Gentoo Forums
oh no! wifi passwords are stored in plain text!
ppurka
Advocate

Joined: 26 Dec 2004
Posts: 3182

Posted: Sat Dec 28, 2013 10:14 am    Post subject: oh no! wifi passwords are stored in plain text!

http://www.itworld.com/open-source/397843/did-ubuntu-goof-storing-wi-fi-passwords-clear-text

That is so incredibly bad! Now we need a pass-me-the-word-kit (pmtwkit) that will securely store our wifi passwords using 16384 bit one-way encryption. This will be futuristic kit using which networkmanager will be able to query for the password using dbus and pmtwkit will return you the password via dbus.

However, there is just one problem. All these low level wpa_supplicant, dhcpcd do not understand dbus and so do not fit this model. Dbus-aware networking component should be integrated with systemd to efficiently and transparently talk over dbus with networkmanager. After these changes wpa_supplicant, dhcp clients, etc will not be supported anymore. In the far future, we in fact need to merge nm into systemd so that there is no need to even use dbus. At that point we can deprecate pmtwkit.
_________________
emerge --quiet redefined | E17 vids: I, II

Muso
l33t

Joined: 22 Oct 2002
Posts: 655
Location: The Holy city of Honolulu

Posted: Sat Dec 28, 2013 10:18 am    Post subject: Re: oh no! wifi passwords are stored in plain text!

ppurka wrote:
That is so incredibly bad!


Beyond bad, it's stupid.
_________________
“If the words 'life, liberty, and the pursuit of happiness' don't include the right to experiment with your own consciousness, then the Declaration of Independence isn't worth the hemp it was written on.” ~ T. McKenna

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1553
Location: U.S.A.

Posted: Sat Dec 28, 2013 1:12 pm    Post subject: Re: oh no! wifi passwords are stored in plain text!

ppurka wrote:
http://www.itworld.com/open-source/397843/did-ubuntu-goof-storing-wi-fi-passwords-clear-text

That is so incredibly bad! Now we need a pass-me-the-word-kit (pmtwkit) that will securely store our wifi passwords using 16384 bit one-way encryption. This will be futuristic kit using which networkmanager will be able to query for the password using dbus and pmtwkit will return you the password via dbus.

However, there is just one problem. All these low level wpa_supplicant, dhcpcd do not understand dbus and so do not fit this model. Dbus-aware networking component should be integrated with systemd to efficiently and transparently talk over dbus with networkmanager. After these changes wpa_supplicant, dhcp clients, etc will not be supported anymore. In the far future, we in fact need to merge nm into systemd so that there is no need to even use dbus. At that point we can deprecate pmtwkit.

What is sad is that this is frighteningly close to the truth. It makes me want to bang my head on the table.

ppurka
Advocate

Joined: 26 Dec 2004
Posts: 3182

Posted: Sat Dec 28, 2013 1:57 pm    Post subject: Re: oh no! wifi passwords are stored in plain text!

BoneKracker wrote:
What is sad is that this is frighteningly close to the truth. It makes me want to bang my head on the table.
It's a reflection of the past projected on to the future. :P
_________________
emerge --quiet redefined | E17 vids: I, II

salahx
Guru

Joined: 12 Mar 2005
Posts: 368

Posted: Sat Dec 28, 2013 8:43 pm

The files (though not the directory itself) /etc/NetworkManager/system-connection has permissions of 600, so only root can read them anyway. So this is a non-concern.

Second, pmtwkit already exists (although I am unsure if it's been implemented or not) - http://freedesktop.org/wiki/Specifications/secret-storage-spec/ . Although that service is a per-user service, it would make less sense to create a system one since the user keyrings are encrypted using the user's password, no such password exists (unless the system has a TPM or similar) on the system so it's no better than what's already being done now.
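
The claim above, that the connection files are mode 600 and readable only by root, can be checked rather than assumed. The shell function below is an added example, not part of salahx's post or of NetworkManager; it assumes GNU find and stat, takes the keyfile directory and the expected owner as arguments, and runs here on a constructed sample directory.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory of connection files.
# Assumes GNU find and stat. The sample files below are constructed.

# audit_keyfiles DIR [OWNER]
#   INSECURE <mode> <owner> <file>  any group/other bit set, or wrong owner
#   PSK <file>                      file holds a cleartext psk= line
audit_keyfiles() {
    dir=$1
    owner=${2:-root}
    find "$dir" -maxdepth 1 -type f \( -perm /077 -o ! -user "$owner" \) \
        -exec stat -c 'INSECURE %a %U %n' {} +
    # List file names only; the key itself is never printed.
    grep -l -E '^[[:space:]]*psk=' "$dir"/* 2>/dev/null | sed 's/^/PSK /'
    return 0
}

# Constructed sample: one private file with a PSK, one world-readable file.
sample=$(mktemp -d)
printf '[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-example\n' > "$sample/home"
printf '[connection]\nid=cafe\n' > "$sample/cafe"
chmod 600 "$sample/home"
chmod 644 "$sample/cafe"

# Owner is the current uid here so the sample runs unprivileged;
# on a real system the expected owner is root (the default).
audit_keyfiles "$sample" "$(id -u)"
```

A `PSK` line without a matching `INSECURE` line is the state the post describes: the key is in clear text, but only the file's owner can read it.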

wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1217
Location: Jefferson, USA

Posted: Sat Dec 28, 2013 8:53 pm

I'm also trying to understand what the big deal is.

pjp
Administrator

Joined: 16 Apr 2002
Posts: 16090
Location: Colorado

Posted: Sat Dec 28, 2013 11:43 pm    Post subject: Re: oh no! wifi passwords are stored in plain text!

ppurka wrote:
Now we need [...] However, there is just one problem. All these [...] do not fit this model.
systemd.
_________________
lolgov. 'cause where we're going, you don't have civil liberties.

In Loving Memory
1787 - 2008

Greens
n00b

Joined: 23 Aug 2013
Posts: 25

Posted: Sun Dec 29, 2013 3:58 pm

It actually requires root access to read it.

If someone suspicious has root access to your computer or is sitting there booting a livecd to look at your unencrypted disk, I don't think they care much about your wifi password, maybe they'd check it to see if you're using it for anything else.

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1553
Location: U.S.A.

Posted: Sun Dec 29, 2013 8:28 pm

Yeah, fuck it.

Naib
Advocate

Joined: 21 May 2004
Posts: 4076
Location: Removed by Neddy

Posted: Sun Dec 29, 2013 8:55 pm

Greens wrote:
It actually requires root access to read it.

If someone suspicious has root access to your computer or is sitting there booting a livecd to look at your unencrypted disk, I don't think they care much about your wifi password, maybe they'd check it to see if you're using it for anything else.

exactly... as wswartzendruber posted as well...
that's why I don't mind my samba credential files are "plain text" since they are 600 anyway...

for them to read that and my wifi files... some srs issues must have occurred. Nice if they were encrypted BUT if non-root users or non-root processes do not need to read them then ... it's a problem for another day rather than feeding the sysd monster pushing into the linux userland.
_________________
A free press is the unsleeping guardian of every other right that free men prize; it is the most dangerous foe of tyranny. Where men have the habit of liberty, the Press will continue to be the vigilant guardian of the rights of the ordinary citizen.

Bones McCracker
Veteran

Joined: 14 Mar 2006
Posts: 1553
Location: U.S.A.

Posted: Sun Dec 29, 2013 9:35 pm

Yeah, that's all the security anybody needs: root access or no root access.

ppurka
Advocate

Joined: 26 Dec 2004
Posts: 3182

Posted: Mon Dec 30, 2013 7:14 am

I guess the ubuntu guys panic because of the bad way sudo is (mis)configured in their systems - any command can be run with sudo, and once credentials are provided, the user remains authenticated for about 15 or so minutes.

Ideally, they either should enable sudo only for some very specific applications by default (package manager, system settings like time, etc), OR they should simply not enable sudo with a timeout. Ask for the user password every single time one needs to access anything using sudo.
_________________
emerge --quiet redefined | E17 vids: I, II
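
The two sudo settings ppurka describes, rules that allow any command and credentials that stay cached after one password prompt, can be looked for in sudoers text. The shell function below is an added example, not part of the post or of sudo; it is a heuristic (includes, line continuations and aliases are not followed), and the two sample files, the group names and the `PKG` alias are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): heuristic review of sudoers text.
# Includes, line continuations and aliases are not followed.

# audit_sudoers FILE
#   UNRESTRICTED <rule>  a non-root rule whose command list is ALL
#   CACHED ...           no "timestamp_timeout=0" in any Defaults line
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*Defaults/ {
            if ($0 ~ /timestamp_timeout[ \t]*=[ \t]*0[ \t]*(,|$)/) nocache = 1
            next
        }
        /^[ \t]*[A-Za-z]+_Alias[ \t]/ { next }
        $1 == "root" { next }
        {
            cmds = $0
            sub(/^[^=]*=[ \t]*/, "", cmds)            # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", cmds)         # drop "(runas)"
            while (sub(/^[A-Z]+:[ \t]*/, "", cmds)) ; # drop tags, e.g. NOPASSWD:
            sub(/[ \t]+$/, "", cmds)
            if (cmds == "ALL") print "UNRESTRICTED " $0
        }
        END { if (!nocache) print "CACHED no timestamp_timeout=0 found" }
    ' "$1"
}

# Constructed sample 1: any command allowed, credentials cached.
permissive=$(mktemp)
cat > "$permissive" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
EOF

# Constructed sample 2: named commands only, password asked every time.
strict=$(mktemp)
cat > "$strict" <<'EOF'
Defaults env_reset, timestamp_timeout=0
Cmnd_Alias PKG = /usr/bin/emerge
%wheel ALL=(root) PKG
EOF

audit_sudoers "$permissive"
audit_sudoers "$strict"
```

The first sample produces one `UNRESTRICTED` line and one `CACHED` line; the second produces no output.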