Genx (Author) Posted February 18, 2007
Hi Ann, All your points are taken, but I still don't know how you logged in to the administrator account -- It has nothing to do with the rest of this.

librone Posted February 19, 2007
> Hi Ann, All your points are taken, but I still don't know how you logged in to the administrator account -- It has nothing to do with the rest of this.
Hi Genx, yes, it has nothing to do with the rest of this. I use telepathic powers in order to make this. Ann

Genx (Author) Posted March 27, 2007
You know what really tells me something here though?... The fact that this topic got 2400 views. Get your act together FMI and give us the ability to provide decent logins!

librone Posted March 28, 2007
Hi Genx, We can have a decent login only if we can stop "passware"! Can you stop it? Ann

Genx (Author) Posted March 28, 2007
I don't know if I could stop it, it's not my job to stop it, I don't work at FMI, I don't get paid to fix their software so I wouldn't waste my time... but, I do pay $432.00 AUD per license (that's more than the OS it runs on) for someone else to stop it. SQL seems to stop it... MySQL seems to stop it... Zipped files are secure... I wouldn't walk into a client's office and say here, buy my system for $10,000, it's good, but when it breaks down in 1 month because I couldn't do a decent job building it, you fix it, it's not my responsibility. And just FYI, "passware" isn't stopped even with their current dialog login system... this is a flaw in their product and up to them to address it -- that's why they get paid -- not me. Stop thinking that I have something against FMI as a whole... I like the product, but the truth is they are a commercial profit seeking company, that needs to be able to match itself to the competition... it can't do this if people like me don't whinge!
Edited March 28, 2007 by Guest

librone Posted March 29, 2007
Hi Genx, now it's not possible to have decent logins. First FMI must stop "passware". Ann

Raybaudi Posted March 29, 2007
There is a way to stop "passware". Try to crack this: Empty.zip

librone Posted March 29, 2007
Hi Danielle, I have known this trick in 1999. You must recover it. Et voilà. Remember: only FMI can stop Passware! Ann

Raybaudi Posted March 29, 2007
Yes, but the recovered file has this pwd: FZQTGJ8

librone Posted March 29, 2007
Hi Daniele, does it change something? You can open the recovered file. Ann

xoomaster Posted April 5, 2007
Here is some simple advice: Do not allow your files to be opened by FMP Advance! Also get rid of the option "Recover". Build in an option that replaces the DB structure in case of illegal entry! This one you have to work on! Remember the golden rule is "if they don't have your file, they can't crack it!" so keep your files safe!
Edited April 5, 2007 by Guest

Genx (Author) Posted April 5, 2007
> Do not allow your files to be opened by FMP Advance!
... how does one achieve that?
> Also get rid of the option "Recover".
... likewise here?

xoomaster Posted April 11, 2007
Check to see if "GetApplicationVersion = ProAdvance"? If yes, take action!

Genx (Author) Posted April 11, 2007
But at that stage you're already logged in and running a script -- according to Ann she can avoid any scripts once logged in.

xoomaster Posted April 13, 2007
Any internal security measures can only be used after the log in process. Remember, a lot of people, even if they have the master password to a DB, still need your help to get things done. As part of your contract when selling your services, place a very high price as a penalty if there is use of decoders or spyware on your design. Bottom line is that there is always a way to crack software, but only very few people would choose to do that! Xoomaster
Edited April 13, 2007 by Guest

Genx (Author) Posted April 13, 2007
Lol, Three nuclear warheads are aimed at this facility and will be launched should you trigger any of the 9 fail safes attached to my software -- do so at your own risk.

