Securing secure FTP



  • I found a most excellent method of hiding hostnames, usernames and passwords from developers today in some consultant-brewed code. This code is responsible for connecting to an SFTP server. The hostname, username and password are hard-coded in the most clever way the consultant could think of (I'm guessing). The code is anonymized. Let's pretend I work for "Initro" and the SFTP server we're connecting to is "cool-guys". (I sure hope I didn't mess up any of the indexes when I anonymized this...)

    boolean flag = false;

    // The "secret" is spread across three decoy strings and reassembled by index.
    String enter_name3 = "initrnosecurefiletransferuatdownlaodcool-guyslaserzsconbm";
    String enter_name2 = "initroinitrolaserohcompany%q2";
    String enter_name1 = "inintroguysinitrcomggcompany";

    // hostname: "securefiletransfer" + "." + "cool-guys" + "." + "co" + "m"
    //   -> "securefiletransfer.cool-guys.com"
    String enter_h = enter_name3.substring(7, 25) + "." + enter_name3.substring(36, 45) + "."
            + enter_name3.substring(52, 54) + enter_name3.substring(56, 57);
    // username: "initr" + "gg" -> "initrgg" (anonymized)
    String enter_val = enter_name1.substring(11, 16) + enter_name1.substring(19, 21);
    // password: "initro" + "ro" + "q2" -> "initroroq2" (anonymized)
    String enter_cred = enter_name2.substring(6, 12) + enter_name2.substring(16, 18)
            + enter_name2.substring(27, 29);

    // Regex for the remote files to fetch (declared elsewhere in the original).
    String filter = "INI0.*";

    SFTPDownload sftp_object = new SFTPDownload();
    flag = sftp_object.doDownload(enter_h, enter_val, enter_cred, filter);

    Pretty secure, right? It's practically impossible to break such a strong encryption technique. "enter_h" is the hostname, "enter_val" is the username and "enter_cred" is the password.
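    For contrast, here is what the same download job looks like without a credential in the source at all. This is an added example written for this page, not code from the original post or from the consultant: it keeps host and user in a config file that must be mode 0600, refuses any config that carries a password, and drives OpenSSH's sftp with key-only authentication and a pinned known_hosts file. The host name reuses the anonymized "securefiletransfer.cool-guys.com" from the post; the service account "initro-uat", the /uat/download directory and the file paths are assumptions. The Java regex filter "INI0.*" becomes the sftp glob "INI0*".

```python
"""Key-based SFTP download with no secret in the code (added example).

Assumptions (not from the original post): an INI file with a [sftp] section,
OpenSSH's `sftp` binary, an ed25519 private key and a known_hosts file that
already contains the server's host key.
"""
import configparser
import shlex
import stat
import tempfile
from pathlib import Path


def load_sftp_config(path: Path) -> dict:
    """Read host/user/key locations from an INI file.

    Refuses a file that other users can read, and refuses any file that tries
    to smuggle a password back in: authentication is by SSH key only.
    """
    mode = path.stat().st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is group/world accessible; chmod 600 it")
    cp = configparser.ConfigParser()
    cp.read(path)
    sec = cp["sftp"]
    if "password" in sec:
        raise ValueError("passwords do not belong in config; use an SSH key")
    return {
        "host": sec["host"],
        "user": sec["user"],
        "identity": Path(sec["identity"]).expanduser(),
        "known_hosts": Path(sec["known_hosts"]).expanduser(),
        "port": sec.getint("port", fallback=22),
    }


def build_sftp_command(cfg: dict, batch_file: Path) -> list[str]:
    """Build an OpenSSH sftp invocation: key auth only, pinned host key, no prompts."""
    return [
        "sftp",
        "-b", str(batch_file),                        # non-interactive command script
        "-i", str(cfg["identity"]),                   # private key, never a password
        "-P", str(cfg["port"]),
        "-o", "BatchMode=yes",                        # fail instead of prompting
        "-o", "PasswordAuthentication=no",
        "-o", "KbdInteractiveAuthentication=no",
        "-o", "IdentitiesOnly=yes",
        "-o", "StrictHostKeyChecking=yes",            # refuse unknown or changed host keys
        "-o", f"UserKnownHostsFile={cfg['known_hosts']}",
        f"{cfg['user']}@{cfg['host']}",
    ]


def write_batch(dest: Path, remote_dir: str, pattern: str) -> Path:
    """sftp batch file equivalent to the post's filter="INI0.*" download."""
    dest.write_text(f"cd {remote_dir}\nmget {pattern}\nbye\n")
    return dest


def demo() -> dict:
    """Exercise the loader on a 0600 config, a world-readable copy, and a copy
    with a password line; return what a caller could assert on."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        cfg_text = (
            "[sftp]\n"
            "host = securefiletransfer.cool-guys.com\n"   # anonymized host from the post
            "user = initro-uat\n"                         # assumed service account
            f"identity = {tmp / 'id_ed25519'}\n"
            f"known_hosts = {tmp / 'known_hosts'}\n"
        )
        good = tmp / "sftp.ini"
        good.write_text(cfg_text)
        good.chmod(0o600)
        cfg = load_sftp_config(good)
        batch = write_batch(tmp / "download.sftp", "/uat/download", "INI0*")
        result = {"command": build_sftp_command(cfg, batch),
                  "batch": batch.read_text()}

        leaky = tmp / "sftp-leaky.ini"
        leaky.write_text(cfg_text)
        leaky.chmod(0o644)
        try:
            load_sftp_config(leaky)
            result["rejected_world_readable"] = False
        except PermissionError:
            result["rejected_world_readable"] = True

        with_pw = tmp / "sftp-pw.ini"
        with_pw.write_text(cfg_text + "password = initroroq2\n")
        with_pw.chmod(0o600)
        try:
            load_sftp_config(with_pw)
            result["rejected_password"] = False
        except ValueError:
            result["rejected_password"] = True
    return result


if __name__ == "__main__":
    print(shlex.join(demo()["command"]))
```

    The point of the two negative cases in demo() is that the loader, not the reviewer, enforces the policy: a config that anyone else on the box can read, or one that reintroduces a password, fails before any connection is attempted. Rotating the key then touches the key file and the server's authorized_keys, not a redeploy of the application.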



  • Why bother with SSH key exchange, that's way too hard to understand and easy for hackers to break. Let's hard-code the password. Yeah!



  • Man that's a pretty good one. Nobody is ever going to figure that out.



  • Although I almost never have to hard-code passwords, when I do I just base64 'em.  Just to keep someone from reading it over my shoulder, really.


    Also: Welpog thread!  Yay!



  • I should make it clear that when I anonymized the code, I only messed with the contents of the strings to make sure you guys can't use our SFTP credentials. The poor variable names ("enter_h"), along with their stupid numbers ("enter_name1"), and all of the substring indexes are exactly the same as they were when I found it. I just replaced references to real companies and passwords with generic equivalents. I left the typos in the strings, like "downlaod" and "inintro". Yeah, those were really there, supposedly to throw me off the path of what the hostname really is.

    I have never met the consultant who wrote this, though apparently it was written while I was employed at this company. It's too bad, as I would have liked to smack this person in the head with a thick textbook.



  • Let's just hope the terrorists don't get a hold of this kind of encryption, otherwise we're screwed.

    I suspect that a finishing touch of ROT13 would make this provably unbreakable.



  • @morbiuswilters said:

    Also: Welpog thread!  Yay!

    What's the deal with substituting 'b's with 'p's?  I've noticed that Welbog becomes Welpog and bstorer becomes pstorer.  Is your keypoard proken?



  •  Reminds me of an internal web app I was working on years ago. It was used by the entire company. One of the techs would routinely use Konqueror to view it so I added a bit of code to make it say "Konqueror sucks" whenever the browser was detected. He would then change the code to "Konqueror rules". It started as a simple echo, then it was base64 encoding to stop him from search/replacing, then it was taken from the database and so on and so forth. By the time we gave it up, the PHP page would connect to a java app via socket and get the message from there.

    That was the only Rube-Goldberg code I've ever written.



  • @upsidedowncreature said:

    What's the deal with substituting 'b's with 'p's?  I've noticed that Welbog becomes Welpog and bstorer becomes pstorer.  Is your keypoard proken?

    There once was a troll who went so far as to sign up accounts that looked similar to certain other forum members, IIRC bstorer was the first and the resulting account was "pstorer", it was immediately mocked with the comment "How'd you get that upside-down 'b', bstorer?", or something to that effect.



  • @DOA said:

     Reminds me of an internal web app I was working on years ago. It was used by the entire company. One of the techs would routinely use Konqueror to view it so I added a bit of code to make it say "Konqueror sucks" whenever the browser was detected. He would then change the code to "Konqueror rules". It started as a simple echo, then it was base64 encoding to stop him from search/replacing, then it was taken from the database and so on and so forth. By the time we gave it up, the PHP page would connect to a java app via socket and get the message from there.

    That was the only Rube-Goldberg code I've ever written.

    I feel like I've heard that before.


  • @belgariontheking said:

    I feel like I've heard that before.
    What the... I didn't remember having posted that... damn, you type it once and it stays there forever. Ok, I'm definitely not telling you guys about that time in Amsterdam with the transsexual.

