Subject Re: [IB-Architect] The Borland Back Door
Author Jim Starkey
At 11:28 AM 1/10/01 +0100, Nando Dessena wrote:
>I have diligently applied the fix, and out of curiosity went out to
>discover what the magic words were. I must say that I remained
>astonished; I thought I was using a product (a few products, actually)
>made by professionals; Anyway...
>My new "secure" IB6 server won't let me in with the magic account, but
>neither will the "insecure" one. Creating the magic account in the
>security database doesn't change things. How can I make sure that I had
>a security hole and, most of all, that it's gone after the patch?
>I guess that a public answer would imply revealing some details that are
>best kept secret; I'll accept any word that can make me rest assured.

If you tried with IBConsole the answer is simple: IBConsole upcases
accounts and passwords; the offending words were lower case. If
an attach from a program failed, let me know -- there is something
else going on that we don't understand.

If you're really curious, try running the server from a debugger.
Local symbols won't be visible, but globals are. Put a breakpoint
on the password validation code, then put a breakpoint on strcpy/
strcmp. All should become clear.

Computer security doesn't require that the algorithms or code be
secret; in general, the converse is true. The confidence we have
in RSA, SHA, MD5, and, (sorta) DES is because the algorithms are
published, the code is open to scutiny and study.

In a day or two we can stop being coy about the account/password
and give a proper name to this thread.

Jim Starkey