Leather Knight Posted June 9, 2007
Interesting posts. I too have had issues with the security of my db. I have found a way to secure my db for distribution. I make my db; once tested and ready to develop, I remove admin privies, then develop. Once done there, I use a program called "Exeshield" on the .exe file. Of course the exe file reads the .usr file or whatever you name the db file and you are done. Exeshield allows for demo mode til paid for. If you try to access any modifications in the .usr file, the privies are removed so it is a futile attempt. Outcome: Solution ready for sale and secure. Just my 2 cents you see, but thought I would drop it in the bucket.

librone Posted June 11, 2007
> Interesting posts.
Hi Kevin, your demo files are totally unlocked. I suggest you remove your demos from your web site. Just my 2 cents. Ann

Leather Knight Posted June 11, 2007
I see. I had a so called friend helping me with it and I guess he decided to just open the world up to freebies. I have taken down the site and am fixing the problem. Thanks so much Ann.

Genx (Author) Posted June 11, 2007
Hi Kevin, No matter what you do I think Ann may find a way in.

Genx (Author) Posted June 11, 2007
So post an example... or supply a short note about best practices seeing as you actually seem to be quite knowledgeable in the area. Simply telling someone that something is insecure really doesn't help them fill the holes, does it? It's like saying you have a leak in this 400,000 tonne cruise liner. There's a hole about the size of a car, the boat will sink in 2 minutes if you don't plug the hole... but I'm not going to tell you where it is for your own benefit. Now I'm not saying reveal all the possible attack vectors to the public, but honestly, a few hints wouldn't go amiss.
Edited June 11, 2007 by Guest

librone Posted June 11, 2007
Ok Genx, in Kevin's file there is an Admin account. Everybody can rename file.usr to file.fp7 and open it with the Admin account. First: ALWAYS REMOVE ALL [FULL ACCESS] ACCOUNTS. Ann

Leather Knight Posted June 12, 2007
Ok... now that I have seen that changing the password "admin" to something else is useless, I do thank you Ann for showing me this. I have come up with an idea that just may work. File.usr is no longer a valid tool, and so I have come up with a new way of doing this. I shall get back to you for the "test" in a few days... I love a challenge.

Brian C Posted July 18, 2007
How do these exploits affect a solution that is served over a network? If my solution is being served from a FMP 8 or FMP 9 Server - What weaknesses will there be?

GalainHH Posted July 24, 2007
The majority of cracks should work only if you have direct access to the file. As we could see, the easiest way to prevent your file from being cracked is to remove all full access accounts. Then passware is not able to spy out the really important accounts, because they are simply not there. From that point, your Server hosted file should be considered safe, but... I made such a "contest" with a fmp file in 1998 or so. And my file was hacked within minutes. The one who did that was kind enough to explain how he did that: He simply had a FileMaker Version that ignores login Dialogs at all! His particular FMP Version started every file as Administrator, without even asking for Login and without executing any startup script. I don't know how one can modify a FMP Version to behave like that, but I think such a modified Version is able to open a server hosted solution too. As I am no hacker, I can't say if such a modified version is available with today's FMP Versions (7 - 9), but I would count on it. My Solution has a customized login screen but no Full Access Account. Consequently, I separate DATA from LAYOUT Files. DATA Files have an Admin Account but no "intelligence", that means no Scripts, no functionality. The LAYOUT files contain all the functions like scripts and the GUI, but no Admin Account. I don't think that my solution is uncrackable, but I think that most of the "common" attempts to crack it will fail. I hope this is true :-)

domb Posted August 13, 2007
Hello, I am interested in using your custom login screen for my solution. I am not advanced enough to crack your file... If I understood, this file is no longer under development; is it possible to see how it is done? Thanks.
Edited August 13, 2007 by Guest

Genx (Author) Posted August 13, 2007
Just trust me, stay away from it. The full access accounts were all non-existent in my example and it was still bypassed. I have personally abandoned all attempts at getting this to work and reverted to the standard FM authorization followed by a splash screen.

Rafita Posted November 12, 2007
Hi: How can you perform it? The FMP message says that there must be at least one account with full access privileges. Tnx.

librone Posted November 13, 2007
Hi, you must use FMPro Advanced tools to remove the last full access account. Ann

Rafita Posted November 14, 2007
Ok, Ann. Thanks for your attention. Rafael. God bless you!