Encrypt passwords

hi
i have a ruby script screenscraping my bank. how can i encrypt the
userid/password in the ruby so that even if someone steals my script,
they will not have access to my passwords?

On Fri, Sep 3, 2010 at 4:20 PM, Junkone [email protected] wrote:

hi
i have a ruby script screenscraping my bank. how can i encrypt the
userid/password in the ruby so that even if someone steals my script,
they will not have access to my passwords?

The problem is of course your script will have to decrypt the password
in order to use it. So how does your script decrypt it in a way that
someone who steals your script won’t be able to? If you give it some
thought, you’ll realize anything your script can do, so can your
attacker.

You’re probably better off running your script as a daemon and on
startup prompting the user for the username/password and caching that
in memory. This isn’t 100% secure either: anyone who is root or
logged in as you on your box can dump the memory and find the info, but
it would solve your specific attack vector of someone stealing your
code.

Personally, I’d never write code which does what you want to do (login
to my bank’s website without me entering the username/password each
time)- too risky.


Aaron T.
http://synfin.net/ Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.
– Benjamin Franklin
“carpe diem quam minimum credula postero”

You could also store the user/pass off in a read-protected file
somewhere else on the fs, and read it in at runtime, depending on how
secure the box running the script is.

Then again, I have to agree with the concept that storing bank
credentials anywhere (encrypted or no) presents a security
vulnerability.

On Fri, Sep 3, 2010 at 4:45 PM, Junkone [email protected] wrote:


how about one-way hashes or digital keys which are based on my machine?
i just read this stuff on the internet and don't know how to use or create
them. looking for ideas.

Nope, a one-way-hash is “one way”. Meaning you can go from cleartext
to hash, but not back to cleartext.

Encrypting the passwords with AES or RSA or something like that won’t
help either, because your script needs the key to decrypt the password.
That means either hard coding it (not secure) or making it readable
to the script in another way. I’m going to assume if the attacker can
read the script, then they can read the key.

If your attack vector is merely that you want to put your script up on
github and you’re not worried about people hacking your computer, then
just put the username/password in an environment variable, database or
other file and access that from your script. But if someone can hack
your computer and read the script, then chances are they’ll be able to
read the environment variable, database or other file, etc.


Aaron T.
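The two alternatives raised in this thread, a read-protected file outside the script and prompting at startup so the secret lives only in memory, as an added Ruby example that is not code from the thread. It assumes a JSON file with "userid" and "password" keys at a path the caller chooses, and refuses to use the file unless it is owned by the current user and readable by nobody else.

```ruby
require 'json'
require 'io/console'

# Loads the bank login from a JSON file such as {"userid": "alice", "password": "..."}
# kept outside the script with mode 0600, refusing any file that is not private to
# the current user; CredentialStore.prompt is the prompt-at-startup fallback.
class CredentialStore
  PermissionError = Class.new(StandardError)

  def initialize(path)
    @path = path
  end

  # True only for a regular file owned by the current user with no group or
  # other permission bits set, i.e. unreadable by anyone else on the box.
  def self.private_file?(path)
    return false unless File.file?(path)
    st = File.stat(path)
    st.uid == Process.euid && (st.mode & 0o077).zero?
  end

  # Load credentials from the file, raising if the file is exposed.
  def load
    unless self.class.private_file?(@path)
      raise PermissionError, "#{@path} must be owned by you with mode 0600"
    end
    data = JSON.parse(File.read(@path))
    { userid: data.fetch('userid'), password: data.fetch('password') }
  end

  # Fallback: ask at startup with terminal echo off, so the secret exists only
  # in this process's memory, as the daemon approach in the thread suggests.
  def self.prompt(input = $stdin, output = $stdout)
    output.print 'userid: '
    userid = input.gets.to_s.chomp
    output.print 'password: '
    raw = input.respond_to?(:noecho) ? input.noecho(&:gets) : input.gets
    output.puts
    { userid: userid, password: raw.to_s.chomp }
  end
end

# Use the protected file when it is present and private; otherwise prompt.
def bank_credentials(path)
  CredentialStore.new(path).load
rescue CredentialStore::PermissionError
  CredentialStore.prompt
end
```

As the replies above note, this only narrows the attack to someone who already has your account or root on the box; it does not let the script hold a secret its own user cannot read.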