Just a quick reminder that the Early Bird Special for CIDC 2020 Africa, taking place in Cape Town from April 2 to April 5, runs out this weekend. https://www.cidc2020.com/registerForm . You can join us Onsite or Online. Just don’t delay, save your hard-earned cash today.
Why Cape Town you ask? Well apart from being one of the cheapest holiday destinations to visit, it’s also the best city in the world to visit. But don’t take my word for it, 39000 readers of The Telegraph (https://www.telegraph.co.uk/travel/news/best-city-in-the-world/) voted it as the world’s best city for the 7th year in a row. We’re planning an amazing conference at a great venue.
A host of international presenters are already signed-up, including Mike Hanson, Dave Harms, Dries Driessen, John Hickey, Andy Wilton and Alejandro Elias. I’m sure I’ll be doing a session or two as well, along with some other local presenters.
We’ve negotiated a special room rate in the hotel for those needing accommodation. The Link will be posted onto the web site shortly, but the daily rate is now R1 250 for a single person room, and R1450 for a double person room. (That’s roughly $89 / $97). I’ll post the URL to https://www.cidc2020.com/accomodation.htm as soon as I have it. (To get these rates payment in full is required by mid March.)
For South African’s this is a bargain-basement opportunity to meet some of the most influential Clarion users in the world today, to learn from them, and to discover what is happening in the Clarion world. For non-South-Africans it’s an opportunity to rub shoulders with each other in the most beautiful city on the planet. This really is a one-time opportunity.
Seeing as this got postponed, is the agenda/schedule changing?
I’ve been keeping an eye on the Defcon and Blackhat conferences and I wondered if there might be some side events or games going on like Wall of Sheep and the Voting Machine hacking village?
What are the laws in Capetown for hacking and things, its bad enough we dont get taught law in school, but wouldnt wont to fall foul of the law in South Africa would I?
I remember Bruce giving some us an impromptu lesson in Wireshark when he was hacking Cambridge Uni’s network pulling our email addresses and pwd out of the network at one of the user group meetings, so I wondered if there will be anything else that attendees might get taught?
Yes. Quite a few of the presentations happened during the online phase, so we will be replacing those with something else for the conference in September. We don’t yet have replacements scheduled (submissions are welcome.)
nope. I think it’s safe to say we won’t be doing anything like that.
I talk a fair bit about network security during the NetTalk webinars. And I’m not sure I would describe what I was doing as “hacking” - but yes we did demonstrate the vulnerabilities of using insecure connections between clients and servers. I expect it was just the wi-fi in the room, not quite the Cambridge University Network.
There wasnt wifi in that room, we were plugged into ethernet sockets and the switch was acting like a hub ie there was no isolation which made it possible to pull everyone’s pop3 server address, username and pwd using Wireshark · Download. Of course, now equipment is alot cheaper and hopefully conference venues providing internet access through ethernet wall sockets wont be using a hub but a switch which provides isolation and has the switches default usernames & pwds changed. Wifi back then didnt provide isolation, I dont think it was invented back then but today hopefully wifi access point equipment has the isolation facility switched otherwise its a case of using a VPN back to our own servers or a VPN for general internet anonymity. This one is free Free VPN with no ads and no speed limits | ProtonVPN
So how do people safeguard their Clarion apps besides relying on datatypes and the runtime or is it a case of relying on Windows to provide the security?
It depends what you mean by Clarion App, and what the attack surface is.
Most Clarion folk are writing desktop applications, and if errant code is executing on the desktop (ie the attacker has control of the desktop machine) then they have bigger things to worry about. So I think you would need to define what sort of attack you are wanting to prevent, and then one can discuss the best ways of mitigating that attack.
Of course for web applications it’s a somewhat different story - the attack surface there is much larger, but in that case (presumably) the framework you have chosen to use should be “secure by default” - leans towards TLS support and so on.
For in-app security there are tools like Secwin 7, field and blob level encryption (MyTable) and so on. Presumably the back-end you choose to use is also part of the equation.
Protect in what way? What sort of function in the DLL are you trying to prevent?
First, it should be noted, that if the user has access to the DLL, inside the LAN, then you already have bigger problems than accessing the DLL. So there’s that. But that aside;
I guess generally accessing the DLL would be for one of tow purposes;
a) accessing the database and
b) running some code calculation, which returns a value.
Regarding the database, I’m not sure how well that would work without the initialisation code provided by the Exe. Certainly things that are necessary for the database connection could be implemented in the Exe if you were concerned about this.
Regarding the code calculation - I’m not sure there’s anything in my DLL’s that would need protecting from this, but if there was, it would be trivial to add some exe level code to require the Exe to be in play. (A simple object declaration would be sufficient, with a call to a method of that object in the start of the procedure, if the object isn’t there then it’ll GPF.)
Regardless of the above for access to individual procedures, I’m using Secwin 7, which prevents access to a procedure based on the login, and tests against a global object, so again, that would just GPF.
I think your sling from the hip, willingness to click suspicious links, and oversharing whats in your head are probably the biggest attack vectors you need to deal with.
Armadillo > Software Passport by Silicon Realms got bought by Digital River, nothing shows up for them in the search engines, but the last I heard it wasnt working.
Wifi back then didnt provide isolation, I dont think it was invented back then but today hopefully wifi access point equipment has the isolation facility switched otherwise its a case of using a VPN back to our own servers or a VPN for general internet anonymity. This one is free 
