Re: The SA Mess
From: Russell Stevens (rustyprogrammer_at_online.nospam)
Date: 03/18/05
- Next message: DavidH: "Re: SQL Ports Open to questionable Remote address"
- Previous message: Mike Epprecht \(SQL MVP\): "Re: The SA Mess"
- In reply to: Mike Epprecht \(SQL MVP\): "Re: The SA Mess"
- Next in thread: Ross Presser: "Re: The SA Mess"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Mar 2005 20:01:07 -0500
Mike,
<<If the DB password is hard coded in your application, any 1/2 geek with 3
minutes of access to the .EXE will figure out the password.>>
The password and user id are encrypted, stored in a config file. The windows
app reads it then must decrypt it to create a connection string. A hacker
with access to the machine could get it with a debugger but then, he has the
machine anyway <g>. The app is obfuscated. The hacker can't get it going
down the wire, he can't get it out of the config file, and it would be
pretty difficult to get out of machine memory - he would have to find where
it is decrypted - doable, but I think it will take more than 3 minutes....
But that also applies to any password whether it is the one you are
connecting to a firewall with, connecting to a web server with, etc. (I read
today that Microsoft is getting away from passwords in the next OS).
<< look at a middle tier, and use something like HTTPS and web services to
supply functionality to your application.>>
SSL is used for sensitive stuff. Another layer (web service) is getting
pretty deep - ie - a VB6 app talking to an Access db on the local network is
pretty hot. Shift to .NET talking to a SQL db on the local network, and you
have a dog (not due to SQL). Put the db on a remote server and you have a
sick dog. Go through a web service on top of all of that, and you probably
have a dead dog (in addition to having to rewrite your app).
Anyway, maybe we are off topic here - the same problem exists on the LAN
even without the Internet. Why should a hacker on the local network be able
to attempt to sign on as sa (or any other login) 10 million times in a row
trying different passwords? Does anyone think that is a good design <g>?
Thanks
Russ Stevens
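The post's closing complaint is that nothing stops a host on the LAN from trying passwords against sa indefinitely. Where the server does not lock the login out itself, the defender's fallback is to watch the failed-login records and raise an alert when one client hammers one login. The following is an added example, not code from the original thread: it parses "Login failed for user" lines in the format SQL Server writes to its errorlog and flags any (client, login) pair whose failures within a sliding window reach a threshold. The log lines, the threshold of 5 and the 60-second window are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, modelled on the SQL Server errorlog format
# (the "Error: 18456" line carries no user or client, only the following
# "Login failed" line does, so the parser keys on that one).
SAMPLE_ERRORLOG = """\
2005-03-17 20:01:07.12 Logon       Error: 18456, Severity: 14, State: 8.
2005-03-17 20:01:07.12 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2005-03-17 20:01:09.45 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2005-03-17 20:01:11.03 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2005-03-17 20:01:12.77 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2005-03-17 20:01:14.21 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2005-03-17 20:01:15.90 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.50]
2005-03-17 20:03:30.00 Logon       Login failed for user 'appuser'. [CLIENT: 192.168.1.20]
2005-03-17 20:05:30.00 Logon       Login failed for user 'appuser'. [CLIENT: 192.168.1.20]
2005-03-17 20:06:00.00 spid51      Starting up database 'Sales'.
"""

# Timestamp (without the fractional seconds), login name and client address.
LOGIN_FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(errorlog_text):
    """Yield (timestamp, user, client) for every failed-login line; other lines are skipped."""
    for line in errorlog_text.splitlines():
        m = LOGIN_FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("user"), m.group("client")


def detect_bruteforce(errorlog_text, threshold=5, window_seconds=60):
    """Return [(client, user, peak_failures_in_window)] for pairs that reach the threshold.

    A sliding window is used rather than a fixed bucket so that a burst straddling
    a minute boundary is still counted as one burst.
    """
    by_key = defaultdict(list)
    for ts, user, client in parse_failed_logins(errorlog_text):
        by_key[(client, user)].append(ts)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (client, user), times in by_key.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Advance the window start until every event inside it is within the window of t.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((client, user, peak))
    return alerts


if __name__ == "__main__":
    for client, user, count in detect_bruteforce(SAMPLE_ERRORLOG):
        print(f"ALERT: {count} failed logins for '{user}' from {client} within 60s")
```

On the sample, the six rapid failures for sa from 192.168.1.50 produce one alert, while the two appuser failures two minutes apart do not. In practice the same logic is fed from the errorlog or the security event log on a schedule, and the alert is what feeds a firewall rule or an administrator rather than the server locking the login on its own.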