quote:
Originally posted by aat
Guys, it’s a very well known issue …
At least since your posting [;)]. Just tried that. It works. [8D] Save the password from your workmate in a table, change it, log in (under his name), make some changes, log out, write the password back! IMHO a serious security issue! bye André
But you need to have object designer rights to do this - and usually, only admins should have this right, and they can play around with user IDs and passwords anyway. So it boils down to the question “do you trust your admins?”, and if you don’t - well, in this case the admin should not be one [;)] Same goes for vendors whose objects (which could contain Trojan horses of this kind) you import into your database…
Hi Heinz
quote:
Originally posted by xorph
But you need to have object designer rights to do this - and usually, only admins should have this right, and they can play around with user IDs and passwords anyway. So it boils down to the question “do you trust your admins?”, and if you don’t - well, in this case the admin should not be one [;)] …
Ok. You are right! But with this method as well as with a cracked password is it possible to make changes in the database with your password. And you don’t notice it! bye André
I agree with you, Andre. But if I - as admin - wanted to make changes in the database under a different user ID and without leaving any traces pointing to myself, I could do so without having to resort to security holes, even without having to resort to coding… [}:)] Of course, a full developer license would come in handy [;)]
Heinz, I was wrong about the spec of my machine. It is in fact a Dell Precision 220 - 2 x PIII 600MHz processors with 756MB RAM. -------------------------------------------------------------------- Quote: As an example, computer chess programs use a wealth of heuristics to prevent them from searching all possible move combinations, and they are quite good at it. With respect to cracking passwords, one could think of trying “more promising” passwords first. It will probably be unlikely for a user to have “aaaaa” as his password. Same for “aaaab”, “aaaac” and so on. Yet with a straightforward password generation routine, you will be trying exactly these passwords first. The password you chose will be found quicker if you move from lowercase letters to uppercase. If you first try uppercase letters, your program will need more time. Generally, having some reasonable assumption about the “general structure” of your password will enable you to speed up the search. In any case, though, you will have to make sure that your program is able to generate and test all possible combinations, just in case all your assumptions turn out as invalid. --------------------------------------------------------------------- I assume you mean “educated guesses”?! For instance I try a couple of things first - DOB, initials (from the Employee record). This of course assumes the User setup is in-line with actual Employee records! [;)]
Connull, if your PC with 600 MHz is so much faster than mine with 1.7 GHz, I wonder what’s wrong with my program [B)]. Well, maybe the reason is that I had a status dialog open, and used a counter that was displayed in the status window once every 10,000 password comparisons. With ~ 50,000 comparisons per second, this caused an update of the status window every 1/5 second - possibly slowing down the process dramatically. I guess I will retry the whole thing with the counter showing only on every 500,000th comparison… I also think I should move the character from the beginning to the end of the character list - it doesn’t make much sense to first check passwords starting with 3 or 4 blanks [xx(] Another difference is that I included the German umlauts, which you probably did not. Regarding the technical issues: You are correct that a heuristic could well be considered an “educated guess”. Trying a dictionary first, for example, is still brute force, but a bit more intelligent than simply generating a “stupid” list programmatically. However, in (graph) searching algorithms (of which chess is one), heuristics are usually of the mathematical/algorithmic nature, therefore a bit stronger than merely guessing or trying certain solutions by chance. I should stop here before I get carried away [:D]. I gave algorithm lessons during my time as a university assistent, and wrote my dissertation about certain aspects of and search methods in computer chess, and once I get into talking, it’s hard for me to stop [;)]
Heinz, First of all, my PC has two 600MHz P4 processors - probably a reason why my program is faster than yours!!! [:D] --------------------------------------------------------------------- Regarding the technical issues: You are correct that a heuristic could well be considered an “educated guess”. Trying a dictionary first, for example, is still brute force, but a bit more intelligent than simply generating a “stupid” list programmatically. However, in (graph) searching algorithms (of which chess is one), heuristics are usually of the mathematical/algorithmic nature, therefore a bit stronger than merely guessing or trying certain solutions by chance. I should stop here before I get carried away . I gave algorithm lessons during my time as a university assistent, and wrote my dissertation about certain aspects of and search methods in computer chess, and once I get into talking, it’s hard for me to stop --------------------------------------------------------------------- I agree that it’s probably a good thing to stop you there, but can you point me to some resources regarding these heuristics!!! A book or books for example. I am interested in this. [:)]
Are you sure that both CPUs are used by Navision for the computation? One place to start your search for heuristics are the publications of Hermann Kaindl, who was one of my thesis reviewers. He has been publishing papers and books about heuristic search for over 20 years. If you search for him on Google, you will find several pointers to his papers. The books were originally published in German, I don’t know if a translation is available. The papers, having been published in international journals, are in English. If you are specifically interested in computer chess, you can look at http://www.cs.unimaas.nl/icga/ , but they provide only the abstracts on their web site. An introduction to Alpha-Beta search (the standard searching algorithm in chess) is on http://www.seanet.com/~brucemo/topics/alphabeta.htm Searching algorithms in general are described in Don Knuth’s book “Searching and Sorting”, but it’s 90% mathematics and every student’s nightmare [;)]
This one is also a very good introduction to a few standard algorithms: http://rajiv.macnn.com/tut/search.html
Heinz, I’ll take your word that these sites have useful information (they go right over my head!) [:D] I need something a little more basic than that! [:)] I’ll do some searching via Google. Thanks anyway.
Connull… search for the unix password crackers… the ones working fine use a brute force algorigthmic and most of them are having different “improvements” for speeding up the search (some of them combine brute force and dictionary). Regards
In fact… one that usually worked fine was John the Ripper… the link is: http://www.openwall.com/john/… it’s open source… so it will probably help you A LOT… [;)]
Alfonso, Thanks for the link - I’ll look into it later! [:)]
Sorry Connull [:I] - searching algorithms are generally a bit sophisticated, and any improvement only adds to the complexity… The algorithm course I mentioned covers only searching and sorting routines for half a year, and still teaches only the very basics [:0]
Connull, I modified my routine as described previously. No umlauts, dialog updates only evry 500,000 iterations, blank character moved to the end. Runtime is now 1:25, which is 1 hour faster than the previous version.
Heinz, Sounds like my routines then, were running OK. [?] The only problem I now have is the drive I had the functionality on, has gone down and is irretrievable! [:(] So I’ll have to recreate the code! Aaaagggghhhhhhhhh [}:)]
quote:
Originally posted by CMDunbar Sounds like my routines then, were running OK. [?] The only problem I now have is the drive I had the functionality on, has gone down and is irretrievable! [:(] So I’ll have to recreate the code! Aaaagggghhhhhhhhh [}:)]
Irretrievable??? Are you sure?? Unfortunatelly i’m starting having a little practice on recovering my files/harddrives (in fact right now my desktop is running disk commander for more than 6 hours trying to recover the main partition of my main hard disk… considering that it was a 200 GB hard disk and it was having just 80 GB free… you’ll understand why i’m spending that much time on it’s attempt of recovery…). It looks bad as i’ve already killed the MBR while trying the standard Windows XP methods… but… hope is never lost. Going to where i’m was… If the hard disk is not working at all there are few chances of recovering… but if the problem is different, (like having NTFS and not being able of starting the computer) there are several programs that can allow you to recover the files inclusively if the computer is not bootable right now…
It was a USB hard drive and what the problem was, the hard drive was unable to be spun! Apparently it was going to cost loads if at all possible, so I decided to just have a replacement and to in future, back my work up on a pc, as I go along! [:)]