How to encrypt your config & script files

Sinan

Post by Sinan »

As the title says: how to encrypt your configuration file, so that IF someone gets into your box, he cannot read your configuration file because it is encrypted, but the eggdrop has to read it, otherwise he cannot load the settings :)
GodOfSuicide
Master
Posts: 463
Joined: Mon Jun 17, 2002 8:00 pm
Location: Austria

Post by GodOfSuicide »

you can't
use the forum search, you'll find topics on that only a few days old
Sinan

Post by Sinan »

GodOfSuicide wrote: you can't
use the forum search, you'll find topics on that only a few days old

I cannot? Sure I can, I heard a lot about it.
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

Then you should have heard why the people that do this closely protect their methods.

If they were to become public, then the encryption would be useless.

You have to somehow tell the bot the password to decrypt it

1: If you told it on the command line. People could easily read it.

2: If you specified it embedded into the code, they could easily get the information using common debug tools.

Think about it for a second. How do you tell the bot the password without anybody reading it? You can't!
Sinan

Post by Sinan »

ppslim wrote: Then you should have heard why the people that do this closely protect their methods.

If they were to become public, then the encryption would be useless.

You have to somehow tell the bot the password to decrypt it

1: If you told it on the command line. People could easily read it.

2: If you specified it embedded into the code, they could easily get the information using common debug tools.

Think about it for a second. How do you tell the bot the password without anybody reading it? You can't!

When you tweak eggdrop, and put the key in the source, it is possible.
KevKev
Halfop
Posts: 67
Joined: Fri Oct 03, 2003 5:15 am

Post by KevKev »

ppslim wrote: 2: If you specified it embedded into the code, they could easily get the information using common debug tools.

He already covered embedding it in the source.
ppslim
Revered One
Posts: 3914
Joined: Sun Sep 23, 2001 8:00 pm
Location: Liverpool, England

Post by ppslim »

Right, I have a little more time on my hands now, so let's go a little more in depth as to why encryption of this kind is silly and impossible.

OK, I concede there are a few ways to prevent people from getting the password.

One method is to code the bot such that it reacts to being traced. There are two courses of action here.

1: Destroy the de/encryption password key
2: Kill the bot, so there is no longer a process to trace

There is one large flaw here. An attacker only needs to attempt a trace, and they bring your channel to a standstill with regards to protection.

With method 1, it can no longer tell who a bot owner is from an attacker. The user list is useless. With method two, the bot isn't there to do the protection.

Also with method one, you could potentially put the channel into a deep security mode, where the bot will not let anybody change a mode, and deop people. The only issue with this: if two bots are attacked, they would not know each other is safe, thus you end up with a short-lived war, then when bots are restarted, a channel without ops.

That covers protection methods. Let's talk about what they are designed to protect the bot from.

Common tools used to trace program execution are usually intended for programmers to know what data is where and when.

All well and good, but it also allows attackers to know what passwords are where and when.

There are three locations you could specify the password de/encryption key.

1: Within the source code
2: Specified on the command line at startup
3: When you start the bot, you are asked for it before the program continues.

All three will occupy memory once the bot is loaded. You can't just destroy it once the bot has started, otherwise, what password is used to re-encrypt the userfile and such?

The said debug tools noted above will do the following.

1: Trace the code path and store it
2: The attacker then reads back this information.
3: They locate a line relating to decrypting the data or resaving
4: Bingo, they should have the information needed to further the quest.
strikelight
Owner
Posts: 708
Joined: Mon Oct 07, 2002 10:39 am

Post by strikelight »

However, with method 2, you must assume there is more than one bot (across multiple machines) guarding the channel.. In which case, a single bot not being there for protection isn't going to hurt any... Assuming of course, only the one machine is compromised.
[SD]Amon

Post by [SD]Amon »

a simple solution (unless you're using a windrop....)
chmod
unless root is trying to access your files, don't worry. you have to tick someone off a lot if they hack a machine, make themselves root, and all they do is look for your bot passwords and settings. It's safe just to restrict access to the file to you.
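
The chmod approach suggested in the post above, as an added example that is not part of the original thread: it lists everything under a bot directory that group or other users can access, then restricts it to the owner. The directory layout and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: find paths under a bot directory that group or other can
# read, write or execute, then restrict them to the owning user.

# Print every file or directory under $1 with any group/other permission bit.
# Symlinks are skipped because their own mode bits are not meaningful.
exposed_paths() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \)
}

# Remove all group/other access under $1. Owner bits are left untouched, so
# directories stay traversable and scripts stay executable for the owner.
lock_down() {
    chmod -R go-rwx "$1"
}

# Constructed sample layout (file names are placeholders, not taken from
# the thread or from any real installation).
demo() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/scripts"
    : > "$dir/bot.conf"
    : > "$dir/bot.user"
    : > "$dir/scripts/protect.tcl"
    chmod 755 "$dir" "$dir/scripts"
    chmod 644 "$dir/bot.conf" "$dir/scripts/protect.tcl"
    chmod 600 "$dir/bot.user"

    before=$(exposed_paths "$dir" | wc -l | tr -d ' ')
    lock_down "$dir"
    after=$(exposed_paths "$dir" | wc -l | tr -d ' ')
    echo "exposed before: $before, after: $after"
    rm -rf "$dir"
}

demo
```

Files created after the lock-down take their mode from the creating process, so starting the bot from a shell with `umask 077` keeps newly written files owner-only as well.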
j0n
Op
Posts: 140
Joined: Wed May 07, 2003 5:31 pm
Location: sjn.nb.ca

Post by j0n »

Public encryption will only keep your files secure from "good guys".
Your brother decides to log into your shell and play with the files, but because he is an idiot he won't know how to decrypt.

This is the same concept of those 3rd party firewall software, it only blocks out people with no knowledge.

If someone really wanted to, they could decrypt your files regardless.
Alchera
Revered One
Posts: 3344
Joined: Mon Aug 11, 2003 12:42 pm
Location: Ballarat Victoria, Australia

Post by Alchera »

[SD]Amon:
a simple solution (unless you're using a windrop....)
chmod
ppslim:
4: Bingo, they should have the information needed to further the quest.

Once again ppslim has hit the nail on the head. :)