
A word of warning on Prey -- I looked into it myself and last I checked, it stores your email password unencrypted in a plain text file in your filesystem. Better still, a comment in the file describes it as "base64 encrypted". Sure, your average laptop thief is probably too clueless to run the trivial command to "decrypt" it, but it still strikes me as highly irresponsible of the developer.

That alone was plenty to convince me not to install it.

EDIT: it still does: https://github.com/tomas/prey/blob/master/config#L44
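As an added example (not from this thread, and not Prey's own code), a small audit script that flags secret-looking config keys whose value is merely base64-encoded, i.e. recoverable by anyone who can read the file. The config text, key names and values below are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample config in a shell-style key=value layout. The
# "base64 encrypted" comment mirrors the wording criticised above; the
# keys and values are made up for this example, not copied from Prey.
SAMPLE_CONFIG = """
# mail settings
smtp_server='smtp.example.com'
smtp_username='laptop-alerts@example.com'
# base64 encrypted
smtp_password='aHVudGVyMg=='
api_key='not-base64!'
"""

# Keys that usually hold credentials.
SECRET_KEY_RE = re.compile(r"(pass|pwd|secret|token|key)", re.IGNORECASE)
# key=value or key='value' / key="value"; comment lines do not match.
LINE_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*['\"]?([^'\"#]*)['\"]?\s*$")


def decode_if_base64(value: str):
    """Return the decoded text if value is base64 of printable text, else None.

    This is a heuristic: a short plaintext password made only of base64
    alphabet characters can decode to garbage bytes, which is filtered out
    by the UTF-8 and printability checks."""
    value = value.strip()
    if not value or len(value) % 4:
        return None
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_obfuscated_secrets(config_text: str):
    """Scan key=value lines and report (line, key, recovered value) triples
    for secret-looking keys whose value is only base64 obfuscation."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if not SECRET_KEY_RE.search(key):
            continue
        decoded = decode_if_base64(value)
        if decoded is not None:
            findings.append((lineno, key, decoded))
    return findings
```

Running `find_obfuscated_secrets(SAMPLE_CONFIG)` reports the `smtp_password` line with its recovered value, while the non-base64 `api_key` value is left alone.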



I looked at my own Prey installation and found this password, but it was just "password", apparently because I don't use the email feature. So it only affects the users of this feature.


Aside from Mac OS, which has an encrypted keychain, how do you expect a password to be stored that is used by open-source software, which has to be accessible by software that cannot prompt the user for a password?


You're right. To me, it's not their use of (effectively) plaintext that is worrisome. It's that the developer characterizes base64 as "encryption", which tells me that they don't even understand the security implications. As an example of a non-worrying response, here's Pidgin's documentation on their choice not to encrypt passwords: http://developer.pidgin.im/wiki/PlainTextPasswords


"Having our passwords in plaintext is more secure than obfuscating them precisely because, when a user is not misled by a false sense of security, he is likely to use the software in a more secure manner."

I must say I don't agree with the Pidgin devs. They think that the user will use the software in a more secure manner because they assume he's aware that the password is stored in cleartext.

That may be true in 1% of the cases. But the other 99% of the people probably don't have a clue, and they wouldn't even know where to find the accounts.xml file in the first place.


I'm not convinced that the appearance of that terminology in the file means the developer is unaware of the difference between encoding and encrypting something. I think we all know the meanings of some words, but continue to misuse them out of convenience and/or habit. It can be difficult to break such a habit. Perhaps you should simply include a patch that will reword the file in the correct manner. :)


Well, as you say, OS X has the keychain (which is encrypted, and has command-line access tools). I think most Linux systems have something similar ('keyctl' on my system). I know nothing of Windows, but I would hope something analogous exists there too.

I mean, mail clients such as Thunderbird can be set up to safely remember passwords without storing them in cleartext, right? So clearly it's feasible...


No, Thunderbird and Firefox store passwords in an SQLite database. Unless you have its "master password" set (which encrypts the contents with that password), everything is in cleartext.


What's more, if you have Firefox or Chrome set to remember your passwords, anyone with access to your computer can look at them through the browser's options menu, clear as day.


If you're on a Mac, you can move passwords to the keychain: https://addons.mozilla.org/en-US/firefox/addon/keychain-serv...

Otherwise, set a master password to encrypt the SQLite database and then make the password time out after a short while: https://addons.mozilla.org/en-US/firefox/addon/master-passwo...


For Windows you can use the DPAPI; take a look at http://msdn.microsoft.com/en-us/library/ms995355.aspx. Of course, if the intruder has your credentials then he can create a process to steal the encrypted passwords, but at least he can't just read the file by mounting the FS somewhere else.


Every hour, generate a random passphrase and output it to a source file. Trigger an automated compile of the project and bake it into the executable which is then auto-bundled into the installer. Upon installation, generate an additional random passphrase and concatenate the two together to form the symmetric encryption key. It's still security through obscurity, but it's a hell of a lot better than base64 encoding.


Well, you don't need to use your primary email username/password. It only uses this to deliver mail. Just create a new one for the purposes of Prey.


As someone noted, this only applies for the old standalone mode, as Prey needs to store your SMTP password in order to send the report via email later.

Most people use Prey + Control Panel nowadays. :)



