Subject Fw: Mischievous SYSDBA
Author Steve Tendon
I'm forwarding the following to IB Architects...

What is the current thinking WRT this problem?


----- Original Message -----
From: Dmitry Garin
To: steve@...
Sent: Monday, May 22, 2000 10:29 AM
Subject: Mischievous SYSDBA

Hello Steve.

I don't know if you're still interested but here's some thinking on SYSDBA
role solution:

1. Here's an e-mail that I received but I haven't tried it myself:

If you mean that SYSDBA-role solution, I think it is not an answer. It took
only 5 minutes for a newbie like me to open that "protection".

When you (customer or competitor of my software) just change the isc4.gdb
and try to login with SYSDBA to database where we have SYSDBA role already,
the IBConsole tells you that there is a role named SYSDBA. Now you just open
the db file with some hex-editor, find word SYSDBA, change one letter e.g.
to SYTDBA, save file and connect with SYSDBA, and now you have all
information available again.

Did I miss something, or is it really this easy? Is there a way to encrypt
the whole gdb file?


2. Here's another way:
Now when SYSDBA is off the track what you need to know is the username which
is now your password. So if you copy a database that you need to hack to the
new IB server with fresh ISC4.GDB and create any user, then connect to that
database under that user - you'll be able to find out the owner of the
database, then create the user =owner and connect to the database under that
user. That's it - you're in.

Besides all this, here's something for you. Wouldn't it be easier just to
encrypt the database? That's the question I asked in the very beginning of
IB 6 field test and Bill Karwin replied that IB is not planning to improve
security side and kindly forwarded me to read FAQs on MERS site.

Dmitry Garin