OSEC

From: Craig Boston (craigAEVRF.GANK.ORG)
Date: Tue Apr 03 2001 - 18:09:53 CDT


    Pulling from a couple different messages here...

    > Last time I checked, POP passwords were clear text
    > anyway. Clear text in --> Clear text out. Not sure
    > about ICQ passwords, but I gather they're the
    > same. Not sure what kind of magic you're looking
    > for.

    While I agree with the POP3 statement, this does bring to mind a situation
    where this might be a problem. If you are using the SSL capabilities of a
    mail program, your password is no longer sent in the clear; however, it might
    still show up in clear text in the crash dump.

    > It totally depends on how the process stores it in memory.
    > Even then, protocols that need plaintext passwords are
    > always vulnerable to this; if you encrypt the password
    > in memory, you mostly have every other detail which
    > you need to decrypt it again in memory too. Still, this
    > is not a bug and is not ICQ-specific. Like always:
    > coredumps should be set mode 600 and root processes
    > should not ever dump core. This is Dr. Watson's problem.

    Agreed, the problem is not really ICQ's fault, and IMHO I don't consider an
    ICQ password to be of critical importance. I guess this could be a problem
    if you had multiple users who were semi-trusted by an administrator but did
    not trust each other. As always, if you have untrusted users logging into
    an NT box, or any box for that matter, you NEED to meticulously check
    permissions on EVERYTHING. That may seem obvious for some, but I'll bet
    there are a lot of newbie admins out there (especially with NT) who expect
    things to be secure out of the box and need a reality check.

    Anything that needs a password to be REALLY secure, PGP for example, needs
    to take extra precautions anyway, such as locking pages to make sure they
    are never swapped to disk and readable in the swap space (getting stuff out
    of swap usually requires physical access though). I'm not sure if Dr.
    Watson dumps locked pages, though with NT4 I think it may require a kernel
    driver to pull off; so it would probably be considered kernel space rather
    than user space and not dumped. The best solution is to just use system or
    group policies to get rid of Dr. Watson altogether. It doesn't really
    provide any useful information and the crash files just take up disk
    space...

    Craig

    Usual disclaimer: This is my opinion, given free of charge. If you
    disagree, you can return it for a full refund.