Security alert for DEVONnote

Hello,

I’m posting this because I’ve seen a thread in some other forum
that deals with a topic where a member said that he has his DEVONnote
database secured with a name and a password, and if he opens
the ~/Library/Application\ Support/DEVONnote/DEVONnote-1.database
in a text editor, the user name and password are included there in plain text.

I’ve tested that with my DEVONnote PE application as well,
and yes, everything is included there.

Can somebody please provide a hint to fix that?

This level of protection is typical of most password protection schemes in consumer software and is intended to prevent prying by casual intruders, but not by determined hackers. It has the “advantage” that if you forget your password, you are not forever locked out of your information. Indeed, the most common problem with password protection is that users set passwords, enter valuable information, then forget their passwords! :slight_smile:

So this isn’t a “security” issue in the same sense that Windows operating systems have security issues. It’s a scheme that allows DEVONtechnologies Support to help users who have forgotten their password and need access to their information.

It would be possible to provide bullet-proof encryption security to material that’s held within a DEVONthink or DEVONnote database. In fact, that can already be done outside the DEVONtechnologies software by encrypting information externally, importing the encrypted document (which will, of course, not be readable within the DEVONtechnologies application), and exporting it for decryption.

Note: Of course, FileVault already exists in OS X and this is a much higher level of security for material held in your User directory (including your DEVONthink PE or DEVONnote database). Personally, I don’t enable FileVault on my computers, precisely because it’s another source of problems that I’d like to avoid.

Question: Do users really want bullet-proof security in DEVONtechnologies applications? Remember that we can’t help you recover information if anything goes wrong, in such case.

First of all, thanks for that quick reply.

If I understand you right, you see the plain password and user info in the database as an advantage.
I can understand that point of view from your side (as vendor), but please stop thinking like a developer
for one moment and think of how you would feel if a program offered you the possibility to save
your credit card or whatever sensitive data, and you realized one day that you could also write it
with every other text editor, because they are all on the same security level.

I think the point that users often forget the passwords they entered is a true point.
But if they have a brain like a sieve, then they had better not use that feature.

For me, and that’s my personal opinion, that so-called “feature”
is at the moment nothing more than nonsense.

And to answer your question: Yes, I would really like to have that feature.
I have searched around a lot for a text editor with style and the ability to save my data
in a secure way. But there are only one and a half. The half one is unfortunately DEVONnote.

Sure, there are external tools to encrypt text after you’ve written it, but is it really so hard
to implement such a feature into an application? I think developers can use many frameworks
which would provide that feature. And I’m not willing to pay for a second product only because
the one application does only half of its job.

Thanks for understanding

Janosh

I don’t use the name/password security scheme in DT. If I did, however, I’d agree with Janosh. I can see a case for not offering the feature at all, and a case for offering a reasonably strong password encryption feature. But storing the password in the clear is a compromise that could lead to trouble.

Bill is quite right that a very highly developed security feature is built into Mac OS X: FileVault. A little less well known, however, is that Disk Utility can build a custom-sized, encrypted disk image that can be used to store DT/DN databases, or anything else for that matter. This is essentially FileVault written small.

This option is available immediately to anyone wishing to encrypt their files.

Thanks, Fred. An encrypted disk image would be a good approach for someone with highly sensitive information. That’s a lot less trouble than FileVault. One could make an alias of the DEVONthink or DEVONnote database while the encrypted disk image is open, and replace the corresponding database folder in /YourUserHome/Library/Application Support/… with that alias. Of course, the database can only be found when the disk image is open.

How to: First, copy the DT or DN database folder over to the encrypted disk image you’ve created. Second, make an alias of the database folder in its new location. Finally, replace the existing DT or DN database folder in Application Support with the alias of the database folder that’s stored on the encrypted disk image. (You may need to remove “copy” from the name of the alias.) Now, when you quit DEVONthink or DEVONnote and unmount the disk image, it would be very difficult for anyone else to access the information. That includes you, if you forget the password to mount the disk image!

As for credit cards, sometimes I shudder at how many people have access to my card numbers. Every time I pay a bill at a restaurant the waiter walks away and could easily record and use the number. I make a fair number of transactions on the Net and have never had a problem. We’ve only experienced credit card fraud twice. Once a department store clerk copied my card number and made purchases with the card. On another occasion, my wife’s purse was stolen from her desk and ATM withdrawals were made. In both cases, it cost us nothing. I make it a practice not to deal with banks that don’t promise full coverage if a card is fraudulently used or my identity is stolen.

Janosh, I’m one of those people with a brain like a sieve. :smiley: I have to use passwords for several financial accounts and Web sites. But I can rarely remember them. So I depend on my computer to remind me, with the passwords stored “in the clear.” About the only accommodation that I make to security is to semi-hide number strings in fake phone numbers or street addresses.

Mac OS X has a very nice place to keep little pieces of private information like credit card numbers and passwords. The utility is called “Keychain Access”. You can have any number of keychains, and keychains can contain passwords or secure notes, all encrypted on disk. You only need to remember the one password used to unlock a keychain.

Perhaps DEVONthink should be using the keychain mechanism to remember the database password?

Thanks for the opinions and comments.

Anyway, I still don’t understand why you’re doing it
that way and making the user trust in security that doesn’t exist.

See you in another life, Janosh!