r3wp [groups: 83 posts: 189283]
  • Home
  • Script library
  • AltME Archive
  • Mailing list
  • Articles Index
  • Site search
 

World: r3wp

[Core] Discuss core issues

Dockimbel
16-Sep-2009
[14736]
Btw, congratulation to the author, Vincent Ecuyer for this great 
library!
Maxim
17-Sep-2009
[14737x2]
anyone know of a way to get a persistent value based on someone's 
computer... the longer the string the better... (on windows)

this is with a /command license, so any accessible rebol feature 
is usable.

something like:
    -System install serial number
    -Disk serial number
    -CPU id


I want to generate an encryption key which isn't stored as part of 
the code.  It just makes it a bit more complicated to reverse engineer 
the stored password if the encryption key is different for all installations.
this value is only the basis for an intense series of string manipulations 
which make even the original data useless unless someone has the 
exact algorythm which generated the key.
Graham
17-Sep-2009
[14739]
MAC address ??
Maxim
17-Sep-2009
[14740]
how do I get that info into rebol?
Graham
17-Sep-2009
[14741x2]
get-modes ??
or not
Pekr
17-Sep-2009
[14743x2]
I am not sure get-modes gets you a mac address ....
you can as well use some power of command line - parse results of 
commands like ipconfig, arp -a, etc.
Maxim
17-Sep-2009
[14745x3]
ahh. yes... doing a dir returns the volume name and serial number 
in one shot  :-) perfect.
so I'll just call and use the result string!
btw, thanks pekr don't know why I didn't of such a simple solution.... 
to much PITL dev I guess ;-)
Pekr
17-Sep-2009
[14748]
yes. The same went for my news-scroller. I just tried to outline 
it in REBOL, thinking someone should do it in some PITL environment. 
Then I saw my brother using it in PC Shop on his LCD TV. I asked 
him - hey, wait till someone makes final version, and he replied 
- it works, no? And then I thought to myself - can I regard 2 pages 
of code being actually an application? :-)
Maxim
17-Sep-2009
[14749]
hehe
Gabriele
19-Sep-2009
[14750]
max, it always scares me when people think that obscurity is a form 
of security...
Maxim
19-Sep-2009
[14751x2]
Gab, are you saying that my idea is only obscurity, or that its the 
proper approach?  just want to confirm what you mean.  the
the idea is for the encryption key to a stored password is created 
dynamically via an algorythm.  
If the software is encapped, then its a pretty safe system IMHO.


But if the software stays open source (and interpreted), at least 
I can use some natives for which the key-gen algorythm is hard to 
reverse engineer.

Although someone with rebol know-how can obviously get the passwd 
by running the algorythm manually, there is no way around this AFAIK.
Gabriele
20-Sep-2009
[14753x2]
There is no way to protect a password you are saving. Normally, you 
just want to obfuscate it so that it does not jump to the eyes when 
someone is looking.
if the file containing the password is accessible to other people, 
then the password is accessible to other people.
Maxim
20-Sep-2009
[14755x3]
but that is true of all passwords on a computer even login passwds.
but an encrypted password, without the key isn't usable if you don't 
know the key.
or even the algorythm its encoded with
Gabriele
20-Sep-2009
[14758x3]
If you think that keeping the algorithm secret increases the security 
of your encryption then you should not be writing an encryption algorithm. 
it's that simple. :)
The application knows the key, so anyone that can access the application 
knows the key.
the only way to keep a password secret if your files are accessible 
to other people is to not store it into a file.
Maxim
20-Sep-2009
[14761]
you mean like in the registry?
Henrik
20-Sep-2009
[14762]
I've wondered how useful it is not to store the password itself, 
but encrypting each keypress instead on top of the last keypress.
Maxim
20-Sep-2009
[14763]
know that I understand that ultimately there is no method to hide 
any data.
Gabriele
20-Sep-2009
[14764]
I mean that thing that humans have that's called "memory".
Maxim
20-Sep-2009
[14765x2]
yes ...  and it forgets   ;-)
I have a record right now of 67 passwords I have to remember... I 
mean I can't remember all of them.
Gabriele
20-Sep-2009
[14767x4]
right, so you have two options: you make sure noone can access your 
files (like you make sure noone can access your credit card), or 
you make sure you don't forget.
I do remember dozens of passwords, but this is not the point. Now 
you're talking about a different thing, which is a password manager.
A password manager encrypts all your passwords using a single password 
that you have to remember. so you remember just one.
In decent operating systems, that is standard with the OS, so what 
your app does is just communicate with the password manager and store 
passwords there.
Maxim
20-Sep-2009
[14771]
yep, but it can be broken, just like any other system, cause it, 
like any system has to store those passwords somewhere.
Gabriele
20-Sep-2009
[14772x3]
as long as the master password is not stored anywhere... you are 
safe.
No, it does not have to store the master password anywhere.
You need at least one password you don't store; otherwise, you can 
only try to keep your files out of anyone else hands.
Maxim
20-Sep-2009
[14775]
true
Gabriele
20-Sep-2009
[14776x2]
And, this is not a problem that *your* app has to solve. It is just 
wasted time for you. Either you make use of a password manager, or 
just use obfuscation.
I'd just use encloak with some random text. If you think it's easy 
enough to get a system specific key, you might do that, but I don't 
know if users will be happy to find out that their passwords don't 
work anymore when they upgrade their PC or move to another computer.
Maxim
20-Sep-2009
[14778x2]
its for a client app... so its not a big issue... its only so the 
software remembers the login for subsequent calls to the server... 
just like all the browsers & OS "do you want   xxxxxx   to remember 
this password"
I'll use real encryption (using command)
Gabriele
20-Sep-2009
[14780]
Right, and do you think that the browsers are secure, or use a secret 
algorithm for that? :)
Maxim
20-Sep-2009
[14781]
its a choice I make.  and I know every single piece of data on my 
computer is vulnerable.
Gabriele
20-Sep-2009
[14782x2]
using real encryption does not make any difference... but anyway.
that is what I'm saying... so why waste time with some complicated 
scheme to store the password?
Maxim
20-Sep-2009
[14784x2]
I mean Gabriele, no system in the world is ultimately secure.  The 
point is only to make it unfeasible.
cause its going to be requested from every user the first time they 
have to "re-login"  ;-)