'hack' test results

David Kwinter dk42 at mac.com
Sun Apr 21 02:34:01 EDT 2002 

I'm wondering if there any specific security concerns with respect to 
communication using sockets. In my program I have a basic math algorithm 
that scrambles a username/password in different ways, each expiring 
after use. Without this the server ignores requests received. Is this 
justified, could these messages be intercepted? Another technique which 
I question the security of is the possibility for someone being able to 
fudge someone else's ip in the format 24.255.255.0|775158599 in a 
request (which I also look for to validate them).

As far as I can tell the authentication seems solid, but any bug could 
be disastrous.

Also, is there a way to ignore IP's at any level above the RunRev 
environment? (to prevent flooding)

Thanks for any input, and I apologize if I've overlooked this topic 
earlier on the list.

David Kwinter

> John,
>
> Suppose if you have an application that can load any stack that you 
> issue
> "lock messages" before opening the stack. This way, the opened stack 
> won't
> get any messages to start hacking the app. This is a pretty secure way 
> to
> go, IMHO.
>
> Ken Ray
> Sons of Thunder Software
> Email: kray at sonsothunder.com
> Web Site: http://www.sonsothunder.com/
>
> ----- Original Message -----
> From: <JohnRule at aol.com>
> To: <use-revolution at lists.runrev.com>
> Sent: Saturday, April 20, 2002 12:23 PM
> Subject: 'hack' test results
>
>
>>> The only data they should be seeing is the data I want
>>> to show to them.  Other data is all in hidden fields.
>>> Could you be more verbose?
>>
>>
>> I just did another 'hack' test...with MCRipper this time:
>>
>> http://www.inspiredlogic.com/mc/ripper.html
>>
>> It cannot 'rip' password protected stacks (at least I couldn't get it 
>> to)
> so
>> that is a relief.
>>
>> MCRipper will 'rip' invisible objects (including any text or scripts) 
>> even
> if
>> the stack is password protected. So the conclusion...any information in
> text
>> fields (even hidden fields) is not totally safe.
>>
>> Solution:
>>   Load the information from the field into a variable...then delete the
> text
>> from the field. You are still susceptable to any 'prying' if you give 
>> the
>> users the capability to load any stack (i.e. I could load a stack that
>> searches all variables). You may have to go so far as to binaryConvert
> your
>> data to/from the variable, and even further encryption for 110% 
>> protection
>> (maybe break the data into pieces, and put it into multiple 
>> variables). I
>> wish we didn't have to worry about this...it kind of kills the 
>> 'creative'
>> juices.
>>
>> MCRipper looks like a useful tool actually (I think the authors 
>> intentions
>> are honest)...nice work!
>>
>> I wonder if I can 'rip' MCRipper...hmmm.
>>
>>
>> JR
>> _______________________________________________
>> use-revolution mailing list
>> use-revolution at lists.runrev.com
>> http://lists.runrev.com/mailman/listinfo/use-revolution
>>
>
>
>
>
> _______________________________________________
> use-revolution mailing list
> use-revolution at lists.runrev.com
> http://lists.runrev.com/mailman/listinfo/use-revolution
>

More information about the use-livecode mailing list