[OT] Security for stacks with Community version

Andrew Kluthe andrew at ctech.me
Mon May 6 10:39:11 EDT 2013


Was it not mentioned long ago that a password-protected stack's script and
custom properties could be accessed in memory while it is running in a
standalone? So your data was probably never as secure as you really
thought it was.

As for the documentation on those encrypt/decrypt commands, they seem
pretty straightforward. There are some more complicated things you can do
with them if you like, but at their simplest they work like this.

get "bla" -- puts the plaintext into the it variable
encrypt it using "blowfish" with "1234567" -- encrypt writes its output back into it
put it -- shows the (binary) ciphertext in the message box

encrypt sVarToEncrypt using "ciphername" with "password" -- ciphertext ends up in it

decrypt sVarToDecrypt using "ciphername" with "password" -- plaintext ends up in it




On Mon, May 6, 2013 at 8:58 AM, Paul Hibbert <lc at pbh.on-rev.com> wrote:

> Tim,
>
> I came across a topic on stack exchange that you may be interested in…
>
>
> http://security.stackexchange.com/questions/18720/how-secure-is-filevault-2-while-the-computer-is-in-sleep-mode
>
> There is a link to Apple's white paper on FileVault 2, this may help
> answer some of your concerns, but you should also be aware of software from
> here…
>
> http://www.lostpassword.com
>
> It seems if you have $995 to spare you can access almost any password
> protected file or volume, so they say.
>
> In the end, only you can decide how physically vulnerable your machine is,
> but to me at least, it does appear that FileVault could be more secure than
> a just password protected stack, however I'm no expert on file security.
>
> HTH
>
> Paul
>
> On 2013-05-05, at 11:29 PM, Timothy Miller wrote:
>
> > Years ago, when I first wrote my "rolodex" stack, I intended to store
> phone numbers, addresses, passwords, credit card numbers, bank account
> numbers, and other useful information in one convenient place, one stack in
> a suite of stacks I use in my day to day business. If these fell into the
> wrong hands, any small time crook could completely take over my identity
> and the identities of others. I was also concerned about security if I
> needed to get the machine serviced.
> >
> > At the time, Macs secured by a log-in password only weren't very secure,
> as I recall. For example, if you restarted the machine with command-T down
> and connected to another machine by Firewire, you could use the first
> machine as if it were an external hard disk. In that case, the log-in
> password gave you no protection. FileVault did not exist at the time.
> >
> > So, with Jacque's help, I set up an encryption system for my "rolodex"
> stack. If a given card was security sensitive, I'd click on a button,
> enter the password, and certain fields were hashed and hidden. Click on the
> same button, enter the same password, the fields were un-hashed and
> un-hidden. Because the stack was password-protected, you couldn't peek at
> the button script to find out the key for hashing and un-hashing the
> fields. "Set the password of this stack to foo" didn't work unless you
> first un-protected the stack, which required the master password for the
> stack. There were other details, but that's the general idea. It wasn't
> perfect, but I was satisfied with it. As I recall, a tech-savvy person
> could, in theory, use a text editor to discover the master password for the
> stack.
> >
> > Now, I'm switching to LiveCode Community 6.0.1, so I have to re-think
> security for this stack.
> >
> > One possibility is to re-write the script for the hash-and-hide button,
> using the encrypt and decrypt commands. If I choose that route, I'll
> probably have to pay a consultant. I can actually do Chinese arithmetic,
> but that's easy compared to the documentation for those commands.
> >
> > It also occurred to me that I could just enable FileVault -- hadn't used
> it before.
> >
> > Now that I've tried FileVault, I've realized how little I understand
> about the topic of security for modern Mac machines and OS. Hence, the
> following questions:
> >
> > 1-If my machine is lost or stolen, while shut down, how hard would it be
> to get past the log-in password, to my relatively insecure "rolodex" stack?
> How does one get past the log-in password? (for this question and the next
> two, assume FileVault is turned off.)
> >
> > 2-If I set up an administrator account for technicians, with a different
> log-in password, how hard would it be for the technician to get past the
> log-in password for my user account?
> >
> > 3-In recent versions of the OS, does my log-in password protect the hard
> disk when it's removed from my machine? How hard is it to defeat that
> protection?
> >
> > 4-Given that you can't use my machine to launch a nuclear missile, do I
> really need the ultra-secure protection provided by FileVault?
> >
> > BTW, if this stack ever leaves my machine, for the cloud or a USB thumb
> drive, for instance, I always encrypt it first, usually with StuffIt Deluxe.
> >
> >
> > Thanks in advance,
> >
> >
> > Tim Miller
> >
> >
> >
> >
> > _______________________________________________
> > use-livecode mailing list
> > use-livecode at lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
>
>
>



-- 
Regards,

Andrew Kluthe
andrew at ctech.me
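The pattern Tim describes (a button that encrypts certain fields with a passphrase and decrypts them again), written with the encrypt and decrypt commands Andrew shows above. This is an added example, not code from either poster's stack. It assumes a field named "secretField" and a custom property "cSecret" on the current card; both names are made up. The cipher name "aes-256-cbc" is one of the OpenSSL names returned by the cipherNames function; "blowfish" from the post above works the same way. The passphrase is taken from the caller rather than written into the script, which is the point of Andrew's first paragraph: a stack password does not keep a key out of memory, so the key should not live in the script at all.

```livecode
-- Added example for this thread; not code from Andrew's or Tim's stacks.
-- Assumed names: field "secretField" and custom property "cSecret" on the
-- current card. Cipher "aes-256-cbc" is an OpenSSL name from cipherNames().

on encryptSecret pPassphrase
   local tCipherText
   -- encrypt writes its output into the it variable; a non-empty result means failure.
   -- With "with password", LiveCode derives the key from the passphrase and a
   -- random salt that it stores with the ciphertext, so decrypt needs only the passphrase.
   encrypt field "secretField" using "aes-256-cbc" with password pPassphrase
   if the result is not empty then
      answer "Encryption failed: " & the result
      exit encryptSecret
   end if
   -- the output is binary, so base64 it before storing in a property or field
   put base64Encode(it) into tCipherText
   set the cSecret of this card to tCipherText
   -- clear the plaintext once the encrypted copy is stored
   put empty into field "secretField"
end encryptSecret

on decryptSecret pPassphrase
   local tCipherText
   put base64Decode(the cSecret of this card) into tCipherText
   decrypt tCipherText using "aes-256-cbc" with password pPassphrase
   if the result is not empty then
      -- a wrong passphrase usually surfaces here as a decryption error
      answer "Decryption failed: " & the result
      exit decryptSecret
   end if
   put it into field "secretField"
end decryptSecret

-- Button script: ask for the passphrase each time instead of keeping it anywhere.
on mouseUp
   ask password "Passphrase:"
   if it is empty then exit mouseUp
   if the cSecret of this card is empty then
      encryptSecret it
   else
      decryptSecret it
      set the cSecret of this card to empty
   end if
end mouseUp
```

Two caveats worth keeping in mind with this approach. The decrypted text sits in the field (and in the it variable) until you re-encrypt it, and if the stack is saved in that state the plaintext is saved with it. And the strength of the whole scheme is the passphrase: encrypt/decrypt derive the key from it, so a short one like "1234567" can be brute-forced offline by anyone who copies the stack file, whatever cipher name you pick.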