Very Important Security Feature Missing Of Webyog

[nicmar]

I had a break-in last week and they stole my computer. It was a BIG mess to contact ALL the customers whose FTP and DB logins I had in my machine. Most where saved in Ftp-program and Webyog, and some where in textfiles and email.

Now I bought Flash FXP 3.2 and they have an excellent feature when you start the program, you must enter a password, or you can't start the program. All sites/passwords are encrypted.

This would be a very good function in webyog. You always think “it doesn't happen to me”, and so did I, but i DID happen.. 🙁

For now I will download Truecrypt (open source/freeware?) and encrypt a partition and store webyog, and its data, and all sensitive documents there.

This means that when I turn on my computer, I would need a password to reach it.

Although if I need to transport Webyog to another computer, the built in password function would be superb. I guess truecrypt takes a while to get working, and also uses some CPU/RAM.

Thank you for a great program with great support!

[peterlaursen]

Thanks for your comments …

Myself I use the Paragon Encrypted Disk http://www.paragon.ag for such encrypted storage. With it you generate a fixed-size file on your harddisk and that file can be mounted as a virtual drive. Any attemt to open, move, delete this file etc. will promt for the password and/or the encryption key.

[nicmar]

Ok, TrueCrypt is 100% free and open-source, I will try that now.

Another concern I have is Internet explorer and stored passwords in cookies. It's useful, but is it possible to store these on an encruypted drive? I think that you cant encrypt the SYSTEM (C:) drive?

How about your paragon software?

[peterlaursen]

With WinXP Proffesional (and 2K I think too) you can use the encryption option that is built-in the NTFS file system. I don't like moving for instance the 'documents and settings' folder to a virtual drive – though I read some tweak-tricks on the Internet that could do it.

But as far as MySQL goes: You may point your /datadir in configuration to any drive – also a virtual encrypted drive. If only it shows up in Windows Explorer.

[peterlaursen]

I experimented a little with the Paragon Encrypted Disk -program (I have the older version 2)

Now this is funny:

If you place your /datadir on a USB- or an Ethernet drive (or even a CF-card on a card-reader or a USB-stick), MySQL won't start. It is rigorious about the fact that the /datadir must be a LOCAL folder.

However, if I create a VIRTUAL drive with the Paragon software (and now it does not matter if it is on a local drive, an USB drive an Ethernet harddisk or even a Flash-card/a USB-stick) and put the /datadir inside that virtual drive, then I can use that datadir on any external storage with MySQL! Actually not even a 4 GIGA CF-card is very expensive anymore, so this may be quite a usable trick!

Now … that was actually what I have been after before. I have two computers with MySQL installed. I would like them to share the same /datadir (not running at the same time of course) from my Ethernet Harddisk (Just like my mailprogram data are on my Ethernet Harddisk, so that I will always have it accessible no matter which computer I am using). Actually that is possible with MySQL and a Paragon Encrypted (Virtual) Disk.

You also can place the /datadir on a Paragon Encrypted (Virtual) Disk on a Flash-card or a USB-stick (and the best of them are now as fast as a ATA 100 harddisk). Just plug-in, mount the virtual encrypted drive and start MySQL (MySQL should of course not start with Windows then – you configure that from Administrative Tasks .. Services). When you're finished stop MySQL, unplug the FLASH memory, and put it in your pocket or lock it safe somewhere! For 'ordinary' MySQL usage just edit the configuration file and let /datadir point to an ordinary local folder, and restart MySQL. Or you may simply have more MySQL instances configured on each their port.

Actually my Ethernet harddisk has two USB-slots. I can attach a Cardreader to one on those, plug in a CF-card, Create a Paragon Encrypted (Virtual) Disk on the CF-card, mount this Paragon Encrypted (Virtual) Disk with a drive letter in Windows and use it as /datadir with MySQL!

I don't know if other 'Virtual Encrypted Disk' software lets you do this.

[nicmar]

Interesting..

I created a virtual encrypted file as E: and placed the data in E:mysqldata , i simply copied it. When i connect to the DB using Sqlyog I can see all tables, but there are no tables in it..

When I try to connect using a php script it says DB Selection error : Unknown database 'dbname'

I'm not sure if I corrupted anything cause I tried to demount the virtual file while mysql was still running.. I'll reboot and see what happens..

