• (cs) in reply to GrandmasterB
    GrandmasterB:
    What?:
    I don't see the WTF. Of course it's insecure. It's just obfuscation. If someone looks over the developer's shoulder, he won't be able to read the password. If he gets the source, he can get the password anyway by just using exactly the same decryption function the program uses. So where's the WTF?

    The doit(), printit(), etc. function names are more WTF-worthy than the obfuscation. If the intention is to keep casual browsers of the .exe file from seeing the connection string, the simple encoding will do the trick. Will it keep the KGB out? No. Is it the best text-book way to do it? No. But is it enough to keep curious employees and the run-of-the-mill IT drones from seeing the connection info? Most likely. Like you said, it's obfuscation, and as long as the programmer realizes what that is and isn't, there are times and places for it.

    There is NEVER a time and place for this. Put your connection string in a separate ini file (or .config file) and only give read access to the limited functional user account that runs your service.
  • Fred (unregistered) in reply to iMalc
    iMalc:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();

    You forgot the most important bit of all, the function you call to terminate the program:

    ahf*uckit();

    You don't have to quote a whole page of a long comment, you could, you know, just take a couple of lines and your readers would still have enough context...

  • Gordon (unregistered) in reply to Fred
    Fred:
    iMalc:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();

    You forgot the most important bit of all, the function you call to terminate the program:

    ahf*uckit();

    You don't have to quote a whole page of a long comment, you could, you know, just take a couple of lines and your readers would still have enough context...

    Look, he missed one line. Can't believe he did it manually.

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();
  • Herby (unregistered) in reply to Bennett
    Bennett:
    Reminds me of that Daft Punk Song

    Buy it, use it, break it, fix it, Trash it, change it, mail, upgrade it, Charge it, point it, zoom it, press it, Snap it, work it, quick erase it, Write it, cut it, paste it, save it, Load it, check it, quick rewrite it

    hahaha

    C - O - M - C - A - S - T

    Just like the commercial they are running now. Or at least that's what it reminds me of. Of course, I feel like barfing when I see the commercial, but that is the way it goes.

  • JV (unregistered)

    At least they tried to encode it; when I started, they simply put the passwords in plaintext in the code and used the administrator account with full privileges.

    And for those who haven't used a hex-editor on an exe: plain text passwords can be retrieved from there with little difficulty.

    But we are making progress: we're not using one password for all protections anymore.

  • Boo (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();

    fuckit();

  • Worker Bee (unregistered) in reply to Anon Ymous
    Anon Ymous:
    ...Password=WEB456...
    Ah, so that's where we finally get to the real WTF...
  • Acolyte (unregistered) in reply to Worker Bee

    Not quite. I used to work for an ISP. One day, for curiosity's sake, I checked the login/mail passwords of all clients. About 10% of all of them (there are 3,000+ users) were '12345' or username+'123'.

    The tech guys that give default passwords to clients during installation of hardware had used this password for ages, before I came to work there. Lazy clients never changed it. So we agreed for them to use a more random one. I checked a few days later and there it was:

    '123456' and username+'1234'

    Now that's extra security.

    Days later, I fixed the code and inserted a password generator and some nasty rules (no username in password, min 3 chars and 4 digits in it etc.).

    Now everybody else was screaming about it but it made me happy :)

  • Dlareq (unregistered) in reply to SuperSecure
    SuperSecure:
    TRWTF is "Password=WEB456"

    Now that is secure, lightyears beyond "12345".

    Now excuse me while I go change the combo lock on my luggage.

    You're no president....

  • (cs)

    UseIt(); BreakIt(); BuyIt(); FixIt(); WhoDoYouThinkYouAre();

    hides face in shame

  • What? (unregistered) in reply to Acolyte

    "I used to work for an ISP. One day, for curiosity sake, I checked login/mail passwords of all clients."

    Checked? How? If I'm not mistaken, they should not be kept in any format where you can simply check them...

  • (cs) in reply to What?

    Indeed. Hashes should always be used.

  • O_o (unregistered) in reply to Eureka

    Driller, don't.

  • Paula (unregistered)

    brillantIt(first);

  • Zapp Brannigan (unregistered) in reply to Acolyte
    Acolyte:
    Days later, I fixed the code and inserted a password generator and some nasty rules (no username in password, min 3 chars and 4 digits in it etc.).

    Now everybody else was screaming about it but it made me happy :)

    Our network group also tightened password restrictions, so now everyone keeps their password on a post-it-note on their monitor.

  • Zapp Brannigan (unregistered) in reply to JV
    JV:
    At least they tried to encode it; when I started, they simply put the passwords in plaintext in the code and used the administrator account with full privileges.

    And for those who haven't used a hex-editor on an exe: plain text passwords can be retrieved from there with little difficulty.

    But we are making progress: we're not using one password for all protections anymore.

    So when the password changes in 30, 60, 90 days you have to recompile the .exe?

  • Untouchable (unregistered)

    Once, when debugging a system that had been deployed months ago, I noticed that most of the users had the same password (they were hashed, but I could see the hash was the same). It took me like 5 tries to figure out what that password was (the name of the company, that was probably chosen by the admin as the default password). I notified the admin of the application about the fact that many of the passwords were the same (but spared him of the fact that I could figure it out), and he said he would make people change the password. Months later, nothing changed.

    In the next system I made for that company, I added the username to the salt before hashing the password. At least I had the false sense of more security. Well, I also removed from the admin the option to allow people not to change the password on first login, but I feel my sense of security comes from the new salt.

  • Patrick (unregistered) in reply to Gordon
    Gordon:
    look, he missed one line. Can't beleive he did it manually.
    HAHA, yeah, search and replace missed 8. Thought I got them all.
  • MB34 (unregistered) in reply to bjolling
    bjolling:
    There is NEVER a time and place for this. Put your connection string in a separate ini file (or .config file) and only give read access to the limited functional user account that runs your service.

    Actually, in Delphi, he should have set the ConnectionString property of the conn TADOConnection control. Any decent hacker would be able to get to that connection string with no problem either by going through the algorithm or by using a resource editor and looking at the DFM code that would contain the connection string in the control's property.

  • Acolyte (unregistered) in reply to Thief^
    Thief^:
    Indeed. Hashes should always be used.

    MS-CHAP2 likes clear text passwords, so they kept them in database. M$-thing and security.

  • (cs) in reply to david
    david:
    alegr:
    I've been running as a Limited User since Windows 2000 days. No problems whatsoever.

    How you managed this I cannot imagine. Yesterday I was unable to even install the current release of Flash player on a limited-user XP box. Most users in this situation would just continue to run with the old Flash player.

    An unpatched Flash player with known and easily exploitable vulnerabilities is the single most dangerous thing to have on a computer (with the possible exception of what's between chair and keyboard).

    Personally, having seen limited-user accounts repeatedly fail to repel any nasties, and prevent the installation of essential updates, I think they are a liability not an asset.

    How about logging on as Administrator to update Flash, Acrobat and other crap? This is what the Administrator account is for: for performing administrative tasks.

  • (cs) in reply to What?
    What?:
    "I used to work for an ISP. One day, for curiosity sake, I checked login/mail passwords of all clients."

    Checked? How? If I'm not mistaken, they should not be kept in any format where you can simply check them...

    Dialup and PPPoE use CHAP for authentication. For CHAP, you have to keep plaintext passwords on the server side, unfortunately.

  • (cs) in reply to Acolyte
    Acolyte:
    Thief^:
    Indeed. Hashes should always be used.

    MS-CHAP2 likes clear text passwords, so they kept them in database. M$-thing and security.

    Go back to slashdot.

    Original PPP CHAP (non-MS) and MS-CHAP1 require the plaintext password.

    MS-CHAP2 can use password's hash for hashing the challenge.

  • Airhead (unregistered) in reply to Untouchable
    Untouchable:
    In the next system I made for that company, I added the username to the salt before hashing the password. At least I had the false sense of more security. Well, I also removed from the admin the option to allow people not to change the password on first login, but I feel my sense of security comes from the new salt.

    My current system has a random salt string in the database for each user. The salt is changed each time the user changes the password, so even if the user "changes" the password to be exactly the same as before, the hash is changed.

  • Buddy (unregistered) in reply to Zapp Brannigan
    Zapp Brannigan:
    Acolyte:
    Days later, I fixed the code and inserted a password generator and some nasty rules (no username in password, min 3 chars and 4 digits in it etc.).

    Now everybody else was screaming about it but it made me happy :)

    Our network group also tightened password restrictions, so now everyone keeps their password on a post-it-note on their monitor.
    LOL - for real! Seen it, done it, doing it...

  • (cs) in reply to A. Nonny Moos
    A. Nonny Moos:
    snoofle:
    I might try offsetting by one, two or even three characters to decode it, but fifteen!? Now *that's* secure!

    Secure? That's nothing. At my place of work, we go the added mile. First we offset by 37 characters, note that it's a prime offset. Then we do a reverse offset of 61 characters, again a prime offset. Finally, to mislead the potential hackers and confuse them even further, we do a third offset of 24 characters - a non-prime offset this time. This has them pounding their heads against their keyboards.

    That won't work, they'll end up with what they started with! What rubbish security!

  • anon (unregistered) in reply to jonnyq
    jonnyq:
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); start_formatit();

    We have a winner! Please collect your prize!

    damnit();

  • m0ffx (unregistered) in reply to david
    david:
    alegr:
    I've been running as a Limited User since Windows 2000 days. No problems whatsoever.

    How you managed this I cannot imagine. Yesterday I was unable to even install

    Installing != running. You install stuff as Administrator, you don't run as it all the time.

    Zapp Brannigan:
    Our network group also tightened password restrictions, so now everyone keeps their password on a post-it-note on their monitor.
    Which IMHO isn't so bad. Your building security should stop random joes walking around the office, and remote hackers can't read that post-it. You probably are still more secure than with weak passwords.
    Airhead:
    My current system has a random salt string in the database for each user. The salt is changed each time the user changes the password, so even if the user "changes" the password to be exactly the same as before, the hash is changed.
    The user shouldn't be allowed to do a null password change, and the system you've created means you can't stop that.
  • IMSoP (unregistered) in reply to m0ffx
    m0ffx:
    The user shouldn't be allowed to do a null password change

    Why not? There was no mention of expiry, only that the password was resalted when changed by the user.

    and the system you've created means you can't stop that

    Anyway, yes you can: if hash(old_password + old_salt) == hash(new_password + old_salt) then show_unchanged_password_message() else save_password(hash(new_password + new_salt))
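
The per-user random salt Airhead describes, combined with IMSoP's "verify the candidate under the old salt" check above, as an added example that is not code from the thread. It assumes a constructed in-memory user table and uses PBKDF2-HMAC-SHA256 in place of the thread's plain `hash(password + salt)`; it also shows Untouchable's observation that, with per-user salts, two users sharing a password no longer share a hash.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the database: username -> (salt, password_hash).
USERS: dict[str, tuple[bytes, bytes]] = {}

ITERATIONS = 100_000  # assumed work factor; raise for production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; replaces the thread's hash(password + salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(username: str, password: str) -> None:
    """Store a fresh random salt and the hash under it (Airhead's resalt-on-change)."""
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Check a login attempt against the stored salt and hash, in constant time."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, hash_password(password, salt))


def change_password(username: str, old_password: str, new_password: str) -> str:
    """Returns 'bad_old', 'unchanged' or 'ok'.

    IMSoP's check: hash the candidate under the OLD salt and compare it with the
    stored hash. Only if it differs do we store it under a NEW salt.
    """
    if not verify(username, old_password):
        return "bad_old"
    old_salt, stored = USERS[username]
    if hmac.compare_digest(stored, hash_password(new_password, old_salt)):
        return "unchanged"  # null change rejected without ever storing plaintext
    set_password(username, new_password)
    return "ok"


def hashes_identical(user_a: str, user_b: str) -> bool:
    """Untouchable's tell: same-password users are only spottable without per-user salts."""
    return USERS[user_a][1] == USERS[user_b][1]


if __name__ == "__main__":
    # Constructed scenario: the admin hands everyone the company name as a default.
    for user in ("alice", "bob"):
        set_password(user, "AcmeCorp")
    print("alice/bob hashes identical:", hashes_identical("alice", "bob"))
    print("null change:", change_password("alice", "AcmeCorp", "AcmeCorp"))
    print("real change:", change_password("alice", "AcmeCorp", "correct horse"))
    print("old password still works:", verify("alice", "AcmeCorp"))
```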

  • omgoral (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();

    Thank you for the program code, will appear in next release of software package. Is attribution sufficient or are license fees involved?

  • karate kid (unregistered)

    for waxing in "on" "off" do wax( waxing ) done

  • aoiedrns (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); breakit(); fixit(); Trashit(); changeit(); mail_upgradeit(); Chargeit(); pointit(); zoomit(); pressit(); Snapit(); workit(); quick_eraseit(); Writeit(); cutit(); pasteit(); saveit(); Loadit(); checkit(); quick_rewriteit(); Plugit(); playit(); burnit(); ripit(); Draganddropit(); zip_unzipit(); Lockit(); fillit(); callit(); findit(); Viewit(); codeit(); jam_unlockit(); Surfit(); scrollit(); pauseit(); clickit(); Crossit(); crackit(); switch_updateit(); Nameit(); rateit(); tuneit(); printit(); Scanit(); sendit(); fax_renameit(); Touchit(); bringit(); Payit(); watchit, Turnit(); leaveit(); start_formatit();

    Hahaha, awesome, exactly what went through my head when I read the article.

    Blue, please!

  • aoiedrns (unregistered) in reply to Anon
    Anon:
    WorkIt(harder); MakeIt(better); DoIt(faster); MakesUs(stronger);

    MoreThan(ever); Hour_After(hour);

    for ($our_work = 0,$our_work = 0,our_work++) { WorkIt(harder); MakeIt(better); DoIt(faster); MakesUs(stronger); }

    Great stuff, this is hilarious... needs to be blue as well!

    Though, I had to think about the for-loop for a second, before I got it... excellent!

  • Bob (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....

    Buyit(); useit(); [...] start_formatit();

    ...

    profit()

  • Piskvor (unregistered) in reply to WayneCollins
    WayneCollins:
    Have you tried running Windows XP as a non-administrator?
    Yes. Up-to-date XP SP3 w/ AV, limited user account, no problems whatsoever. Really old stuff goes through DOSBox, newer has LUA-aware replacements. With SudoWin, no problems - I only need to elevate my privileges about 1x a week (this is my dev box, 1 year so far).

    Tried Vista on the new box, ran away screaming ("Yes, yes, okay, okay, okay, OKAY, I DO want to do that! Just stop asking me and DO IT already, you pathetic excuse for an angry fruit salad!").

  • Joe (unregistered)

    Not the best Delphi code in the world, but it may have been written for a reason. You can open an executable in an editor and look for readable code. If the connection string (including password) were readable, you could easily find it and hack the database. By encrypting the connection string this is not so easy anymore.

  • JV (unregistered) in reply to Zapp Brannigan
    Zapp Brannigan:
    JV:
    At least they tried to encode it; when I started, they simply put the passwords in plaintext in the code and used the administrator account with full privileges.

    And for those who haven't used a hex-editor on an exe: plain text passwords can be retrieved from there with little difficulty.

    But we are making progress: we're not using one password for all protections anymore.

    So when the password changes in 30, 60, 90 days you have to recompile the .exe?

    The passwords are only there to activate some configurable settings. My boss never changes the passwords. It would make things too difficult for him and his technicians. Our main software protection is a USB dongle key; without it our software is useless.

  • rcc (unregistered)

    I guess it's valid for Delphi too that you can see the clear strings in the exe when opening it with any hex viewer. So if the connection string contained the DB login data, then I find it completely understandable.

  • TravisO (unregistered) in reply to Patrick
    Patrick:
    I can just imagine the main function of the app now....
    I love that Daft Punk song, although I don't think anybody else here got your joke.

    PS: If you really typed that out, you're a maniac.

  • CaptObvious (unregistered)

    worthIt(); workIt(); putMyThingDown(); flipIt() && reverseIt();

  • Matt (unregistered)

    The sad thing is, probably the connection string was originally in plain text. But then a superior said, "It's bad design to put it right there in the program..." So instead of a configuration file, we get...

Leave a comment on “That Kind of Security”
