Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • September 01, 2015, 11:24:18 PM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: NANY 2009 TEASER: SQLite Scrub  (Read 3745 times)

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,079
    • View Profile
    • Read more about this member.
    • Donate to Member
NANY 2009 TEASER: SQLite Scrub
« on: December 10, 2008, 08:14:04 AM »
NANY 2009 Entry Information

Application Name SQLite Scrub
Version not released yet
Short Description Erase sensitive information from FireFox3 form, cookies and history or any other application using SQLite database for storage
Supported OSes all win32 (I hope)
Web Page none yet
Download Link watch this space...
Requirements
  • None, really. The program is only useful if you are using Firefox3 or other applications that store data in an SQLite databse, e.g. Ditto (clipboard extender)
  • In order to browse an SQLite database to see what it contains and what you would rather get rid of, you need a suitable utility. There are many; I recommend SQLite Spy (freeware).
  • No need to speak SQL :)

Description

Firefox lets you fine-tune which passwords you want it to remember, but this flexibility does not extend to other historical data it stores, such as form history. If you choose to let Firefox remember the forms you fill out, it will remember them all, even those on secure (https) websites. For example, if you've ever entered your bank account or credit card numbers on a form, Firefox remembers them. This may or may not be a concern, but I *am* paranoid about a rogue extension that could access FF's form data and deliver it to its maker.

There was once a Firefox extension to browse and edit form data, but it's defunct now and has not been updated for Firefox 3. My NANY 2009 entry is not an extension (I could never figure out how to write one!), but the upside is twofold:

- In Firefox, it can also be used to scrub data from the cookie file and (later) the history file.

- It can work with any application that uses the popular SQLite database for storing session data. One such application is the clipboard extender Ditto, which offers no way to block certain strings from being stored.

Of course, the same effect could be achieved by installing the free SQLite commandline client and writing a few simple scripts. However, that requires some familiarity with writing SQL statements. With SQLite Scrub you don't need to know any SQL, just tell it what pieces of text you want removed from the database.

Attentive readers will have noticed (I hate that phrase, don't you?) that there's a catch: you don't want your CC number stored in Firefox database, but you have to store it in SQL Scrub's configuration of elements to delete. So isn't it rather self-defeating?

It isn't, because you don't have to store the complete string. If your CC number is 12345678, you can configure it as "delete any string that ends with 78" or "delete any string that contains 456". This is much safer.

The idea is that SQLite Scrub will run at Windows startup and perform the cleanup. (It's very fast.) You can run it manually too, but in that case you need to watch for Firefox (or other supported apps) already running, since they will lock their databases and SQLite Scrub will not be able to modify them. I'm planning to add a feature to automatically close the suported application, perform the scrubbing, then restart the app.That would help, but still be suboptimal, because for example in Firefox you would lose your open tabs, etc.

Screenshot

Only a UI mockup for now, but it gives a good idea of what the finished application should look like, as well as the command set. And no, it doesn't seem to need a menu or a toolbar :) (Right-click menus though, yes.)

scrub02.pngNANY 2009 TEASER: SQLite Scrub

Features
  • Currently, it's strictly a manual configuration deal. There is an xml file where you specify what you want deleted from the database. It's easy though and there will be a step by step guidance.
  • At the monent two applications are supported: Firefox3 and Ditto.

Planned Features
  • Log and report the number of entries found and scrubbed
  • Automatically close and restart supported applications to avoid locking conflicts
  • A nice GUI for configuring the items to delete from various databases.
  • I can add support for other applications - tell me what you need. (You can use SQLite Spy, the freeware utility mentioned above, to check if a particular application uses an SQLite database.)
  • It's possible to add generic support for any sqlite database, but that would require a little more user involvement (you'd have to specify detailed information about the database: table and field names, for example. If you can do this, you can probably write your own SQL scripts, so SQLite Scrub may not be for you.)

Interested? Let me know. I probably won't be adding a GUI unless anyone wants to use it besides myself :)

.marek
« Last Edit: December 14, 2008, 06:53:54 AM by tranglos »

justice

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,896
    • View Profile
    • Donate to Member
Re: NANY 2009 TEASER: SQLite Scrub
« Reply #1 on: December 10, 2008, 09:11:51 AM »
Good idea but a GUI and some kind of rulemanagement would add to it imho.

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,079
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: NANY 2009 TEASER: SQLite Scrub
« Reply #2 on: December 10, 2008, 09:39:22 AM »
Good idea but a GUI and some kind of rulemanagement would add to it imho.

Absolutely, that's why I listed it under planned features. I can't decide on what I want it to look like, while being as simple as possible.

The program has a built-in knowledge of the layout of a particular database, so it comes with several "presets", such as "Firefox - Form history" or "Firefox - Cookies". This makes configuring it simpler, since you don't need to manually specify tables and fields; SS already knows what field to match against.

However, for each such preset you can have many rules (many patterns to delete), and for each pattern you can have many conditions (i.e.  delete records that match this condition AND match that condition...). In GUI terms, this becomes a hierarchy of collections. Very easy to express in xml, but somewhat unwieldy in a GUI.

I originally started by designing a GUI, but what I got was stacks upon stacks of dialog boxes: pick preset, create a rule, then within each rule create one or more conditions, then create another rule... So I scratched that for the moment and wrote the engine itself, driven by xml config files. At least this way I already have a semi-working app, and the GUI can come in later when I have a better grip on it.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 34,976
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Donate to Member
Re: NANY 2009 TEASER: SQLite Scrub
« Reply #3 on: December 10, 2008, 10:30:54 AM »
Tranglos!
Great to have you participating in this years NANY  :Thmbsup: :Thmbsup: :Thmbsup:

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 8,858
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Donate to Member
Re: NANY 2009 TEASER: SQLite Scrub
« Reply #4 on: December 10, 2008, 11:07:09 AM »
It isn't, because you don't have to store the complete string. If your CC number is 12345678, you can configure it as "delete any string that ends with 78" or "delete any string that contains 456". This is much safer.
This could end up deleting a lot of other data, though. What about "delete strings that have this SHA-512 hash" for really sensitive information?
- carpe noctem

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,079
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: NANY 2009 TEASER: SQLite Scrub
« Reply #5 on: December 10, 2008, 11:59:42 AM »
It isn't, because you don't have to store the complete string. If your CC number is 12345678, you can configure it as "delete any string that ends with 78" or "delete any string that contains 456". This is much safer.
This could end up deleting a lot of other data, though.

True. I admit I haven't been too concerned about this, because all the form data in Firefox, or the clips in Ditto, are not really critical pieces of information, they're just a convenience. One way to limit the potential for destruction is to have multiple conditions (where clauses) for each item to delete, e.g. text must begin with foo and end with bar. This is already implemented. At the same time, I was thinking of removing this feature and allowing only one condition per deletion rule, since it would simplify the UI greatly.


What about "delete strings that have this SHA-512 hash" for really sensitive information?

Great idea, thanks! It would slow down the operation somewhat, since the program would have to traverse whole tables, without using indexes (the same would apply to regexps) - but then such tables tend not to be very large. This feature probably won't make the initial release, but it's definitely a to-do.

tranglos

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,079
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: NANY 2009 TEASER: SQLite Scrub
« Reply #6 on: December 13, 2008, 09:32:03 PM »
(deleted, screenshot is now in the top post)
« Last Edit: December 14, 2008, 06:55:17 AM by tranglos »