
Re: [Duplicity-talk] Setting the PASSPHRASE inside the duplicity program


From: Charles Duffy
Subject: Re: [Duplicity-talk] Setting the PASSPHRASE inside the duplicity program itself
Date: Mon, 26 Mar 2007 15:57:11 -0500
User-agent: Thunderbird 1.5.0.9 (X11/20061206)

Putting on my security and reverse-engineering hats here, that kind of obfuscation doesn't necessarily do very much good. If I want to know what a password used by an automated process is, I don't go poking around trying to figure out which file it's stored in -- I trace the process's network traffic (if it's making a network connection with unencrypted authentication) and system calls (particularly if it's passing passwords to a subprocess such as with ssh or GnuPG). Looking through strace also makes it very easy to find out where a password was read from -- even if it's buried somewhere otherwise nonobvious.

Be sure you aren't operating under the impression that the steps you're taking buy more security than they actually do.



