Re: empty variable
One of the problems with #3 and above is the people who want your code will probably spend more money and time figuring out a way to steal the uncompiled code than they would spend trying to hack the code. And they most likely have a lot of corrupt connections and money to spend. JB > On Jan 6, 2020, at 7:52 AM, Bob Sneidar via use-livecode > wrote: > > I agree. It's easy to imagine that one can acheive absolute security, but in > practice it is impossible by nature. Just someone standing over your shoulder > or putting a spy camera in place is all that would be needed. The idea then > is to make it as difficult and impractical as possible given the resources > you have. > > Bob S > > >> On Jan 3, 2020, at 13:59 , Richard Gaskin via use-livecode >> wrote: >> >> Inputs often pose a bigger risk than core dumps. >> >> Where you ask: >> "Any suggestions to make it as secure as possible?" >> >> ...we might instead ask: >> "Any suggestions to make it as secure as *practical*?" >> >> ...or even: >> "Any suggestions to make it as secure as *cost-effective*?" >> >> There are always ways to make things more secure. The hard part is defining >> an appropriate level of effort relative to the importance of the secret. >> >> Consider this scale of 1 to 5, in terms of how hard people work to keep >> things secret: >> >> 1. My app's reg code >> 2. A user-defined password >> 3. A user's social security number >> 4. Nuclear secrets >> 5. Trump's tax returns >> >> If it's #1 I wouldn't spend more than half an hour thinking about it, for so >> many reasons covered in this list before. >> >> #2 is worth spending some time on, but better hashed than encrypted. >> >> #3 or above will require an understanding of the system to provide useful >> guidance. >> >> -- >> Richard Gaskin >> Fourth World Systems > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
I agree. It's easy to imagine that one can acheive absolute security, but in practice it is impossible by nature. Just someone standing over your shoulder or putting a spy camera in place is all that would be needed. The idea then is to make it as difficult and impractical as possible given the resources you have. Bob S > On Jan 3, 2020, at 13:59 , Richard Gaskin via use-livecode > wrote: > > Inputs often pose a bigger risk than core dumps. > > Where you ask: > "Any suggestions to make it as secure as possible?" > > ...we might instead ask: > "Any suggestions to make it as secure as *practical*?" > > ...or even: > "Any suggestions to make it as secure as *cost-effective*?" > > There are always ways to make things more secure. The hard part is defining > an appropriate level of effort relative to the importance of the secret. > > Consider this scale of 1 to 5, in terms of how hard people work to keep > things secret: > > 1. My app's reg code > 2. A user-defined password > 3. A user's social security number > 4. Nuclear secrets > 5. Trump's tax returns > > If it's #1 I wouldn't spend more than half an hour thinking about it, for so > many reasons covered in this list before. > > #2 is worth spending some time on, but better hashed than encrypted. > > #3 or above will require an understanding of the system to provide useful > guidance. > > -- > Richard Gaskin > Fourth World Systems ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
Inputs often pose a bigger risk than core dumps. Where you ask: "Any suggestions to make it as secure as possible?" ...we might instead ask: "Any suggestions to make it as secure as *practical*?" ...or even: "Any suggestions to make it as secure as *cost-effective*?" There are always ways to make things more secure. The hard part is defining an appropriate level of effort relative to the importance of the secret. Consider this scale of 1 to 5, in terms of how hard people work to keep things secret: 1. My app's reg code 2. A user-defined password 3. A user's social security number 4. Nuclear secrets 5. Trump's tax returns If it's #1 I wouldn't spend more than half an hour thinking about it, for so many reasons covered in this list before. #2 is worth spending some time on, but better hashed than encrypted. #3 or above will require an understanding of the system to provide useful guidance. -- Richard Gaskin Fourth World Systems JB wrote: That is a very interesting question! If the user enters the password or did I hardcode a password so what follows can only be executed if it included the text I put into the variable. I am in this case hardcoding it in myself. This could be text that is encrypted but it is still there even before it is put into the variable and that means it is in memory. Any suggestions to make it as secure as possible? JB On Jan 3, 2020, at 1:29 PM, Richard Gaskin via use-livecode wrote: How does the password come into the variable? -- Richard Gaskin Fourth World Systems JB wrote: What if I have secure info like a password stored in a local variable and then I clear that info