List:       kde-devel
Subject:    Re: IBM Applies for Password Manager Patent
From:       Jeff Stuart <jstuart () computer-city ! net>
Date:       2003-11-13 8:40:31

On Wednesday 12 November 2003 04:47 pm, George Staikos wrote:
> On Wednesday 12 November 2003 16:32, Aaron Seigo wrote:
> > On Wednesday 12 November 2003 13:54, George Staikos wrote:
> > > > Let me just add my hearty AMEN to this.  I also am using wallet for
> > > > this specific purpose.  I am the only person who uses this computer
> > > > (or even has access to it) so I'm not THAT worried about security.
> > >
> > >   You may not be,
> >
> > that's right, he isn't. and yet you still hold that you/KDE know better
> > and therefore have a right to control his machine and his use of his
> > machine. who controls the machine, exactly? the user or KDE/George
> > Staikos?
>
>    I know from experience.  Not only does the compromise of his passwords
> cause harm to him, but it causes harm to others.  I have a right to run an
> open relay and sendmail 8.6.9, but I'll spread spam and worms like there's
> no tomorrow.  Therefore Linux distributions do not ship sendmail 8.6.9 or
> open relays.  You can change it as you please.  It's free software, as you
> point out below.

AHH I see you know my life better than I do.  Ok. :)  Let me make it clear. :)  
I live alone.  I am single.  Therefore, yes, my root password is... 
"password".  And yes, I have complete unlimited  access.  If someone gets 
physical access to the computer, am I screwed?  Yup!  However, I make 3 phone 
calls and problem "solved".  Am I worried that my DOG or one of my CATS is 
going to gain access to my passwords?   I think not. :)  I am MUCH more 
concerned of course with attempts to access my computer over the Internet... 
which is why I have a number of security layers in place to handle that!  
(Please note: this paragraph is meant to be read with tongue in cheek type 
humor.  IE it is not intended in ANY WAY as a personal attack or even ANY 
kind of attack at all on ANYONE)

Do I run my servers that I admin this way?  HELL NO!!!   

Why?  Because what's on the servers is 1000x more important than what's on MY 
computer!  

The "problem" of having security programs/systems/methods accepted in general 
use is very simple.  The more secure you make something, the less easy it is 
to use.  QED, my home machine here, it's geared for EASE OF USE.  My 
servers... geared to SECURITY.  

Now, do I expect that I am the majority case?  I HOPE NOT!  LOL 

>    You might be surprised to know who's been 0wned lately.  If KWallet used
> the login password, all this person's passwords would be compromised too.
>

Are you saying that KWallet is insecure then?  Are you saying that there's a 
backdoor in KWallet that you've programmed in?  Or are you saying that you've 
hacked my machine? :)  (Note: for the humor impaired, this is a joke.  Though 
I am interested in exactly WHAT you mean here George.)

> > > and many others are.
> >
> > this isn't about the default settings, which MUST indeed be secure (i
> > have no beef with KWallet there =); this is about optional settings that
> > the user should have access to.
>

I would NEVER EVER EVER Expect something like this to be the DEFAULT!  That 
goes without saying!

>   Ok this is what I said, and I have absolutely no intentions of
> implementing this option.  It's free software, someone else can do it.  I
> will however ensure that it does not compromise security for everyone else.

George, I don't expect you to implement the option.  My apologies if my 
email came across as a request to YOU personally to add this.  It was not 
intended in that light, the previous email and this one are to show that 
there are some edge use cases (and the reasons why) that maybe need/want to 
be considered.  Also, if/when a patch for this is submitted, I would hope AND 
EXPECT that it be scrutinized heavily because as has been said, a poorly 
written patch COULD well cause security problems.

-- 
Jeff Stuart
jstuart@computer-city.net
