Subject: Re: suid helper to verify own passwd
To: None <tech-security@netbsd.org>
From: Travis H. <travis@subspacefield.org>
List: tech-security
Date: 12/25/2006 22:45:21

On Thu, Dec 21, 2006 at 10:15:34PM -0500, Thor Lancelot Simon wrote:
> > > What exactly is the point of this?  The program which prompted for the
> > > user's password, after all,
[and might be swapped out]

> > Isn't it possible for the program to read the password into a mlock()ed
> > buffer when prompting for it? Maybe it's futile for a X11 application
> > but if you're reading it from a TTY or some other file descriptor, that's
> > possible, isn't it?
>
> 1) Do you believe that this is what programs that prompt for passwords
>    actually do?

Should do?

> 2) If this were what programs that prompted for passwords actually did,
>    then what you propose might protect against an attacker who did not
>    have root access to the machine now, but could at some point in the
>    future, if the programs were swapped out and those swap pages never
>    overwritten.   But, in fact, anyone who _does_ have access to not even
>    root, but instead the euid of the program that is prompting for the
>    password, can simply steal the password _now_.  So I am not sure what,
>    in the real world, this change would gain you.

What if the person might have physical access to the HDD later, like if
the company goes bust and their assets liquidated?

I recall in Garfinkel's paper "A Remembrance of Data Past" that they were
able to recover SSNs and other sensitive information from many used drives.

Maybe it's not relevant to a password, but I wouldn't be so swift to
make sweeping statements about the threat model.

> But that seems like a lot of complexity for a very
> hypothetical gain -- particularly when those worried about such attacks
> can (and should) just encrypt their entire swap partitions.

In this case, agreed.  I think the program is sufficiently simple that
it's unlikely to be a vulnerability, and that making it more complex
in order to deal with relatively minor threats would likely make it less
safe.
-- 
A: No.
Q: Should I include quotations after my reply?
<URL:http://www.subspacefield.org/~travis/> -><-
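As an added example of the approach discussed in the thread (not the suid helper itself, nor any NetBSD code): a password is read from a TTY or any other descriptor straight into a page-aligned mlock()ed buffer, with echo disabled on a TTY, and the buffer is overwritten before release. The secbuf/read_secret names are ours; a Linux or BSD mmap/mlock is assumed, and an mlock() failure (e.g. a tiny RLIMIT_MEMLOCK) is reported in the struct rather than treated as fatal so the caller can decide.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#include <sys/mman.h>

/* A page-aligned buffer for a secret; 'locked' records whether mlock() succeeded. */
struct secbuf { char *p; size_t len; int locked; };

int secbuf_alloc(struct secbuf *b, size_t want) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = ((want + pg - 1) / pg) * pg;   /* whole pages: mlock works per page */
    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    b->p = m; b->len = len;
    /* Keeps these pages out of swap; may fail under a small RLIMIT_MEMLOCK. */
    b->locked = (mlock(m, len) == 0);
    return 0;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the stores. */
void secbuf_wipe(struct secbuf *b) {
    volatile char *v = (volatile char *)b->p;
    for (size_t i = 0; i < b->len; i++) v[i] = 0;
}

void secbuf_free(struct secbuf *b) {
    secbuf_wipe(b);
    if (b->locked) munlock(b->p, b->len);
    munmap(b->p, b->len);
    b->p = NULL; b->len = 0; b->locked = 0;
}

/* Read one line from fp directly into the locked buffer (echo off if fp is a TTY).
 * Returns the secret length without the trailing newline, or -1 on EOF/error. */
ssize_t read_secret(FILE *fp, struct secbuf *b) {
    struct termios saved, quiet;
    int fd = fileno(fp);
    int tty = fd >= 0 && isatty(fd) && tcgetattr(fd, &saved) == 0;
    if (tty) {
        quiet = saved; quiet.c_lflag &= ~ECHO;
        tcsetattr(fd, TCSAFLUSH, &quiet);
    }
    char *got = fgets(b->p, (int)b->len, fp);   /* no intermediate unlocked copy */
    if (tty) tcsetattr(fd, TCSAFLUSH, &saved);
    if (got == NULL) return -1;
    size_t n = strlen(b->p);
    if (n > 0 && b->p[n - 1] == '\n') b->p[--n] = '\0';
    return (ssize_t)n;
}
```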
