Subject | Re: [firebird-support] Guys! I got it! - Re: Avoiding hard-coding db pass in app - without using db users |
---|---|
Author | Steve Wiser |
Post date | 2008-11-11T19:12:47Z |
The hacker would either have to already know the "application" password
(the one used to verify the user is correct before sending back the real
firebird password) or hijack a legitimate user's computer while they are
logged into the app. If the hacker already knows the password then what
is the point of hacking the app? They already can log into the app? If
they are hijacking a legitimate user's computer then I think you have
many more problems...
-steve
Milan Babuskov wrote:
> Zd wrote:
> > Firebird doesn't provide secure connections, instead I'm thinking of
> > using a third party tool like ZeBeDee to create a secure tunnel
>
> Won't work. The localhost connection between fbclient.dll and zebedee on
> client side is not encrypted. Only the part between zbd server and
> client is.
>
> Also, if a hacker has access to the client machine, there are much bigger
> problems. He can, for example, freeze your application with something
> like SoftICE[1] and read the SYSDBA password from its memory space.
>
> [1] http://en.wikipedia.org/wiki/SoftICE
>
> There are many other similar tools, and even if you detect them all, he
> can still run your program in a virtual machine using something like
> VirtualBox, freeze the image, dump its RAM to disk and analyze it as
> much as (s)he wants. In short: physical access = no security.
>
> The only question is time. Can you make it so hard that he would need to
> spend too much time and it simply isn't worth it?
>
> --
> Milan Babuskov
> http://www.flamerobin.org
> http://www.guacosoft.com
>
>
Specialized Business Software attempts to sweep harmful content (e.g. viruses) from e-mail and attachments, however we cannot guarantee their safety and can accept no liability for any resulting damage. The recipient is responsible to verify the safety of this message and any attachments before accepting them.