
Check to see if "GetApplicationVersion = ProAdvance" ?

if yes, take action !

  • Author

But at that stage you're already logged in and running a script -- according to Ann she can avoid any scripts once logged in.

Any internal security measures can only be used after the log in process.

Remember, a lot of people, even if they have the master password to a DB, still need your help to get things done.

As part of your contract when selling your services, place a very high price as a penalty if there is use of decoders or spyware on your design.

Bottom line is that there is always a way to crack software, but only very few people would choose to do that!

Xoomaster

Edited by Guest

  • Author

Lol,

Three nuclear warheads are aimed at this facility and will be launched should you trigger any of the 9 fail safes attached to my software -- do so at your own risk.

  • 1 month later...

Interesting posts. I too have had issues with the security of my db. I have found a way to secure my db for distribution. I make my db, once tested and ready to develop, I remove admin privies, then develop. Once done there, I use a program called "Exeshield" on the .exe file. Of course the exe file reads the .usr file or whatever you name the db file and you are done. Exeshield allows for demo mode til paid for. If you try to access any modifications in the .usr file, the privies are removed so it is a futile attempt.

Outcome: Solution ready for sale and secure. Just my 2 cents you see, but thought I would drop it in the bucket.

Interesting posts.

Hi Kevin, your demo files are totally unlocked.

I suggest you remove the demos from your web site.

Just my 2 cents

Ann

I see. I had a so-called friend helping me with it and I guess he decided to just open the world up to freebies. I have taken down the site and am fixing the problem. Thanks so much Ann.

  • Author

Hi Kevin,

No matter what you do I think Ann may find a way in.

Hi Genx

this is not true.

Ann

  • Author

So post an example... or supply a short note about best practices seeing as you actually seem to be quite knowledgeable in the area.

Simply telling someone that something is insecure really doesn't help them fill the holes does it.

It's like saying you have a leak in this 400,000 tonne cruise liner. There's a hole about the size of a car, the boat will sink in 2 minutes if you don't plug the hole... but I'm not going to tell you where it is for your own benefit.

Now I'm not saying reveal all the possible attack vectors to the public, but honestly, a few hints wouldn't go amiss.

Edited by Guest

Ok Genx,

in Kevin's file there is an Admin account.

Everybody can rename file.usr to file.fp7 and open it with the Admin account.

First:

ALWAYS REMOVE ALL [FULL ACCESS] ACCOUNTS

Ann

Ok....now that I have seen that changing the password, "admin" to something else is useless, I do thank you Ann for showing me this. I have come up with an idea that just may work. File.usr is no longer a valid tool, and so I have come up with a new way of doing this. I shall get back to you for the "test" in a few days.......I love a challenge..

  • 1 month later...

How do these exploits affect a solution that is served over a network? If my solution is being served from a FMP 8 or FMP 9 Server - What weaknesses will there be?

The majority of cracks should work only if you have direct access to the file.

As we could see, the easiest way to prevent your file from being cracked is to remove all full access accounts. Then Passware is not able to spy out the really important accounts, because they are simply not there.

From that point, your Server hosted file should be considered safe, but...

I made such a "contest" with a fmp file in 1998 or so. And my file was hacked within minutes. The one who did that was kind enough to explain how he did that: He simply had a FileMaker Version that ignores login Dialogs altogether! His particular FMP Version started every file as Administrator, without even asking for Login and without executing any startup script.

I don't know how one can modify a FMP Version to behave like that, but I think such a modified Version is able to open a server hosted solution too.

As I am no hacker, I can't say if such a modified version is available with today's FMP Version (7 - 9), but I would count on it.

My Solution has a customized login screen but no Full Access Account. Consequently, I separate DATA from LAYOUT Files. DATA Files have an Admin Account but no "intelligence", that means no Scripts, no functionality. The LAYOUT files contain all the functions like scripts and the GUI, but no Admin Account.

I don't think that my solution is uncrackable, but I think that most of the "common" attempts to crack it will fail.

I hope this is true :-)

  • 3 weeks later...

Hello,

I am interested in using your custom login screen for my solution. I am not advanced enough to crack your file...

If I understood, this file is no longer under development, is it possible to see how it is done?

Thanks.

Edited by Guest

  • Author

Just trust me, stay away from it. The full access accounts were all non-existent in my example and it was still bypassed. I have personally abandoned all attempts at getting this to work and reverted to the standard FM authorization followed by a splash screen.

  • 2 months later...

Hi:

How can you perform it? The FMP message says that there must be at least one account with full access privileges.

Tnx.

Hi

You must use the FMPro Advanced tools to remove the last full access account.

Ann

Ok, Ann. Thanks for your attention.

Rafael

God bless you!

  • 1 month later...

Hi Guys,

I've been following this thread with interest and have a question.

With FMP9A you can remove the full access account and it's my understanding once that's done no one can hack your solution. Is this correct?

