Thread: Take care who has access to your .RA2 project files

  1. #1
    In dealing with a couple of problem devices not getting transfers, I happened to look into the contents of my .RA2 project file for it.

    It'd be nice if the .RA2 zip files weren't just a binary blob of data. XML, text, JSON, SQL (of which there's some in there) would be nicer, at least for debugging.

    What I discovered was the passwords I've set for the telnet logins are stored as plain text in the file. It took knowing what to search for, but there they all were. I'd imagine all it would take for someone else to find them would be to search on the lead-in hex characters from a project of their own. Find that and you'd find where they all start in any project file.

    Lots of configuration databases get stored this way. After all, some kind of method needs to be used to get the passwords over to the devices. But it's considered good practice to at least obfuscate them to some degree. Not just leave them with no encrypting at all.

    Granted, they can just as easily bring up the whole list from the Settings->Integration window. But leaving them 'in the clear' in the config files makes it possible for anyone else not having the software to see them. So don't go leaving them on unsecured websites or shared drives.

    My advice is don't share your customer .RA2 files with anyone you wouldn't also share the usernames and passwords with. Likewise, don't put any of YOUR OWN commonly-used passwords in there, otherwise you'd be exposing them for abuse elsewhere.
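
A pre-share check along the lines of the advice above, as an added example that is not part of the original post: it scans a zip-format project file for passwords you already know and reports where they appear unencrypted. The member names, the sample password and the two encodings tried are assumptions; the thread does not document the file's internal layout.

```python
import io
import zipfile

# Encodings to try; which one a real project file uses is an assumption.
ENCODINGS = ("utf-8", "utf-16-le")

def find_cleartext_secrets(archive, secrets):
    """Return sorted (member, label, encoding) for each known secret found.

    archive: path or file-like object of a zip-format project file.
    secrets: dict of label -> password you already know (your own).
    """
    hits = set()
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # decompressed member contents
            for label, value in secrets.items():
                if not value:
                    continue  # an empty string would match everywhere
                for enc in ENCODINGS:
                    if value.encode(enc) in data:
                        hits.add((info.filename, label, enc))
    return sorted(hits)

def build_sample_project():
    """Constructed stand-in for a project file: a zip of binary members."""
    pw = "Tr0ub4dor-sample"  # constructed sample password
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("project.bin", b"\x00\x01hdr\x00" + pw.encode("utf-8") + b"\x00\xff")
        zf.writestr("settings.bin", b"\x02\x00" + pw.encode("utf-16-le") + b"\x00\x00")
        zf.writestr("layout.bin", b"\x00" * 64)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    known = {"telnet-login-1": "Tr0ub4dor-sample", "unused": "not-in-file-sample"}
    for member, label, enc in find_cleartext_secrets(build_sample_project(), known):
        # Report the label only; never echo the secret itself.
        print(f"{label}: present in cleartext in {member} ({enc})")
```

A hit on a password you also use elsewhere means that password should be changed before the file leaves your control.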

  2. #2
    Originally posted by wkearney99:
        My advice is don't share your customer .RA2 files with anyone you wouldn't also share the usernames and passwords with. Likewise, don't put any of YOUR OWN commonly-used passwords in there, otherwise you'd be exposing them for abuse elsewhere.

    I agree with the advice and the general sentiment, and I can also add that no one should be exposing HWQS/RA2 on the internet without VPN protection.

    ...but I have to ask. There are a few accounts with fixed, non-changeable passwords in each and every repeater, so why would anyone want YOUR password? :)
