RFBServer>>#encryptPassword: wipes the password thats passed in and I'm confused why that's ok.

> IF I load the RFB package from lukas's site[1] (Pharo 1.4, recent enough
> VM, linux) and set the RFB server's fullPassword like this:
>
> MyObject>>startRFB
> RFBServer current setFullPassword: self rfbPassword
>
> MyObject>>rfbPassword
> ^'1234'
>
>
> After that send the source of rfbPassword shows '1234' but the bytecodes
> show that it is '' and the apparently empty string is 8 bytes long with
> each character being (Character value:0)
>
>
> #setFullPassword: uses #atAllPut: to set the value of #rfbPassword to
> 'Character value: 0'.
>
> My concerns are these:
>
> 1. Using the current implementation its impossible to stop and restart
> the RFB server with a default password programmatically.
>
> 2. The implementation is not idempotent when starting/stopping.
>
> 3. I don't understand the security consequences of removing the part
> where the password sent to #encryptPassword: is set to NULL characters.
>
> Is wiping the values of the #rfbPassword method necessary for security
> reasons?  I  assume that setting the RFB server to only accept
> connections from localhost and using X forwarding would take care of
> most of the risk of having a string literal in the image.
>
>
> Or- should I be accessing a default RFB password from another source
> than a class side method in the image?
>
> Is there a standard practice for starting and stopping the RFB server in
> Pharo 1.4 where the RFB server is up and down during the time the image
> is up?
>
>
> Thanks for any advice
>
>
> Paul
>
>
>
>
> 1 - The change was from this package:  RFB-MiguelCoba.26.mcz from this
> repo: http://source.lukas-renggli.ch/unsorted
>