Security - more complex than I thought

S**t for brains strikes again!

Why did I do that? When I met the clients and at some point they vaguely
asked whether eventually would it be possible to have some people who could
read the data and some who couldn't but that it wasn't important right now.
And I said, 'sure, we can do that later'.

So now I've developed an app without any thought to security and am trying
to apply it afterwards. Doh!, doh! and triple doh!

I've experimented a lot recently with NT permissions. And thought I had it
all sussed. Which I think I almost have, NT wise, except that if I actually
want (basically) 2 NT groups, readonly and readwrite, I find now that there
are tons of stuff in even the readonly group where they will still need
write permissions on the back end. The error log table being one (so that'll
have to go out to a separate file). Update queries that run on the Open or
Current event of forms. And so on. Add new forms which open completely blank
(because the user hasn't got permission to append?) so hiding any of my
navigation buttons. etc. etc.

As a quick and dirty approach...

I thought I'd set up users and groups, but mainly to give me something to
grab hold of. Then in the OnOpen of most forms check which group the user is
a member and make the form allowedits false and so on. That approach would
actually give me a finer level of granularity, as I could also disable
certain controls on the forms/switchboard etc. All this as an alternative to
using all the user/group permissions.

What approaches does anybody else use?

Apart from planning security from the beginning, properly, of course.

TIA, Mike MacSween (feeling like a chump)
Nov 12 '05
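
What the "quick and dirty" approach in the opening post could look like in Access VBA, as an added example that is not code from the thread: the form's Open event checks the logged-on Jet user's workgroup membership and locks the form for anyone outside the read/write group. The group name ReadWrite, the helper name IsInGroup and the control name cmdDelete are assumptions.

```vba
' ---- Standard module (added example; names are hypothetical) ----
Option Compare Database
Option Explicit

' Returns True if the logged-on Jet user is a member of the named
' workgroup group. Any error (unknown user, unreadable workgroup
' file) returns False, so the caller falls back to read-only.
Public Function IsInGroup(ByVal strGroup As String) As Boolean
    Dim usr As DAO.User
    Dim grp As DAO.Group

    On Error GoTo FailClosed
    Set usr = DBEngine.Workspaces(0).Users(CurrentUser())
    For Each grp In usr.Groups
        If StrComp(grp.Name, strGroup, vbTextCompare) = 0 Then
            IsInGroup = True
            Exit Function
        End If
    Next grp
    Exit Function

FailClosed:
    IsInGroup = False
End Function

' ---- Form module (one copy per form that needs gating) ----
Private Sub Form_Open(Cancel As Integer)
    Dim blnCanWrite As Boolean

    ' "ReadWrite" is an assumed group name in the workgroup file.
    blnCanWrite = IsInGroup("ReadWrite")

    ' Lock the whole form for everyone else.
    Me.AllowEdits = blnCanWrite
    Me.AllowAdditions = blnCanWrite
    Me.AllowDeletions = blnCanWrite

    ' Finer granularity: individual controls can be switched off too.
    ' cmdDelete is a hypothetical button on this form.
    Me.cmdDelete.Enabled = blnCanWrite
End Sub
```

These properties only gate the form UI: anyone who can open the back-end file directly, or link to its tables, is still limited only by the Jet and NT file permissions on that back end.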

dX********@bway.net.invalid (David W. Fenton) wrote in message news:<94***************************@24.168.128.78> ...
mi******************@btinternet.com (Mike MacSween) wrote in
<3f***********************@news.aaisp.net.uk>:
Like David and the 1000s of other developers who apply the
built-in security, and NT permissions, and maybe a few ideas of
their own.


For what it's worth, I have only ever built one fully secured
Access application, ever, and applied security to one application
built by someone else.

I mostly use Jet user-level security only for user identification,
and in turn for enabling/disabling certain features in an
application.

Why?

Because I long ago concluded that the main issues with security are
making sure your network cannot be attacked and then trusting your
employees. Neither of those issues have anything to do with Access.


Hear! Hear!

We have quite frequent conversations with clients (potential and
actual) regarding security, and the first thing I ask is if they have
done background checks on their employees. Amazing how many who ask
extremely detailed questions on application security haven't looked
into the backgrounds of their staff. A number don't even have
physically secure server rooms, or regular password rotation policies,
or regular cleanup of login accounts. Yes, I know these are basic, but
a lot of shops just don't do them...

And in almost all workplaces, there is an enormous amount of data
stored "outside" applications in email, spreadsheets, etc. Once you
are on the network, these are wide open.

Security HAS to be multi-layered, and dynamic. Having said that, I
wouldn't use Access/Jet for an app that had to keep data secure. But, and
this is a big but, building an app that is secure to a high level will
add significantly to the cost.
Nov 12 '05 #101

David,

On Sun, 16 Nov 2003 21:51:13 GMT, dX********@bway.net.invalid (David
W. Fenton) wrote in comp.databases.ms-access:
. . . The more weak security features you add to
a system, the more likely (not less) that system is to be
compromised in the long-term - that's my view. You may not agree
with me, but I think the more time you spend thinking about these
sorts of things, the more likely you are to see my point, and even
possibly agree with me.


I don't see how adding a few ultimately crackable barriers in back
end compromises other unrelated security measures. It's only if one
omits the other measures in the hope that the crackable barriers
will be good enough that it is a problem.

And that's clearly not the case in the present example, don't you
agree?


I've already said elsewhere that I don't wish to continue this thread.
This is the last of the unread posts I see at this time, and perhaps a
good place to close because it sums up a key difference between us.

I meant what I said above, and was not forgetting that obfuscation
methods were added to a system that already maintained standard Access
and o/s level protection mechanisms.

I believe weak methods (especially obfuscation techniques) in general
weaken security even in such cases, for two primary reasons. They
tend to make the system creators/administrators/managers feel security
has been 'enhanced' when it has not, and therefore remove a prime
catalyst for proper security review/analysis which is a proper
understanding of the threats faced/addressed. Also, they provide a
candy-trail for attackers. Every time an attacker sees and solves one
of your weak methods, they (a) realize how screwed up your sense of
security is if you decided to employ such a method was part of your
security posture and (b) are one step further 'into', and therefore
engaged with cracking your system. Think about it this way. If you
use strong encryption, one of the first hurdles an attacker faces is a
serious hurdle which is well publicized, and for which there are
no/few solutions (probably limited to brute force attacks or hacks
known to the signal intelligence orgs only). But with the sort of
systems you and Mike are talking about, each hurdle is easily
compromised, with no real difficulty. Every time the attacker solves
such a simple puzzle, they are presented with another layer that is
also addressable (perhaps with a little more effort). You are telling
the attacker that they are indeed up to the task, and that you have
not employed very difficult barriers to them reaching their goal.

For a simple example of this sort of enticement, just look at the
gaming industry. Games that are many leveled and involve challenges
starting from very simple ones and building to quite involved ones are
terribly popular, and gamers build skills (albeit useless ones) and
understanding as they work through the layers. A game that has just a
couple of levels and results in virtually everyone losing, every time,
and right off the bat, is not going to have many fans.

Security is not like gaming, sure, but I do think that implementing
weak security measures is ALWAYS a bad idea, and comes back to haunt
you in more ways than one.

With that said, I'm out of this thread.

Peter Miller
__________________________________________________ __________
PK Solutions -- Data Recovery for Microsoft Access/Jet/SQL
Free quotes, Guaranteed lowest prices and best results
www.pksolutions.com 1.866.FILE.FIX 1.760.476.9051
Nov 12 '05 #102
"David W. Fenton" <dX********@bway.net.invalid> wrote in message
Er, you've just proved Peter's point. If you don't know the answer
already, you really shouldn't be saying you do.


No. Those clients wouldn't think about 'hacking' the application. It's a
small family business. It's their data. Everybody in the organisation has,
or will have soon, at least read permissions to the data. Some have
read/write permissions. They know they can get at the data to run the
business. The idea of breaking into their own database is ridiculous to
them. If I ask them to do it as a security test they may very well have a
go. And if they succeed or not will simply be a measure of their
determination to complete the test I've set them. As we have said ad
nauseam, somebody who wants to can break into an Access database, no matter
how well secured, given enough x, y and z. So if I say that 'the security of
the system is enough to prevent casual tampering with the database by
unauthorised users' (for instance) and when I ask them to test it they get
it then what has it proved? How casual were they? It doesn't 'prove'
anybody's point at all.

You perhaps also try to come up with a form of words to describe the
security of your systems. Do you then invite the users to break in? There is
no number we can use to describe security. We can't say it's 70% secure.

Mike MacSween
Nov 12 '05 #103
"David W. Fenton" <dX********@bway.net.invalid> wrote in message
news:94***************************@24.168.128.74.. .
Actually, I think that wording is part of the problem. You're not
doing anything of the sort. What you are doing is adding some
additional barriers to your application to slow down people trying
to hack it. That's not really "making Access more secure." It's
simply adding some safeguards to your particular application.


Well yes. That's what I meant. I can't do anything to make the product
Microsoft Access more secure. I can do things to make applications I develop
using Microsoft Access more secure.

Mike
Nov 12 '05 #104
"Peter Miller" <pm*****@pksolutions.com> wrote in message
news:c6********************************@4ax.com...
Because you seem to think that the student's primary goal is to change
a particular assignment or test score, and not the final score. I
wonder why you would think this. The student would obviously not care
what composite scores are recorded, but rather what final score is
provided. That is, to me, the obvious target.


But you're wrong on this.

This might seem clever Peter and it's not meant to be. But you are a highly
experienced developer and have delved into security deeply. Where will you
find the 'final score' in the back end database? Use your knowledge of
normalisation and data schemas. Now imagine that I do actually go to the
extreme length of using non-obvious or even encrypted table names and field
names. Even encrypted data. What are you now looking for? Imagine you
actually know nothing about database structures. You've managed to crawl
your way through the maze of NT security, Access security (or Access
'security' if you like <g>), Mike's patented highly secret security system,
hidden shares etc. Because you're a student with time on your hands and
you're good at trawling the web for warez sites and stuff. Now you find
yourself at the back end data file which looks like gobbledygook.

YOU might eventually figure out that of course the final score isn't stored
anywhere. I'll bet you most students won't. Unless they're 3rd year
relational database students. It's derived data. Of course. I know we
weren't talking about that, and if you'd taken the time to consider the
actual design YOU would probably have figured that out. They won't. A table
in a back end data file will open as a datasheet, most students will look at
that and think 'spreadsheet', and start looking for a name, and a total,
like you just assumed.

Final score = sum module CATS *(sum(assignment*% of module))* year CATS

Actually it's a great deal more complex than that. There are aggregate
queries feeding crosstabs feeding other crosstabs. I forget the details now,
except it was a bloody nightmare. Obviously I did that because it's good
design. But it's another level they've got to get through. And if they
succeed makes their attempts even more detectable. If you want to get _just_
a first you've got to do some pretty clever stuff with a calculator to make
sure you alter only those marks that won't be obvious, but only enough to
just get past the threshold. Of course it's easy if you've got the FE, where
all the queries are, but...

Yours, Mike MacSween
Nov 12 '05 #105
"Peter Miller" wrote
A student with time on his hands - go figure.


Oh, one who didn't have to waste time studying because he was going to hack
himself a grade? Hey, I was studying for my grades when I was in school, and
I _still_ had a good deal of time on my hands.

Nov 12 '05 #106
pm*****@pksolutions.com (Peter Miller) wrote in
<c6********************************@4ax.com>:
On Sun, 16 Nov 2003 21:35:28 GMT, dX********@bway.net.invalid
(David W. Fenton) wrote in comp.databases.ms-access:
And it only matters in the first place if the database
application and not the instructor is calculating the final
grade, which is never the case in any academic institution I've
ever seen.


Because you seem to think that the student's primary goal is to
change a particular assignment or test score, and not the final
score. . . .


Who turns in the grades to the registrar? In every institution I've
been associated with, the final grade sheet is prepared in
duplicate/triplicate by the instructor, one copy for the
instructor's files, the other two are given to the department, and
one is kept for the department files and one goes to the
registrar's office. These papers are what determine the grade
recorded in the University registrar's computers.

Now, Mike's department appears to keep records of its own in an
Access database application for its own use (my department has easy
access to student grades in the University mainframe via a web
browser application that is able to export selected information to
spreadsheets). Changing that data in the departmental Access
application won't change the grade recorded by the Registrar's
office.
. . . I wonder why you would think this. The student would
obviously not care what composite scores are recorded, but rather
what final score is provided. That is, to me, the obvious target.
The student should be hacking the University computers, not the
Music Department's computers.

Now, if the Registrar were using an Access application to store
grades, then, yes, I'd agree there's a problem.

But a departmental application is not final, so there's really no
motivation for the student to hack it.
But there's no reason to pursue this further. . .
It never occurred to me that you would not know that
academic departments don't maintain their own authoritative grade
records -- the University does that. I wrongly assumed everyone
understood this and would see the data in Mike's app as not being
finally authoritative.
. . . You are comfortable
with employing weak methods in your security toolbox, . . .
I haven't called it "security." I've called it adding barriers to
slow down those trying to get at the data without authorization.
. . . and I am
not. We disagree about the threats faced and the difficulty
involved with thwarting them. . . .
You also don't seem to have a proper estimation of the significance
of the data involved.
. . . We disagree about the
interpretation clients will make of our statements about security
(they rely on our judgements, in security discussions with them,
being technically correct about the inability to secure
applications without instilling a justified concern is I strongly
believe, doing them a disservice).

We're simply not going to agree with each other, and we've both
made our points. I'm quite happy to work with Mike offline as he
pursues development of his security model, but I see no point in
continuing this thread.


Perhaps the reason we disagree is because I understand the
application scenario better than you do.

I'm certainly done here as everything else in your post was
repetitive. You seem to me to have stopped listening to what I'm
saying. I won't bother to correct your mis-statements of my
positions or practices, as it just doesn't seem to matter.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #107
mi******************@btinternet.com (Mike MacSween) wrote in
<3f***********************@news.aaisp.net.uk>:
YOU might eventually figure out that of course the final score
isn't stored anywhere. I'll bet you most students won't. Unless
they're 3rd year relational database students. It's derived data.
Of course. I know we weren't talking about that, and if you'd
taken the time to consider the actual design YOU would probably
have figured that out. They won't. A table in a back end data file
will open as a datasheet, most students will look at that and
think 'spreadsheet', and start looking for a name, and a total,
like you just assumed.


Er, I'm actually quite shocked at this.

I can't believe there is no method for the instructor to override a
grade that is arrived at via the grading algorithm. I do it all the
time -- a student who starts off slow and improves a lot by the end
of the semester gets bumped a half letter (from B- to B, for
instance) after I've calculated the raw score.

Indeed, what you're saying is that your application stores the grade
weighting for every course taught by every instructor. I'm shocked,
as my department leaves that up to the individual instructor,
arbitrary as it may seem.

And is the grade stored in your application the source of
University transcripts? Or is there a Registrar's office to which
grades are actually reported by your department and recorded by the
University?

My department doesn't maintain authoritative grade records -- those
are in a large, University-wide system that individual departments
don't edit (though they can retrieve and view the data). Some
departments do maintain their own systems with student schedules
and student grade histories (I was once approached by the NYU
economics department to do exactly that; I declined because I
didn't feel qualified to write a scheduling application).

I assumed this all along in this discussion, though I never
consciously articulated it.

If these grades in this application of yours are indeed
authoritative (i.e., your application's data store is the source of
grades when a student requests a transcript), then I would say you
should definitely abandon Jet for storing your data -- it is not
secure or reliable enough.

On the other hand, if this is duplicate data collected for specific
purposes determined by the department, then that's a different
story. In that case, I can't see any problem with using Jet, as
it's not mission-critical data.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #108
mi******************@btinternet.com (Mike MacSween) wrote in
<3f***********************@news.aaisp.net.uk>:
You perhaps also try to come up with a form of words to describe
the security of your systems. Do you then invite the users to
break in? There is no number we can use to describe security. We
can't say it's 70% secure.


I mostly don't secure applications at all, on the assumption that
you have to trust the authorized users. I don't even protect most
of my apps from the casual tampering an MDE front end would
prevent.

It has not been a problem in any of the dozens of apps I've ever
produced.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #109

David,

On Tue, 18 Nov 2003 03:03:08 GMT, dX********@bway.net.invalid (David
W. Fenton) wrote in comp.databases.ms-access:
It never occurred to me that you would not know that
academic departments don't maintain their own authoritative grade
records -- the University does that. I wrongly assumed everyone
understood this and would see the data in Mike's app as not being
finally authoritative.


What, is this a ploy to get me to come back to this thread after I'd
said I wouldn't post again? As you can see, it's worked, but only
because you're now pretending to know what's in my head, and what I
know and don't know, and you're for some strange reason confusing your
organization's infrastructure with Mike's.

But to clarify, of course I know that if a dept maintains its own copy
of the registrar's grade data that the dept copy is not a real target
for data manipulation. Of course, we have every reason to believe
that's not Mike's case, don't we? He's talked about data manipulation
in his app, which wouldn't be necessary if there was no data
manipulation. I don't know whether his app's data gets forwarded to
the registrar, or whether it's the central data repository itself, nor
do I care. Mike indicated he wished to protect this data from
improper use, and made clear that included modification of the data.
Just because your system has additional safeguards and dept databases
are not targets doesn't mean Mike is in a similar situation.

That said, clarify this with Mike if you need to but leave me out of
it.

Peter Miller
__________________________________________________ __________
PK Solutions -- Data Recovery for Microsoft Access/Jet/SQL
Free quotes, Guaranteed lowest prices and best results
www.pksolutions.com 1.866.FILE.FIX 1.760.476.9051
Nov 12 '05 #110
"David W. Fenton" <dX********@bway.net.invalid> wrote in message
Er, I'm actually quite shocked at this.


Why?

The marks for individual pieces of work are what are used to arrive at the
final score for that module, which are used to calculate the degree. Our
validating body doesn't care how we arrive at module total, but the
calculation method for degrees is prescribed.

Seems like a perfectly valid system to me, educationally. It's transparent
anyway.

I'm not willing to enter into any more detail as the operation of exam
boards is confidential and I'm sure it would be a disciplinary matter if I
discussed it in public.

Yours, Mike MacSween
Nov 12 '05 #111
"Mike MacSween" <mi******************@btinternet.com> wrote in
news:3f***********************@news.aaisp.net.uk:
I'm not willing to enter into any more detail as the operation of exam
Boards is confidential and I'm sure it would be a disciplinary matter if
I discussed it in public.


Why is it confidential?

(a) Might terrorists use it to help plan blowing a professor?
(b) Could entrepreneurs use it to create competitive off-shore exam boards?
(c) Would revealing these secrets result in a world-wide run on toilet paper?
(d) By Jove?
(e) All of the above?

--
Lyle
(for e-mail refer to http://ffdba.com/contacts.htm)
Nov 12 '05 #112
"Lyle Fairfield" <Mi************@Invalid.Com> wrote in message
news:Xn*******************@130.133.1.4...
"Mike MacSween" <mi******************@btinternet.com> wrote in
news:3f***********************@news.aaisp.net.uk:
I'm not willing to enter into any more detail as the operation of exam
Boards is confidential and I'm sure it would be a disciplinary matter if
I discussed it in public.


Why is it confidential?


[]

Because my employers say it is.

Mike
Nov 12 '05 #113
mi******************@btinternet.com (Mike MacSween) wrote in
<3f***********************@news.aaisp.net.uk>:
"David W. Fenton" <dX********@bway.net.invalid> wrote in message
Er, I'm actually quite shocked at this.
Why?

The marks for individual pieces of work are what are used to
arrive at the final score for that module, which are used to
calculate the degree. Our validating body doesn't care how we
arrive at module total, but the calculation method for degrees is
prescribed.


Degrees? Sorry, but I don't understand.

Are you talking about the calculation of the grade for an
individual course or the calculation of a GPA for all grades?
Seems like a perfectly valid system to me, educationally. It's
transparent anyway.

I'm not willing to enter into any more detail as the operation of
exam boards is confidential and I'm sure it would be a
disciplinary matter if I discussed it in public.


Where are you located, Mike? Ooops, I see you're in the UK. I had
completely forgotten that.

OK, my mistake -- I was thinking in terms of the US university
system where the instructor is able to determine for herself
exactly how grades are calculated.

But for transcript purposes, does the data come from your
department or from the University's database? That is, when does
the calculated grade in your department become the last word, if
ever?

In any event, given all of this, well, frankly, if this is being
done at the department level on departmental initiative, it seems
to me that the University doesn't have its act together. If there
are defined grade calculations that are determined outside the
departments, then each department should not be implementing its
own grade calculation system.

And based on this information, I would have to say that I more and
more question the wisdom of even considering storing this data in
Jet.

Sorry, but this one major piece of the puzzle definitely changes my
estimation of the balance of cost/benefit/risk, because I was
assuming data that was not definitive/authoritative.

I certainly wouldn't propose building an application storing data
of this importance in Jet files.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #114
dX********@bway.net.invalid (David W. Fenton) wrote in
news:94***************************@24.168.128.78:
OK, my mistake -- I was thinking in terms of the US university
system where the instructor is able to determine for herself
exactly how grades are calculated.


I know the rule of thumb is 10 points for each basket but I can't seem to
find where it says if that's woven ... or sunk?

--
Lyle
(for e-mail refer to http://ffdba.com/contacts.htm)
Nov 12 '05 #115
rkc

"Lyle Fairfield" <Mi************@Invalid.Com> wrote in message
news:Xn*******************@130.133.1.4...
"Mike MacSween" <mi******************@btinternet.com> wrote in
news:3f***********************@news.aaisp.net.uk:
I'm not willing to enter into any more detail as the operation of exam
Boards is confidential and I'm sure it would be a disciplinary matter if
I discussed it in public.


Why is it confidential?

(a) Might terrorists use it to help plan blowing a professor?


Why would a terrorist wanna... Never mind.
Nov 12 '05 #116
"David W. Fenton" <dX********@bway.net.invalid> wrote in message

[]

I'm sorry David, I'm not willing to comment on any of these issues in a
public forum, nor to explain why I'm not prepared to comment.

Yours, Mike MacSween
Nov 12 '05 #117
