Page 1 of 2
Yawcam BETA 2004-11-27
Posted: Sat Nov 27, 2004 1:26 pm
by malun
Get the new beta release:
http://www.yawcam.com/beta/yawcam_beta_2004-11-27.zip
What's new since last official release?
- Fixed some ftp bugs.
- Added silent retry option for ftp errors.
- Added path memory for save dialog.
- Added some new overlay variables.
- Added some new warning messages.
- Added announcement possibilities.
- Added possibility to use older language
files. Missing parts will now show up
in english.
- Added forced applet size.
- Added zoom functionality in applet.
- Added smarter code for data transfer to applet.
- Added password protection for the stream applet.
- Changed from java 1.4 to java 1.5 (5.0)
What's new since last beta?
- Added some new warning messages.
- Fixed some actions in the announcement GUI.
- Added GUI for password protection.
- Now saves password in a secure way (md5)
- Some size optimization done.
As usual you can report bugs to
bugs@yawcam.com
/malun
Posted: Sat Nov 27, 2004 2:28 pm
by Rille
How does the password thing work?
Posted: Sat Nov 27, 2004 3:10 pm
by malun
It stores a hash value (md5) of the real password in a password file. An md5-hash-funtion is a one-way-function, so there is no way (a
very small probability) to retreive the real password from the md5-value.
When a login attempt occurs the typed password is passed through the md5-function and the md5-value is compared with the md5-value stored in the password file.
Still the typed password will be transferred in clear text from the applet to Yawcam. So it's still voulnerble for sniffing. In other words the protection will be as safe as for example the ordinary FTP-protocol.
More info about md5 here:
http://en.wikipedia.org/wiki/MD5
and
http://www.faqs.org/rfcs/rfc1321.html
I hope this explanation was clear enough. Please ask otherwise!
/malun
Posted: Sat Nov 27, 2004 3:22 pm
by malun
Add some users in the password settings in Yawcam, and then look at the file pass.dat with a text editor. Then you'll see that the password you typed are not stored in clear text in the file.
/malun
Posted: Sat Nov 27, 2004 3:33 pm
by Rille
Does applet prompt for the password?
Posted: Sat Nov 27, 2004 3:35 pm
by malun
Yes it does!
/m
Posted: Sat Nov 27, 2004 3:38 pm
by Rille
hmm
when i use password the applet only display "Loading..."
Posted: Sat Nov 27, 2004 3:40 pm
by malun
Do you use an old applet?
You have to use the new one that came in this beta release.
/malun
Posted: Sun Nov 28, 2004 9:09 pm
by malun
Rille> Any progress with the applet error?
/malun
Posted: Sun Nov 28, 2004 11:46 pm
by Rille
Nope and i think that i use the new one
Posted: Tue Nov 30, 2004 12:14 am
by malun
All my tests show that it should work...
Anyone else having this problem?
/malun
MD5
Posted: Thu Dec 02, 2004 11:13 pm
by USER
I GUESS YOU HAVENT HEARD OF MD5BRUTE FORCING????
UNLESS THE HASH IS PASSED A SALT, THE MD5 IS VERY EASY TO CRACK.
EXAMPLE...
PASSWORD = 319F4D26E3C536B5DD871BB2C52E3178
password = 5F4DCC3B5AA765D61D8327DEB882CF99
try setting you password in the cam software as "password"
the md5 will be as that above.
please do not make false comments about the security of an unsalted md5 hash.
questions?
se_cur_ity@hotmail.com
more md5 proof
Posted: Thu Dec 02, 2004 11:35 pm
by user
i set user = test password = password
contents of "pass.dat"
------------------------
test 5f4dcc3b5aa765d61d8327deb882cf99
now try and tell me md5 is secure...
question?
se_cur_ity@hotmail.com
btw... you are running a vulnerable version of phpBB
DO YOU HAVE ANY IDEA OF SECURITY???
Posted: Fri Dec 03, 2004 1:39 am
by malun
Thanks for pointing out the lack of salt!
Ofcourse one can do brute force to get hold of the password, but also a salted password can get cracked by bruteforce. One have to decide on what level the security should be on. You can never get totally secure...
Perhaps the security with unsalted hash functions is to weak even for a simple webcam software...
I'll follow your advice and pass a salt to the hash function.
Still it will be possible to get hold of the password by sniffing the network, so even if it would be impossible to get the passwords from the password file, the overall security level would still be rather weak.
I do not recommend anyone to use the password function in Yawcam if security is really important. But for the ordinary home user, palying around with his/her webcam it should be enough.
Once again, thanks for your reminder about the salt. I'll try to implement it soon.
Regarding the phpBB version: Well, then I'll have to update... (thanx)
/malun
md5
Posted: Fri Dec 03, 2004 2:22 am
by user
thanks for the great response! Yes sniffing would reveal the pass.
the main issue is a non admin ( or other ) user accessing the pass.dat file locally, and then decoding the password. Often users ( admins ) use the same user/pass for everything, so by getting this via the pass.dat, it could lead to other compromise that may use the same use/pass combo.
phpBB - upgrade to 2.0.11 and/or turn off the highlight function ( as this is the attack vector ). Over 10,000 websites have been compromised / defaced by this exploit.