Yawcam BETA 2004-11-27

Beta versions of Yawcam will be announced in this section. You are also welcome to discuss the beta versions in here.
malun
Site Admin
Posts: 1495
Joined: Sun Jan 04, 2004 1:29 pm

Yawcam BETA 2004-11-27

Postby malun » Sat Nov 27, 2004 1:26 pm

Get the new beta release:
http://www.yawcam.com/beta/yawcam_beta_2004-11-27.zip

What's new since last official release?
- Fixed some ftp bugs.
- Added silent retry option for ftp errors.
- Added path memory for save dialog.
- Added some new overlay variables.
- Added some new warning messages.
- Added announcement possibilities.
- Added possibility to use older language files. Missing parts will now show up in English.
- Added forced applet size.
- Added zoom functionality in applet.
- Added smarter code for data transfer to applet.
- Added password protection for the stream applet.
- Changed from Java 1.4 to Java 1.5 (5.0)

What's new since last beta?
- Added some new warning messages.
- Fixed some actions in the announcement GUI.
- Added GUI for password protection.
- Now saves password in a secure way (md5)
- Some size optimization done.

As usual you can report bugs to bugs@yawcam.com

/malun


Rille
Posts: 46
Joined: Mon Mar 29, 2004 6:36 pm

Postby Rille » Sat Nov 27, 2004 2:28 pm

How does the password thing work?

malun
Site Admin
Posts: 1495
Joined: Sun Jan 04, 2004 1:29 pm

Postby malun » Sat Nov 27, 2004 3:10 pm

It stores a hash value (md5) of the real password in a password file. An md5 hash function is a one-way function, so there is no way (a very small probability) to retrieve the real password from the md5 value.

When a login attempt occurs the typed password is passed through the md5-function and the md5-value is compared with the md5-value stored in the password file.

Still, the typed password will be transferred in clear text from the applet to Yawcam. So it's still vulnerable to sniffing. In other words, the protection will be as safe as, for example, the ordinary FTP protocol.

More info about md5 here:
http://en.wikipedia.org/wiki/MD5
and
http://www.faqs.org/rfcs/rfc1321.html

I hope this explanation was clear enough. Please ask otherwise!

/malun

malun
Site Admin
Posts: 1495
Joined: Sun Jan 04, 2004 1:29 pm

Postby malun » Sat Nov 27, 2004 3:22 pm

Add some users in the password settings in Yawcam, and then look at the file pass.dat with a text editor. Then you'll see that the passwords you typed are not stored in clear text in the file.

/malun

Rille
Posts: 46
Joined: Mon Mar 29, 2004 6:36 pm

Postby Rille » Sat Nov 27, 2004 3:33 pm

Does the applet prompt for the password?

malun
Site Admin
Posts: 1495
Joined: Sun Jan 04, 2004 1:29 pm

Postby malun » Sat Nov 27, 2004 3:35 pm

Yes it does!

/m

Rille
Posts: 46
Joined: Mon Mar 29, 2004 6:36 pm

Postby Rille » Sat Nov 27, 2004 3:38 pm

Hmm, when I use a password the applet only displays "Loading..."

malun
Site Admin
Posts: 1495
Joined: Sun Jan 04, 2004 1:29 pm

Postby malun » Sat Nov 27, 2004 3:40 pm

Do you use an old applet?
You have to use the new one that came in this beta release.

/malun

malun
Site Admin
Posts: 1495
Joined: Sun Jan 04, 2004 1:29 pm

Postby malun » Sun Nov 28, 2004 9:09 pm

Rille> Any progress with the applet error?

/malun

Rille
Posts: 46
Joined: Mon Mar 29, 2004 6:36 pm

Postby Rille » Sun Nov 28, 2004 11:46 pm

Nope, and I think that I use the new one.

malun
Site Admin
Posts: 1495
Joined: Sun Jan 04, 2004 1:29 pm

Postby malun » Tue Nov 30, 2004 12:14 am

All my tests show that it should work... :cry:
Anyone else having this problem?

/malun

USER

MD5

Postby USER » Thu Dec 02, 2004 11:13 pm

I GUESS YOU HAVEN'T HEARD OF MD5 BRUTE FORCING????
UNLESS THE HASH IS PASSED A SALT, THE MD5 IS VERY EASY TO CRACK.
EXAMPLE...
PASSWORD = 319F4D26E3C536B5DD871BB2C52E3178
password = 5F4DCC3B5AA765D61D8327DEB882CF99


try setting your password in the cam software as "password"
the md5 will be as that above.

please do not make false comments about the security of an unsalted md5 hash.

questions?
se_cur_ity@hotmail.com

user

more md5 proof

Postby user » Thu Dec 02, 2004 11:35 pm

i set user = test password = password

contents of "pass.dat"
------------------------
test 5f4dcc3b5aa765d61d8327deb882cf99


now try and tell me md5 is secure...



question?
se_cur_ity@hotmail.com

btw... you are running a vulnerable version of phpBB


DO YOU HAVE ANY IDEA OF SECURITY???

malun
Site Admin
Posts: 1495
Joined: Sun Jan 04, 2004 1:29 pm

Postby malun » Fri Dec 03, 2004 1:39 am

Thanks for pointing out the lack of salt!

Of course one can do brute force to get hold of the password, but also a salted password can get cracked by brute force. One has to decide on what level the security should be. You can never get totally secure...
Perhaps the security with unsalted hash functions is too weak even for a simple webcam software...
I'll follow your advice and pass a salt to the hash function.

Still it will be possible to get hold of the password by sniffing the network, so even if it would be impossible to get the passwords from the password file, the overall security level would still be rather weak.

I do not recommend anyone to use the password function in Yawcam if security is really important. But for the ordinary home user, playing around with his/her webcam, it should be enough.

Once again, thanks for your reminder about the salt. I'll try to implement it soon.

Regarding the phpBB version: Well, then I'll have to update... (thanx) :D

/malun
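
The salting change agreed to above, as an added example (not Yawcam's code and not part of the thread). `unsalted_record` reproduces the `pass.dat` line quoted earlier; the salted functions go one step beyond a bare salt by using PBKDF2-HMAC-SHA256, and their `user$iterations$salt$key` layout and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not a Yawcam setting


def unsalted_record(user: str, password: str) -> str:
    """Record in the 'user md5hex' layout shown in the thread's pass.dat."""
    return f"{user} {hashlib.md5(password.encode()).hexdigest()}"


def salted_record(user: str, password: str, salt=None) -> str:
    """Hypothetical replacement layout: user$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)  # fresh salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{user}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    # rsplit keeps a '$' inside the user name from shifting the fields.
    _user, iterations, salt_hex, dk_hex = record.rsplit("$", 3)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def shared_hashes(records) -> bool:
    """True if any two records carry the same stored hash value."""
    hashes = [r.replace("$", " ").split()[-1] for r in records]
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    # Constructed accounts: two users who picked the same password.
    old = [unsalted_record("test", "password"),
           unsalted_record("admin", "password")]
    new = [salted_record("test", "password"),
           salted_record("admin", "password")]
    print(old[0])
    print("unsalted records share a hash:", shared_hashes(old))
    print("salted records share a hash:  ", shared_hashes(new))
    print("verify:", verify(new[0], "password"), verify(new[0], "Password"))
```

With the unsalted layout, every account using the same password stores the same value, so anyone who can read the file learns which accounts share a password; a per-user salt removes that, and the iteration count raises the cost of each guess.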

user

md5

Postby user » Fri Dec 03, 2004 2:22 am

Thanks for the great response! Yes, sniffing would reveal the pass.
The main issue is a non-admin (or other) user accessing the pass.dat file locally, and then decoding the password. Often users (admins) use the same user/pass for everything, so by getting this via the pass.dat, it could lead to other compromise that may use the same user/pass combo.

phpBB - upgrade to 2.0.11 and/or turn off the highlight function (as this is the attack vector). Over 10,000 websites have been compromised / defaced by this exploit.

