[AccessD] Hiding Back End Design

Mitsules, Mark S. (Newport News) Mark.Mitsules at ngc.com
Mon Jul 19 13:12:37 CDT 2004


>> 'Apache' <<

I had that game:)  First of its kind that used nearly every key on the
keyboard.  Never 'cracked' it though;)

Mark



-----Original Message-----
From: Jim Lawrence (AccessD) [mailto:accessd at shaw.ca] 
Sent: Sunday, July 18, 2004 5:30 PM
To: Access Developers discussion and problem solving
Subject: RE: [AccessD] Hiding Back End Design


This whole discussion around security and protection, of code and data
access hinges on one thing. A trainer, when I was taking my CNE, about
fifteen years ago, stated "There is no security if people have access to the
server computer." This was true then, is true now and will be for the
foreseeable future.

The only security for any application, is limited to the knowledge, desire
and honesty of the client. Microsoft has spent massive amounts on securing
their products and always after a short time, the security is again cracked
and the cycle continues.

There is only a limited amount of security, that can be created for an
application. An individual bent on 'cracking' any product will eventually
succeed. You as a developer, must realize that and not waste time and money
securing a product more than it is worth. There is no point in spending
thousands of dollars, of your time, securing a product that you sell for a
thousand.

A number of years ago, when Commodore 64 was king, a company created an
awesome game called 'Apache' (the helicopter). The designers had stated
that they had spent two years creating the 'State-of-the-Art' security and
copy protection on their product. A short while later, a hacker
demonstrated on TV that he could, in fifteen minutes after pulling off the
cellophane of the new release, remove all forms of protection. That is
still the reality.

...and that as Arthur has already said is my two cents worth.
Jim

PS I was so impressed with the game that I purchased my copy of 'Apache'
and have continued to do that, with all worthy applications, to this day.

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com]On Behalf Of Arthur Fuller
Sent: Sunday, July 18, 2004 11:07 AM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] Hiding Back End Design


If you really want to hide a back end design, then I suggest the
following (which may be incomplete, I grant in advance)....

A) Upsize to MSDE at least, if not SQL 2000.
B) Rewrite your app so that NO ONE (save you) gets direct access to
tables.
C) Replace all the accessing code with sprocs/views/udfs.
D) Encrypt those objects.

There are decryption tools to crack sprocs/views/udfs, and if you
suspect their use, then you may have to take extra steps, but IME, very
few people have these decryption tools. Any fool with a few bucks and a
PayPal account can get the Access-decryption tools, but it will cost
him/her substantially to get the equivalent tools for MSDE/SQL Server.
If your assaulting audience is prepared to spend that kind of money to
get in, then you have to take extra steps.

It all comes down to cost-of-defence v. cost-of-successful-intrusion. No
way to call that argument in advance. If you're storing Al-Kaeda attack
plans or defence plans against Al-Kaeda attacks, you're prepared to
spend a LOT more money than the Mom'n'Pop grocery down the street.

MSDE (which is essentially free) plus "no one but me gets direct access
to tables, and must instead fire sprocs with appropriate args", plus a
role-based security system, plus encrypted sprocs... This gets you 80%
of the way to a secure system whose innards are unavailable to the
unauthorized penetrator. The more skilled your anticipated attacker, the
more money you need to invest in protection.

At the end of the day, if you want to hide the database design, my first
recommendation is to move to MSDE at least and hide all the tables and
allow access only using sprocs and views, whose usability you can
control precisely using roles, and whose code you can hide reasonably
effectively using encryption.

My $.02.
Arthur

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of Michael
Brösdorf
Sent: Friday, July 16, 2004 9:42 AM
To: Access Developers discussion and problem solving
Subject: AW: [AccessD] Hiding Back End Design


Well, the MDW _is_ crackable! There's a couple of tools out there that
reveal user names and their passwords in an instant.

So if user accounts within the mdw aren't secure, maybe it is an option
to make user x owner of all backend tables. This user should also be the
only one with permission to administer the db. Then remove user x from
the mdw that is used on the production system.

Didn't try it though...

Michael

-----Original Message-----
From: accessd-bounces at databaseadvisors.com
[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of
MartyConnelly
Sent: Friday, July 16, 2004 06:50
To: Access Developers discussion and problem solving
Subject: Re: [AccessD] Hiding Back End Design


Well if you were the owner through mdw you could, everyone else would
have to go through a query. This assumes the mdw is crackable.

Rocky Smolin - Beach Access Software wrote:

>Marty:
>
>Why couldn't they just go directly into the back end and open the table
>in design view?
>
>Rocky
>
>
>----- Original Message -----
>From: "MartyConnelly" <martyconnelly at shaw.ca>
>To: "Access Developers discussion and problem solving"
><accessd at databaseadvisors.com>
>Sent: Thursday, July 15, 2004 6:40 PM
>Subject: Re: [AccessD] Hiding Back End Design
>
>
>
>
>>I came across this today under the Access ORK. You might be able to
>>hide the design this way.
>>http://www.microsoft.com/office/ork/2000/three/65t3_9.htm
>>
>>Using the RunPermissions Property with User-Level Security
>>In order for Microsoft Access to display a table or query, it must
>>read the design of that table or query. As a result, in order for a
>>user to read and display the data in a table or query, that user must
>>also have permission to read the design of the table or query. If you
>>don't want your users to see the design of your table or query, you
>>can create a query and set its RunPermissions property to restrict
>>their access to this information. Set it up and test against one of
>>the access reengineering case tools like Sparxs or EZDesign.
>>
>>Rocky Smolin - Beach Access Software wrote:
>>
>>
>>
>>>One of the great advantages of Access is that the user can work with
>>>the data apart from the front end app.  Its transparency is a real
>>>marketing plus.  So I'd like to leave the back end open.  I think it
>>>will be beneficial.
>>>
>>>Rocky
>>>
>>>----- Original Message -----
>>>From: "Andy Lacey" <andy at minstersystems.co.uk>
>>>To: "'Access Developers discussion and problem solving'"
>>><accessd at databaseadvisors.com>
>>>Sent: Wednesday, June 23, 2004 11:36 AM
>>>Subject: RE: [AccessD] Hiding Back End Design
>>>
>>>
>>>
>>>
>>>
>>>
>>>>I'm going to sound a dissenting voice here. I don't understand why
>>>>Rocky, who's no doubt sweat blood to develop his vertical app, should
>>>>in effect give his system away? Because surely that's what he'd be
>>>>doing? The only way doing a development like this makes sense is to
>>>>get economies of scale by selling lots of copies. Without that
>>>>incentive vertical apps would never get developed at all because, in
>>>>the main, a single customer can't stand all the development costs.
>>>>And if you're going to put in the graft why shouldn't you dream of
>>>>making money on it, and why should you open yourself to being
>>>>ripped-off by people who can't be arsed to do the hard work
>>>>themselves? Sorry, don't understand.
>>>>
>>>>-- Andy Lacey
>>>>http://www.minstersystems.co.uk
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>-----Original Message-----
>>>>>From: accessd-bounces at databaseadvisors.com
>>>>>[mailto:accessd-bounces at databaseadvisors.com] On Behalf Of
>>>>>DWUTKA at marlow.com
>>>>>Sent: 23 June 2004 18:30
>>>>>To: accessd at databaseadvisors.com
>>>>>Subject: RE: [AccessD] Hiding Back End Design
>>>>>
>>>>>
>>>>>'Open source' should pervade into all areas of the information age.
>>>>>Music, programming, videos, etc. Unfortunately it will take a
>>>>>complete change in humanity's driving force....the accumulation of
>>>>>wealth.  As long as people are trying to make a buck, it will be
>>>>>virtually impossible to get them to do stuff simply for the
>>>>>betterment of society.
>>>>>
>>>>>Drew
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>--
>>>>_______________________________________________
>>>>AccessD mailing list
>>>>AccessD at databaseadvisors.com
>>>>http://databaseadvisors.com/mailman/listinfo/accessd
>>>>Website: http://www.databaseadvisors.com
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>--
>>Marty Connelly
>>Victoria, B.C.
>>Canada
>>
>>
>>
>>
>>
>
>
>

--
Marty Connelly
Victoria, B.C.
Canada



--
_______________________________________________
AccessD mailing list
AccessD at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/accessd
Website: http://www.databaseadvisors.com
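
Arthur Fuller's steps B to D from the thread above, sketched in T-SQL for MSDE / SQL Server 2000. This is an added example, not code posted by anyone on the list; the table, role and procedure names are hypothetical. As his message notes, WITH ENCRYPTION only raises the cost of reading the procedure text, since decryption tools exist.

```sql
-- Added example. Orders, AppUsers and usp_OrdersForCustomer are hypothetical names.
-- Run as dbo in the application database (MSDE / SQL Server 2000 syntax).

-- Base table, owned by dbo. Users never touch it directly.
CREATE TABLE dbo.Orders (
    OrderID    int IDENTITY(1,1) PRIMARY KEY,
    CustomerID int      NOT NULL,
    OrderDate  datetime NOT NULL DEFAULT (GETDATE()),
    Total      money    NOT NULL
)
GO

-- (C) + (D): all access goes through a procedure whose text is stored
-- obfuscated. Keep the source in version control; the server will not
-- hand it back through sp_helptext afterwards.
CREATE PROCEDURE dbo.usp_OrdersForCustomer
    @CustomerID int
WITH ENCRYPTION
AS
    SET NOCOUNT ON
    SELECT OrderID, OrderDate, Total
    FROM dbo.Orders
    WHERE CustomerID = @CustomerID
GO

-- Role-based security: application users are members of one role.
EXEC sp_addrole 'AppUsers'
-- EXEC sp_addrolemember 'AppUsers', 'some_db_user'   -- hypothetical user
GO

-- (B) No direct table access for anyone but the owner.
REVOKE ALL ON dbo.Orders FROM public
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO AppUsers

-- The role may only execute the procedure. Because the procedure and the
-- table share an owner (dbo), ownership chaining lets the procedure read
-- the table even though the caller is denied on it.
GRANT EXECUTE ON dbo.usp_OrdersForCustomer TO AppUsers
GO

-- Checks: encrypted should be 1, and sp_helprotect should list the
-- Deny rows on the table for AppUsers.
SELECT o.name, c.encrypted
FROM sysobjects o JOIN syscomments c ON c.id = o.id
WHERE o.name = 'usp_OrdersForCustomer'
EXEC sp_helprotect 'Orders'
```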
