Re^5: mod_perl2 interactive startup

That leads me to believe it is not as trivial b/c an intruder needs physical access.

It doesn't say that.

Quickly overwriting passwords in memory would minimize the risk of capture via physical access, cold boot techniques, swap space forensics or simple, live, privileged memory captures.

Comment on Re^5: mod_perl2 interactive startup

Replies are listed 'Best First'.
Re^6: mod_perl2 interactive startup by d_m (Initiate) on Aug 18, 2009 at 21:29 UTC
So are you arguing that random apache vulnerabilities are as likely to give simple, live, privileged memory access as they are to give access to the filesystem?? Assuming the system doesn't allow core dumps, this seems far-fetched. In its conclusion the paper doesn't argue that developers should store passwords in plaintext in configuration files (which is the insane point you seem to be arguing for). It argues that passwords should be erased from memory when they're no longer needed. Do you actually have anything useful to suggest?	[reply]

Replies are listed 'Best First'.

Re^6: mod_perl2 interactive startup
by d_m (Initiate) on Aug 18, 2009 at 21:29 UTC

So are you arguing that random apache vulnerabilities are as likely to give simple, live, privileged memory access as they are to give access to the filesystem?? Assuming the system doesn't allow core dumps, this seems far-fetched.

In its conclusion the paper doesn't argue that developers should store passwords in plaintext in configuration files (which is the insane point you seem to be arguing for). It argues that passwords should be erased from memory when they're no longer needed.

Do you actually have anything useful to suggest?

[reply]