| View previous topic :: View next topic |
| Author |
Message |
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3182
|
 Posted: Sat Dec 28, 2013 10:14 am Post subject: oh no! wifi passwordsare stored in plain text! |
 |
|
http://www.itworld.com/open-source/397843/did-ubuntu-goof-storing-wi-fi-passwords-clear-text
That is so incredibly bad! Now we need a pass-me-the-word-kit (pmtwkit) that will securely store our wifi passwords using 16384 bit one-way encryption. This will be futuristic kit using which networkmanager will be able to query for the password using dbus and pmtwkit will return you the password via dbus.
However, there is just one problem. All these low level wpa_supplicant, dhcpcd do not understand dbus and so do not fit this model. Dbus-aware networking component should be integrated with systemd to efficiently and transparently talk over dbus with networkmanager. After these changes wpa_supplicant, dhcp clients, etc will not be supported anymore. In the far future, we in fact need to merge nm into systemd so that there is no need to even use dbus. At that point we can deprecate pmtwkit.
_________________
emerge --quiet redefined | E17 vids: I, II |
|
| Back to top |
|
 |
Muso
l33t
Joined: 22 Oct 2002
Posts: 655
Location: The Holy city of Honolulu
|
| Posted: Sat Dec 28, 2013 10:18 am Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | | That is so incredibly bad! |
Beyond bad, it's stupid.
_________________
“If the words 'life, liberty, and the pursuit of happiness" don't include the right to experiment with your own consciousness, then the Declaration of Independence isn't worth the hemp it was written on.” ~ T. McKenna |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1553
Location: U.S.A.
|
| Posted: Sat Dec 28, 2013 1:12 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | http://www.itworld.com/open-source/397843/did-ubuntu-goof-storing-wi-fi-passwords-clear-text
That is so incredibly bad! Now we need a pass-me-the-word-kit (pmtwkit) that will securely store our wifi passwords using 16384 bit one-way encryption. This will be futuristic kit using which networkmanager will be able to query for the password using dbus and pmtwkit will return you the password via dbus.
However, there is just one problem. All these low level wpa_supplicant, dhcpcd do not understand dbus and so do not fit this model. Dbus-aware networking component should be integrated with systemd to efficiently and transparently talk over dbus with networkmanager. After these changes wpa_supplicant, dhcp clients, etc will not be supported anymore. In the far future, we in fact need to merge nm into systemd so that there is no need to even use dbus. At that point we can deprecate pmtwkit. |
What is sad is that this is frighteningly close to the truth. It makes me want to bang my head on the table. |
|
| Back to top |
|
|
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3182
|
| Posted: Sat Dec 28, 2013 1:57 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| BoneKracker wrote: | | What is sad is that this is frighteningly close to the truth. It makes me want to bang my head on the table. |
It's a reflection of the past projected on to the future. 
_________________
emerge --quiet redefined | E17 vids: I, II |
|
| Back to top |
|
|
salahx
Guru
Joined: 12 Mar 2005
Posts: 368
|
| Posted: Sat Dec 28, 2013 8:43 pm Post subject: |
|
|
The files (though not the directory itself) /etc/NetworkManager/system-connection has permissions of 600, so only root can read them anyway. So this is a non-concern.
Second, pmtwkit already exists (although i am unsure if its been implemented or not) - http://freedesktop.org/wiki/Specifications/secret-storage-spec/ . Although that service is a per-user service, it would make less sense to create a system one since the user keyring are encrypted using the user's password, no such password exists (unless the system has a TPM or similar) on the system so it no better than what's already being done now. |
|
| Back to top |
|
|
wswartzendruber
Veteran
Joined: 23 Mar 2004
Posts: 1217
Location: Jefferson, USA
|
| Posted: Sat Dec 28, 2013 8:53 pm Post subject: |
|
|
| I'm also trying to understand what the big deal is. |
|
| Back to top |
|
|
pjp
Administrator
Joined: 16 Apr 2002
Posts: 16090
Location: Colorado
|
| Posted: Sat Dec 28, 2013 11:43 pm Post subject: Re: oh no! wifi passwordsare stored in plain text! |
|
|
| ppurka wrote: | | Now we need [...] However, there is just one problem. All these [...] do not fit this model. |
systemd.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.
In Loving Memory
1787 - 2008 |
|
| Back to top |
|
|
Greens
n00b
Joined: 23 Aug 2013
Posts: 25
|
| Posted: Sun Dec 29, 2013 3:58 pm Post subject: |
|
|
It actually requires root access to read it.
If someone suspicious has root access to your computer or is sitting there booting a livecd to look at your unencrypted disk, I don't think they care much about your wifi password, maybe they'd check it to see if your using it for anything else. |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1553
Location: U.S.A.
|
| Posted: Sun Dec 29, 2013 8:28 pm Post subject: |
|
|
| Yeah, fuck it. |
|
| Back to top |
|
|
Naib
Advocate
Joined: 21 May 2004
Posts: 4076
Location: Removed by Neddy
|
| Posted: Sun Dec 29, 2013 8:55 pm Post subject: |
|
|
| Greens wrote: | It actually requires root access to read it.
If someone suspicious has root access to your computer or is sitting there booting a livecd to look at your unencrypted disk, I don't think they care much about your wifi password, maybe they'd check it to see if your using it for anything else. |
exactly... as wswartzendruber posted as well...
thats why I don't mind my samba credential files are "plain text" since they are 600 anyway...
for them to read that and my wifi files... some srs issues must have occured. Nice if they were encrypted BUT if non-root users or non-root process do not need to read them then ... its a problem for another day rather than feeding the sysd monster pushing into the linux userland.
_________________
A free press is the unsleeping guardian of every other right that free men prize; it is the most dangerous foe of tyranny. Where men have the habit of liberty, the Press will continue to be the vigilant guardian of the rights of the ordinary citizen. |
|
| Back to top |
|
|
Bones McCracker
Veteran
Joined: 14 Mar 2006
Posts: 1553
Location: U.S.A.
|
| Posted: Sun Dec 29, 2013 9:35 pm Post subject: |
|
|
| Yeah, that's all the security anybody needs: root access or no root access. |
|
| Back to top |
|
|
ppurka
Advocate
Joined: 26 Dec 2004
Posts: 3182
|
| Posted: Mon Dec 30, 2013 7:14 am Post subject: |
|
|
I guess the ubuntu guys panic because of the bad way sudo is (mis)configured in their systems - any command can be run with sudo, and once credentials are provided, the user remains authenticated for about 15 or so minutes.
Ideally, they either should enable sudo only for some very specific applications by default (package manager, system settings like time, etc), OR they should simply not enable sudo with a timeout. Ask for the user password every single time one needs to access anything using sudo.
_________________
emerge --quiet redefined | E17 vids: I, II |
|
| Back to top |
|
|
|
Off the Wall
