[Alpine-info] Seeking someone who..?

Carlos E. R. robin.listas at telefonica.net
Mon Dec 4 05:24:27 PST 2023

Previous message: [Alpine-info] Seeking someone who..?
Next message: [Alpine-info] Seeking someone who..?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

El 2023-12-01 a las 12:43 -0800, jason-alpine-info at shalott.net escribió:

>> I will say one thing about the method Carlos posted to remove the password

>> file. I was aware of this, and I have seen posts like this in the past.

>> Alpine has the ability to remove this password too, and I have posted in

>> the past how to do this. This means, there are two ways to remove the

>> password from the encryption key, and I will modify Alpine to force

>> everyone to have a password in the encryption key.

>

> Can I ask what the specific threat model is that this step is meant to

> combat?

For example, a person that has (temporary) access to the machine, can open
Alpine and read the mail; likely also write and send email. This can be
used to get access to a bank account or to purchases. In the read emails
there can be private information of other people that they sent to you, in
confidence. An identity could be stolen.

Depending on software, they might read the mail accounts passwords, and
with that, go away and access your email from their home.

Possibly there is nobody in the premises with physical access to your
machine, but you never know, if you get visitors. Or your machine could
break down, and you may have technical service having a look at it.

That said, software like Thunderbird has the master password as optional.
Obviously, I set it up, but some (many?) people don't.

Also once I open and enter the password to Alpine or Thunderbird, the
application will be open for (many) days, not asking for the password
again. The only protection is the desktop user password (when the screen
saver kicks in).

There is other software that has mail passwords in plain text files
(postfix, for instance). it is a daemon, it can not ask for user
interaction.

- --
Cheers
Carlos E. R.

(from openSUSE 15.5 (Laicolasse))

-----BEGIN PGP SIGNATURE-----

iHoEARECADoWIQQZEb51mJKK1KpcU/W1MxgcbY1H1QUCZW3TCxwccm9iaW4ubGlz
dGFzQHRlbGVmb25pY2EubmV0AAoJELUzGBxtjUfVnREAnRM+TgYs75z4ylZ1TcR9
w3SPLUrDAJwLxVOfr93LKSehfeoPheqUJ/ZySQ==
=7THh
-----END PGP SIGNATURE-----

Previous message: [Alpine-info] Seeking someone who..?
Next message: [Alpine-info] Seeking someone who..?
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Alpine-info mailing list