
How often is Access security breached?

P: n/a
Further to 'Security - more complex than I thought'

Has anybody ever seen any studies? Or anecdotal evidence? Done any studies
themselves? Done any lab testing - you know - 10 users asked to get past
Access (or other) security?

It'd be interesting to know. And no, I don't have any prejudices.

Yours, Mike MacSween
Nov 12 '05 #1
32 Replies


P: n/a
TC
Gawd, do we really have to start this up again?

Prepare for 50 squintillion argumentative posts...

TC

"Mike MacSween" <mi******************@btinternet.com> wrote in message
news:3f***********************@news.aaisp.net.uk.. .
Further to 'Security - more complex than I thought'

Has anybody ever seen any studies? Or anecdotal evidence? Done any studies
themselves? Done any lab testing - you know - 10 users asked to get past
Access (or other) security?

It'd be interesting to know. And no, I don't have any prejudices.

Yours, Mike MacSween

Nov 12 '05 #2

P: n/a
rkc

"TC" <a@b.c.d> wrote in message news:1069033650.907801@teuthos...
Gawd, do we really have to start this up again?

Prepare for 50 squintillion argumentative posts...


Lock & load.
Nov 12 '05 #3

P: n/a
TC

"rkc" <rk*@yabba.dabba.do.rochester.rr.bomb> wrote in message
news:qi********************@twister.nyroc.rr.com.. .

"TC" <a@b.c.d> wrote in message news:1069033650.907801@teuthos...
Gawd, do we really have to start this up again?

Prepare for 50 squintillion argumentative posts...


Lock & load.


Ah'm ready & waitin'!

Nov 12 '05 #4

P: n/a
TC wrote:
"rkc" <rk*@yabba.dabba.do.rochester.rr.bomb> wrote in message
news:qi********************@twister.nyroc.rr.com.. .

"TC" <a@b.c.d> wrote in message news:1069033650.907801@teuthos...
Gawd, do we really have to start this up again?

Prepare for 50 squintillion argumentative posts...


Lock & load.


Ah'm ready & waitin'!


Look what I want to know is how to make an exe out of my mdb..... there's
gotta be a way! ;)
Nov 12 '05 #5

P: n/a
"Deano" <de*********@hotmail.com> wrote in message
news:%L******************@wards.force9.net...
Look what I want to know is how to make an exe out of my mdb..... there's
gotta be a way! ;)


Hah bloody hah. Really witty that.

How tedious it must be for you to read the same questions over and over
again. Tough. I took this out to a new thread because in the other one I've
been told umpteen times - 'Access ain't secure'. OK then, let's find out how
insecure it is. That was the point of the question. If you're not going to
post a useful reply then just SFU.
Nov 12 '05 #6

P: n/a
Mike MacSween wrote:
"Deano" <de*********@hotmail.com> wrote in message
news:%L******************@wards.force9.net...
Look what I want to know is how to make an exe out of my mdb.....
there's gotta be a way! ;)


Hah bloody hah. Really witty that.

How tedious it must be for you to read the same questions over and
over again. Tough. I took this out to a new thread because in the
other one I've been told umpteen times - 'Access ain't secure'. OK
then, let's find out how insecure it is. That was the point of the
question. If you're not going to post a useful reply then just SFU.


Sorry if I offended you mate, just having a laugh at the expense of previous
OPs on that particular subject.

While I'm not particularly knowledgeable on Access security, despite having
read the FAQ, I will endeavour to cobble some thoughts together and bring us
back on-topic. Mind you I can't guarantee they will be particularly
ground-breaking :)
Nov 12 '05 #7

P: n/a
"Deano" <de*********@hotmail.com> wrote in message
news:kx******************@wards.force9.net...
Sorry if I offended you mate, just having a laugh at the expense of previous OPs on that particular subject.
That's OK. What's an OP?
While I'm not particularly knowledgeable on Access security, despite having read the FAQ, I will endeavour to cobble some thoughts together and bring us back on-topic. Mind you I can't guarantee they will be particularly
ground-breaking :)


It's not whether Access is or isn't secure, or what secure means and so on.
We've been there, done that, had the full and frank exchange of views. It's
the outcome. OK, we may not agree on whether it's worth it, but what
actually happens in the real world of Access apps that are in use? Do they
get broken into a lot/sometime/hardly ever. By what sort of people, in what
circumstances, with what effects? Has any controlled testing been done? etc.
etc.

Yours, Mike MacSween

By the way, you aren't Dean MacDermott are you? If so I apologize with all
my heart and why aren't you booking me for your guitar jobs.
Nov 12 '05 #8

P: n/a
rkc

"Mike MacSween" <mi******************@btinternet.com> wrote in message
news:3f***********************@news.aaisp.net.uk.. .
"Deano" <de*********@hotmail.com> wrote in message
news:%L******************@wards.force9.net...
Look what I want to know is how to make an exe out of my mdb..... there's gotta be a way! ;)
Hah bloody hah. Really witty that.

How tedious it must be for you to read the same questions over and over
again. Tough. I took this out to a new thread because in the other one
I've been told umpteen times - 'Access ain't secure'. OK then, let's find
out how insecure it is. That was the point of the question. If you're not
going to post a useful reply then just SFU.


You've already heard from the experts and the highly opinionated on the
value of Access security. That's a done deal.

Seems to me the only real question that remains is whether you are
comfortable with your home grown solution in the environment you're in. If
you are, implement it. If you aren't, use a more secure product for the back
end.

MSDE is free and if you have the Access developers edition you have a
license to use it in the same way you use Jet. In the long run spending time
with MSDE can only be beneficial to you.


Nov 12 '05 #9

P: n/a
"rkc" <rk*@yabba.dabba.do.rochester.rr.bomb> wrote in message
news:li*******************@twister.nyroc.rr.com...
You've already heard from the experts and the highly opinionated on the
value of Access security. That's a done deal.
Yes, I know. The point of this 2nd post was - 'we all know what we think of
Access security, does it actually matter?' Put it like this, if people here,
Access developers, are churning out applications using NT permissions and
Access security, with nothing else (like DIY and obfuscation) and aren't
having data nicked/altered without permission very frequently or not at all,
then that gives us some sign doesn't it?

You might think that's completely the wrong perspective. You might be right.
But I'd like to hear what happens.
MSDE is free and if you have the Access developers edition you have a
license to use it in the same way you use Jet. In the long run spending time
with MSDE can only be beneficial to you.


Yup, MSDE looks like a good thing to investigate.

Yours, Mike MacSween
Nov 12 '05 #10

P: n/a
Mike MacSween wrote:
"Deano" <de*********@hotmail.com> wrote in message
news:kx******************@wards.force9.net...
Sorry if I offended you mate, just having a laugh at the expense of
previous OPs on that particular subject.
That's OK. What's an OP?


Original poster - just learned that one recently.
While I'm not particularly knowledgeable on Access security, despite having
read the FAQ, I will endeavour to cobble some thoughts together and
bring us back on-topic. Mind you I can't guarantee they will be
particularly ground-breaking :)


It's not whether Access is or isn't secure, or what secure means and
so on. We've been there, done that, had the full and frank exchange
of views. It's the outcome. OK, we may not agree on whether it's
worth it, but what actually happens in the real world of Access apps
that are in use? Do they get broken into a lot/sometime/hardly ever.
By what sort of people, in what circumstances, with what effects? Has
any controlled testing been done? etc. etc.

For me there are a particular set of competitors who I know will be able to
hack my app to a certain extent, i.e they can rip the tables. Ideally I
wouldn't want this to happen but the way my app works means Access Security
has to be manipulated programmatically and it's all a bit too much to do at
this stage. Time and money and the difficulty involved are the deciding
factors there.
Luckily for me the data isn't really important. It's what I do with it
behind the scenes that is crucial and I wouldn't want anyone seeing the
source code, so I distribute using an MDE.
Re unauthorised user of my app;

Most of my users only have basic pc know-how - no surprise there. Some of
them are advanced but again the best they could do is to rip the tables. I
do supply the program with a password that is unique to each program and I
ask the user to keep that confidential. I view it as a very basic first line
of defence to stop table-ripping. I know it's no stronger than a wet
tissue...

I am interested to see what happens re passwords. The app is complex enough
to justify hardcoded internal passwords that the user doesn't know about and
I'm intrigued to see how far one copy of the app spreads.

I have beta versions of my app and I only get the occasional bug report. As
far as I know no one has hacked it in a meaningful way.
I'm very glad that I haven't got loads of complaints saying my beta app has
messed up lots of machines - that would be more of a nightmare than people
subverting my security since no one would want to buy the damn thing!

I think the most unsettling thing is that once it's out there others will be
inspired to produce their own version of it and that's something you can't
stop.

By the way, you aren't Dean MacDermott are you? If so I apologize
with all my heart and why aren't you booking me for your guitar jobs.


:)
Nah, sorry, I'm not the droid you're after....


Nov 12 '05 #11

P: n/a
And I ask you, how do you know that people have not been breaking in and
getting data that they should not have, exactly? Because they have not been
caught?

The undertone of security concern in the media is on viruses and worms, both
of which fail to account for the real bad cases where someone just keeps
breaking in and being careful not to get caught. In a world where someone
might steal just one $20 out of your wallet now and again rather than taking
all your money at once, do you really feel more secure if you do not notice
anything missing? Do you really feel that leaving your wallet out for such
things to happen is in your best interests?

Using Access/Jet security is a LOT like leaving your fly unzipped. It might
be good to think about that a bit before you keep coming here and waving
your "privates" err..... "private solutions" around.
--
MichKa [MS]
NLS Collation/Locale/Keyboard Development
Globalization Infrastructure and Font Technologies

This posting is provided "AS IS" with
no warranties, and confers no rights.
"Mike MacSween" <mi******************@btinternet.com> wrote in message
news:3f***********************@news.aaisp.net.uk.. .
"rkc" <rk*@yabba.dabba.do.rochester.rr.bomb> wrote in message
news:li*******************@twister.nyroc.rr.com...
You've already heard from the experts and the highly opinionated on the
value of Access security. That's a done deal.
Yes, I know. The point of this 2nd post was - 'we all know what we think
of Access security, does it actually matter?' Put it like this, if people
here, Access developers, are churning out applications using NT permissions
and Access security, with nothing else (like DIY and obfuscation) and aren't
having data nicked/altered without permission very frequently or not at all,
then that gives us some sign doesn't it?

You might think that's completely the wrong perspective. You might be right.
But I'd like to hear what happens.
MSDE is free and if you have the Access developers edition you have a
license to use it in the same way you use Jet. In the long run spending time
with MSDE can only be beneficial to you.


Yup, MSDE looks like a good thing to investigate.

Yours, Mike MacSween

Nov 12 '05 #12

P: n/a
Deano wrote:

<big snip>

One other important point is that my app is not networked (yet). That's one
enormous layer of complexity that I deliberately removed and that I suspect
is more pertinent to your question.

From my point of view I see security as issues of my intellectual property
and ensuring authorised use. The internal security of the app that I
provide for the user is as stated (i.e proper Access security is not
implemented), but I also provide a login form so that different users can
alter different data. That will be subject to how they choose to organise
it. As a default I allow them complete control and they can lock down as
they see fit.
Nov 12 '05 #13

P: n/a
"Michael (michka) Kaplan [MS]" <mi*****@online.microsoft.com> wrote in
message news:3f********@news.microsoft.com...
And I ask you, how do you know that people have not been breaking in and
getting data that they should not have, exactly? Because they have not been caught?
Yes, I'm aware of that. The question was obviously asking for general
experiences. But presumably security breaches will be detected sometimes. I
wasn't asking for people's experiences of security breaches that they weren't
aware of. I'm not that much of a cretin.
The undertone of security concern in the media is on viruses and worms, both
of which fail to account for the real bad cases where someone just keeps
breaking in and being careful not to get caught. In a world where someone
might steal just one $20 out of your wallet now and again rather than taking
all your money at once, do you really feel more secure if you do not notice
anything missing? Do you really feel that leaving your wallet out for such
things to happen is in your best interests?
NOT 'leaving my wallet out' is EXACTLY what David and I have been saying is
an acceptable approach to security, sometimes.
Using Access/Jet security is a LOT like leaving your fly unzipped. It might be good to think about that a bit before you keep coming here and waving
your "privates" err..... "private solutions" around.


Wouldn't be the first time! Are you saying I'm making a fool of myself?
Because I'm naive enough to ask a straightforward question and make it clear
that I am unsure of some of the issues here? Or is it just an unwillingness
to go along with the 'accepted wisdom' without question that is considered
such a gaffe.

If you mean the other thing then there's been at least one technique which
I've hinted at but not actually revealed, precisely to avoid the attentions
of a particularly savvy hacker who types 'Access, security, Mike MacSween'
into a search engine.

Yours, Mike MacSween
Nov 12 '05 #14

P: n/a
mi******************@btinternet.com (Mike MacSween) wrote in
<3f***********************@news.aaisp.net.uk>:
"rkc" <rk*@yabba.dabba.do.rochester.rr.bomb> wrote in message
news:li*******************@twister.nyroc.rr.com.. .
You've already heard from the experts and the highly opinionated
on the value of Access security. That's a done deal.


Yes, I know. The point of this 2nd post was - 'we all know what we
think of Access security, does it actually matter?' Put it like
this, if people here, Access developers, are churning out
applications using NT permissions and Access security, with
nothing else (like DIY and obfuscation) and aren't having data
nicked/altered without permission very frequently or not at all,
then that gives us some sign doesn't it?


Actually, I don't think it does.

What matters is not the frequency of it, but the seriousness of the
breach when it happens. And if it has not happened to any of us and
it happens to you, that becomes infinitely more important than the
fact that nobody else has experienced.

You're also assuming that the hacking would be detected in every
instance. You know, of course, that somebody can take a copy of the
files and hack it and use the data that way and the original
developer would never know about it.

So, I'm not sure there's any utility in even asking the question,
since the answers won't really mean anything for your particular
application.

You're either satisfied with the level of protection you've
implemented for the operating environment in question or you're
not. Reports from other developers won't really change the balance
of that equation.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #15

P: n/a
"David W. Fenton" <dX********@bway.net.invalid> wrote in message
You're either satisfied with the level of protection you've
implemented for the operating environment in question or you're
not. Reports from other developers won't really change the balance
of that equation.


Well we've just had an extremely long thread where I've been told at length
that Access security is very weak.

So if Dan Developer were to say - 'I develop small Access/Jet apps for SME's
installed on 5-50 user LANs concentrating on the widget industry. I've never
heard of any security problems with any of my apps', that sort of comment
might at least let me know whether the discussion we've just had was at all
worthwhile.

I think that something that's been missed is the huge difference between
data theft (but existing data left intact) and unauthorised changes/damage
to the 'real' data. They're obviously related but are a different set of
risks, which will clearly have very different implications depending upon
the nature of the business.

Yours, Mike MacSween
Nov 12 '05 #16

P: n/a
Mike,

I never heard of a security problem with any of the apps I worked on, many
of which were completely unsecured and others of which were secured using
Access security. But, my clients were primarily concerned about the data
and, in most cases, that was secured at the server DB in a Client-Server
environment.

Neither they nor I were particularly concerned with someone stealing the
application -- I worked on "bespoke apps" for specific clients and they
were all used "in-house". And, for the ones (quite a few) done in Access
2.0, there was no way to even minimally secure queries, forms, reports,
macros, and modules. I'm sure Michka, Peter, David and others will verify
that Access 2.0 security had a hole big enough to fly the Mir through. (The
Mir was the very large Soviet space station contemporary with Access 2.0,
now burned up on reentry when its orbit decayed. Access 2.0, though, is
still around, security hole and all.)

Larry Linson


"Mike MacSween" <mi******************@btinternet.com> wrote in message
news:3f***********************@news.aaisp.net.uk.. .
"David W. Fenton" <dX********@bway.net.invalid> wrote in message
You're either satisfied with the level of protection you've
implemented for the operating environment in question or you're
not. Reports from other developers won't really change the balance
of that equation.
Well we've just had an extremely long thread where I've been told at
length that Access security is very weak.

So if Dan Developer were to say - 'I develop small Access/Jet apps for SME's
installed on 5-50 user LANs concentrating on the widget industry. I've never
heard of any security problems with any of my apps', that sort of comment
might at least let me know whether the discussion we've just had was at all
worthwhile.

I think that something that's been missed is the huge difference between
data theft (but existing data left intact) and unauthorised changes/damage
to the 'real' data. They're obviously related but are a different set of
risks, which will clearly have very different implications depending upon
the nature of the business.

Yours, Mike MacSween

Nov 12 '05 #17

P: n/a

On Tue, 18 Nov 2003 00:07:10 GMT, "Larry Linson"
<bo*****@localhost.not> wrote in comp.databases.ms-access:
I'm sure Michka, Peter, David and others will verify
that Access 2.0 security had a hole big enough to fly the Mir through.


Sure.

Access 2.0's security flaw made use of the security system completely
optional. You could set up security as per the instructions, and it
would appear to work (ie, tests would appear to successfully require
privileged user status for many types of operations), but the security
could be completely bypassed (ie, not cracked, but simply not used at
all) by a certain simple technique. This affected non-data objects
more than data objects, but data objects had their flaws too.

Peter Miller
__________________________________________________ __________
PK Solutions -- Data Recovery for Microsoft Access/Jet/SQL
Free quotes, Guaranteed lowest prices and best results
www.pksolutions.com 1.866.FILE.FIX 1.760.476.9051
Nov 12 '05 #18

P: n/a
Oh, also, even though I was not aware of it, those applications could have
been penetrated many times, and both the application and the data stolen.
But, the one on which I did the most work from 1995 - 2000 was so tailored
to the client and the information that was so vital to them was so useless
to anyone else that I can't imagine anyone _would have bothered_.

Nov 12 '05 #19

P: n/a
"Peter Miller" wrote
. . .the security could be completely bypassed
(ie, not cracked, but simply not used at all) by
a certain simple technique. This affected non-
data objects more than data objects, but data
objects had their flaws too.


Yes, the fabled "CopyObject flaw" was what I had in mind -- the one that
wasn't acknowledged until _someone_ got so frustrated that he posted it
right here (1994-1995, I seem to recall). I know I have the code tucked
away, but probably even recall both the technique and code.

I only used it a few times, and even then, just to prove the point to
disbelieving colleagues. It was fun to see their jaws drop when they watched
me get an unsecured copy of all their precious objects that they had gone to
such lengths to protect and that they thought so well protected.

If that code was posted in 1995, it may still be findable in Google; seems
to me that there was a later repost when someone couldn't find the original
in Deja News.

The discussion over that posting was where I first became really acquainted
with Michael Kaplan and Peter Miller -- who had opposing positions on the
subject of whether posting it was the right thing to do.

Larry Linson
Nov 12 '05 #20

P: n/a
mi******************@btinternet.com (Mike MacSween) wrote in
<3f***********************@news.aaisp.net.uk>:
"David W. Fenton" <dX********@bway.net.invalid> wrote in message
You're either satisfied with the level of protection you've
implemented for the operating environment in question or you're
not. Reports from other developers won't really change the
balance of that equation.
Well we've just had an extremely long thread where I've been told
at length that Access security is very weak.


But you already knew that.
So if Dan Developer were to say - 'I develop small Access/Jet apps
for SME's installed on 5-50 user LANs concentrating on the widget
industry. I've never heard of any security problems with any of my
apps', that sort of comment might at least let me know whether the
discussion we've just had was at all worthwhile.
No, because you're developing your application for a completely
different purpose, for an entirely different industry and for a
different client. There is no reason to assume that there's
anything transferrable from the other contexts.
I think that something that's been missed is the huge difference
between data theft (but existing data left intact) and
unauthorised changes/damage to the 'real' data. They're obviously
related but are a different set of risks, which will clearly have
very different implications depending upon the nature of the
business.


One thing that may not be clear is that Peter made a point about
Wayne's advice -- it would be much more valuable if the encoding
took account of data within the record. If, for instance, the PK of
the grade record were used as a seed value for the encryption of
the grade, there could only ever be one correct encoding for each
record in the grade table. You couldn't copy a grade because the PK
would, of necessity, be different, and therefore the result of the
grade calculation would be different.

It might be possible to encode in a manner that made it immediately
obvious that the record had been tampered with, say a check digit
that was calculated using the PK or something like that.

If you go that route (though I wouldn't) I highly recommend that
you consider this issue.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #21
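
An added example, not part of the thread: one way to get the property David describes (a stored grade that is only valid for its own primary key, plus a check that exposes tampering) is a keyed MAC over the key and the value, used here in place of a homemade encoding or check digit. The table name, sample rows and key are constructed, and the sketch assumes the key is held somewhere the database user cannot read.

```python
import hashlib
import hmac

# Constructed demo key. Assumption: in real use the key is kept outside the
# .mdb and its front end; anyone who can read the key can recompute tags.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TABLE = "tblGrade"  # hypothetical table name


def _message(table, pk, grade):
    # Length-prefix each field so that different (table, pk, grade) triples
    # can never serialise to the same byte string.
    parts = [table.encode(), str(pk).encode(), grade.encode()]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def make_tag(key, table, pk, grade):
    """Tag that binds the grade to the row's primary key and table."""
    return hmac.new(key, _message(table, pk, grade), hashlib.sha256).hexdigest()


def verify_row(key, table, row):
    """True only if the stored tag matches this row's own pk and grade."""
    expected = make_tag(key, table, row["pk"], row["grade"])
    return hmac.compare_digest(expected, row.get("tag") or "")


def audit(key, table, rows):
    """Return the primary keys of rows whose tag does not verify."""
    return [r["pk"] for r in rows if not verify_row(key, table, r)]


def build_sample():
    """Three constructed grade rows, each tagged at write time."""
    rows = [
        {"pk": 101, "grade": "C"},
        {"pk": 102, "grade": "A"},
        {"pk": 103, "grade": "B"},
    ]
    for r in rows:
        r["tag"] = make_tag(DEMO_KEY, TABLE, r["pk"], r["grade"])
    return rows


def tamper(rows):
    """Simulate two edits made directly in the table, without the key."""
    rows = [dict(r) for r in rows]
    # Row 101: copy a good grade AND its tag from row 102. The tag is
    # valid, but only for pk 102, so it fails under pk 101.
    rows[0]["grade"], rows[0]["tag"] = rows[1]["grade"], rows[1]["tag"]
    # Row 103: change the grade and leave the old tag in place.
    rows[2]["grade"] = "A"
    return rows


if __name__ == "__main__":
    clean = build_sample()
    print("clean table flagged:", audit(DEMO_KEY, TABLE, clean))
    print("tampered table flagged:", audit(DEMO_KEY, TABLE, tamper(clean)))
```

This detects changes; it does not hide the grade, and it does not stop someone deleting a row or restoring an older row together with its older tag.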

P: n/a
"Mike MacSween" <mi******************@btinternet.com> wrote...
Using Access/Jet security is a LOT like leaving your fly unzipped. It
might be good to think about that a bit before you keep coming here
and waving your "privates" err..... "private solutions" around.
Wouldn't be the first time! Are you saying I'm making a fool of myself?
Because I'm naive enough to ask a straightforward question and make it
clear that I am unsure of some of the issues here? Or is it just an
unwillingness to go along with the 'accepted wisdom' without question that
is considered such a gaffe.
No, not at all. It is more the disdain for the people who point out the
flaws in the nature of the approach, or the "well tell me what's wrong with
it, then" type of response.

If they can get to it at all (which they must, to use it, right? <g>), then
they can get in. And it's a lot easier than you are willing to accept. It is
your refusal to believe this that bothers me.

Remember that King Canute *knew* he could not sweep back the tide; he was
just trying to show his advisors that they were not thinking clearly
enough....
If you mean the other thing then there's been at least one technique which
I've hinted at but not actually revealed, precisely to avoid the attentions of a particularly savvy hacker who types 'Access, security, Mike MacSween'
into a search engine.


If it were only that simple to avoid....
--
MichKa [MS]
NLS Collation/Locale/Keyboard Development
Globalization Infrastructure and Font Technologies

This posting is provided "AS IS" with
no warranties, and confers no rights.

Nov 12 '05 #22

P: n/a
"Michael (michka) Kaplan [MS]" <mi*****@online.microsoft.com> wrote in
message news:3f********@news.microsoft.com...
"Mike MacSween" <mi******************@btinternet.com> wrote...
Using Access/Jet security is a LOT like leaving your fly unzipped. It
might be good to think about that a bit before you keep coming here
and waving your "privates" err..... "private solutions" around.
Wouldn't be the first time! Are you saying I'm making a fool of myself?
Because I'm naive enough to ask a straightforward question and make it
clear that I am unsure of some of the issues here? Or is it just an
unwillingness to go along with the 'accepted wisdom' without question that
is considered such a gaffe.


No, not at all. It is more the disdain for the people who point out the
flaws in the nature of the approach, or the "well tell me what's wrong with
it, then" type of response.


I hope that I haven't treated posters with greater knowledge than I with
disdain. However I find blunt 'all I can tell you is you're wrong' responses
unhelpful. If I come up with an idea I DO want to be told what's wrong with
it.
If they can get to it at all (which they must, to use it, right? <g>), then
they can get in. And it's a lot easier than you are willing to accept. It is
your refusal to believe this that bothers me.
It may well bother you. I think that there is clearly a huge difference
between, let's say, a data file stored on an unsecured Windows 95 machine
with an obvious name in an obviously named directory, perhaps with a desktop
shortcut to it, and a FE/BE split with the BE on a server running under
windows 2000+ with strong passwords enforced, Jet security, some of the
ideas suggested for DIY 'security' etc. etc. It's harder to get unauthorised
access to the latter than the former. That is obvious. And it's all I'm
saying. IT IS POSSIBLE TO MAKE IT PROGRESSIVELY HARDER TO GAIN UNAUTHORISED
ACCESS TO AN ACCESS DATABASE. I don't know why you and Peter seem unable to
accept what is to me a clear truth. You can make it harder. That's all. And
that's all I'm discussing here. All I can conclude is we aren't talking
about the same thing.
Remember that King Canute *knew* he could not sweep back the tide; he was
just trying to show his advisors that they were not thinking clearly
enough....


Yes, most people get that wrong don't they?

Yours, Mike MacSween
Nov 12 '05 #23

P: n/a
Mike MacSween wrote:
"Michael (michka) Kaplan [MS]" <mi*****@online.microsoft.com> wrote in
message news:3f********@news.microsoft.com...
"Mike MacSween" <mi******************@btinternet.com> wrote...
Using Access/Jet security is a LOT like leaving your fly unzipped.
It might be good to think about that a bit before you keep coming
here and waving your "privates" err..... "private solutions"
around.

Wouldn't be the first time! Are you saying I'm making a fool of
myself? Because I'm naive enough to ask a straightforward question
and make it clear that I am unsure of some of the issues here? Or
is it just an unwillingness to go along with the 'accepted wisdom'
without question that is considered such a gaffe.


No, not at all. It is more the disdain for the people who point out
the flaws in the nature of the approach, or the "well tell me what's
wrong with it, then" type of response.


I hope that I haven't treated posters with greater knowledge than I
with disdain. However I find blunt 'all I can tell you is you're
wrong' responses unhelpful. If I come up with an idea I DO want to be
told what's wrong with it.
If they can get to it at all (which they must, to use it, right? <g>),
then they can get in. And it's a lot easier than you are willing to
accept. It is your refusal to believe this that bothers me.


It may well bother you. I think that there is clearly a huge
difference between, let's say, a data file stored on an unsecured
Windows 95 machine with an obvious name in an obviously named
directory, perhaps with a desktop shortcut to it, and a FE/BE split
with the BE on a server running under windows 2000+ with strong
passwords enforced, Jet security, some of the ideas suggested for DIY
'security' etc. etc. It's harder to get unauthorised access to the
latter than the former. That is obvious. And it's all I'm saying. IT
IS POSSIBLE TO MAKE IT PROGRESSIVELY HARDER TO GAIN UNAUTHORISED
ACCESS TO AN ACCESS DATABASE. I don't know why you and Peter seem
unable to accept what is to me a clear truth. You can make it harder.
That's all. And that's all I'm discussing here. All I can conclude is
we aren't talking about the same thing.
Remember that King Canute *knew* he could not sweep back the tide;
he was just trying to show his advisors that they were not thinking
clearly enough....


Yes, most people get that wrong don't they?


While I'm enjoying this thread might I interject with this question - should
programmers, be they Access people or whatever, embrace DRM (digital rights
management) and Microsoft's Palladium idea and suchlike, with the view that
it offers developers and publishers *potentially* greater control of who
owns and uses their software?
I reckon most folk would think that DRM is a bad thing if it's forced onto
them but would programmers be seduced if it saved them the grief of trying
to ensure authorised use of their work?
And maybe DRM might be employed to make apps harder to hack into? I have no
idea, just putting the idea out there.

Apparently Microsoft want to make DRM a *core* part of the next version of
Windows. This article on the subject is quite interesting
http://www.theregister.co.uk/content/55/33958.html



Nov 12 '05 #24

P: n/a
"Mike MacSween" wrote
Further to 'Security - more complex than I thought'

Has anybody ever seen any studies? Or anecdotal evidence? Done any studies
themselves? Done any lab testing - you know - 10 users asked to get past
Access (or other) security?

It'd be interesting to know. And no, I don't have any prejudices.

Yours, Mike MacSween


I haven't read the other monster thread on this. But I will pipe in
to give my own perspective.
Access security will fool most of your users into believing it is 100%
secure. Which is fine. Access security will, in many cases, foil
users' attempts to bypass it. However, you should always be wary
about the remainder: those who are NOT fooled, and those who ARE
willing to go to some lengths to bypass your security. It IS possible
to do so, 100% of the time, with any amount of (Access/JET-based)
security.

So, you then ask, should I use Access/JET security or store my data in
a server-based DBMS? Let's go on an example-by-example basis, and
build our rules from the examples:

Contains names and SSN's--probably not. Your users can copy the file
and crack it, gaining all the names/SSNs. Will it profit your users?
Very unlikely. How many SSNs are you storing? A million? A hundred?
Ten? How many users do you have to trust? Two? Fifty? Four
thousand (okay, not with an Access backend, but you get the idea)?

Contains employee salary information--no. Users have too much to gain
by cracking security.

Storing information that can be externally verified, such as
timesheet info (may be verified by looking at the signed, paper
timesheets)--yes, I don't see what a user can gain by changing their
time, or someone else's time.
Thus the rule: The cost of breaching security SHOULD AT ALL TIMES be
more than the potential benefit of breaching security. If a user can
possibly profit with $1000 (rough guesstimate) worth of information,
don't store the information in Access/JET tables, which can be
breached with the crack program and the cracker's time, let's estimate
$150. If it costs several bajillion dollars' worth of your employee
time to rebuild the backend MDB from a backup after an employee
deletes the backend file, you should consider that a severe (though
unlikely) security risk. Apply this rule to the following (risks) of
using Access/JET security for your backend data:

--Deletion of any necessary file to use the program, specifically:
-The backend MDB file
-The workgroup MDW file

--Unauthorized access to data, such as SSNs or payroll or medical
chart info
-Individual 'targeted' accesses
-Wholesale information stealing

--Unauthorized modifying of production data, e.g. "Computer, give me a
MILLION DOLLARS"

--Disruption of database service for a period of time (calculate the
cost of several employees not being able to complete their tasks, in
employee time and in customer loss/quality of service issues)
Nov 12 '05 #25

P: n/a
de*********@hotmail.com (Deano) wrote in
<4Z******************@wards.force9.net>:
should programmers, be they Access people or whatever, embrace DRM
(digital rights management) and Microsoft's Palladium idea and
suchlike, with the view that it offers developers and publishers
*potentially* greater control of who owns and uses their software?


I would say NO. If it were not for the way the Digital Millennium
Copyright Act is written, then I would see it differently. The
problem with the DMCA is that it makes too many things criminal
which should not be -- anything that even smells like circumvention
is heavily penalized.

And that's where the problem is, from my point of view. It's not
with digital rights management per se, it's with the way the law
works with DRM to penalize far more acts than should be restricted.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #26

P: n/a
ps********@zombieworld.com (Pete) wrote in
<98**************************@posting.google.com >:
--Deletion of any necessary file to use the program, specifically:
-The backend MDB file
-The workgroup MDW file


Um, this is never a risk if they are stored in an NT folder with no
delete permission for the users.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 12 '05 #27

P: n/a

On Tue, 18 Nov 2003 21:51:19 GMT, dX********@bway.net.invalid (David
W. Fenton) wrote in comp.databases.ms-access:
--Deletion of any necessary file to use the program, specifically:
-The backend MDB file
-The workgroup MDW file


Um, this is never a risk if they are stored in an NT folder with no
delete permission for the users.


I took 'deletion' to mean 'loss of' and not just a file delete
operation.

Two comments to that extent:

1) file loss is limited to loss of data/activity since the last
backup. Any non-trivial database should be backed up at least
nightly, so workgroup loss is a non-issue, and database-loss is very
limited (although still a possibly significant loss - many call
centers use Access/Jet, and even an hour's loss is a very significant
amount of irretrievable business lost).

2) file loss can take many forms, of course, including media failure
and the like, but cracker-triggered file loss usually comes from the
file space being trashed. NT permissions do nothing to prevent this.
A user who uses an Access database for normal data entry requires
write permission to the database back-end, and if these permissions
are allowed, it is trivial to overwrite the file with garbage. In
other words, file loss is indeed an important consideration when
discussing potential cracker mischief.

Peter Miller
____________________________________________________________
PK Solutions -- Data Recovery for Microsoft Access/Jet/SQL
Free quotes, Guaranteed lowest prices and best results
www.pksolutions.com 1.866.FILE.FIX 1.760.476.9051
Nov 12 '05 #28
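
Added example, not part of any post in this thread: a scheduled check that would catch the garbage overwrite described in post #28 by comparing the live back end with the last backup. It assumes the Jet header signature "Standard Jet DB" at offset 4 and a 4096-byte page; check_backend and the file names are hypothetical, and the sample files are constructed.

```python
import os
import tempfile

JET_MAGIC = b"Standard Jet DB"  # assumption: header signature at offset 4
PAGE = 4096                     # assumption: Jet 4 page size


def pages(path):
    """Split a file into fixed-size pages."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [data[i:i + PAGE] for i in range(0, len(data), PAGE)]


def check_backend(live, backup, max_changed=0.5):
    """Compare the live back end with the last backup; return a list of findings."""
    findings = []
    cur, old = pages(live), pages(backup)
    if not cur or cur[0][4:4 + len(JET_MAGIC)] != JET_MAGIC:
        findings.append("header signature missing")
    if cur and len(cur[-1]) != PAGE:
        findings.append("size is not a whole number of pages")
    if len(cur) < len(old):
        findings.append("file shrank since backup")
    shared = min(len(cur), len(old))
    changed = sum(1 for a, b in zip(cur, old) if a != b)
    if shared and changed / shared > max_changed:
        findings.append(f"{changed}/{shared} pages differ from backup")
    return findings


def demo():
    """Constructed files (not real MDBs): backup, normally edited copy, trashed copy."""
    header = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * (PAGE - 19)
    backup = header + b"".join(bytes([n]) * PAGE for n in range(1, 8))
    edited = backup[:3 * PAGE] + b"\xee" * PAGE + backup[4 * PAGE:] + b"\x09" * PAGE
    blobs = {"backup": backup, "edited": edited, "trashed": b"\xff" * len(backup)}
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in blobs.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        ref = os.path.join(tmp, "backup")
        return {n: check_backend(os.path.join(tmp, n), ref) for n in ("edited", "trashed")}


if __name__ == "__main__":
    print(demo())
```

A compact or repair rewrites the file, so take a fresh backup baseline after one.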

P: n/a
I think you should start another thread.

"Deano" <de*********@hotmail.com> wrote in message
news:4Z******************@wards.force9.net...
Mike MacSween wrote:
"Michael (michka) Kaplan [MS]" <mi*****@online.microsoft.com> wrote in
message news:3f********@news.microsoft.com...
"Mike MacSween" <mi******************@btinternet.com> wrote...

> Using Access/Jet security is a LOT like leaving your fly unzipped.
> It might be good to think about that a bit before you keep coming
> here and waving your "privates" err..... "private solutions"
> around.

Wouldn't be the first time! Are you saying I'm making a fool of
myself? Because I'm naive enough to ask a straightforward question
and make it clear that I am unsure of some of the issues here? Or
is it just an unwillingness to go along with the 'accepted wisdom'
without question that is considered such a gaffe.

No, not at all. It is more the disdain for the people who point out
the flaws in the nature of the approach, or the "well tell me what's
wrong with it, then" type of response.


I hope that I haven't treated posters with greater knowledge than I
with disdain. However I find blunt 'all I can tell you is you're
wrong' responses unhelpful. If I come up with an idea I DO want to be
told what's wrong with it.
If they can get to it at all (which they must, to use it, right? <g>), then
they can get in. And it's a lot easier than you are willing to accept. It is
your refusal to believe this that bothers me.


It may well bother you. I think that there is clearly a huge
difference between, let's say, a data file stored on an unsecured
Windows 95 machine with an obvious name in an obviously named
directory, perhaps with a desktop shortcut to it, and a FE/BE split
with the BE on a server running under Windows 2000+ with strong
passwords enforced, Jet security, some of the ideas suggested for DIY
'security' etc. etc. It's harder to get unauthorised access to the
latter than the former. That is obvious. And it's all I'm saying. IT
IS POSSIBLE TO MAKE IT PROGRESSIVELY HARDER TO GAIN UNAUTHORISED
ACCESS TO AN ACCESS DATABASE. I don't know why you and Peter seem
unable to accept what is to me a clear truth. You can make it harder.
That's all. And that's all I'm discussing here. All I can conclude is
we aren't talking about the same thing.
Remember that King Canute *knew* he could not sweep back the tide;
he was just trying to show his advisors that they were not thinking
clearly enough....


Yes, most people get that wrong don't they?


While I'm enjoying this thread might I interject with this question - should
programmers, be they Access people or whatever, embrace DRM (digital rights
management) and Microsoft's Palladium idea and suchlike, with the view that
it offers developers and publishers *potentially* greater control of who
owns and uses their software?
I reckon most folk would think that DRM is a bad thing if it's forced onto
them but would programmers be seduced if it saved them the grief of trying
to ensure authorised use of their work?
And maybe DRM might be employed to make apps harder to hack into? I have no
idea, just putting the idea out there.

Apparently Microsoft want to make DRM a *core* part of the next version of
Windows. This article on the subject is quite interesting
http://www.theregister.co.uk/content/55/33958.html



Nov 12 '05 #29

P: n/a
This is not a reply to any one poster, so I have cleared all previous
messages.

Today, at the request of one of my users, I have found out some information
that was held in an Access 2000/2002 database (don't know which as it was
password protected).

How did I do this? I opened the MDB file with (of all things!) WordPad. I
used its Find command to find some information that I knew was in the DB,
then Find again, until I had the instance that I wanted. I then read the
information (in plain language!) from the screen.

Obviously if it had been encrypted, then I would not have been able to read
the data (at least, I hope not!)

Security? What security!

Nick
Nov 12 '05 #30
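
Added example, not part of any post in this thread: the WordPad search from post #30 turned into a repeatable audit that an administrator can run against a copy of the file before relying on a database password. It assumes text may sit on disk as UTF-16LE or in a single-byte form and a 4096-byte page; the function names and the canary value are hypothetical, and the sample file is constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

PAGE = 4096  # assumption: page size of a Jet 4 (Access 2000/2002) file


def encodings_of(canary):
    """On-disk byte forms to try (assumed: UTF-16LE and a single-byte form)."""
    forms = {"utf-16le": canary.encode("utf-16le")}
    try:
        forms["single-byte"] = canary.encode("latin-1")
    except UnicodeEncodeError:
        pass  # no single-byte form exists for this value
    return forms


def page_entropy(page):
    """Shannon entropy in bits per byte; values near 8 look like ciphertext."""
    total = len(page)
    return -sum(c / total * math.log2(c / total) for c in Counter(page).values())


def audit(path, canaries, threshold=7.0):
    """Report canaries readable in the raw file and how many pages look like plaintext."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = [(c, name, data.find(needle))
            for c in canaries
            for name, needle in encodings_of(c).items()
            if needle in data]
    pages = [data[i:i + PAGE] for i in range(0, len(data), PAGE)]
    low = sum(1 for p in pages if page_entropy(p) < threshold)
    return {"hits": hits, "pages": len(pages), "low_entropy_pages": low}


def demo():
    """Constructed sample: one readable page holding a canary, one random-looking page."""
    canary = "ZZ-CANARY-4471"  # constructed test value, planted by the auditor
    readable = bytearray(PAGE)
    readable[100:100 + 2 * len(canary)] = canary.encode("utf-16le")
    opaque = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")  # not a real MDB file
        with open(path, "wb") as fh:
            fh.write(bytes(readable) + opaque)
        return audit(path, [canary, "NOT-IN-FILE"])


if __name__ == "__main__":
    print(demo())
```

Any hit means a database password alone is not keeping that value from someone who can read the file.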

P: n/a
TC
The db used to be encrypted when it was secured by the wizard. I gather that
in current versions, that is not the case. Does anyone know the reason for
that change?

TC

"Nick Marshall" <Nick Ma******@NOSPAM.COM> wrote in message
news:vr************@corp.supernews.com...
This is not a reply to any one poster, so I have cleared all previous
messages.

Today, at the request of one of my users, I have found out some information
that was held in an Access 2000/2002 database (don't know which as it was
password protected).

How did I do this? I opened the MDB file with (of all things!) WordPad. I
used its Find command to find some information that I knew was in the DB,
then Find again, until I had the instance that I wanted. I then read the
information (in plain language!) from the screen.

Obviously if it had been encrypted, then I would not have been able to read
the data (at least, I hope not!)

Security? What security!

Nick

Nov 12 '05 #31

P: n/a
As far as I know, it is still done.
--
MichKa [MS]
NLS Collation/Locale/Keyboard Development
Globalization Infrastructure and Font Technologies

This posting is provided "AS IS" with
no warranties, and confers no rights.
"TC" <a@b.c.d> wrote in message news:1069374530.547717@teuthos...
The db used to be encrypted when it was secured by the wizard. I gather that
in current versions, that is not the case. Does anyone know the reason for
that change?

TC

"Nick Marshall" <Nick Ma******@NOSPAM.COM> wrote in message
news:vr************@corp.supernews.com...
This is not a reply to any one poster, so I have cleared all previous
messages.

Today, at the request of one of my users, I have found out some information
that was held in an Access 2000/2002 database (don't know which as it was
password protected).

How did I do this? I opened the MDB file with (of all things!) WordPad. I
used its Find command to find some information that I knew was in the DB,
then Find again, until I had the instance that I wanted. I then read the
information (in plain language!) from the screen.

Obviously if it had been encrypted, then I would not have been able to read
the data (at least, I hope not!)

Security? What security!

Nick


Nov 12 '05 #32

P: n/a
TC
Ok, thanks. I saw another post recently which suggested that it was not
done.

TC
"Michael (michka) Kaplan [MS]" <mi*****@online.microsoft.com> wrote in
message news:3f********@news.microsoft.com...
As far as I know, it is still done.
--
MichKa [MS]
NLS Collation/Locale/Keyboard Development
Globalization Infrastructure and Font Technologies

This posting is provided "AS IS" with
no warranties, and confers no rights.
"TC" <a@b.c.d> wrote in message news:1069374530.547717@teuthos...
The db used to be encrypted when it was secured by the wizard. I gather that
in current versions, that is not the case. Does anyone know the reason for
that change?

TC

"Nick Marshall" <Nick Ma******@NOSPAM.COM> wrote in message
news:vr************@corp.supernews.com...
This is not a reply to any one poster, so I have cleared all previous
messages.

Today, at the request of one of my users, I have found out some information
that was held in an Access 2000/2002 database (don't know which as it was
password protected).

How did I do this? I opened the MDB file with (of all things!) WordPad. I
used its Find command to find some information that I knew was in the DB,
then Find again, until I had the instance that I wanted. I then read the
information (in plain language!) from the screen.

Obviously if it had been encrypted, then I would not have been able to read
the data (at least, I hope not!)

Security? What security!

Nick



Nov 12 '05 #33
