| Subject | Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users |
|---|---|
| Author | Zd |
| Post date | 2008-11-11T19:09:01Z |
Milan,
Are you saying the method of connection described here is not working?
http://www.firebirdsql.org/download/firebird_zebedee_eng.pdf
The ZeBeDee client is on the same machine as fbclient.dll. Also ZeBeDee server is on the same machine as Firebird server.
What's the problem with this?
If the hacker can get access to my computer and its memory space, no matter if I log in using "traditional" methods (separate DB users), he will find out my DB username/password easily!
If the hacker can put a trojan to my computer and gain access to it there is nothing that can protect me. If I put my database on the Internet I have to take some risks (mostly caused by the stupidity of my users installing malware on their computer - accidentally of course).
If I really want to secure it, I can lock access to the office LAN, but then nobody will reach it from the Net...
What do you think?
----- Original Message -----
From: Milan Babuskov
To: firebird-support@yahoogroups.com
Sent: Tuesday, November 11, 2008 6:01 PM
Subject: Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users
Zd wrote:
> Firebird doesn't provide secure connections, instead I'm thinking of using a third party tool like ZeBeDee to create a secure tunnel
Won't work. The localhost connection between fbclient.dll and zebedee on
client side is not encrypted. Only the part between zbd server and
client is.
Also, if hacker has access to client machine, there are much bigger
problems. He can, for example, freeze your application with something
like SoftICE[1] and read the SYSDBA password from its memory space.
[1] http://en.wikipedia.org/wiki/SoftICE
There are many other similar tools, and even if you detect them all, he
can still run your program in a virtual machine using something like
VirtualBox, freeze the image, dump its RAM to disk and analyze it as
much as (s)he wants. In short: physical access = no security.
The only question is time. Can you make it so hard that he would need to
spend too much time and it simply isn't worth it?
--
Milan Babuskov
http://www.flamerobin.org
http://www.guacosoft.com