[OT] Security for stacks with Community version

Timothy Miller gandalf at doctorTimothyMiller.com
Mon May 6 13:38:37 EDT 2013


On May 6, 2013, at 7:56 AM, Richard Gaskin <ambassador at fourthworld.com> wrote:

> Andrew Kluthe wrote:
>> Was it not mentioned long ago that a password-protected stack's script and
>> custom properties could be accessed in memory while it is running in a
>> standalone? So your data was probably never as secure as you really
>> thought it was.

Thank you for your comments, Richard.

I never thought my data was profoundly secure. The level of security was acceptable to me. This stack was never a standalone -- I don't know if that's relevant.

Like I said, I am mostly concerned about identity theft by a fairly ordinary criminal, with a little technical knowledge, if the machine were lost or stolen, while asleep (requiring a login password to wake) or shut down.

On May 6, 2013, at 6:58 AM, Paul Hibbert <lc at pbh.on-rev.com> wrote:

> It seems if you have $995 to spare you can access almost any password protected file or volume, so they say.

Thanks, Paul. If someone obtained my lost or stolen machine, he could easily make a profit on the invested $995 by stealing my identity and those of others, if he were a skilled and highly motivated identity thief. On the other hand, he would have to know my machine held all that sensitive information. Otherwise, he would not want to invest the $995. Few thieves want to invest money in a theft. They want quick cash.

I'd be more concerned about a crooked technician. Even then, dishonest technicians are going to pick the low-hanging fruit. They aren't going to invest $995, hoping to make a profit.

On May 6, 2013, at 7:39 AM, Andrew Kluthe <andrew at ctech.me> wrote:

> As for the documentation on those encrypt/decrypt commands, they seem
> pretty straightforward.

> get "bla"
> encrypt it using "blowfish" with "1234567"
> put it

Thank you, Andrew.

Sure, it's possible I will figure out how to script these commands.

I don't get your example. As far as I can tell, it's worthless if anyone can look at the relevant script to discover the encrypting keys. But let's save that for another thread.



Getting back to my original question.

I should have been more precise and concise. Mostly, I'm trying to understand how secure, or insecure, my machine is, if lost or stolen, if protected only with a login password.

I'll repeat my main questions:


On May 5, 2013, at 11:29 PM, Timothy Miller <gandalf at doctorTimothyMiller.com> wrote:

> 1-If my machine is lost or stolen, while shut down, how hard would it be to get past the log-in password, to my relatively insecure "rolodex" stack? How does one get past the log-in password? (For this question and the next two, assume FileVault is turned off.)
> 
> 2-If I set up an administrator account for technicians, with a different log-in password, how hard would it be for the technician to get past the log-in password for my user account?
> 
> 3-In recent versions of the OS, does my log-in password protect the hard disk when it's removed from my machine? How hard is it to defeat that protection?
> 
> 4-Given that you can't use my machine to launch a nuclear missile, do I really need the ultra-secure protection provided by FileVault?

Thanks in advance,

Tim Miller