by putting empty into that local variable. How secure is that procedure? I understand a local variable does not retain the info after the code finishes but I am concerned about any info left in memory. In the c language to clear the memory you set all of the blocks to null. That is because it is more secure than doing something like putting empty into the variable. So the question is when I put empty into a local variable I know when you access that variable it will return empty but if it has not been set to null then is it possible for someone to read the blocks of memory and get anything back. In c if you set all of the blocks to null and not just the first block then you have eliminated the chance of someone recovering the info. Is there a secure way to clear a variable in Livecode? JB ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
That is a very interesting question! If the user enters the password or did I hardcode a password so what follows can only be executed if it included the text I put into the variable. I am in this case hardcoding it in myself. This could be text that is encrypted but it is still there even before it is put into the variable and that means it is in memory. Any suggestions to make it as secure as possible? JB > On Jan 3, 2020, at 1:29 PM, Richard Gaskin via use-livecode > wrote: > > How does the password come into the variable? > > -- > Richard Gaskin > Fourth World Systems > > JB wrote: >> What if I have secure info like a password stored >> in a local variable and then I clear that info by >> putting empty into that local variable. >> How secure is that procedure? I understand a >> local variable does not retain the info after the >> code finishes but I am concerned about any >> info left in memory. >> In the c language to clear the memory you set >> all of the blocks to null. That is because it is >> more secure than doing something like putting >> empty into the variable. >> So the question is when I put empty into a local >> variable I know when you access that variable it >> will return empty but if it has not been set to null >> then is it possible for someone to read the blocks >> of memory and get anything back. In c if you set >> all of the blocks to null and not just the first block >> then you have eliminated the chance of someone >> recovering the info. Is there a secure way to clear >> a variable in Livecode? >> JB > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
How does the password come into the variable? -- Richard Gaskin Fourth World Systems JB wrote: What if I have secure info like a password stored in a local variable and then I clear that info by putting empty into that local variable. How secure is that procedure? I understand a local variable does not retain the info after the code finishes but I am concerned about any info left in memory. In the c language to clear the memory you set all of the blocks to null. That is because it is more secure than doing something like putting empty into the variable. So the question is when I put empty into a local variable I know when you access that variable it will return empty but if it has not been set to null then is it possible for someone to read the blocks of memory and get anything back. In c if you set all of the blocks to null and not just the first block then you have eliminated the chance of someone recovering the info. Is there a secure way to clear a variable in Livecode? JB ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
It seems I really do not need to worry too much because if I understood it correctly the memory of the variable at the end of the execution of that code is not only released but it is also deleted. Since the variable I am concerned about is used at the end of the code it does not exist after I use it because the code is finished and the memory is automatically freed and deleted. JB > On Jan 3, 2020, at 12:58 PM, Bob Sneidar via use-livecode > wrote: > > Well its really about what is going on under the hood. Memory dump for Macs > is not trivial from what I read. Apparently it involves turning off system > integrity and then booting into a special mode. At that point I stopped > reading. Not something I care to do with a production system. > > Bob S > > >> On Jan 3, 2020, at 11:58 , JB via use-livecode >> wrote: >> >> I have it figured out. >> >> You use it to delete each element of the array and >> that is the same as writing null to each element of >> the variable. >> >> I think they mean if you do not delete each element >> using this method all you are doing is putting empty >> into the variable and that would be the same as if >> you only write a null to the first element of the array. >> >> In other words putting empty into the variable is not >> secure. >> >> JB > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
