LinuxFormat 60 (UK) and GnuCash security ??

Derek Atkins warlord at MIT.EDU
Sat Oct 23 17:34:57 EDT 2004


Hi,

Neil Williams <linux at codehelp.co.uk> writes:

[snip]
> All good, up to here:
>
> The 'missing' feature that counted against GnuCash in the review was 
> 'security', strangely.
>
> "What's not great are the security features - there aren't any. You can't 
> password protect a file or encrypt it and, even worse, GnuCash retains its 
> XML data in a plain text file. It's relatively simple to comb through this 
> file and find dates and amounts of transactions. This is the application's 
> biggest weakness and although it can be overcome with the addition of KDE's 
> or Gnome's own encryption systems, it certainly doesn't make it seamless in 
> use"
>
> "Despite my reservations on security (and its final rating would have been 
> 9/10 if this had been addressed), GnuCash is the best application here. If 
> you want serious features for very little effort, install it and get used to 
> the routine of encrypting your files."

We specifically, consciously decided NOT to do security, because in
many ways it causes more problems than it solves.  First, users should
use the File System to protect access to their data file.  If someone
can read your files then many worse issues exist.  We also really
didn't want to deal with the constant "I lost my password -- how do I
recover my data" questions which ALWAYS occur as soon as you introduce
any kind of integrated encryption.

> Hmm. Well the XML is only readable once someone has got past the usual 
> GNU/Linux login and having a plain text format (or in future a SQL backend) 
> is useful, isn't it?

Well, I never considered XML useful, but other devs have.  But yes, it
does assume that someone has already gained access to your account.

> Should GnuCash hide all the transactions in password protected files?

No.

> Isn't that what permissions are for?

Yes.

> The magazine and reviewers do genuinely welcome feedback on reviews from users 
> and developers. Rather than mail bombing them (!), if there's a consensus 
> here, a 'collective' letter can be sent?
>
> What would the reviewer think of multi-user access?

Good question...

> (Moneydance with 56-bit DES encryption won praise for security but the same 
> mark overall.)

56-bit DES?  Gee, perhaps we should just rot13 our data to keep it from
prying eyes?  ;)

> GnuCash was deemed to be best overall in the review, but the idea of encrypting 
> GnuCash data is a mystery to me. Why should it be so important?

I honestly don't know.  People do consider financial data more
sensitive than other data, so they want it protected.  But I don't
think that GnuCash per se should provide that service.  At _best_
Gnucash could provide an easy way to integrate gpg. 

If someone (else!  not you, Neil, you're busy with more important
tasks!)  wanted to submit patches to implement a gpg plug-in I don't
think I'd object, so long as it didn't add gpg as a build-time
dependency.  Ideally I'd like to get gpg without having to compile in
anything special...

But that presumes we go down this road, which I'm not sure we should.

> Do we care?

No, I don't think so.

> Are there reasons for security to NOT be used?
>
> Have we missed something?
> Has the reviewer missed something?
> (These aren't GNU/Linux newbies, the reviews are usually excellent and the 
> writers are respected and knowledgeable. The magazine does emphasise the 
> newbie angle.)

I think they've certainly ignored the threat model, or haven't played
with it much.  I doubt they are security experts, and instead they are
more likely just working from a checklist.  "Does gnucash have
encryption?  no.  ok, move on".  I doubt they understand what
encryption buys you, and what it does NOT buy you.

> I'm often accused of being overly paranoid about security and encryption - my 
> GnuPG signatures have caused lots of reaction on other (more Windowsie) lists 
> - but encrypting my GnuCash file just didn't occur to me.

I do Security in my day job, and I don't encrypt my gnucash files,
either.

> All my bank statements are in the filing cabinet behind me - it's not locked. 
> That's far easier to access than my Debian box once I've logged out.
>
> (The lack of an automatic backup also features as a minor point.)

What exactly do you mean by "automated backup"?  We do back up the
data file every time it's saved.  Or do you mean "autosave", where
your data is saved periodically during the session?  The latter issue
will get solved when we move to SQL.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available
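The thread's position is that file system permissions, not application-level encryption, are what protect the data file. A practitioner who accepts that model should verify it holds, including for the backup copies GnuCash writes beside the data file, since a loose backup undoes a tight main file. The script below is an added example and is not code from the thread or from the GnuCash project: it audits a directory for data and backup files whose mode grants group or other any access. The `*.gnucash` / `*.gnucash.*` naming pattern, the constructed demo files and the use of GNU `stat -c` are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the gnucash-devel thread or the GnuCash project.
# Checks that a ledger file and its sibling backup files are owner-only,
# i.e. that the "let the file system protect the data" model actually holds.

# perms_ok FILE: exit 0 if FILE grants no permission bits to group or other,
# 1 if it does, 2 if the file cannot be stat'ed.
perms_ok() {
    # Assumes GNU coreutils stat (-c '%a' prints the octal mode, e.g. 600).
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # Keep only the last three octal digits (owner, group, other).
    mode=${mode#"${mode%???}"}
    group_other=${mode#?}
    [ "$group_other" = "00" ]
}

# audit_dir DIR: report each data/backup file and return the count of files
# readable or writable by anyone other than the owner (0 means all tight).
# The file naming pattern is an assumption for this example.
audit_dir() {
    loose=0
    for f in "$1"/*.gnucash "$1"/*.gnucash.*; do
        [ -e "$f" ] || continue
        if perms_ok "$f"; then
            printf 'OK    %s\n' "$f"
        else
            printf 'LOOSE %s (mode %s)\n' "$f" "$(stat -c '%a' "$f")"
            loose=$((loose + 1))
        fi
    done
    return $loose
}

# demo: constructed scenario in a temporary directory - a tight main file
# next to a world-readable backup. Returns the number of loose files (1).
demo() {
    d=$(mktemp -d)
    : > "$d/ledger.gnucash"
    chmod 600 "$d/ledger.gnucash"
    : > "$d/ledger.gnucash.20041023.bak"
    chmod 644 "$d/ledger.gnucash.20041023.bak"
    n=0
    audit_dir "$d" || n=$?
    rm -rf "$d"
    return $n
}

# Usage: source this file and run `audit_dir ~/gnucash` (or `demo` to see the
# constructed case); a non-zero exit status means at least one loose file.
```

Run it against the real directory where the data file lives; the point of the check is that backups inherit the umask at creation time, so a `600` main file is no guarantee about the files written next to it.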

