UBot Underground

Are you sure it is secure to use the database commands?



I was so excited to see the new commands to manage the database connection and I decided to make my next bot using this new feature... and here come the bad feelings, I mean I don't feel comfortable using the data of the main database inside the distributed exe.

 

Who knows if, using the database commands, there is a way that a user can see that data?

 

You know, usually each customer could have his own username and password stored somewhere or even hard-coded in the exe. In that case, if someone were able to get that information he would be able to manipulate that data (e.g. to modify the credits or money in his account, or change his user level); anyway, in this case the problem would be limited to only one user, who can be blocked by changing the login details. The database commands instead are supposed to work using the main data to connect to the whole database, not to just one user account, so I think it could be much more dangerous to use it in such a way. What do you guys think about it?

 

Would you feel safe using the database commands to connect each of your bot customers directly to the main database of your application?


This is the nature of the beast. Most companies do not even get security certificates for their own web servers and trust me they are doing stuff like this now.

 

If you are concerned about watching the wire then you could pay for the security certificate for your server and then you are safe.

 

Personally, I would rather have the data on a server rather than embedded in an EXE.


Pretty excited with the new MySQL integration, but I have similar doubts like OP.

 

With a remote connection to the server, we can implement a simple licence check using the database command: the bot will send a request to the DB and check if the user is valid.

But is it safe to do something like this?

 

The UBot team have definitely taken security into consideration while developing a feature like this. Maybe someone from the dev team could clarify this or provide some input on securely communicating with a remote server using DB commands.

 

If people have any other advice on securing the remote DB connection, like the one said by buddy, getting a security certificate, please add.

 

Thanks


If, using sniffer software or some other software to check the connection strings of the computer, it is possible to find the string to connect to the DB, it would be really simple to grab the data and connect to the same database with whatever software or script; it would be possible to work with it like the owner could, and the hacker would have complete access to the main DB.

 

I tried to use sniffing software and open UBot Studio; well, reading the outgoing data I can clearly see my username, password, processor ID and all other data about my computer. Using the same way I wasn't able to get responses from an exe bot using the DB connection, 'cause I'm pretty sure the DB connection doesn't use the HTTP method, but I'm not a hacker, I don't know exactly how everything works, but I suppose that someone more advanced than me could be able to read it without problem. So I suppose it is not safe to use the DB commands, especially if you connect your bot to the main DB where important data could be stored, like residual money in a user account (this can be changed by the hacker to use your product for free), or changing the account data of all the users giving infinite credits to all users, or simply deleting all of your DB data... I'm talking about money and credits 'cause I'm working on a bot where customers buy credits and use them to get the bot to make some actions... I'm afraid I will keep using an alternative method to get the data from an online DB...

 

Any different point of view would be very appreciated!


Mrcrix, it is also a question of your MySQL user...

If you create a user that can only read from a table, or even only certain rows of this table, you cannot delete with this user.

So the server-side part, with your user restrictions, is also a very important point for a secure system.

And MySQL has the ability to handle users that can only read rows in a database, so include this in your security concept.


Blumi40, yes, you're right, I didn't think about the user access level. It could be a good way to limit possible damage to the main DB; anyway it would be possible to see the sensitive data of all users, so I think it is not too safe to use the DB commands. I will keep using my usual way to connect to the main DB, thank you for your opinion ;)

 

Uniquebot, well, I didn't think about decompiling since the sniffing should be enough to spot sensitive data, but decompiling would add even more security problems, even for the hard-coded data in the exe. In fact, as I said, I will not use the DB commands for now; I prefer to keep using the usual online login connected to my main DB without storing any important data in the exe itself. Thank you for the post!


The database connection isn't a secure connection, so if I'm understanding you all correctly, you'd have to set up a secure connection link (SSL) to your MySQL database.

 

Let me see what the Devs think.


As a theoretical example, to give you a bit of brain food:

You can create a MySQL function

for sending the needed licence data to this function.

The function itself will check the licence server-side and, if the licence is okay, the function returns a valid INT.

A crypt code is part of your bot and your server, so the bot knows it and the server knows it.

The server sends back an encrypted key and you can decrypt it with UBot.

So, as an example, your crypt code from UBot is X² (very simple) and the crypt code to UBot is X³ (very simple).

So you send INT 16 in your SQL string to the server, and the function knows that's a trusted connection and it will also give back another encrypted code UBot knows (X³).

[X = 4] UBot sends 16, server sends 64 to UBot <- licence okay

[X = 3] UBot sends 9, server sends 27 to UBot <- licence okay

[X = manipulated by hacker] UBot sends 7, server sends 7 to UBot <- licence fail because 7 isn't a valid INT

So that's only a very simple example: the crypt code for UBot is X*X and for the server X*X*X.

Write a MySQL function which needs name, email, licstring and cryptint; if some of this info is wrong the server will always give a wrong encrypted INT back, so UBot knows the licence is not valid.

With this method you can handle queries without a SELECT; the function on the server side is doing the SELECT and brings back a return that is not easy for hackers to handle.

Hope this brings you ideas for your licence system.
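Putting Blumi40's two posts together (the restricted MySQL user earlier in the thread and the server-side licence function described just above), here is an added example that is not from the thread or from UBot: the database, table, column, function and account names are all hypothetical, the cryptint transform is the post's toy X*X / X*X*X scheme, and the failure case returns 0 rather than echoing the sent value.

```sql
-- Added example, not from the thread or from UBot: every name below is hypothetical.
CREATE DATABASE IF NOT EXISTS licdb;
USE licdb;

-- Licence data stays in a table the bot account never reads directly.
CREATE TABLE licences (
  name      VARCHAR(64)  NOT NULL,
  email     VARCHAR(128) NOT NULL,
  licstring CHAR(32)     NOT NULL,
  active    TINYINT(1)   NOT NULL DEFAULT 1,
  PRIMARY KEY (email)
);

-- Server-side check: the function does the SELECT, so the client needs no table rights.
-- cryptint follows the post's toy scheme: the bot sends X*X and only gets X*X*X back
-- when every field matches and the value really is a square; otherwise it gets 0.
DELIMITER //
CREATE FUNCTION check_licence(p_name VARCHAR(64), p_email VARCHAR(128),
                              p_licstring CHAR(32), p_cryptint INT)
RETURNS INT
READS SQL DATA
SQL SECURITY DEFINER
BEGIN
  DECLARE hits INT DEFAULT 0;
  DECLARE root INT;
  SELECT COUNT(*) INTO hits
    FROM licences
   WHERE name = p_name AND email = p_email
     AND licstring = p_licstring AND active = 1;
  SET root = FLOOR(SQRT(p_cryptint));
  IF hits = 1 AND root * root = p_cryptint THEN
    RETURN root * root * root;   -- 16 -> 64, 9 -> 27
  END IF;
  RETURN 0;                      -- 7 (not a square) or unknown licence -> 0, bot treats as invalid
END //
DELIMITER ;

-- The account shipped inside the bot: EXECUTE on this one function, nothing else,
-- and TLS required so the call is not readable on the wire.
CREATE USER 'bot_client'@'%' IDENTIFIED BY 'CHANGE_ME' REQUIRE SSL;
GRANT EXECUTE ON FUNCTION licdb.check_licence TO 'bot_client'@'%';

-- The only query the bot issues; a copied connection string yields just this call.
SELECT check_licence('alice', 'alice@example.com',
                     '00000000000000000000000000000000', 16);
```

With this account a captured connection string cannot SELECT, UPDATE or DELETE anything; the function's definer (the DBA account that created it) is the only identity that touches the licences table.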
