Beta plugin: HidePasswords

Charles Dye

Super Moderator
Staff member
May 20, 2008
3,617
46
Albuquerque, NM
prospero.unm.edu
#1
I'm uploading a test version of a new plugin to obscure passwords in TCMD.INI. If you don't have any passwords in your .INI file, this plugin cannot do anything good for you.

If you'd like to test this plugin, please back up your .INI file first, as the plugin does modify it. Copy the appropriate .DLL file into a subdirectory PLUGINS in your Take Command program directory, so it is always loaded at startup. Then close all instances of TCC. The first time you start TCC after installing the plugin, the passwords in your .INI file should be obfuscated.

For testing purposes I am including a little batch file SHOW.BTM which displays the current values of the obscured directives. This batch file relies on a known (deliberate) security loophole in the plugin; the loophole (and the batch file) will be removed before the plugin is released.

If you'd like to guineapig my code, you can find it here: http://www.unm.edu/~cdye/plugins/hidepasswords.html
 
#2
If you'd like to guineapig my code, you can find it here: http://www.unm.edu/~cdye/plugins/hidepasswords.html
Sorry, your CODE is not there! Dl'd, opened, and found at end the TRUE URL of the plugin. DL'd, it contained the plugin and another copy of the description. Still not the CODE. But you should keep that private anyway.

Question: Does the plugin work with the actual file as reported by %_ININAME, or does it expect the file to be called TCMD.INI? I have NO files using the default name OR the default location!

Question: If I move my mail directives into a temporary .INI file, run a new instance of TCC using the obfuscator, can I move the obfuscated mail directives back to their included file for a future instance of TCC, or does the decoder work only on directives in the primary .INI file (not TCMD.INI!), i.e., you do NOT imitate the way the preprocessors of C compilers work even in decoding? I suspect that I will have to choose between password obfuscation and easy software maintenance...
 

Charles Dye

Super Moderator
Staff member
May 20, 2008
3,617
46
Albuquerque, NM
prospero.unm.edu
#3
Sorry, your CODE is not there! Dl'd, opened, and found at end the TRUE URL of the plugin. DL'd, it contained the plugin and another copy of the description. Still not the CODE. But you should keep that private anyway.
You mean the source? I'll consider it... but honestly, there's nothing very interesting there. It's an unusual idea, I think, but the implementation is actually quite banal. (And the cryptography is perfectly amateurish, basically XORing the string with a random key.)

Question: Does the plugin work with the actual file as reported by %_ININAME, or does it expect the file to be called TCMD.INI? I have NO files using the default name OR the default location!
At startup and after the OPTION dialog is called, it gets the .INI filename via %_ININAME. At shutdown, it uses the saved filename from earlier calls, since %_ININAME is not guaranteed to be available.

Question: If I move my mail directives into a temporary .INI file, run a new instance of TCC using the obfuscator, can I move the obfuscated mail directives back to their included file for a future instance of TCC, or does the decoder work only on directives in the primary .INI file (not TCMD.INI!), i.e., you do NOT imitate the way the preprocessors of C compilers work even in decoding? I suspect that I will have to choose between password obfuscation and easy software maintenance...
I'm only processing the one file. Following INCLUDEd files opens several cans of worms that make my little head hurt: nested INCLUDEs, circular INCLUDEs, directives in more than one file....
 

Charles Dye

Super Moderator
Staff member
May 20, 2008
3,617
46
Albuquerque, NM
prospero.unm.edu
#4
I'm putting up a new build, which changes the obscured text format to correct some structural weaknesses and make obscured passwords harder to crack. This version is not backwards compatible with the first one -- if you tested build 0.90, you will need to restore your original .INI file before installing this one.

http://www.unm.edu/~cdye/plugins/hidepasswords.html