The Daily Parker

Politics, Weather, Photography, and the Dog

Don't do this. Just don't.

It's a general rule of software security that, if I have physical access to your computer, I own it.

I'm analyzing a piece of software so that I can transfer its data to another application. The software runs on a local machine and is written in .NET, with a SQL Express back-end. I have administrator access to the SQL database, the machine, and therefore, to the software.

It took me all of an hour to find the master encryption key in one of the DLLs that make up the software, and another hour to build an applet—using the software's own assemblies—that can read and decrypt every byte in the database.

Good thing I'm covered by a confidentiality agreement and the owner of the data has engaged my company to do exactly what I'm doing. But wow, we really need to migrate this stuff quickly, and get it the hell off this computer.

Comments are closed