As far as I understand if Dropbox wants to automatically run in the background w
Question
As far as I understand, if Dropbox wants to automatically run in the background without asking the user for a password, it has to store the password somewhere on the hard drive and currently has no way to encrypt that password in a way that other applications can't read it.
As a result, some security-aware applications ask the user for a password every time they run, to avoid storing the password.
I could imagine a system where the OS has a safe area that is encrypted with the password the user uses to log in to their user account, and that is configured so that only the Dropbox exe can access it. The dropbox.exe can be identified via the path where it lies on the disk and a hash. When Dropbox updates itself, it would have to give a notice to the OS to calculate a new hash.
This goes not only for apps like Dropbox but also for apps like KeePass that store lots of passwords. It seems to me that even malware that can read the whole disk and capture keys via a keylogger couldn't steal passwords in a setup like this, provided the keylogger isn't active when the user signs in to his user account.
Is there an error somewhere in my thinking?
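The safe area described above, as an added example that is not part of the original post (Python, standard library only; the HMAC counter-mode keystream stands in for a real cipher, and the `ToyVault` class, the sample password, salt, paths and executable bytes are all made up for illustration):

```python
import hashlib
import hmac
import os


class ToyVault:
    """Per-user 'safe area': secrets are encrypted under a key derived from the
    login password and released only to the registered executable."""

    def __init__(self, login_password: bytes, salt: bytes):
        # Derived once at login; lives in memory only while the session is unlocked.
        self._key = hashlib.pbkdf2_hmac("sha256", login_password, salt, 200_000)
        self._entries = {}  # name -> (exe_path, exe_hash, nonce, ciphertext, tag)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        # HMAC-SHA256 in counter mode: a PRF keystream for the demo, not a real cipher.
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self._key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
            counter += 1
        return out[:length]

    def _xor(self, data: bytes, nonce: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))

    def store(self, name: str, secret: bytes, exe_path: str, exe_bytes: bytes) -> None:
        nonce = os.urandom(16)
        ciphertext = self._xor(secret, nonce)
        tag = hmac.new(self._key, nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
        self._entries[name] = (exe_path, hashlib.sha256(exe_bytes).hexdigest(), nonce, ciphertext, tag)

    def fetch(self, name: str, caller_path: str, caller_bytes: bytes) -> bytes:
        exe_path, exe_hash, nonce, ciphertext, tag = self._entries[name]
        # Identity check from the question: both the on-disk path and the hash must match.
        if caller_path != exe_path or hashlib.sha256(caller_bytes).hexdigest() != exe_hash:
            raise PermissionError("caller is not the registered executable")
        expected = hmac.new(self._key, nonce + ciphertext, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("vault entry was modified on disk")
        return self._xor(ciphertext, nonce)

    def rebind(self, name: str, new_exe_bytes: bytes) -> None:
        # The 'notice to the OS' after a self-update: register the new hash, keep the secret.
        exe_path, _, nonce, ciphertext, tag = self._entries[name]
        self._entries[name] = (exe_path, hashlib.sha256(new_exe_bytes).hexdigest(), nonce, ciphertext, tag)
```

The derived key has to stay in memory for as long as the session is unlocked, so this design protects the secrets at rest on disk but not from code that runs inside the same logged-in session.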
Explanation / Answer
This is an artifact of the way Windows does permissions: you can't act as a user without knowing the user's password, because certain key bits of information are encrypted using the user's password. So this applies to no other operating system.
But the key here is that users have permissions and ownership rights, programs do not. So each application is just an activity that the user can perform. Dropbox can't own things because it's a program, not a user.
And the other key is that the task scheduler itself runs as the "system" user. So every task it performs, it performs as "system". A program can take on another user's identity, but for that it needs the identity's password. Which means that the task scheduler user ("system") needs access to that password, which in turn gives that password to ANY program running as "system". Because ownership can only be assigned to users.
It's a bit of a mess, but the TL;DR is that the rules Microsoft created for Windows forced them into this corner. Yes, there are solutions that avoid this problem, and in fact every other OS has solved this. But not Windows. Feel free to complain to Microsoft.