Thread: Keyring passwords visible after login without second password prompt

  1. #101
    Join Date
    Apr 2008
    Beans
    139

    Re: Blatant security flaw much?

    Personally I think the best way to solve this would be exactly the same way as the other privileges are handled. For example, if I change CPU frequency I get some key-icon in my tray saying I still have privileges, and just clicking that icon will drop them.
    Would it be possible to have a tray-icon showing that your keyring is unlocked and locking it just by clicking that icon?

    And btw, does anyone know the CLI command to lock the default keyring? I'm thinking of adding a custom launcher that executes that command; that way I would never be more than one click away from having my passwords securely encrypted.

  2. #102
    Join Date
    Oct 2008
    Beans
    561

    Re: Blatant security flaw much?

    Quote Originally Posted by SeanBlader View Post
    I totally agree with this, but this isn't a stupidity issue, it's an education issue. And if you're not going to go to the steps to educate your users to protect themselves from "everyone" then you need to help them. Seahorse isn't helping. Of course there's no way you're going to protect yourself from Kevin Mitnick should he want to know your passwords, but at least you shouldn't have to worry about protecting your passwords from Paris Hilton. The current default setup doesn't even manage that.
    The point is, if you protect your passwords from 'Paris Hilton', most users will think their computer is secure, ignoring the fact that it is trivially easy for 'Kevin Mitnick' to get what he wants. At present, if the system isn't secure, the system makes no attempt to actually make it appear secure (anything else is security through obscurity), thus the user should be more likely to secure it properly.
    I don't think it's an education issue; it should be fairly obvious that if you leave your computer logged in and unlocked it won't be secure. Linux actually does a very good job in those circumstances by protecting everyone else, i.e. through sudo etc.
    Check out my little app. Tnote

  3. #103
    Join Date
    Aug 2007
    Location
    Silicon Valley, CA
    Beans
    142
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Blatant security flaw much?

    Here's what it comes down to: I don't need to SEE my passwords, and I don't want anyone else with 30 seconds to spare to SEE them either if they walk up to my console. What is the best way we can make this happen?
    "If all else fails, immortality can always be assured by spectacular error." -John Kenneth Galbraith, Economist

  4. #104
    Join Date
    Oct 2008
    Beans
    561

    Re: Blatant security flaw much?

    Quote Originally Posted by SeanBlader View Post
    Here's what it comes down to: I don't need to SEE my passwords, and I don't want anyone else with 30 seconds to spare to SEE them either if they walk up to my console. What is the best way we can make this happen?
    Log out when leaving your computer unattended.
    Check out my little app. Tnote

  5. #105
    Join Date
    Jun 2006
    Location
    Solihull, UK
    Beans
    1,413

    Re: Blatant security flaw much?

    Quote Originally Posted by SeanBlader View Post
    Here's what it comes down to: I don't need to SEE my passwords, and I don't want anyone else with 30 seconds to spare to SEE them either if they walk up to my console. What is the best way we can make this happen?
    Change your keyring password to not match your login password? It's easy, and it means the keyring won't be unlocked when you log in. But you'll have to enter the keyring password to unlock it when an application like NM, Evolution, Empathy etc. wants to access it.

  6. #106
    Join Date
    Aug 2007
    Location
    Silicon Valley, CA
    Beans
    142
    Distro
    Ubuntu 12.10 Quantal Quetzal

    Re: Blatant security flaw much?

    Quote Originally Posted by benj1 View Post
    Log out when leaving your computer unattended.
    And if you forget? I don't think, "sucks to be you" is the message you want to send if you ever want to fix this bug.

    Let me put it this way, are you going to tell your CEO that if he wants to keep anyone from accessing all his passwords he has to log out of his machine every time he looks away from his computer for more than 30 seconds? I know for a fact that a certain CEO at a major encryption company would laugh in your face, with the comment, "my time is more important than that, you just need to make your software better."
    "If all else fails, immortality can always be assured by spectacular error." -John Kenneth Galbraith, Economist

  7. #107
    Join Date
    Apr 2008
    Beans
    135

    Re: Blatant security flaw much?