I was going to say also that unless the script was in a protected stack, it WOULD be very trivial to install Livecode, put a breakpoint just before where you delete the variable, then do a memory dump at that point. Bob S > On Jan 3, 2020, at 12:58 , Bob Sneidar via use-livecode > wrote: > > Well its really about what is going on under the hood. Memory dump for Macs > is not trivial from what I read. Apparently it involves turning off system > integrity and then booting into a special mode. At that point I stopped > reading. Not something I care to do with a production system. > > Bob S > > >> On Jan 3, 2020, at 11:58 , JB via use-livecode >> wrote: >> >> I have it figured out. >> >> You use it to delete each element of the array and >> that is the same as writing null to each element of >> the variable. >> >> I think they mean if you do not delete each element >> using this method all you are doing is putting empty >> into the variable and that would be the same as if >> you only write a null to the first element of the array. >> >> In other words putting empty into the variable is not >> secure. >> >> JB > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
Well its really about what is going on under the hood. Memory dump for Macs is not trivial from what I read. Apparently it involves turning off system integrity and then booting into a special mode. At that point I stopped reading. Not something I care to do with a production system. Bob S > On Jan 3, 2020, at 11:58 , JB via use-livecode > wrote: > > I have it figured out. > > You use it to delete each element of the array and > that is the same as writing null to each element of > the variable. > > I think they mean if you do not delete each element > using this method all you are doing is putting empty > into the variable and that would be the same as if > you only write a null to the first element of the array. > > In other words putting empty into the variable is not > secure. > > JB ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
I have it figured out. You use it to delete each element of the array and that is the same as writing null to each element of the variable. I think they mean if you do not delete each element using this method all you are doing is putting empty into the variable and that would be the same as if you only write a null to the first element of the array. In other words putting empty into the variable is not secure. JB > On Jan 3, 2020, at 11:15 AM, Bob Sneidar via use-livecode > wrote: > > I think a memory dump and search of the contents is about the only thing you > can do to be sure. > > Bob S > > >> On Jan 3, 2020, at 11:11 , JB via use-livecode >> wrote: >> >> Hi Bob, >> >> yeah, I am not sure exactly what it means either. >> Different ways of doing the same thing? >> >> JB > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
Is there a easy way to do a memory dump in Livecode? Can I read the blocks of only memory for that variable? In c the blocks are a array numbered from 0 to the size of the variable which would be the length of the variable in Livecode and you can access individual blocks and that is how you write a null character to each block. If you need to dump all of the memory on your machine that might help but it would be better to dump only the memory you want to look at. Another thing to consider about dumping the memory is the result are not always predictable. If you did not write a null character to each block of that memory when you dump the memory it may not show up one time but will be there in another dump. That is why in c if you want to put empty into a variable you can set the first block to null and when you check the variable it will be empty but in a memory dump the memory may be empty and it may have some or all of the info in that block range except the first block which is the one you set to null. So the secure method you use bzero or a similar way to set every block to null. JB > On Jan 3, 2020, at 11:15 AM, Bob Sneidar via use-livecode > wrote: > > I think a memory dump and search of the contents is about the only thing you > can do to be sure. > > Bob S > > >> On Jan 3, 2020, at 11:11 , JB via use-livecode >> wrote: >> >> Hi Bob, >> >> yeah, I am not sure exactly what it means either. >> Different ways of doing the same thing? >> >> JB > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
I think a memory dump and search of the contents is about the only thing you can do to be sure. Bob S > On Jan 3, 2020, at 11:11 , JB via use-livecode > wrote: > > Hi Bob, > > yeah, I am not sure exactly what it means either. > Different ways of doing the same thing? > > JB ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
