Subject Re: [Firebird-Architect] Re: [Firebird-admin] Re: [Firebird-devel] Common Message Repository
Author Alexandre Benson Smith
Alex Peshkov wrote:

>>Now, putting that aside temporarily, it has been reported that there are
>>somewhere between 4 million and 40 million compromised PCs on the net,
>>inside and outside of firewalls. Any (or all!) of these could be
>>running a password sniffer with an ethernet board running in promiscuous
>>mode. Since Firebird, all versions, send passwords in clear or
>>trivially obfuscated, it is easy game.
>Not sure that things are really looking so bad. For example, PC on which
>I'm typing this letter, is connected to switch, not hub. Therefore any
>packet, send from it, can't be caught by sniffer, even if it is present
>in my LAN on some box, sitting in the hub. During last 5 years dumb hubs
>became mush less popular even in Russia. So if one thinks about
>protecting from sniffers, he should simply replace hubs with switches.
>Though, certainly, it doesn't solve a problem, when a packet with
>pseudo-crypted password travels over public network.

I know you know security much better then me, but I have just a comment:

I have read a good doc about how to sniff on nets with switchs, it relys
on a Switch behaving like a hub in some conditions (when one forge a MAC
address duplicating it, the HUB goes crazy and start broadcasting, the
other way was flooding the switch with ARP requests the same happens,
switch start behave like hubs).

I have googled for some info, didn't find the original article I read
some years ago, but look here:

Don't know if newer switches are not vulnarable with this approach.

I think the best that could be done is to encrypt the traffic, it's easy
with zebedee or other tunnel software. If one cares about it it could
already implement it, and FB could focus on other points to improve the

>>A short term easy to implement fix is to anchor accounts to what I call
>>coteries -- sets of IP addresses from which a given account is valid.
>>This won't stop your roommate, co-worker, or kid from attacking your
>>account, but it will stop other remaining 99.9999% of the hackers.
>It's really easy to implement. Do you think it's worth adding it to 2.0?
I liked it !

What about a "finger print" that the client should send to the server
that prove it is an "valid" client.

Of course itwill not solve the problem completely, but an client should
have this finger print in an server autorized files to gain access to it.

see you !

Alexandre Benson Smith
THOR Software e Comercial Ltda
Santo Andre - Sao Paulo - Brazil