
Re: [Omaha.pm] cisco vpn script




On Nov 8, 2004, at 11:35 PM, Terry wrote:
<<BRAINDUMP;
One could argue about storing your VPN password in a script
file....wonder if you could store it differently.....has to be passed
to vpnclient in the clear.....can't reverse a hash....mmm...
BRAINDUMP


#!/usr/bin/perl

use Expect;

$username = 'terry';
$password = 'password';

Ahh, Expect.pm. I have a soft spot for it. -sniff!- -grin-

Our passwords are in the clear in our source code too. I don't know how to really get around that. Sure, you can obfuscate the heck out of it, but you can't really make it unbreakable or you won't be able to use it. -grin-

chmod your source unreadable by untrusted accounts, and I guess you're as OK as you can be.

A vendor of ours forced us to start using a commercial version of PGP a few years ago. It's a real pain to install, use, and fix (thank goodness it is stable once running). You can't just run commands command line and have the PGP engine do its thing, you have to have a pgp daemon running and jump through a bunch of hoops to get anything done. At the end of the day the data's on disk somewhere, unreadable by untrusted users. Sure, it's obfuscated to the nth degree so even if you were root it would probably be hard to break, but if you know what you're doing I can't imagine it would be any harder than brute forcing /etc/shadow...

So much security stuff strikes me as existing solely for its own sake. Yes, I'm agitated by the entire registrar "certificate of authority" universe too. -grin-

</rant>

j
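
The "chmod it unreadable by untrusted accounts" advice above can be enforced by the script itself. This is an added example, not part of the original thread: the password moves to a separate file, and the script refuses to use that file unless it is private to the current user. The file location and its one-line "username:password" format are assumptions. The password still reaches the VPN client in the clear; this only limits who can read it at rest.

```perl
#!/usr/bin/perl
# Added example: keep the VPN credentials out of the script itself and
# refuse to use a credentials file that other accounts could read.
# The file name and its "username:password" format are assumptions.
use strict;
use warnings;
use Fcntl qw(:mode);

sub load_credentials {
    my ($path) = @_;

    # Open first, then stat the open handle, so the checks apply to the
    # file actually read (no window to swap the file between check and use).
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my @st = stat($fh) or die "cannot stat $path: $!\n";
    my ($mode, $uid) = @st[2, 4];

    die "$path is not a regular file\n" unless S_ISREG($mode);
    die "$path is not owned by the current user\n" unless $uid == $>;

    # Any group/other permission bit means an untrusted account may read it.
    if ($mode & (S_IRWXG | S_IRWXO)) {
        die sprintf("%s has mode %04o; run: chmod 600 %s\n",
                    $path, S_IMODE($mode), $path);
    }

    my $line = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $line;
    chomp $line;

    # Split on the first colon only, so the password may contain colons.
    my ($username, $password) = split /:/, $line, 2;
    die "$path: expected username:password\n"
        unless defined $password && length $username && length $password;

    return ($username, $password);
}

# Hypothetical location; the script can now be world-readable or sit in
# version control without exposing the password.
my $file = "$ENV{HOME}/.vpn_credentials";
my ($username, $password) = load_credentials($file);
print "loaded credentials for $username\n";
```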