Hi Bob, yeah, I am not sure exactly what it means either. Different ways of doing the same thing? JB > On Jan 3, 2020, at 11:09 AM, Bob Sneidar via use-livecode > wrote: > > I'm not sure what this means. When you use delete variable on a script local, > it clears the contents of the variable, but the variable still exists, that > is if you can use the Script Editor variable watcher as any kind of > irrefutable evidence. > > Bob S > > >> On Jan 3, 2020, at 11:04 , JB via use-livecode >> wrote: >> >> You can't delete local or global variables, using delete you just put the >> value empty in them. >> -- >> >> So it sounds to me from the last line above that putting empty into the >> variable is secure. >> >> JB > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
I'm not sure what this means. When you use delete variable on a script local, it clears the contents of the variable, but the variable still exists, that is if you can use the Script Editor variable watcher as any kind of irrefutable evidence. Bob S > On Jan 3, 2020, at 11:04 , JB via use-livecode > wrote: > > You can't delete local or global variables, using delete you just put the > value empty in them. > -- > > So it sounds to me from the last line above that putting empty into the > variable is secure. > > JB ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
Hi Tom, Thanks for the fast reply & info! That was an interesting link. Here are a few lines from the link, -- The delete variable command not only removes the contents of the variable, but deletes it entirely from memory. If you delete a key from an array variable, that element of the array no longer exists as part of the variable. Local variables that are used within a handler are automatically deleted when the handler in which they are used exits. You can't delete local or global variables, using delete you just put the value empty in them. -- So it sounds to me from the last line above that putting empty into the variable is secure. JB > On Jan 3, 2020, at 10:55 AM, Tom Glod via use-livecode > wrote: > > A memory dump can reveal everything stored in memory for a particular > process. > > the delete variable command is what you are looking for. > > https://livecode.fandom.com/wiki/Delete_variable > > > > On Fri, Jan 3, 2020 at 1:22 PM JB via use-livecode < > use-livecode@lists.runrev.com> wrote: > >> What if I have secure info like a password stored >> in a local variable and then I clear that info by >> putting empty into that local variable. >> >> How secure is that procedure? I understand a >> local variable does not retain the info after the >> code finishes but I am concerned about any >> info left in memory. >> >> In the c language to clear the memory you set >> all of the blocks to null. That is because it is >> more secure than doing something like putting >> empty into the variable. >> >> So the question is when I put empty into a local >> variable I know when you access that variable it >> will return empty but if it has not been set to null >> then is it possible for someone to read the blocks >> of memory and get anything back. In c if you set >> all of the blocks to null and not just the first block >> then you have eliminated the chance of someone >> recovering the info. Is there a secure way to clear >> a variable in Livecode? >> >> JB >> >> >> ___ >> use-livecode mailing list >> use-livecode@lists.runrev.com >> Please visit this url to subscribe, unsubscribe and manage your >> subscription preferences: >> http://lists.runrev.com/mailman/listinfo/use-livecode >> > > > -- > Tom Glod > Founder & Developer > MakeShyft R.D.A (www.makeshyft.com) > Office:226-706-9339 > Mobile:226-706-9793 > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
Re: empty variable
A memory dump can reveal everything stored in memory for a particular process. the delete variable command is what you are looking for. https://livecode.fandom.com/wiki/Delete_variable On Fri, Jan 3, 2020 at 1:22 PM JB via use-livecode < use-livecode@lists.runrev.com> wrote: > What if I have secure info like a password stored > in a local variable and then I clear that info by > putting empty into that local variable. > > How secure is that procedure? I understand a > local variable does not retain the info after the > code finishes but I am concerned about any > info left in memory. > > In the c language to clear the memory you set > all of the blocks to null. That is because it is > more secure than doing something like putting > empty into the variable. > > So the question is when I put empty into a local > variable I know when you access that variable it > will return empty but if it has not been set to null > then is it possible for someone to read the blocks > of memory and get anything back. In c if you set > all of the blocks to null and not just the first block > then you have eliminated the chance of someone > recovering the info. Is there a secure way to clear > a variable in Livecode? > > JB > > > ___ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your > subscription preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode > -- Tom Glod Founder & Developer MakeShyft R.D.A (www.makeshyft.com) Office:226-706-9339 Mobile:226-706-9793 ___ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
