Subject Re: Undocumented internal encrypt/decrypt in FB
Author mspencewasunavailable
--- In, Geoff Worboys <geoff@...>
> >> If you want any chance of security by obscurity you must
> >> do it outside the open source - the Firebird developers
> >> cannot do it for you.
> > Exactly right. Which is why I originally asked about the
> > possibility of having a hook of some sort to a .dll that
> > *wouldn't* be open source. Then all of this would be up
> > to the user.
> If the project implements such a hook then within a few days
> you will find the bypass hooks available for download.
> Given that I have access to your system (the assumption we
> have made to be having this conversation) then depending on the
> situation I can copy what files I need to my own system or...
> if you have implemented something like:
> > some bit of custom USB-plug-based hardware (something you
> > have) with code in ROM (so it couldn't be hacked)
> I simply insert the new break DLL into the existing system and
> have it output the decrypted data to a new file that I will
> pick up after the next backup has run (all pages will have been
> read and so decrypted through the hooks).

<g> And my hypothetical plug can detect this, because it can
walk back through the stack frame doing checksums. Then it
can phone home, or give bogus results to make you think your
DLL isn't really working, or even fire a tamper circuit and
fry the device, which means you're back to a brute force
attack. I'm sure there's something that can be done to
forestall this as well, but I don't want to get into an arms
vs armor discussion here. See below.

> [And please don't argue that you can stop users installing a
> new DLL onto the computer. If you could do that reliably
> then you would simply protect the database file properly to
> start with and ignore all this obfuscation nonsense.]
> I do not have to do anything difficult like try to steal keys
> or break encryption, I just hook in to the spot made so
> conveniently ready and identifiable by your request to the
> open-source project. There is nothing obscure about it.
> I can only repeat myself:
> If you want any chance of security by obscurity you must
> do it outside the open source - the Firebird developers
> cannot do it for you.

And I can only repeat myself as well: Not asking for the
developers to provide anything except a hook. I don't think
anyone who's participated in this thread has said that they
expect FB to provide unbreakable, undefeatable encryption
on a database.

You're assuming here that my goal is perfect security, that
I believe if only this hook was available, then no one would
ever be able to access this database unless they held the
key. But that's not what I think, nor even necessarily what
I want.

In my back yard is a tool shed, with an old bicycle in it.
There's a paving stone that holds the door shut, so if
anyone wants to get the bicycle, then they can just move the
stone and help themselves (kind of like the way FB is now).
If they don't have permission from me, I can file a
complaint but (since it's a really old, ratty bike) the best
I can do is probably a misdemeanor, and I may have to resort
to a civil action.

But if I put a hasp and a cheap padlock on that shed, then
things change. When someone snaps that padlock, they've
now committed a felony and things are much more serious.

I'm not a lawyer, but I'd bet that things work that way for
theft of data as well. Sometimes just having the cheap padlock
is enough, because when you find it broken, you know somebody
was misbehaving.

In my case, I'm not trying to prevent some agency of a
national government from reading my stuff, I'd just like to
make it a little harder for an unscrupulous competitor to
make off with my specialized database unbeknownst to me.
Swapping the security database is trivial and well
documented (moving the stone), but most wouldn't bother with
DLLs and hacking, because the return isn't worth the effort
they'd have to exert and because it's apt to leave tracks
and if they're caught they're guilty of a serious Federal
(US, anyway) crime. Without the "cheap padlock" I'm likely
down to arguing a civil suit about a copyright violation.

Michael D. Spence
Mockingbird Data Systems, Inc.