#80379 - 2001-09-04 08:17 PM
Re: Source file encryption
|
Anonymous
Anonymous
Unregistered
|
RE: Passing passwords to scripts as command line arguments.Unfortunately, users' login scripts are considered "public" information by NT. Despite the fact that this information is stored with the user's account in the domain SAM, ANYONE could view the password argument. Check it out from the command line: net user <username> /domain This procedure would be useful, say, to provide an admin password to use with su.exe. However, any password made visible to the user's security context would be visible to the user, regardless of whether that password were passed as a command line argument, or if it were contained in a file. Again, strong encryption is the only possible solution. Decryption should be handled inside the script, so that it executes in the client's memory space & not transmitted clear text over the network.
|
Top
|
|
|
|
#80385 - 2001-09-13 02:00 PM
Re: Source file encryption
|
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
|
If your users can do "memory attacks", seems that they already have the admin password, no ? I thought about a ramdrive style protection : an exe using a place only in memory to uncompress/store script, and which can be destruct when asked (and if script abort), so nothing can be get. On the other hand, the exe doing all this stuff must : 1) encrypt the added files it store within, or compress it with a modded header (if some players here looked to the old Diablo mpq files, it's nothing else than zip type with another header. Same things with Diablo 2 and Starcraft. Ok, everything is done with an external dll, but at this point, you can have it in the exe)2) it won't allow to "extract" files to change some things within, but only execute them. 3) A "builder" must me created, as it will be needed to create the exe with the specified file, and the command the exe will run 4) find someone to create a such thing Advantage of this one is that it would be completly independant of any scripts language That was my € 4 cents A last thing : before thinking about the size, it should be interesting to see what size it show after an UPX (exe compressor, with an incredible rate. 2 Mb => 150 kb) [ 13 September 2001: Message edited by: Popovk ]
_________________________
? getobject(Kixtart.org.Signature)
|
Top
|
|
|
|
#80386 - 2001-09-13 02:53 PM
Re: Source file encryption
|
Richard H.
Administrator
Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
|
No, you don't have to have the administrator password.If you have a robust operating system which will allow a process to allocate a private area of memory and place security controls on it so that no other process can read it even if the process is spawned by the same user, then you are safe from memory scanning. Unless your smart user forces a crash and preserves a swap file with the information in it of course. If your operating system won't allow this then the memory (including RAM drives) can be read, and possibly changed. The other problem is, if I can read the program I can take a copy to another computer which I have complete control over and fiddle to my heart's content. A quick search at www.download.com gave me WinHack and MemoryBrowser, both of which will allow you to browse your local PC memory and RamDump which will dump the contents so you can play with it off-line. Of course you need to be quite a sophisticated user to think about cracking the encryption that way, or using a debugger to step through the code and interrogate internal buffers. You need to decide whether you simply want to deter accidental disclosure of passwords and the script code, or if you need a highly secure solution.
|
Top
|
|
|
|
#80387 - 2001-09-13 04:17 PM
Re: Source file encryption
|
Les
KiX Master
Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
|
I realize that since KIX is an interpreter and doesn't run compiled code, a good portion of the script would have to be unencrypted and buffered in memory. This leaves the code vulnerable to any memory ripping. Passing of some passwords will allways be too risky. One needs to weigh the risk and decide for themself. If the password only gets you local admin rights, the risk may be worth taking, maybe not. FE, If I stole my HR manager's laptop, got local admin rights, and scoured the HD for say, union negotiations... well, you get the picture.While safeguards could be put in place to test whether KIX is running from logon, whether the speed of execution is reduced by an external debugger, etc., these too could be overridden by a good hacker. I think what is needed is a server-side service that the client-side service sends security requests to.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
|
Top
|
|
|
|
#80388 - 2001-09-13 09:59 PM
Re: Source file encryption
|
Alex.H
Seasoned Scripter
Registered: 2001-04-10
Posts: 406
Loc: France
|
I think you're asking too much. You have users, not hackers. You are speaking of good (great) user that clearly looking for damaging your company. Even if password is encrypted, it won't stop them at this point
_________________________
? getobject(Kixtart.org.Signature)
|
Top
|
|
|
|
#80392 - 2001-09-14 04:54 AM
Re: Source file encryption
|
Anonymous
Anonymous
Unregistered
|
Perhaps, if it would help, we could have a poll for this feature. I asked about source encryption a while back... so I obviously would like it. Just my 2¢...
|
Top
|
|
|
|
Moderator: Lonkero, ShaneEP, Jochen, Radimus, Glenn Barnas, Allen, Ruud van Velsen, Mart
|
1 registered
(Allen)
and 496 anonymous users online.
|
|
|