    Quote Originally Posted by benj1 View Post
    Log out when leaving your computer unattended.
    This won't prevent him from seeing his password if he's logged in. If you don't want to be able to see your password list from the main menu, you can remove the PASSWORDS entry from the menu and delete or rename the /usr/bin/seahorse program to something you will remember.

  8. #108
    Join Date
    Jun 2006
    Location
    Solihull, UK
    Beans
    1,413

    Re: Blatant security flaw much?

    Quote Originally Posted by DodgeV83 View Post
    This won't prevent him from seeing his password if he's logged in. If you don't want to be able to see your password list from the main menu, you can remove the PASSWORDS entry from the menu and delete or rename the /usr/bin/seahorse program to something you will remember.
    And that won't prevent me from seeing your password. I'll just bring a copy of seahorse on my pendrive, or extract it from a deb I download on your machine, or bring another small utility I write which retrieves all your secrets from your unlocked keyring.

    It seems weird that a bunch of people who seem to be paranoid about things like this can't even be bothered with pretty basic security such as locking your screen when you're away, or changing your keyring password to not unlock on log in etc.

  9. #109
    Join Date
    Oct 2008
    Beans
    561

    Re: Blatant security flaw much?

    Quote Originally Posted by SeanBlader View Post
    And if you forget? I don't think, "sucks to be you" is the message you want to send if you ever want to fix this bug.

    Let me put it this way, are you going to tell your CEO that if he wants to keep anyone from accessing all his passwords he has to log out of his machine every time he looks away from his computer for more than 30 seconds? I know for a fact that a certain CEO at a major encryption company would laugh in your face, with the comment, "my time is more important than that, you just need to make your software better."
    If you forget, they are unsecure. What would the CEO say when his passwords were taken from his computer that he thought was secure but in fact wasn't? It just gave the illusion of being so. If you prefer that security model, go with Windows. Yes, you could take the menu option away, but the passwords still won't be secure; you could just do this: http://michael.susens-schurter.com/b...gnome-keyring/
    If you want it actually secure, log out or set your system to not unlock the keyring on login, and set up a time out.
    The most secure method would be to have every app have its own password keyrings with separate passwords etc., on time outs, but I would rather not have to log in to wifi, then Evolution and everything else that needs a password, separately; that is why we have one app to do it all at once.
    Check out my little app. Tnote

  10. #110
    Join Date
    Apr 2008
    Beans
    135

    Re: Blatant security flaw much?

    Quote Originally Posted by benj1 View Post
    The point is, if you protect your passwords from 'Paris Hilton', most users will think their computer is secure, ignoring the fact that it is trivially easy for 'Kevin Mitnick' to get what he wants. At present, if the system isn't secure, the system makes no attempt to actually make it appear secure (anything else is security through obscurity), thus the user should be more likely to secure it properly.
    I don't think it's an education issue; it should be fairly obvious that if you leave your computer logged in and unlocked it won't be secure. Linux actually does a very good job in those circumstances by protecting everyone else, i.e. through sudo etc.
    This is a computer geek's way of thinking which will never apply to the real world.

    Regarding this bug which was mentioned earlier: this is how the conversation will go down for any new user I set up a new computer with:

    Windows/Mac computer: "Ok, you're all set up. Now a word of warning, always be careful who you let on your computer. An expert computer hacker can have access to all your passwords if he knows what he's doing."

    Ubuntu computer: "Ok, you're all set up. Now a word of warning, always be careful who you let on your computer. Ubuntu has a "PASSWORDS" button (ironically right next to the "search" button), which will provide anyone who can click a mouse with immediate access to all your passwords."

    You may be thinking "Great! Now the Ubuntu user will be extra super duper careful who they let on their computer and lock their computer 100% of the time!"

    Reality - "Please give me my Windows back."

