|
Yeah, actually that problem has been in my head for a long time.
For now I don't know what would happen if they copy the config file, then create their own project to read the app.config and show the real string. Maybe that is possible, but I don't have time to test it for now.
BTW, what would you suggest to protect the connection string while the client doesn't have an internet connection?
Any advice?
Thank you.
|
|
|
|
|
You can't hide anything from the user. A user can debug your program, or run it through an emulator, or disassemble it and step through it mentally. "Anti-debugging" tricks don't change that - you can choose different code paths but the user can override it, you can have sneaky behaviour depending on self modifying code and so on, but the user can see right through it, no matter what you do the user can override it. The user is essentially a god and your code runs completely at their mercy. You can slow them down or trick them, but at the end of the day you can not stop them. If your program can get its hand on the connection string, so can the user, because the program tells them exactly how to do it - it's literally a list of instructions saying how, which also explains why encryption is in this case just obfuscation: you're also providing the instructions to undo it.
"secure"string doesn't pretend to stop users, it pretends to stop other programs, but there's not much difference. The only thing a program can't do (in theory anyway) is click a UAC dialog, and you don't even need that.
Advice: accept that anything that could be done with the privileges and information of the program, will be done by a user. If they're not allowed to do something, then the program can't be allowed to do it either, and that must be enforced server-side.
|
|
|
|
|
harold aptroot wrote:
If they could read a normal string object straight from memory, then why can't they read from app.config?
If the string has to be entered, and you have privileges to run whatever you want (unsigned code with admin rights), why not install a keylogger? You're assuming that the system is already compromised.
If the user has to enter something sensitive, I prefer to keep it as much out of reach as possible.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
|
|
|
|
|
In your case, what would you suggest?
As there is no perfect security in the cyber world.
|
|
|
|
|
Gilbert Consellado wrote: in your case would you suggest?
Depends on the environment.
I'm not running as admin on my local machine, UAC is turned on - here I do not worry about keyloggers. The documents-folder is encrypted; anything in there is deemed "safe". I kept passwords in a text-file, since, as Mycroft states, it would not be very useful to hide them from an application that runs as "me", as it has access to anything I have.
On USB, the data is encrypted. One needs the password to unlock the data - and no, in that case the password isn't stored.
If you're not in control of the environment, you basically cannot guarantee secrets. In that respect, the (local) admin is indeed all-powerful.
|
|
|
|
|
I haven't. I don't really see the point – if a malicious program has access to your process's memory space, it's already infiltrated onto the system in such a way that it can hook the keyboard (keylogger), file system (read data directly) and API calls (intercept passwords as you pass them to other applications or down HTTPS channels), and it's probably easier to dig a password out from there than from an unknown location in a process's memory.
|
|
|
|
|
I have a C# Windows application written in VS 2010 that uses SQL Server Express database as the back-end. I'm finding that I have a need for having different users with different rights, to limit how much damage can be done by careless users. For example, one highly trusted user can mass delete and edit records for modifying large numbers of records while another user can only edit or delete individual records. A highly trusted user can access all of the screens while other users will only access a subset of those screens, etc. AFAIK this doesn't necessarily map very well to the authentication system built into SQL Server which manages user groups read and write permissions for each table. There is the possibility of just rolling your own custom authentication system, to add to the database tables for users, groups, and permissions and managing those accordingly. While this is a new problem for me, my hunch is that this would likely be a very old and familiar problem within Windows development. I could certainly roll my own and make something workable if not great, but why not see how others with more experience are doing it.
Does anyone have any thoughts or recommendations on this subject? Any especially good examples that you could point me in the direction of?
(crosspost mea culpa)
|
|
|
|
|
Well I have to say pretty much every system I've worked on has rolled its own. It'd be good if there was a library and a script you could just run to do this.
I guess it depends on where the thing is used. Is Active Directory an option?
Regards,
Rob Philpott.
|
|
|
|
|
Aaron Hartley wrote: AFAIK this doesn't necessarily map very well to the authentication system built into SQL Server which manages user groups read and write permissions for each table.
It's configurable. Simply map a Sql-user to an AD-group. Include the "trusted" user in the correct AD-group, and done.
|
|
|
|
|
Thank you both for responding. I haven't yet looked at the relevant documentation but I will do so when I get a moment. As such, I had some questions that are possibly naive but I'm going to reach beyond my understanding. I'm not sure how well the rights of an AD user would map to rights within the application. Or is it a hybrid solution where you rely on AD to manage the users and passwords and make your own table for managing the rights as they relate to your application?
|
|
|
|
|
Aaron Hartley wrote: I'm not sure how well the rights of an AD user would map to rights within the application.
The network-admin may have lots of rights, where he may have none in your app. What you get from Windows is the login (using SSO). A login in Sql Server may be mapped, but that doesn't mean that you "have to" keep a list of who's allowed to do what in there - that's typically something for your app to define. You can use the roles to block them from reading/writing where you don't want them.
|
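The hybrid arrangement discussed in this thread (Windows supplies the login and group membership, the application defines what each group may do) could look like the following. This is an added example, not code from any of the posters; the group names and the `AppPermission` values are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

[Flags]
enum AppPermission
{
    None = 0, EditSingleRecord = 1, DeleteSingleRecord = 2,
    MassEdit = 4, MassDelete = 8, AllScreens = 16
}

static class AppAuthorization
{
    // Hypothetical AD groups; this table could equally be loaded from the database.
    static readonly Dictionary<string, AppPermission> GroupPermissions =
        new Dictionary<string, AppPermission>(StringComparer.OrdinalIgnoreCase)
        {
            { @"EXAMPLE\RecordsUsers",
              AppPermission.EditSingleRecord | AppPermission.DeleteSingleRecord },
            { @"EXAMPLE\RecordsAdmins",
              AppPermission.EditSingleRecord | AppPermission.DeleteSingleRecord |
              AppPermission.MassEdit | AppPermission.MassDelete | AppPermission.AllScreens },
        };

    // Union of the permissions of every mapped group the user belongs to.
    public static AppPermission Resolve(Func<string, bool> isInGroup)
    {
        AppPermission granted = AppPermission.None;
        foreach (KeyValuePair<string, AppPermission> entry in GroupPermissions)
            if (isInGroup(entry.Key))
                granted |= entry.Value;
        return granted;
    }

    public static void Demand(AppPermission granted, AppPermission required)
    {
        if ((granted & required) != required)
            throw new UnauthorizedAccessException("Missing permission: " + (required & ~granted));
    }

    static void Main()
    {
        // The Windows login (SSO) identifies the user; no password handling in the app.
        var principal = new WindowsPrincipal(WindowsIdentity.GetCurrent());
        AppPermission granted = Resolve(principal.IsInRole);
        Console.WriteLine("Granted: " + granted);
        try { Demand(granted, AppPermission.MassDelete); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine(ex.Message); }
    }
}
```

A check like this only decides which screens and buttons the client shows. Mapping the same AD groups to SQL Server logins and database roles is what makes the database itself refuse a mass delete from an account that is not entitled to it.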
|
|
|
|
Hi, we are trying to make a GET request against a REST API of a partner company.
In collaboration with the partner company we have produced the necessary ingredients, but we don't know how to put them together.
This is what we have:
- URL: The URL of the partner REST API
- PRIVATE KEY: privateKey.key
- CERTIFICATE: certificate.pem
- PASSWORD: We have defined some passwords.
We have tried to open the .key and the .pem files with Notepad, and the text there is readable, and goes like:
privateKey.key:
-----BEGIN PRIVATE KEY-----
MIIEvAIBA
(...)
6xz6tGWWdkR4uw==
-----END PRIVATE KEY-----
certificate.pem
-----BEGIN CERTIFICATE-----
MIIEbDCCA (...)
QmliDutXh/BjT0=
-----END CERTIFICATE-----
We are wondering how to make a REST request with these things in C#?
We have been wondering if the PRIVATE KEY and the CERTIFICATE should be converted into another file?
So with OpenSSL, running the command below, we tried to convert those two files into a .pfx file:
openssl pkcs12 -export -out domain.name.pfx -inkey domain.name.key -in domain.name.crt
The resulting .pfx file was not human readable, it was like: " ‚h‚d0‚`0‚ *†H†÷ (...)".
To make the REST GET request is it then necessary to install the certificate?
As you may understand from this post we are quite ignorant on the subject of making a request with certificate, private key and password in C#, looking for some help.
There are many questions and we actually don't know exactly what to do.
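One way to put the pieces from the question together, as an added example that is not part of the original post: the certificate and key are presented as a TLS client certificate on the GET request. The URL is a placeholder, and the PEM route assumes .NET 5 or later.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class PartnerApiClient
{
    // Placeholder: the post does not give the partner's URL.
    const string ApiUrl = "https://partner.example/api/resource";

    // Option 1: read the two PEM files directly (.NET 5 or later).
    static X509Certificate2 LoadFromPem(string certPath, string keyPath)
    {
        using X509Certificate2 pem = X509Certificate2.CreateFromPemFile(certPath, keyPath);
        // On Windows, SChannel often rejects the in-memory key this produces, so
        // round-trip through PKCS#12 bytes. (.NET 9 flags this constructor as
        // obsolete in favour of X509CertificateLoader.)
        return new X509Certificate2(pem.Export(X509ContentType.Pkcs12));
    }

    // Option 2: read the .pfx written by "openssl pkcs12 -export"; the password is
    // the export password entered at the openssl prompt. Works on .NET Framework too.
    static X509Certificate2 LoadFromPfx(string pfxPath, string exportPassword)
    {
        return new X509Certificate2(pfxPath, exportPassword);
    }

    static async Task<string> GetAsync(string url, X509Certificate2 clientCert)
    {
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no private key; TLS client authentication cannot work.");

        var handler = new HttpClientHandler();
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;
        handler.ClientCertificates.Add(clientCert);

        using var client = new HttpClient(handler); // disposes the handler as well
        using HttpResponseMessage response = await client.GetAsync(url);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    static async Task Main()
    {
        using X509Certificate2 cert = LoadFromPem("certificate.pem", "privateKey.key");
        Console.WriteLine(await GetAsync(ApiUrl, cert));
    }
}
```

Neither route requires installing the certificate in a Windows certificate store. Whichever file holds the private key (the .key or the .pfx) needs the same file-system protection as any other credential.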
|
|
|
|
|
Hey, I am making a program in which I have loaded an image in picturebox1. Now I want to reduce the image size and pixels and display it in picturebox2.
So how can I do this?
|
|
|
|
|
You could start by not reposting the same lack-of-a-question!
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952)
Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
|
|
|
|
|
|
|
This is not a good question - we cannot work out from that little what you are trying to do.
Remember that we can't see your screen, access your HDD, or read your mind.
Are you trying to reduce the image size and save it? Or reduce it on screen? Please, try to explain in as much detail as you can!
|
|
|
|
|
Simple one...
0. Click your picturebox (I assume this has the image?)
1. At the right side of the screen, you will see the properties tab.
2. Kindly search for "Size Mode" property on the properties tab.
3. There, you can change the image if you want the Normal size, Stretch image, AutoSize, Center Image or Zoom.
Don't mind those people who say you're not HOT. At least you know you're COOL.
I'm not afraid of falling, I'm afraid of the sudden stop at the end of the fall! - Richard Andrew x64
|
|
|
|
|
It's only a simple one if that is what he's actually trying to do. As it is, you're making assumptions. It's always worth seeking clarification if something could have multiple meanings.
|
|
|
|
|
Pete O'Hanlon wrote: As it is, you're making assumptions.
Yes, I am.
But, I also base my answer on how he asks. I think, he won't construct a question like that if he meant a 'complicated' thing for the picturebox.
At least, he's not like the others who say 'I need a program for XXX in XXX language'. He wants to learn, but lacks the 'curiosity' ability on his chosen IDE.
Give them the simplest idea, and if they don't really ask for the 'simplest' one, then at least they know where to start. That is, IMO.
Pete O'Hanlon wrote: It's always worth seeking clarification if something could have multiple meanings.
Agree. I'll do that next time. Thanks Pete.
|
|
|
|
|
And this[^] says he wants something more complicated.
|
|
|
|
|
Stop reposting your question
Tim Toady Bicarbonate
|
|
|
|
|
Hi All
I am calling a REST API from my C# console application and get the following error while calling the GetResponse method:
"The request was aborted: Could not create SSL/TLS secure channel."
The code worked a couple of days back, so I am not sure what changed. The cert I am using is a valid cert installed on the machine where I run the code; I checked the expiration details and all.
My code is as follows; it fails in the try block below. The URI that I pass is https://management.core.windows.net/{0}/services/hostedservices and I replace the {0} with a valid id, of course.
Code:
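public static XDocument GetResponse(Uri uri)
{
    // msVersion and certificate are fields defined elsewhere in the class.
    HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri);
    request.Method = "GET";
    request.Headers.Add("x-ms-version", msVersion);
    request.ClientCertificates.Add(certificate);
    request.ContentType = "application/xml";
    XDocument responseBody = null;
    HttpWebResponse response;
    try
    {
        response = (HttpWebResponse)request.GetResponse();
    }
    catch (WebException ex)
    {
        // ex.Response is null when the failure happens before any HTTP
        // response arrives, as with a failed TLS handshake.
        response = (HttpWebResponse)ex.Response;
    }
    if (response != null)
    {
        using (response)
        using (var stream = response.GetResponseStream())
        {
            // Parse the body only when the server actually sent one.
            if (response.ContentLength != 0)
                responseBody = XDocument.Load(stream);
        }
    }
    return responseBody;
}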
Exception:
The complete exception is:
System.Net.WebException was caught
HResult=-2146233079
Message=The request was aborted: Could not create SSL/TLS secure channel.
Source=System
StackTrace:
at System.Net.HttpWebRequest.GetResponse()
at StorageAccountsExtractor.AzureService.GetResponse(Uri uri) in e:\StorageAccountsRetriever\StorageAccountsExtractor\StorageAccountsExtractor\Program.cs:line 289
InnerException:
Solution:
I looked on the web and it looks like I need to make HTTPS use TLS? How do I do that? Any other ideas that I could look into?
"Every morning I go through Forbes list of 40 richest people in the world. If my name is not in there, I go to work..!!!"
|
|
|
|
|
If it was working a couple of days ago it's almost certainly that something has expired, either your SSL certificate, the server's certificate (though that is unlikely if you're using a hosted service), your user name or API key.
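Both explanations raised in this thread, a protocol version mismatch and an expired credential, can be checked from the client. The following is an added example, not code from either poster; the thumbprint is a placeholder and the CurrentUser store location is an assumption, since the post only says the certificate is installed on the machine.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class SecureChannelDiagnostics
{
    // Client-side certificate conditions that make the TLS handshake fail.
    public static List<string> CheckClientCertificate(X509Certificate2 cert, DateTime now)
    {
        var problems = new List<string>();
        // NotBefore and NotAfter are expressed in local time, like DateTime.Now.
        if (now < cert.NotBefore) problems.Add("not valid until " + cert.NotBefore);
        if (now > cert.NotAfter) problems.Add("expired on " + cert.NotAfter);
        if (!cert.HasPrivateKey) problems.Add("no private key available to this user account");
        return problems;
    }

    public static X509Certificate2 FindInUserStore(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly: false, so that an expired certificate is still returned
            // and can be reported on.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count > 0 ? found[0] : null;
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        // The defaults of .NET Framework 4.5 and earlier do not include TLS 1.2; a
        // server that stops accepting older protocols produces this same exception.
        // Add TLS 1.2 without removing whatever is already enabled.
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

        X509Certificate2 cert = FindInUserStore("<THUMBPRINT-PLACEHOLDER>");
        if (cert == null)
        {
            Console.WriteLine("Certificate not found in CurrentUser\\My");
            return;
        }
        List<string> problems = CheckClientCertificate(cert, DateTime.Now);
        if (problems.Count == 0) Console.WriteLine("No client-side certificate problem found.");
        foreach (string problem in problems)
            Console.WriteLine("Certificate problem: " + problem);
    }
}
```

The `SecurityProtocol` line has to run before the first request is created, and `SecurityProtocolType.Tls12` requires .NET Framework 4.5 or later.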
|
|
|
|
|
Hi,
This is my own project. I have an idea, but little C# knowledge.
I have a (256 * 256) LED panel.
Users have a GUI for loading an image or drawing a graphic.
The GUI will convert this image to white and black, using a WB filter.
An engine will convert each white pixel to "0" and each black pixel to "1".
Then each pixel row will be sent to the I/O card as a 256-bit message.
I want to float the image on the LED panel.
Any source code?
And which interface is appropriate for this communication between the PC and the I/O card?
Thanks.
|
|
|
|
|