Yawcam BETA 2004-11-27

Beta versions of Yawcam will be announced in this section. You are also welcome to discuss the beta versions in here.
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Yawcam BETA 2004-11-27

Post by malun »

Get the new beta release:
http://www.yawcam.com/beta/yawcam_beta_2004-11-27.zip

What's new since last official release?
- Fixed some ftp bugs.
- Added silent retry option for ftp errors.
- Added path memory for save dialog.
- Added some new overlay variables.
- Added some new warning messages.
- Added announcement possibilities.
- Added possibility to use older language files. Missing parts will now show up in English.
- Added forced applet size.
- Added zoom functionality in applet.
- Added smarter code for data transfer to applet.
- Added password protection for the stream applet.
- Changed from java 1.4 to java 1.5 (5.0)

What's new since last beta?
- Added some new warning messages.
- Fixed some actions in the announcement GUI.
- Added GUI for password protection.
- Now saves the password in a secure way (md5).
- Some size optimization done.

As usual you can report bugs to bugs@yawcam.com

/malun
Rille
Posts: 46
Joined: Mon Mar 29, 2004 6:36 pm

Post by Rille »

How does the password thing work?
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

It stores a hash value (md5) of the real password in a password file. An md5 hash function is a one-way function, so there is no way (a very small probability) to retrieve the real password from the md5 value.

When a login attempt occurs, the typed password is passed through the md5 function and the md5 value is compared with the md5 value stored in the password file.

Still, the typed password will be transferred in clear text from the applet to Yawcam. So it's still vulnerable to sniffing. In other words, the protection will be as safe as, for example, the ordinary FTP protocol.

More info about md5 here:
http://en.wikipedia.org/wiki/MD5
and
http://www.faqs.org/rfcs/rfc1321.html

I hope this explanation was clear enough. Please ask otherwise!

/malun
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

Add some users in the password settings in Yawcam, and then look at the file pass.dat with a text editor. Then you'll see that the password you typed is not stored in clear text in the file.

/malun
Rille
Posts: 46
Joined: Mon Mar 29, 2004 6:36 pm

Post by Rille »

Does applet prompt for the password?
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

Yes it does!

/m
Rille
Posts: 46
Joined: Mon Mar 29, 2004 6:36 pm

Post by Rille »

Hmm,
when I use a password the applet only displays "Loading..."
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

Do you use an old applet?
You have to use the new one that came in this beta release.

/malun
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

Rille> Any progress with the applet error?

/malun
Rille
Posts: 46
Joined: Mon Mar 29, 2004 6:36 pm

Post by Rille »

Nope, and I think that I use the new one.
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

All my tests show that it should work... :cry:
Anyone else having this problem?

/malun
USER

MD5

Post by USER »

I GUESS YOU HAVEN'T HEARD OF MD5 BRUTE FORCING????
UNLESS THE HASH IS PASSED A SALT, THE MD5 IS VERY EASY TO CRACK.
EXAMPLE...
PASSWORD = 319F4D26E3C536B5DD871BB2C52E3178
password = 5F4DCC3B5AA765D61D8327DEB882CF99


Try setting your password in the cam software as "password";
the md5 will be as that above.

Please do not make false comments about the security of an unsalted md5 hash.

questions?
se_cur_ity@hotmail.com
user

more md5 proof

Post by user »

I set user = test, password = password

contents of "pass.dat"
------------------------
test 5f4dcc3b5aa765d61d8327deb882cf99


Now try and tell me md5 is secure...



question?
se_cur_ity@hotmail.com

BTW... you are running a vulnerable version of phpBB.


DO YOU HAVE ANY IDEA OF SECURITY???
malun
Site Admin
Posts: 1589
Joined: Sun Jan 04, 2004 1:29 pm

Post by malun »

Thanks for pointing out the lack of salt!

Of course one can do brute force to get hold of the password, but a salted password can also get cracked by brute force. One has to decide on what level the security should be. You can never get totally secure...
Perhaps the security with unsalted hash functions is too weak even for a simple webcam software...
I'll follow your advice and pass a salt to the hash function.

Still it will be possible to get hold of the password by sniffing the network, so even if it would be impossible to get the passwords from the password file, the overall security level would still be rather weak.

I do not recommend anyone to use the password function in Yawcam if security is really important. But for the ordinary home user, playing around with his/her webcam, it should be enough.

Once again, thanks for your reminder about the salt. I'll try to implement it soon.

Regarding the phpBB version: Well, then I'll have to update... (thanx) :D

/malun
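As an added illustration (not Yawcam's own code, which is Java, and not posted by anyone in this thread), the following Python shows the two schemes discussed above side by side: the unsalted-md5 check malun describes against a constructed pass.dat line in the "user hash" format shown later in the thread, and a salted, iterated replacement (PBKDF2-HMAC-SHA256 with a per-user random salt) of the kind malun says he will implement. Record layout, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample in the format the thread shows for pass.dat: "<user> <md5 hex>".
PASS_DAT = "test 5f4dcc3b5aa765d61d8327deb882cf99\n"


def parse_pass_dat(text):
    """Parse 'user hash' lines into a dict of user -> lowercase hex digest."""
    users = {}
    for line in text.splitlines():
        if line.strip():
            user, digest = line.split(None, 1)
            users[user] = digest.strip().lower()
    return users


def verify_unsalted_md5(users, user, password):
    """The check as described in the thread: md5(typed) compared with the stored md5.
    Every user with the same password gets the same stored value, so the file
    can be compared against precomputed md5 tables (the weakness raised above)."""
    stored = users.get(user)
    if stored is None:
        return False
    typed = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(typed, stored)


# Hardened replacement (assumed layout): "<user> <salt hex> <pbkdf2 hex>".
ITERATIONS = 200_000  # assumed cost parameter; raise as hardware allows


def make_salted_record(user, password, salt=None):
    """Store a per-user random salt and a slow, salted derived key instead of a bare md5."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{user} {salt.hex()} {dk.hex()}"


def verify_salted(record, user, password):
    """Recompute the derived key with the stored salt and compare in constant time."""
    rec_user, salt_hex, dk_hex = record.split()
    if rec_user != user:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)
```

With the salted scheme, two users who both choose "password" get different records, so the file no longer reveals shared or well-known passwords at a glance; the clear-text transfer between applet and Yawcam that malun mentions is unchanged by either scheme.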
user

md5

Post by user »

Thanks for the great response! Yes, sniffing would reveal the pass.
The main issue is a non-admin (or other) user accessing the pass.dat file locally, and then decoding the password. Often users (admins) use the same user/pass for everything, so by getting this via the pass.dat, it could lead to other compromise that may use the same user/pass combo.

phpBB: upgrade to 2.0.11 and/or turn off the highlight function (as this is the attack vector). Over 10,000 websites have been compromised / defaced by this exploit.