-you note for developing stuff for open-source OSes.  They took a
tongue-lashing from MS over SELinux, and are careful to state that they
aren't endorsing one vendor over another, etc.  Let them know that
open-source allows the maximum benefit from their research and
development because others can study the implementation easily.
--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-09-01 Thread Andrew C Burnette
Yes, short answer is, if you can't trust your filesystem (or more
directly the OS with access to it), you've already been owned, and the
train has already left the station.

If it's that secret (read NSA guidelines on security as they're actually
not half bad), then you need another factor (physical and knowledge)
to add into the mix.  And that's not possible to automate, no matter
what Tom Cruise does in Mission Impossible :-)

Have a nice weekend.
andy

Travis H. wrote:
> On 8/29/06, DarkFoon <[EMAIL PROTECTED]> wrote:
>> I was looking through my XML configuration recently, and I noticed
>> that my Dynamic DNS password is not encrypted like the PFsense
>> password is.
>> It seems to me that this is a rather important password and should be
>> encrypted (if possible).
> 
> This is also true of other programs, such as gaim.
> Your IM passwords are stored in plaintext, for the same reasons.
> The best way to deal with this is to make your home directory encrypted,
> but that rules out unattended mounting almost by definition.
> Take a look at truecrypt for one cross-platform open-source tool
> that supports steganography as well.
> 
> Another way to deal with it would be to use something like a keychain
> program (similar to ssh-agent) to give the daemon the key, or to get it
> from another machine (if you wish to have unattended boots with /home
> mounted).  Of course if you're worried about power outages, you will
> want to UPS that other machine, and/or have a generator with automatic
> switchover from the grid.  One advantage of natural gas generators is
> not having to be there to refill it with fuel.


Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-08-31 Thread Travis H.

On 8/29/06, DarkFoon <[EMAIL PROTECTED]> wrote:

> I was looking through my XML configuration recently, and I noticed that my
> Dynamic DNS password is not encrypted like the PFsense password is.
> It seems to me that this is a rather important password and should be
> encrypted (if possible).


This is also true of other programs, such as gaim.
Your IM passwords are stored in plaintext, for the same reasons.
The best way to deal with this is to make your home directory encrypted,
but that rules out unattended mounting almost by definition.
Take a look at truecrypt for one cross-platform open-source tool
that supports steganography as well.

Another way to deal with it would be to use something like a keychain program
(similar to ssh-agent) to give the daemon the key, or to get it from another
machine (if you wish to have unattended boots with /home mounted).  Of
course if you're worried about power outages, you will want to UPS
that other machine, and/or have a generator with automatic switchover
from the grid.  One advantage of natural gas generators is not having
to be there to refill it with fuel.
--
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484


Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-08-29 Thread DarkFoon
I see,
thank you for the clarification.


- Original Message - 
From: "Scott Ullrich" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, August 29, 2006 7:59 AM
Subject: Re: [pfSense-discussion] Dynamic DNS - no password encryption


> On 8/29/06, DarkFoon <[EMAIL PROTECTED]> wrote:
> > I was looking through my XML configuration recently, and I noticed that my
> > Dynamic DNS password is not encrypted like the PFsense password is.
> > It seems to me that this is a rather important password and should be
> > encrypted (if possible).
>
> http://faq.pfsense.com/index.php?action=artikel&cat=1&id=37&artlang=en&highlight=encrypted
>
> Refer to mailing list history for juicy flame wars.  We are not going
> there again.
>
>



Re: [pfSense-discussion] Dynamic DNS - no password encryption

2006-08-29 Thread Scott Ullrich

On 8/29/06, DarkFoon <[EMAIL PROTECTED]> wrote:

> I was looking through my XML configuration recently, and I noticed that my
> Dynamic DNS password is not encrypted like the PFsense password is.
> It seems to me that this is a rather important password and should be
> encrypted (if possible).


http://faq.pfsense.com/index.php?action=artikel&cat=1&id=37&artlang=en&highlight=encrypted

Refer to mailing list history for juicy flame wars.  We are not going
there again.


[pfSense-discussion] Dynamic DNS - no password encryption

2006-08-29 Thread DarkFoon



I was looking through my XML configuration recently, and I noticed that my
Dynamic DNS password is not encrypted like the PFsense password is.
It seems to me that this is a rather important password and should be
encrypted (if possible).