Subject Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users
Author Milan Babuskov
Zd wrote:
> Firebird doesn't provide secure connections, instead I'm thinking of using a third party tool like ZeBeDee to create a secure tunnel

Won't work. The localhost connection between fbclient.dll and zebedee on
the client side is not encrypted. Only the part between zbd server and
client is.

Also, if a hacker has access to the client machine, there are much bigger
problems. He can, for example, freeze your application with something
like SoftICE[1] and read the SYSDBA password from its memory space.

[1] http://en.wikipedia.org/wiki/SoftICE

There are many other similar tools, and even if you detect them all, he
can still run your program in a virtual machine using something like
VirtualBox, freeze the image, dump its RAM to disk and analyze it as
much as (s)he wants. In short: physical access = no security.

The only question is time. Can you make it so hard that he would need to
spend too much time and it simply isn't worth it?


--
Milan Babuskov
http://www.flamerobin.org
http://www.guacosoft.com