If that is correct and you've built a custom solution for a customer. What's wrong with providing that customer with the solution with "full access removed" and then when you update the solution or make changes, again provide it "full access removed" and import from the old solution into the new?

Wouldn't that stop someone from hacking your solution as far as access to calculation, scripts etc?

Milo

  • Author

With FMP9A you can remove the full access account and it's my understanding once that's done no one can hack your solution.

This has been available from at least FMP7 Developer.

Wouldn't that stop someone from hacking your solution as far as access to calculation, scripts etc?

Yes, provided none of the privilege sets that you leave in the files have access to these things.

Hi Genx,

I have a solution where I would need to provide several different custom re-logins (dependent on where in the DB the user is). I have looked at the example in this thread for this reason, but am unable to find out how you generated the custom login at all. And I am unable to crack it.

Can you help me and provide an open example of just the custom login?

Best wishes,

Berny

Berny, please read a few back. Genx said it is a futile attempt. No matter what you do with a custom login screen, it will open you up to headaches. I have tried as well, and would love a secure option to do this, but it is not available. It WILL be hacked if you do. I may be wrong at this point, been known to be wrong from time to time, (just ask the wife... :) ) but if it is possible to achieve a custom login screen and have it secure, Genx and Ann will be the ones to do it...

  • 5 months later...
  • Author

Lol, surely the number of hits on this topic should tell FM something. Of all the open source solutions ever posted this one has the most hits and it doesn't even work hehehe.

Hi Genx,

we can do more, 16000 hits are possible.

Are you ready?


Ann

  • 6 months later...

No matter what you do with a custom login screen, it will open you up to headaches. I have tried as well, and would love a secure option to do this, but it is not available. It WILL be hacked if you do. I may be wrong at this point, been known to be wrong from time to time, (just ask the wife... : ) but if it is possible to achieve a custom login screen and have it secure, Genx and Ann will be the ones to do it...

I thought I would bring this back up again.

You have all talked about cracking a file that you have direct access to. Unless I am wrong, almost any file can be hacked some way if you have direct access to a file...Even through FM's native login. As Ann had shown, with the use of Passware.

What about files you don't have access to...sitting on a server. The biggest part of security isn't just the file's security, but the access to the file. Network security is much more reliable than file security.

In a situation like that, how easy is it to break into? Here is a file I haven't seen anyone get into yet. (Note: again not talking about having direct access to the file, because of course then there is a way.) This file is from a well known developer.

Can you crack into it when you don't have direct access to the file?

SecureLogin.zip

Can you crack into it when you don't have direct access to the file?

Yes! I cracked it without Passware.

Ann

goodmethod.gif

  • Author

Hahahaha... haha.. ha... sigh.

Hi Genx

jmormond's file is simpler to crack than your file.

Ann

  • Author

Lol, I don't even remember what I did. I gave up a looong time ago.

You mind telling me how?

Hi Genx

jmormond's file is simpler to crack than your file.

And the best part is...it's not even my file!!! :girlgiggle:

Some don't agree with me when I tell them that these custom logins don't offer enough security to be useful.

I am trying to give them the proof they need.

Edited by Guest

You mind telling me how?

first you tell me who is "a well known developer."

:giggle:

Ann

I PT who it was.

I kinda semi-challenged his idea on accident. He would probably like to know how it was done. He posted that file on another forum for "analysis".

He would probably like to know how it was done.

He made a mistake: he left the "secret layout" available to the "default account".

He posted that file on another forum for "analysis".

It is not necessary, in this forum there are many developers that can crack "his" file.

Ann

  • 2 months later...

Hmmm... Ok.. How about this idea. Is there a way to have an app that will ask for a login name and password, then record the time and date the user logged in, keeping in mind that security is really not an issue, per se, but the permissions for all users are the same?

IE: User opens up app and the screen pops up asking for a user name and password. If fails, closes app. If passes, opens up the screen. Also users are added easily and all be done from the runtime?

  • Newbies

The above thought is smart and doesn’t require any further addition. It’s perfect thought from my side

jack hollow


  • Author

Okay, given that I started this thread, adding my 2c from two years later...

WHY!?!?!

Just use the standard login prompt. I've seen some systems that are very painful to look at since this thread started, and the truth is users DON'T really care... at all... seriously. A good login screen would be awesome, but if you need to go through a whole bunch of convoluted steps to achieve it and compromise security along the way there's no real point.

If you want a custom login screen and anything else that is out of FileMaker's reach, swap to a programming language that gives you the flexibility to integrate one. Otherwise just give up on it until FM integrate it [which I've resolved deep in my soul that they probably won't].

Hmmm... Ok.. How about this idea. Is there a way to have an app that will ask for a login name and password, then record the time and date the user logged in, keeping in mind that security is really not an issue, per se, but the permissions for all users are the same?

IE: User opens up app and the screen pops up asking for a user name and password. If fails, closes app. If passes, opens up the screen. Also users are added easily and all be done from the runtime?

Now, there is not a useful way!

I hope 11...12...13..

Ann
