lookup_account.xml - cleartext acckey?

apo
Joined: 19 Mar 07
Posts: 10
Credit: 759,409
RAC: 0
Message 43336 - Posted: 7 Jul 2007, 11:29:18 UTC

hey :)

is it true that lookup_account.xml in the boinc root dir
does contain the account key without any encryption?

so everyone who has access to my computer can take my account?

cheers

felix
ID: 43336 · Rating: 1
Sebastian Gosenheimer
Joined: 21 Oct 06
Posts: 14
Credit: 1,090,091
RAC: 0
Message 43338 - Posted: 7 Jul 2007, 11:52:17 UTC - in response to Message 43336.  

Hmm,

I took a look on my own and yes, you are really right. Maybe in
the future this acckey could be encrypted?

best regards,
sebastian

If it's not broken, don't fix it
ID: 43338 · Rating: 1
apo
Joined: 19 Mar 07
Posts: 10
Credit: 759,409
RAC: 0
Message 43339 - Posted: 7 Jul 2007, 12:08:06 UTC

It would be nice to have only 1 file containing all login and project data for every project.. this file should be encrypted of course.

as a result of this it would be possible to copy this file to another computer so that no login data would be needed to attach new computers. just 1 encrypted file to be copied around :)

(i mentioned this point in another thread. how to add computers without giving around your login..)

ahhhh, it would fix all my problems (concerning boinc ;-D)
ID: 43339 · Rating: 0
Christoph
Joined: 10 Dec 05
Posts: 57
Credit: 1,512,386
RAC: 0
Message 43344 - Posted: 7 Jul 2007, 14:32:55 UTC

Every encryption can be decrypted, except if the encryption key is not stored on your disk. That is, you have to enter the password every time you start BOINC. And even then, one could read the password out of the memory.
ID: 43344 · Rating: 0
apo
Joined: 19 Mar 07
Posts: 10
Credit: 759,409
RAC: 0
Message 43345 - Posted: 7 Jul 2007, 16:20:20 UTC
Last modified: 7 Jul 2007, 16:49:58 UTC

So let's store it online. The decrypted key could be stored in memory only..

It should not be 100% safe but at the moment it's just too easy to steal an account.
ID: 43345 · Rating: 0
FluffyChicken
Joined: 1 Nov 05
Posts: 1260
Credit: 369,635
RAC: 0
Message 43375 - Posted: 8 Jul 2007, 10:31:15 UTC

It's always been like that, it has been suggested to BOINC developers many times I believe, and I know I have.

I forget the silly reasons for not encrypting it at least slightly.

Ok so it can be decrypted but some of the higher strength used take a long time, hence why there are DC (e.g. BOINC) projects hacking the stuff.

As for on the server, well if they were going to bother to decrypt a file, then they would go to the bother to snoop/listen to your network connection and get it that way.

But you need to be on the BOINC forums or 'dev' lists as it's really down to them, not Rosetta@Home.

The worst part is the password to allow remote access to your boinc program is also just an unencrypted text file.
Team mauisun.org
ID: 43375 · Rating: 0
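
A defensive check for the exposure discussed in this thread, as an added example that is not part of the original posts or BOINC's own code: it flags credential files that other local accounts can read and restricts them to the owner. It assumes a POSIX host; `audit`, `harden` and `CREDENTIAL_FILES` are hypothetical names, and the data directory is supplied by the caller.

```python
import os
import stat
import sys
from pathlib import Path

# File named in the thread. Add the remote-access password file by its
# actual name on your install (the thread does not name it).
CREDENTIAL_FILES = ("lookup_account.xml",)


def audit(data_dir, names=CREDENTIAL_FILES):
    """Return (path, mode, problem) for each credential file others can reach."""
    findings = []
    for name in names:
        path = Path(data_dir) / name
        try:
            st = path.lstat()  # lstat: inspect the entry itself, not a link target
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, mode, "is a symlink"))
        elif mode & 0o077:  # any group/other permission bit set
            findings.append((path, mode, "accessible by group/other"))
    return findings


def harden(data_dir, names=CREDENTIAL_FILES):
    """Restrict each over-permissive regular file to owner read/write (0600)."""
    fixed = []
    for path, _mode, problem in audit(data_dir, names):
        if problem.startswith("accessible"):  # never chmod through a symlink
            os.chmod(path, 0o600)
            fixed.append(path)
    return fixed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode, problem in audit(target):
        print(f"{path}: mode {mode:04o} {problem}")
```

This only closes off other local accounts; anyone who can run as the owning user or as administrator can still read the key, which is the limit Christoph's post describes.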

©2024 University of Washington
https://www.bakerlab.org