Errors, bugs, questions - page 1515

 
Renat Fatkhullin:

The policy has not been changed.

Passwords are encrypted with a binding to the hardware, and the password files can be moved around within the computer. They are not decrypted when transferred to another computer/hardware.

Above I gave an example where the owner of someone else's computer gets access to the trading account:

If I insert a flash drive with my terminal into someone else's computer and, after I log in, a bad person steals some files from the folder, he will have access to the trading account.

Interestingly, even if you use someone else's computer purely as hardware, booting the OS from your own flash drive as well, the owner of the computer will still have access to the trading account if he can get to the terminal's files.

 
zaskok3:

Above is an example of the owner of someone else's computer gaining access to a trading account:

Interestingly, even if you use someone else's computer purely as hardware, booting the OS from your own flash drive as well, the owner of the computer will still have access to the trading account if he gets to the terminal files.

Let's take it one step at a time.

1. You insert a flash drive into someone else's computer. Run the terminal with the /portable flag.

2. You have finished working with the terminal, take the flash drive out of someone else's computer and put it in your pocket.

3. How can someone steal your password?

 
Can you tell me where in MetaTrader 4 to view the margin for each open order separately and not in total? Thank you
 
Slawa:

Let's take it in order.

1. You insert the USB stick into someone else's computer. You start the terminal with the /portable flag.

2. You finish working with the terminal, take the flash drive out of someone else's computer and put it in your pocket.

3. How could someone steal your password?

There are several options:

  1. As long as the flash drive is inserted, data is copied from it in the background.
  2. If the intruder knows that the flash drive was used to log on at his computer but didn't have time to copy it, then he has an opportunity/excuse to offer to copy some data for me (e.g. family photos) on any other computer. It's enough to quietly run a batch file and transfer one or two files to myself on a flash drive, which already contains the hardware of the intruder's computer.
  3. I don't know if it is possible to emulate your own hardware. You are making hardware queries via system functions. If these are intercepted and slipped to you with my computer's data, the terminal will be sure it's running where it always is.
 
Isn't anyone going to help me with the XPoints indicator? You guys! Where are you? (((( Help me with the alert!
 
zaskok3:

There are several options:

  1. As long as the flash drive is inserted, data is copied from it in the background.
  2. If the intruder knows that his computer has been logged in on from the flash drive but has not had time to copy it, then he has an opportunity/excuse to offer to copy some data for me (e.g. family photos) on any other computer. It's enough to quietly run a batch file and copy one or two files to myself on a flash drive, which already contains the hardware of the intruder's computer.
  3. I don't know if it's possible to emulate your computer's hardware. You are making hardware queries through some system function. If they are intercepted and you are slipped my computer's data, the terminal will be sure it is starting where it always does.

Give proof of your assertion.

I, in turn, can offer you a full-scale experiment.

1. Prepare a flash drive, run the client terminal from it, make sure everything works.

2. Plug that flash drive into another computer, run the client terminal and make sure everything works.

3. Copy all the data from this flash drive to another flash drive.

4. Run the terminal from the new flash drive and make sure the password (which the intruder doesn't know) is asked for.

5. And don't get fancy.

 
Slawa:

Give proof of your assertions.

I, for my part, can offer you a field experiment.

1. Prepare a flash drive, run the client terminal from it, make sure everything works.

2. Plug that flash drive into another computer, run the client terminal and make sure everything works.

3. Copy all data from this flash drive to another flash drive.

4. Run the terminal from the new flash drive and make sure the password (which the intruder doesn't know) is asked for.

No password requested, full connection to the trading account! Step by step:

  1. Only terminal.exe and the config folder were copied to the flash drive. There is nothing else.
  2. On another computer, terminal.exe /portable is run. It asks for a password, I enter it and connect.
  3. I close the terminal and copy the same things as in step 1 to a temporary drive.
  4. I remove the original flash drive from USB.
  5. I insert another flash drive.
  6. I copy everything from the temporary drive to the flash drive.
  7. I run terminal.exe /portable on it.
  8. I connect to my trading account.

The original (not virtual) machine is Windows7 SP1 x64. The other person's (not virtual) machine is Windows XP SP3 x32.

5. And don't get fancy.

Unfortunately, none of the developers saw the security hole even when the full method was described. I reproduced it; for some reason I wasn't too lazy to. You have a HOLE!

SPY

zaskok3:

Above I gave an example where the owner of someone else's computer gets access to a trading account:

Interestingly, even if you use the other person's computer purely as hardware, booting the OS from your own flash drive as well, the owner of the computer will still have access to the trading account if he gets to the terminal files.

I'm too lazy to reproduce this one.
 
zaskok3:

Above was an example where the owner of someone else's computer gains access to the trading account:

Interestingly, even if I use another computer purely as hardware, booting the OS from my own flash drive as well, the owner of the computer will still have access to the trading account if he gets to the terminal files.

It is not the host who gets it, but you yourself who gives him all your hardware.

When transferring with a flash drive to another computer, you will definitely be asked for passwords again and you may not check the "save passwords linked to the current computer" box. As a result, no passwords will be saved and no one will steal them.


And don't pretend that the item "yes, I saved the password myself by selecting the save checkbox" is not there:

On another computer, terminal.exe /portable is launched. It asks for a password - I enter it and connect.

 
Renat Fatkhullin:

It is not the host who gets it, but you yourself who transfers all your hardware to it.

Stop pretending that you don't understand anything: data can be pulled off a flash drive in the background. There are plenty of other ways. The main thing is to pull it off. You don't even have to do it on someone else's computer itself.

When you transfer with a flash drive to another computer, you will definitely be asked for your passwords again and you may not check the "keep passwords linked to the current computer" box. As a result, no passwords will be saved and no one will steal them.

And don't pretend that the "yes, I saved the password myself by selecting the save checkbox" is not there:

That checkbox is checked by default...


I had no doubt that you especially would not publicly admit to having a hole. Just as there is no doubt that you will work to fix it...

It remains for me to ask the community what they think about it. But since no one will speak out anyway, we can close the thread.

I warned guys I know, just in case, to be more careful with their mobile terminals (flash drives). Before that, I had warned the guys I know that transferring the folder would reset the login data.

 
Renat Fatkhullin:

The policy has not changed.

I don't know if the policy was changed or not, but I've had passwords reset before when transferring to another drive. Was this a bug?