Author Topic: IDEA: Temporary Access  (Read 7793 times)

Uncle John

  • Supporting Member
  • Joined in 2006
  • Posts: 38
IDEA: Temporary Access
« on: October 13, 2008, 04:05 PM »
40Hz was wondering where I was headed with my "Self destruct" idea. Seeing that he put us onto the very useful "Dead Man's Switch" app I thought it only fair to share the next step in my project with everyone.
The idea for this project came from two other projects: KeePass Portable and KeeForm. KeePass Portable has a very useful feature that enables you to drag and drop hidden passwords. You can drag and drop a password onto a web page input field, for example. KeeForm lets you do the whole thing automatically.
There are times when you would like people to access password protected resources but also limit the time they can access the resource.
KeePass and KeeForm don't cater for this very well for a number of reasons:
1. You need the entire applications plus the master password to make use of these features.
2. KeeForm only works for IE.
3. Once you get into KeePass you can "unhide" the password.
My idea is that a program that includes a selection of the features in KeePass and KeeForm, runs off a USB drive and "self destructs" after a preset time would overcome these problems. The user would simply click on an icon on the USB drive. The app would then take the browser to the specific web page and automatically log in.
KeePass uses CSecureEditEx code to secure edit controls and CodeProject shows how it could be used in a project.
I've been tempted to give it a go but I figure I will die of old age before I get it working.

 
« Last Edit: October 13, 2008, 04:09 PM by Uncle John »

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • Posts: 9,153
Re: IDEA: Temporary Access
« Reply #1 on: October 13, 2008, 04:29 PM »
"Self destruct" will never work - there will always be a way to bypass it. Refusing to activate based on time is also trivial to bypass. And even contacting a server for decryption keys (which will grant or refuse based on time/whatever) can be bypassed, although that's a bit trickier.

Depending on your exact needs, some of these problems might be acceptable, though.
- carpe noctem
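
The difference between an expiry check made on the holder's machine and one made by the server, as an added example that is not part of the thread or of any program mentioned in it. It assumes a hypothetical server that hands out a signed, expiring grant instead of the password itself; all names and the key are constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed value; stored only on the server


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_grant(resource: str, ttl_s: int, now: float) -> str:
    """Server side: mint 'resource|expiry|mac' instead of sharing the password."""
    payload = f"{resource}|{int(now) + ttl_s}"
    return f"{payload}|{_mac(payload)}"


def server_accepts(grant: str, resource: str, server_now: float) -> bool:
    """Server side: check the MAC first, then compare expiry with the server clock."""
    try:
        res, expiry, mac = grant.split("|")
        expiry_ts = int(expiry)
    except ValueError:
        return False  # malformed grant
    expected = _mac(f"{res}|{expiry}")
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # expiry or resource was edited after issuing
    return res == resource and server_now < expiry_ts


def client_side_check(expiry_ts: int, local_clock: float) -> bool:
    """USB-app style check: the answer depends on a clock the holder controls."""
    return local_clock < expiry_ts


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    grant = issue_grant("intranet-wiki", 3600, t0)
    print("server, within the hour:", server_accepts(grant, "intranet-wiki", t0 + 60))
    print("server, after expiry:   ", server_accepts(grant, "intranet-wiki", t0 + 7200))
    print("local check, stale clock:", client_side_check(t0 + 3600, t0 - 100))
```

The local check keeps returning True for as long as the local clock reads an earlier time, while the server-side decision ignores the holder's clock and rejects any grant whose expiry field was changed.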

Uncle John

Re: IDEA: Temporary Access
« Reply #2 on: October 13, 2008, 05:00 PM »
Any thoughts on CSecureEditEx?

f0dder

Re: IDEA: Temporary Access
« Reply #3 on: October 13, 2008, 05:35 PM »
Quote from Uncle John: "Any thoughts on CSecureEditEx?"
Good idea not using the default EDIT control, but I would probably have done things differently implementation-wise... Also, I'm a big fan of being able to "show contents instead of asterisks" for password controls, but obviously in the way that enabling the feature clears the current contents of the control.
- carpe noctem

Uncle John

Re: IDEA: Temporary Access
« Reply #4 on: October 14, 2008, 05:08 AM »
There might be a much easier way to achieve what I'm after. I noticed the following article that describes a simple program: herley-poster_abstract. It would seem much easier than implementing edit controls.

Uncle John

Re: IDEA: Temporary Access (Restricted Access is a better description).
« Reply #5 on: October 14, 2008, 04:23 PM »
Easier still is what I'll call the three steps forward three steps back method (see: non-technological methods in Keystroke logging).
Auto Form Filling would be nice but Auto Field filling would be sufficient.
I'd suggest that the AutoHotkey program that does the field filling should first check whether "Dead man's switch" is present before executing. This would help prevent the use of the password by anyone other than the holder of the USB drive.
I hope someone (Skrommel perhaps?) has a go at this.
After I test the device and see that it works as intended I'd like to share part 3 of my project with everyone.
« Last Edit: October 14, 2008, 05:16 PM by Uncle John »

Uncle John

Re: IDEA: Temporary Access
« Reply #6 on: October 18, 2008, 06:32 PM »
Oh. Silly me :-[ keystroke logging is only a problem when the keyboard is used to enter the password. Since my idea is to enter the password automatically I don't have to worry about methods for defeating keystroke logging.
I've found an AutoHotkey program that will do most of what I'm after at AutoFiller. All that is needed now are a few modifications....

Uncle John

Re: IDEA: Temporary Access
« Reply #7 on: October 29, 2009, 03:28 PM »
I'm glad I put the pursuit of this project on hold for a while. I've found that someone else has already done what I was hoping to accomplish: How to pwn with U3 Hack