Securing Data

JUNIPER snijuniper at comcast.net
Sun Dec 2 16:02:02 EST 2007


   A very secure way would be to simply save data only to a removable disk
   and back up and remove them when not in use (safe deposit box? - Oops -
   my wife has a key!).
   Steve J

Date: Sat, 1 Dec 2007 14:42:33 -0800
From: "Charles Day" <cedayiv at gmail.com>
Subject: Re: Quicken to GnuCash (Windows)
To: "Robert Heller" <heller at deepsoft.com>
Cc: gnucash-user at gnucash.org
Message-ID: <1d6843d80712011442o3fd9eedp3f8f18cd9754cb96 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Nov 25, 2007 2:40 PM, Robert Heller <heller at deepsoft.com> wrote:


I'll start by using TrueCrypt to create a secure partition, since I am
already familiar with it, but I can't say that this method really
satisfies. Once mounted, the financial data becomes cleartext to any
program (e.g. viruses). Is there a solution that makes the unencrypted
data only available to gnucash?

Yes, but you really are not going to like it: Linux, using either proper
UNIX User/Group file protection OR (even more secure) using SELinux and
ACLs (this probably only really makes sense if you are the accountant
for a spy agency or something and need to keep the accounting for 'black
ops' secure :-)).

Linux has no viruses (in the sense that MS-Windows does), so even
though the data is 'clear text', you only need to worry about other
users on the system snooping -- if they have different UIDs and/or
GIDs and you set the protections of your gnucash files to be other=<no
access> and group=<no access> [chmod go-rwx ...], the normal file
system protections will keep everyone out (except the super user, who
is presumed to be trustworthy).  It does have quite functional file
protection and ownership -- MS-Windows NT only has a half-baked file
protection and ownership system using NTFS (WinNT, Win2k, and later)
and none at all with FAT (Win9x).

The only other solution would be to use a dedicated machine (which does
nothing but run gnucash) behind a very secure firewall and being totally
anal about virus scanning.

You could also install VMware and install one of the popular end-user
Linux distros (such as Ubuntu) on a virtual machine (again using
proper UNIX User/Group file protection on an Ext3 file system).  I
doubt that any of the MS-Windows viruses can deal with an Ext3 file
system on their own.



UNIX/Linux user/group file protection doesn't help me much. I want to keep
professional thieves away from my financial data, not my proverbial little
sister. A quick look at the Firefox bug list alone shows a history of
vulnerabilities that compromise user/group file protection. To steal gnucash
data now, it seems that one would only need to compromise the browser, for
example, then patiently wait for the gnucash data file to be exposed (if any
waiting is even required).

Quicken asks for a password on startup, then decrypts the data file
privately for itself as it accesses it. This is a significant additional
barrier. Naturally, the Quicken data can also be stored on an encrypted
partition using third-party software, if one felt that it was necessary. Of
course, the security or insecurity of Microsoft, Apple, and other
applications lies outside Quicken's control.

I see from other posts that adding this additional security barrier to
gnucash is a low priority for developers, and rightly so, since there are
many other areas that can more directly improve the user experience and
productivity. If additional security gets integrated with gnucash at some
point, great!  This would also make it feasible to add a feature allowing
users to download online transactions for all accounts at once, by caching
the individual account passwords (which would be a significant
improvement.)  But for now, has anyone created their own workaround?

Cheers,
Charles
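
The `chmod go-rwx` protection described in the quoted reply, as an added example that is not part of the original thread: a POSIX shell audit that lists anything under a data directory still accessible to group or other, tightens it, and verifies the result. The function names and the directory passed in are illustrative assumptions; as the reply points out, this only keeps out other UIDs, not programs running as the same user.

```shell
#!/bin/sh
# Added example (not from the thread): audit and tighten permissions on a
# directory holding GnuCash data. Function names are illustrative.

# Print every file or directory under $1 that grants any permission bit to
# group or other. Symlinks are skipped: their own mode bits are not enforced.
loose_entries() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Apply the thread's "chmod go-rwx" to the whole tree. With the directory
# itself at u=rwx only, files created in it later cannot be reached by
# other UIDs even if the creating program's umask is permissive.
lock_down() {
    chmod -R go-rwx -- "$1"
}

# Report, fix, and verify. Returns 0 only if nothing is left exposed,
# 2 if the argument is not a directory.
audit_and_fix() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    before=$(loose_entries "$dir")
    if [ -n "$before" ]; then
        echo "group/other access found on:" >&2
        printf '%s\n' "$before" >&2
        lock_down "$dir"
    fi
    # Re-scan rather than trusting chmod's exit status.
    [ -z "$(loose_entries "$dir")" ]
}

# Usage after sourcing this file:  audit_and_fix /path/to/data/dir
```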


