  1. #1
    Join Date
    January 2010
    Location
    Austria
    Posts
    9

    [Suggestion] Secure the Identity-System

    Hello everybody!

    I just studied the Identity Import/Export feature, which seems to be a security hole imo.

    Example: A laptop with a ServerAdmin Identity is left open at a LAN party, conference, meeting or convention. Anybody could plug in a USB stick, export and copy the Identity and fool around with the server.
    An Identity might get stolen and made public on the internet. That could cause problems for important/big servers.

    Suggestion: Pass-phrase

    You can set a pass-phrase for every Identity. You need to enter the pass-phrase if you want to:
    change it
    export the Identity
    import the Identity

    This would ensure maximum security.

  2. #2
    Join Date
    December 2009
    Location
    Switzerland
    Posts
    439
    A password for every identity is too much. The master password could be used to secure exports. But why secure imports?

    And by the way: NEVER leave your computer unlocked!

  3. #3
    Join Date
    December 2009
    Posts
    244
    Asking another time for the master password when you want to export could be another good solution

  4. #4
    Join Date
    October 2008
    Location
    Alberta, Canada
    Posts
    166
    What would be an extremely simple solution, I think, is to just encrypt the exports with a chosen password as the key, and then decrypt with that password on import. (You click export and the dialog pops up and says: "Choose an encryption key (password) for this exported identity.")

  5. #5
    Join Date
    December 2009
    Location
    Hannover, Germany
    Posts
    35
    Quote (originally posted by UF|Renegade|LTG):
    What would be an extremely simple solution, I think, is to just encrypt the exports with a chosen password as the key, and then decrypt with that password on import. (You click export and the dialog pops up and says: "Choose an encryption key (password) for this exported identity.")
    Yes, I support that point.

  6. #6
    Join Date
    December 2009
    Location
    Switzerland
    Posts
    439
    Quote (originally posted by UF|Renegade|LTG):
    What would be an extremely simple solution, I think, is to just encrypt the exports with a chosen password as the key, and then decrypt with that password on import. (You click export and the dialog pops up and says: "Choose an encryption key (password) for this exported identity.")
    Problem with this is: I backup my identity and store it on a CD in my safe. 2 years later my system crashes and I want to import the identity. But wait... what was the password again?

  7. #7
    Join Date
    December 2009
    Location
    Sweden
    Posts
    25
    Well, if you back up your identity for 2 years in a safe, it's prob ok to just write down the password on a note and put the note in the safe as well.

    :P

  8. #8
    Join Date
    October 2008
    Location
    Alberta, Canada
    Posts
    166
    If you're planning to put it in a safe, I think that you're going to be fine with the password "1111." This is more for when you need to move it from point A to point B.

  9. #9
    Join Date
    July 2002
    Location
    Germany
    Posts
    2,192
    The master password is designed to protect your config file (including your identities). If you set one in the options you will be asked for it whenever you start TeamSpeak. It might be a good idea to re-ask for the master password when exporting, but really, once TeamSpeak is RUNNING the identity has to be in memory somewhere, so a skilled attacker could just dump your memory and extract it from there later... so don't leave your Windows session open, unprotected by e.g. a screensaver with a password, and with TeamSpeak running, if you care for your identities.

  10. #10
    Join Date
    December 2009
    Location
    Arkansas, USA
    Posts
    74
    I have found where the Identities file has been stored, and I find more of a hole in that than with export, because exporting to a USB drive or any other place is different than the ident file just sitting on the hard drive, just waiting to be mined with a simple copy. Not saying that his suggestion should not be taken; I THINK IT SHOULD.

    But my suggestion for the file just sitting on the hard drive is this:

    Encrypt the file that sits on the hard drive.

    We need something for those forgetful people that won't be able to remember a master password.

    We have to remember that if someone gets ahold of a plain text Identities CONF it is over... that brings unneeded losses. So it needs to have some kind of encryption. I am saying this from my own point of view, because I don't want it getting mined by a program any more than the next person.

    Salted MD5 hashes might be the best bet. But the problem is we need to have some way of recovering that MD5 hash because... of the export problem. And we can't have a program-wide default key that it is salted with. IDK.

    Hope someone can build off this idea like I built off the idea of Sintharas.

  11. #11
    Join Date
    July 2002
    Location
    Germany
    Posts
    2,192
    An attacker gaining access to your hard drive is a very dangerous and hopefully not very common situation. The attacker can do MANY tricks once he is there... of course one of them, if the user is a "lazy" user that has software remember his passwords, is to steal those passwords (this is true for things like your web browser, email program etc. too, not only TeamSpeak).

    Now, for those of you that are more security aware than most of the users, the master password was invented to precisely make the stealing of the config file no use (without the master password).

    Of course every security system can be built stronger, but at some point you HAVE to draw a line where you say, this is as hard as I will make it for an attacker. I think that with the master password system we already have an (unusually) strong mechanism in place to prevent config file theft. Of course we will keep an open mind and eye, and if we notice the wall we built is not high enough in this area we will add a couple more layers of bricks to prevent those pole-vaulters from entering.

  12. #12
    Join Date
    January 2010
    Location
    Secret Base in Arctic Region
    Posts
    1,671
    Right Peter, like the old saying:
    If someone has physical access to your computer, it's no longer your computer...
    And even if the attacker can't use the conf file, he may destroy it, so you can't use it either, i.e.
    Of course, every security system can be made stronger, but also every security system can be breached / broken / abused (cross out what's not applicable).
    And it's on the user's side to secure his machine, not the programmer's.
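
The password-protected export proposed in posts #4 and #10, as an added example that is not part of the thread and not TeamSpeak's code: the passphrase is stretched with scrypt under a random per-file salt, and AES-256-GCM makes a wrong passphrase or a modified file fail on import instead of yielding garbage. The `IDEX1` header, the blob layout and the function names are assumptions made for this example.

```javascript
// Added example (Node.js standard library only); not TeamSpeak's implementation.
const crypto = require('node:crypto');

const MAGIC = Buffer.from('IDEX1');         // hypothetical file header
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;
const SCRYPT = { N: 1 << 14, r: 8, p: 1 };  // cost parameters (assumed values)

// Stretch the passphrase into a 256-bit key; the salt is stored in the file.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, SCRYPT);
}

// Layout: MAGIC | salt | iv | GCM tag | ciphertext
function exportIdentity(identity, passphrase) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(MAGIC);                     // header is authenticated too
  const ct = Buffer.concat([cipher.update(identity, 'utf8'), cipher.final()]);
  return Buffer.concat([MAGIC, salt, iv, cipher.getAuthTag(), ct]);
}

function importIdentity(blob, passphrase) {
  const head = MAGIC.length;
  const minLen = head + SALT_LEN + IV_LEN + TAG_LEN;
  if (blob.length < minLen || !blob.subarray(0, head).equals(MAGIC)) {
    throw new Error('not an encrypted identity export');
  }
  const salt = blob.subarray(head, head + SALT_LEN);
  const iv = blob.subarray(head + SALT_LEN, head + SALT_LEN + IV_LEN);
  const tag = blob.subarray(head + SALT_LEN + IV_LEN, minLen);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAAD(MAGIC);
  decipher.setAuthTag(tag);
  try {
    // final() throws if the tag does not verify: wrong key or altered bytes.
    const pt = Buffer.concat([decipher.update(blob.subarray(minLen)), decipher.final()]);
    return pt.toString('utf8');
  } catch {
    throw new Error('wrong passphrase or corrupted export');
  }
}
```

As posts #9 and #11 point out, this protects the exported file at rest or in transit, not an identity already loaded in a running, unlocked client.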
