usenet server password

Want something added? Ask for it here.
SeLfKiLlEr
Newbie
Posts: 5
Joined: August 7th, 2008, 11:46 am

usenet server password

Post by SeLfKiLlEr »

Hi guys

i got a request for you :D

is it possible to encrypt or hide the usenet server password somehow?
if the machine sabnzbd is running on is used by multiple persons,
it's kinda "unsafe" for me to throw my account details in plain in the *.ini

or maybe a cached password, ask for the password when sabnzbd is starting up
so that it doesn't have to be stored

cya
SeLfKiLlEr
shypike
Administrator
Posts: 19773
Joined: January 18th, 2008, 12:49 pm

Re: usenet server password

Post by shypike »

Run it as a service under different account and restrict access to the INI file to that account.
The GUI will not show the passwords and even looking at the web page source
will reveal the passwords, since they are shown as real '*' characters.

You can also add the (not very well documented) keyword config_lock = 1 to the INI file.
This will block access to all Config pages.
SeLfKiLlEr
Newbie
Posts: 5
Joined: August 7th, 2008, 11:46 am

Re: usenet server password

Post by SeLfKiLlEr »

but since i'm not the only admin that doesn't work

don't save it in plain text, that would be nice
switch
Moderator
Posts: 1380
Joined: January 17th, 2008, 3:55 pm
Location: UK

Re: usenet server password

Post by switch »

How would you propose we save it?

If SABnzbd can decrypt it, then someone else also can with little work.

Most solutions require a lot of work, and still they can be easily sniffed out (out of memory for example). If you propose a solution that works, then yes we can implement it, however unless we prompt for the password to decrypt each time the program is started (which is against SABnzbd's goals, and still then the password can be fetched from RAM) then we cannot do much.

Security once people have physical access is commonly useless, or just a false sense of security.
shypike
Administrator
Posts: 19773
Joined: January 18th, 2008, 12:49 pm

Re: usenet server password

Post by shypike »

There is a way to do it on Windows.
The Windows API contains encryption functions that will tie the encrypted passwords to the user account.
Then at least the attacker would need to know your password.

However, we do prefer portable methods.
We wouldn't be able to offer it on all platforms.
inpheaux
Administrator
Posts: 562
Joined: January 16th, 2008, 9:14 pm

Re: usenet server password

Post by inpheaux »

As switch and shypike said, there's no point. We have to send your password in cleartext. If we have to send it in cleartext, then there's no reason to encrypt it, because we'd also have to decrypt it. If we can decrypt it, it has to be trivial for anyone else to decrypt it. And even if we did find some magical strong way to encrypt it, we'd still have to send it to your host in cleartext, which means a local attacker - even one not necessarily with physical access to your computer, just physical access to your network - could intercept the packets. You'll find the same problem with every other client out there.

It's futile, so we don't bother. Anyone who does bother either doesn't understand encryption or is intentionally giving you a false sense of security.

FUN EXAMPLE: Use Firefox? Tools -> Options -> Security -> Saved Passwords -> Show Passwords.

What's that? You use a Master Password? Sorry.
Last edited by inpheaux on September 21st, 2009, 8:12 pm, edited 1 time in total.
shypike
Administrator
Posts: 19773
Joined: January 18th, 2008, 12:49 pm

Re: usenet server password

Post by shypike »

inpheaux wrote: We have to send your password in cleartext.

Not if you use an SSL connection to the Usenet server.
inpheaux
Administrator
Posts: 562
Joined: January 16th, 2008, 9:14 pm

Re: usenet server password

Post by inpheaux »

shypike wrote:
inpheaux wrote: We have to send your password in cleartext.
Not if you use an SSL connection to the Usenet server.

Oh, right. SSL. Well, coming up with a strong cross-platform encryption solution is still futile.
switch
Moderator
Posts: 1380
Joined: January 17th, 2008, 3:55 pm
Location: UK

Re: usenet server password

Post by switch »

And if they have write access to the ini they can simply turn off SSL on the server settings and wait for you to reconnect.
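Added example, not part of any post in this thread and not SABnzbd code: a small POSIX audit of the two points raised above, shypike's advice to restrict the INI file to the service account and set config_lock = 1, and switch's point that write access to the INI lets someone change the server settings. The sample INI is constructed, and its key names other than config_lock are assumptions about the file layout.

```python
import os
import re
import stat
import tempfile

# Constructed sample; key names other than config_lock are assumptions.
SAMPLE_INI = """\
[misc]
config_lock = 0
[servers]
[[news.example.invalid]]
username = alice
password = constructed-secret
"""

def audit_ini(path):
    """Return a list of findings for one INI file (POSIX permission bits)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    has_password = re.search(r"^\s*password\s*=\s*\S", text, re.M) is not None
    # Anyone who can read the file can read the stored password.
    if has_password and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("plaintext password readable by group/other")
    # Anyone who can write the file can change the server settings.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("INI writable by group/other")
    if not re.search(r"^\s*config_lock\s*=\s*1\s*$", text, re.M):
        findings.append("config_lock = 1 not set")
    return findings

def demo():
    """Audit the sample at a loose mode, then after tightening it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sabnzbd.ini")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INI)
        os.chmod(path, 0o664)
        loose = audit_ini(path)
        # Hardened: owner-only access and the Config pages locked.
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INI.replace("config_lock = 0", "config_lock = 1"))
        os.chmod(path, 0o600)
        return loose, audit_ini(path)

if __name__ == "__main__":
    for label, result in zip(("loose", "hardened"), demo()):
        print(label, result)
```

The check only covers file-mode bits; it says nothing about other administrators or root, who can read the file regardless.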
SeLfKiLlEr
Newbie
Posts: 5
Joined: August 7th, 2008, 11:46 am

Re: usenet server password

Post by SeLfKiLlEr »

ok i get it, it might be hard because of the multiplatform policy

so i have to think of something locally

thx
inpheaux
Administrator
Posts: 562
Joined: January 16th, 2008, 9:14 pm

Re: usenet server password

Post by inpheaux »

SeLfKiLlEr wrote: ok i get it, it might be hard because of the multiplatform policy

so i have to think of something locally

thx

Store SABnzbd and everything related to it in a TrueCrypt partition. Turn off SABnzbd and lock the TrueCrypt partition whenever you are not standing vigilant over your computer.