By your descriptions paragon sounds to work just like truecrypt..

brb

EDIT: Sorry never got time to test it, i'll try again tomorrow, Do you know if i have to do anything special more than to move the files in mysqldata to a new folder and change my.ini?

[peterlaursen]

Did you specify the new /datadir in the MySQL configuration file?

[nicmar]

Yes, the problem was that i dismounted the encrypted drive while mysql was running, so it freaked out. But it all works now.

I have a bat file on startup:

“mount truecrypt disk” (actually the real parameters;)

net start mysql

net start apache2

This way it wont try to start mysql/apache2 until after the disk is mounted.. Works like a charm!

I got a problem though, I moved SQLYog from C:program to e:program (encrypted disk), but all the favorities got lost. Where are they?

When I moved it back to C: they are still gone.

I checked this path but it's empty:

C:Documents and SettingsNiclasApplication DataSQLyogFavoritesPersonal

Is it some kind of security function or something, or are my favorites still on the disk somewhere?

I wanna store the favorites on E:, the encrypted disk, not Documents and settings. All files in that folder are impossible to protect, as far as I know.

Any clue on this Peter?

[peterlaursen]

1) favorites gone … I don't have an idea .. sounds strange in my opinion.

Did you uninstall the program? Then maybe favorites are deleted – though in my opinion they ABSOLUTELY should not! Or did you just copy/move the installation folder?

Don't you have some kind of backup?

2) “I wanna store the favorites on E:, the encrypted disk, not Documents and settings.”

I don't think you can exactly like this. After all favorites are 'application data'. But your favorites need not be te SQL-files themselves – they may be links to files as well (and HTTP-links are planned!). So you can have the sql-files on E: and the favorites need only be links to the real files. Also with WinXP Proffessional you could encrypt the 'application data' folder itself with the encryption that is built in the NTFS file system.

[peterlaursen]

I have just been experimenting with installing SQLyog on more user accounts.

I did some installs and uninstalls, and the 'Favorites' were not deleted by the uninstaller.

But I did not have any 'Personal' folder in the 'Favorites' folder.

Did you get closer to the problem?

[nicmar]

S**T! Everything i just typed disappeared. While changing a windows setting it reloaded this window.. 😮

Grr, I'll retype, maybe shorter:

---

It might be hard work to change this but the favorites should be in the same folder as the program, or any folder the user want it to be in. It would have these advantages:

– You can store sites on an encrypted drive

– You can run Sqlyog from an USB drive (which could be encrypted)

– You can easily find the favorites to export/backup

I just figured something out. What's the difference between “Saved connections” and “Favorites”?

No wonder my Application Data/SQLYog/Favorites/Personal is empty. I've only been saving everything to “saved connections” (What comes up when you press CTRL-M) and probably that one got lost when I moved the program. But where is the lost data??

The “connections” got lost when I moved the program from C to E, not a proper uninstall/install.

Don't know what the disadvantages are by having all the program settings in the same folder as the program, but programs that have stuff saved in documents and settings, registry etc, are usually harder to use, backup and to move to another computer etc.

The encryption in WindowsXP is bulls–t, cause by using a simple bootable CD, you can change the administrator password and suddenly you have access to everything. I haven't actually tested this on an encrypted disk, but most people think they are secure by having a great admin-password on their WinXP, but it's so easy to “crack”, in case I'm not wrong. 🙂

Also check out FlashFXP and the password system they got. The “sites.dat” file is stored in the program folder and it's encrypted. When you start the program you must enter a password. By storing all this on an encrypted drive it's nearly impossible to find the passwords.

A feature like that would really make SQLYog secure, and I wouldn't worry for my computer to be stolen. I'd also be happy if I would know where it saves all “Saved connections”… 🙄

-nicmar

[Ritesh]

More food for thought for v5.2.

[peterlaursen]

@nicmar:

'Saved connections' are save in the SQLyog ini-file int the installation directory!

'Favorites' are SQL-scripts and are saved in 'Application Data' folder

[nicmar]

Weird, then I have no clue why they disappeared when I moved the program.. But it's good, I can back it up now 🙂

Thanks for the explanation..

[Author]

Posts