Thread: Security?

  1. #1

    Thread Starter
    Registered User
    Join Date
    Nov 2002
    Location
    Växjö, Sweden
    Posts
    314

    Security?

    A thread in another forum raised a couple of questions for me.... as no resolution to that thread has come, I thought it would be good to see if someone here knows.

    If you create an application, package it and distribute it, and then open the .exe file in notepad, you will be able to read all kinds of text from your code. For example I made a program that connected to a SQL server to do some updates and I found the complete connection string with password and all in notepad (not good =).

    I guess this has to do with the JIT-compiler step. The exe of a .NET application does not contain native code but IL-code to be compiled at runtime....

    Anyone know a way around this?
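
Added example (not part of the original thread): a pre-release check for the problem described in the post above, scanning a built binary for connection-string credentials. It looks for both plain ASCII runs and UTF-16LE runs, because .NET keeps string literals as UTF-16 in the assembly's metadata. The sample blob, server name and password in it are constructed for illustration.

```python
import re

MIN_LEN = 6  # shortest printable run worth inspecting

# Keys that carry a credential in an ADO.NET-style connection string.
SECRET_KEYS = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;\s\"']+)")

# Printable ASCII runs, and the same characters stored as UTF-16LE
# (each printable byte followed by a zero byte).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_embedded_credentials(data: bytes):
    """Return one finding per credential key seen in the binary.

    Only the length of the value is reported, so the secret itself
    does not end up in build logs.
    """
    findings = []
    for offset, encoding, text in extract_strings(data):
        for m in SECRET_KEYS.finditer(text):
            findings.append({
                "offset": offset,
                "encoding": encoding,
                "key": m.group(1).lower(),
                "value_len": len(m.group(2)),
            })
    return findings


def scan_file(path: str):
    """Scan a built .exe or .dll on disk."""
    with open(path, "rb") as fh:
        return find_embedded_credentials(fh.read())


# Constructed sample: a fake header, then a literal as .NET would store it.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "Server=db01;Database=orders;User Id=app;Password=CONSTRUCTED-pw;".encode("utf-16le")
    + b"\x01\x02" + b"no secrets in this run" + b"\x00\x03"
)
```

Run `scan_file` against the release build and fail the build when it returns any finding.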

  2. #2
    Your Ad Here! Edneeis's Avatar
    Join Date
    Feb 2000
    Location
    Moreno Valley, CA (SoCal)
    Posts
    7,339
    http://www.preemptive.com/

    There is an Obfuscator, a partial copy of which will be in the next version of VS.NET. You can also store all important information in an encrypted external file instead.

  3. #3

    Thread Starter
    Registered User
    Join Date
    Nov 2002
    Location
    Växjö, Sweden
    Posts
    314
    Ahh, ok. Thanks.

    Storing in an encrypted file is what I do now, but it's extra work.

    /Leyan

  4. #4
    Lively Member adsc's Avatar
    Join Date
    Nov 2002
    Location
    Kuwait
    Posts
    71
    This is a very important question, since a big part of passwords are included; of course most of us store their hard coded passwords in their programs.

    I remember we discussed something about security in the course before, that .NET has something called a "Key" to be added in the package setup, and can contain any important information, the work of this key is to encrypt all its information and it will be used within the package only, no one else can read it.

    I don't remember the steps exactly, I need to check it out.
    <><><><><><><><><><><><><><><><><><>
    <><> REMEMBER,,,,KNOWLEDGE IS POWER <><>
    <><><><><><><><><><><><><><><><><><>

  5. #5
    Your Ad Here! Edneeis's Avatar
    Join Date
    Feb 2000
    Location
    Moreno Valley, CA (SoCal)
    Posts
    7,339
    Yes please do, as I have been wondering about the use of key files.

  6. #6
    Hyperactive Member
    Join Date
    Feb 2002
    Posts
    261

    Re: Security?

    Originally posted by Athley
    A thread in another forum raised a couple of questions for me.... as no resolution to that thread has come, I thought it would be good to see if someone here knows.

    If you create an application, package it and distribute it, and then open the .exe file in notepad, you will be able to read all kinds of text from your code. For example I made a program that connected to a SQL server to do some updates and I found the complete connection string with password and all in notepad (not good =).

    I guess this has to do with the JIT-compiler step. The exe of a .NET application does not contain native code but IL-code to be compiled at runtime....

    Anyone know a way around this?
    Actually, that's not really a VB.NET thing! Even in VB6, if you hard-code a string, you can read it back through notepad.

  7. #7
    PowerPoster hellswraith's Avatar
    Join Date
    Jul 2002
    Location
    Washington St.
    Posts
    2,464
    I always thought it was bad practice to include your passwords in the exe itself. This means if you need to change the password, you would need to recompile the app and distribute again. Not very efficient. Sometimes it is better to code a little more in the beginning to solve these types of things, otherwise you will spend more time later trying to fix them.

    Just remember, a hacker/cracker (whatever you want to call them) can find these passwords and such in any app. The only thing you can do is make it harder for them. Your goal is to make it hard enough that it isn't worth their time. But some just have all the time in the world...lol. Also, you should have ways to solve the problem if the password does get hacked. You should have a system in place that allows you to change the password whenever you need to.

  8. #8

    Thread Starter
    Registered User
    Join Date
    Nov 2002
    Location
    Växjö, Sweden
    Posts
    314
    Truly spoken Hellswraith. Looks like encrypted file is the solution.

    Thanks guys!

    /Leyan

  9. #9
    Your Ad Here! Edneeis's Avatar
    Join Date
    Feb 2000
    Location
    Moreno Valley, CA (SoCal)
    Posts
    7,339
    Here is my question though, I use an encrypted file with any important file info but where do you put the encryption key? I have been doing this and just hard coding the key in the app but when using a string based key it could still be spotted in notepadded code. I haven't really checked out what options I have yet, but it seems like there should be a better way.

  10. #10
    Hyperactive Member
    Join Date
    Feb 2002
    Posts
    261

    Re: Security?

    Originally posted by Athley

    If you create an application, package it and distribute it, and then open the .exe file in notepad, you will be able to read all kinds of text from your code. For example I made a program that connected to a SQL server to do some updates and I found the complete connection string with password and all in notepad (not good =).

    Anyone know a way around this?
    Actually, I just thought of something. If you're storing the password info in your program, why would a hacker even need to go through the trouble of opening your app in notepad (or a disassembler)? They could just use your program to access whatever info they want from the SQL server.

    Your users should enter the password whenever they use your app. That's the only secure way I can think of!

  11. #11
    Lively Member adsc's Avatar
    Join Date
    Nov 2002
    Location
    Kuwait
    Posts
    71
    Leaving the ball in the users' hands will even make it worse, because not all the users are in the same level of feeling responsibilities, meaning you can’t count on them, especially when it comes to passwords.

    I dealt with some users who don’t care if others know their password and some of them do a fane thing like (when they type the password they type it click by click using one finger !!!!) as if they are telling the customer who is in front of them PLEASE TAKE MY PASSWORD!

    What I was doing before moving to .NET and VB6, in Clipper when I need to hardcode my password I don’t type it like this: “mypassword”, no, I used to collect the characters using the ASCII codes like (Char(12) + Char(11) + Char(3) etc..)
    This way even if someone opened the .EXE file they will not find/notice it.

    In .Net I don't know how I'll do it, I didn't think about it because they have some feature I could use, and if not, maybe I'll use my old way.

    Yes, I forgot to add this: when storing the passwords in the database, Never Ever store it as it is, easy to read. No, encrypt it, adding some other letters to it.

    HTH
    <><><><><><><><><><><><><><><><><><>
    <><> REMEMBER,,,,KNOWLEDGE IS POWER <><>
    <><><><><><><><><><><><><><><><><><>

  12. #12
    Hyperactive Member
    Join Date
    Feb 2002
    Posts
    261
    Originally posted by adsc
    I dealt with some users who don’t care if others know their password and some of them do a fane thing like (when they type the password they type it click by click using one finger !!!!) as if they are telling the customer who is in front of them PLEASE TAKE MY PASSWORD!
    Well, umm..

    If you're storing the password anywhere and auto-authenticating the user, this program is too easy to hack (would a hacker be able to just use your program to access the database? Would a hacker be able to modify the SQL statements with a HEX-editor to read/delete whatever he wants? If so, he wouldn't even need the password.)

    Now that I think of it, I wonder how many millions of dollars Microsoft wasted on their 'product activation' feature on Windows XP? People cracked that within a couple of weeks after WinXP was released! I guess there's nothing you can do against a determined hacker!

  13. #13
    PowerPoster hellswraith's Avatar
    Join Date
    Jul 2002
    Location
    Washington St.
    Posts
    2,464
    Now that I think of it, I wonder how many millions of dollars Microsoft wasted on their 'product activation' feature on Windows XP? People cracked that within a couple of weeks after WinXP was released! I guess there's nothing you can do against a determined hacker!
    Sure, but how many people bought legit versions of XP just because of the activation feature...probably way more than a couple million it took to design and implement the activation feature. In my book, it was a success. After SP1 for XP, all those that had a cracked version suddenly had a shock because those keys had been banned. I bet that even turned a lot of people to actually buying it. The activation feature did what it was supposed to do, sell more copies.

  14. #14

    Thread Starter
    Registered User
    Join Date
    Nov 2002
    Location
    Växjö, Sweden
    Posts
    314
    I think I just have to face it, the security is not as good as I want it to be. Nothing we can do anything about but to make it as hard as possible for the hackers I guess, as Hellswraith suggested.

  15. #15
    Lively Member adsc's Avatar
    Join Date
    Nov 2002
    Location
    Kuwait
    Posts
    71
    You can't make 100% security, but companies keep working on implementing security in different ways (Encryptions, Dongles, Bad Sectors on CD’s or FDD, etc..), all these don’t stop the hackers; no, I think this was ENCOURAGING them to find ways to break the new security methods because in fact it is a (Challenge).

    But also you can’t make an application without at least some security (open application), we should keep the security because this maybe will not stop them from breaking the system but it will delay the (Professionals) and stop the (Beginners).

    Don’t you agree with me?
    <><><><><><><><><><><><><><><><><><>
    <><> REMEMBER,,,,KNOWLEDGE IS POWER <><>
    <><><><><><><><><><><><><><><><><><>

  16. #16

    Thread Starter
    Registered User
    Join Date
    Nov 2002
    Location
    Växjö, Sweden
    Posts
    314
    I most definitely agree with you, we should try to make our software as safe as it demands.
