


Re: passwords, Strings an

From "Wojtek" <wojtek@THRWHITE.remove-dii-this>
Subject Re: passwords, Strings an
Message-ID <mn.5abd7d89241bd5ee.70216@a.com> (permalink)
X-Comment-To comp.lang.java.security
Newsgroups comp.lang.java.security
In-Reply-To <uhsnpdghaq12.dlg@kimmeringer.de>
References <uhsnpdghaq12.dlg@kimmeringer.de>
Date Wed, 27 Apr 2011 16:08:36 GMT



  To: comp.lang.java.security
Lothar Kimmeringer wrote :
> Wojtek wrote:

>> However a String which is created while the application is running 
>> (user entered, read from file, HTML parameters) does not get put into 
>> the string pool.
> That's not true as you can see above.

Hey, this is not a wasted day, I just learned something!

> They're not kept there forever, i.e. if no reference points to the
> element in the pool it can be garbage collected. The problem
> is that you can't control the Garbage Collector and its decision
> if a specific element in the String-pool should be garbage
> collected or not.

True.

And I forgot to mention the memory swap file. Which would be an easier 
point of access.

>> And there is no easy way to determine what a series of characters 
>> represents in memory.
>
> Security by Obscurity doesn't work.

True. Though it does slow the attacker down. Which is the ultimate goal 
anyway. There is no encryption system in existence which cannot be 
cracked eventually. You can only stretch the time it takes.

Hopefully the cracking time will be longer than the lifetime of the 
sensitivity of the information.

And then some all-knowing C-level PHB will copy the data in clear onto 
his USB key "for convenience" and lose it in a washroom at the strip 
club...

-- 
Wojtek :-)
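
An added example, not part of the original post or thread: since the program cannot decide when the garbage collector reclaims a password held in a String, the usual mitigation is to keep the password in a `char[]` and overwrite it as soon as it has been used. The class name, iteration count, key length and sample password below are assumptions chosen for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordBuffer {
    // Iteration count and key length are illustrative assumptions.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    /** Derives a verifier from the password; the caller still owns and must wipe the array. */
    static byte[] derive(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec keeps its own copy of the chars
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. Real code would take the array from
        // Console.readPassword() or JPasswordField.getPassword(); a String
        // literal here would live in the constant pool for the class lifetime.
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't', ' ', 'h', 'o', 'r', 's', 'e'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        try {
            byte[] verifier = derive(password, salt);
            System.out.println("derived " + verifier.length + " bytes");
        } finally {
            Arrays.fill(password, '\0'); // overwrite now instead of waiting for GC
        }
        System.out.println("buffer wiped: " + (password[0] == '\0'));
    }
}
```

Wiping the array only shortens the time the plaintext is reachable on the heap. Pages already written to the swap file, and copies a moving collector may have left behind, stay outside the program's control.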




Thread

passwords, Strings and me "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
  Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
    Re: passwords, Strings an "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
      Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
      Re: passwords, Strings an "Wojtek" <wojtek@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
        Re: passwords, Strings an "Lothar Kimmeringer" <lothar.kimmeringer@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
          Re: passwords, Strings an "Wojtek" <wojtek@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
        Re: passwords, Strings an "Fred" <fred@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
          Re: passwords, Strings an "Maarten Bodewes" <maarten.bodewes@THRWHITE.remove-dii-this> - 2011-04-27 16:08 +0000
