Re: ZipTorrent 1.3.7.3 Discloses Proxy Passwords to Local Users

[Nick Boyce <nick.boyce () gmail com>]

On 8/24/05, Allen Parker <infowolfe () gmail com> wrote:

> On 23 Aug 2005 13:21:23 -0000, kozan () spyinstructors com
> <kozan () spyinstructors com> wrote:

[...]
> > ZipTorrent stores proxy server information and password in
> > X:\\[Program_Files_Path]\[ZipTorrent_Path]\pref.txt
> > in plain text. A local user can read passwords and others.
[...]
> ... I haven't seen many programs making use of
> proxies where the username/password pairs were obfuscated in any
> way... 

Indeed - unless the proxy and all clients have some agreed protocol
for exchanging some kind of encrypted / hashed password, then the
password *must* be stored in plain text of some sort (even if it is
obfuscated) on the client host, so that it can be made available
later, in plain text, for the automatic password exchange.  There is
no way out of this, and no way to completely secure the stored
password

Surely this is just another rehash of the same old debate that appears
here every now and then - the conclusion will always be that stored
passwords are inherently vulnerable.   They can be obfuscated as much
as you like, but it only needs one successful piece of R&D to render
the whole obfuscation scheme useless for everybody.

See 
   http://marc.theaimsgroup.com/?t=92420089800002&r=1&w=2 
   http://marc.theaimsgroup.com/?t=94570694700003&r=1&w=2
for a couple of useful Bugtraq debates on this topic. 
[both in 1999 ... was that _really_ the last time this came up ?]

Nick Boyce
-- 
Never fdisk after midnight.