[OT] Security for stacks with Community version

Paul Hibbert lc at pbh.on-rev.com
Mon May 6 09:58:12 EDT 2013 

Tim,

I came across a topic on stack exchange that you may be interested in…

http://security.stackexchange.com/questions/18720/how-secure-is-filevault-2-while-the-computer-is-in-sleep-mode

There is a link to Apple's white paper on FileVault 2, this may help answer some of your concerns, but you should also be aware of software from here…

http://www.lostpassword.com

It seems if you have $995 to spare you can access almost any password protected file or volume, so they say.

In the end, only you can decide how physically vulnerable your machine is, but to me at least, it does appear that FileVault could be more secure than a just password protected stack, however I'm no expert on file security.

HTH

Paul

On 2013-05-05, at 11:29 PM, Timothy Miller wrote:

> Years ago, when I first wrote my "rolodex" stack, I intended to store phone numbers, addresses, passwords, credit card numbers, bank account numbers, and other useful information in one convenient place, one stack in a suite of stacks I use in my day to day business. If these fell into the wrong hands, any small time crook could completely take over my identity and the identities of others. I was also concerned about security if I needed to get the machine serviced.
> 
> At the time, Macs secured by log-in password only, weren't very secure, as I recall. For example, if you restarted the machine with command-T down, and connected to another machine by Firewire, you could use the first machine as if it were an external hard disk. In that case, the log-in password gave you no protection. FileVault did not exist at the time.
> 
> So, with Jacque's help, I set up an encryption system for my "rolodex" stack.  If a given card was security sensitive, I'd click on a button, enter the password, and certain fields were hashed and hidden. Click on the same button, enter the same password, the fields were un-hashed and un-hidden. Because the stack was password-protected, you couldn't peek at the button script to find out the key for hashing and un-hashing the fields. "Set the password of this stack to foo" didn't work unless you first un-protected the stack, which required the master password for the stack. There were other details, but that's the general idea. It wasn't perfect, but I was satisfied with it. As I recall, a tech-savvy person could, in theory, use a text editor to discover the master password for the stack.
> 
> Now, I'm switching to LiveCode Community 6.0.1, so I have to re-think security for this stack.
> 
> One possibility is to re-write the script for the hash-and-hide button, using the encrypt and decrypt commands. If I choose that route, I'll probably have to pay a consultant. I can actually do Chinese arithmetic, but that's easy compared to the documentation for those commands.
> 
> It also occurred to me that I could just enable FileVault -- hadn't used it before.
> 
> Now that I've tried FileVault, I've realized how little I understand about the topic of security for modern Mac machines and OS. Hence, the following questions:
> 
> 1-If my machine is lost or stolen, while shut down, how hard would it be to get past the log-in password, to my relatively insecure "rolodex" stack? How does one get past the log-in password? (for this question and the next two, assume FileVault is turned off.)
> 
> 2-If I set up an administrator account for technicians, with a different log-in password, how hard would it be for the technician to get past the log-in password for my user account?
> 
> 3-In recent versions of the OS, does my log-in password protect the hard disk when it's removed from my machine? How hard is it to defeat that protection?
> 
> 4-Given that you can't use my machine to launch a nuclear missile, do I really need the ultra-secure protection provided by FileVault?
> 
> BTW, if this stack ever leaves my machine, for the cloud or a USB thumb drive, for instance, I always encrypt it first, usually with StuffIt Deluxe.
> 
> 
> Thanks in advance,
> 
> 
> Tim Miller
> 
> 
> 
> 
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode

More information about the use-livecode mailing list