How to prevent importing tables

TC

Chris said:
All security, sooner or later, relies to some degree on a lack of knowledge.


No way. Modern security systems should not depend in any way, shape or
form on any lack of knowledge. They should depend on the key, the whole
key, & nothing but the key. For example, if I encrypt a password, I
should be able to publish the encrypted password, and every detail of
the method that I used to encrypt it, and this should not reduce the
security of the plaintext password at all.

HTH,
TC
 
Joan Wild

Remove their ability to create a new database. Details in the Security FAQ.

If they can't create a new database while joined to your secure mdw then how
will they be able to import anything?
 
Joan Wild

Rick said:
How would that work exactly? Any new SQL you would run would not have
Owner's permissions so you would get nothing from the table at all
(right?).

No they'd base the query on the RWOP query which does give them permission.
At any rate my response was limited to the question asked
"how do you prevent importing of tables from a secured file?"

As I suggested elsethread, remove their ability to create a new database
while using the secured mdw.
 
Chris Mills

In fact an RWOP SQL statement can be placed directly in a recordsource. But it
can't be placed there by code, because then it's not the owner! That's not
bad, except for mde hacking.
 
'69 Camaro

Hi, Joan.
If they can't create a new database while joined to your secure mdw then
how will they be able to import anything?

I sent you an E-mail discussing how this is done. I don't believe this
should be discussed in public newsgroups.

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address so that a message will
be forwarded to me.)
 
Chris Mills

form on any lack of knowledge. They should depend on the key, the whole
key, & nothing but the key.

Precisely. A lack of knowledge. It's still winter in Aus, so you can't blame
the sun TC :)
 
TC

Still winter, /and/, a second fatal shark attack in my home state; and
I am presenting software to a national scuba diving conference :-(((
- and it is not installing correctly on some pc's!
:-((((((((((((((((((((

TC
 
Guest

Chris,
P.S. One of my best security methods is nothing to do with Access, it's
recording my customers. The way I write software, they will surely have to
contact me sooner or later! What's this? Not on my list? My next best method,
is to employ Gunny as a security guard :)

Let's be perfectly clear on one point. It would be Gunny who might hire you
as the security guard, not the other way around. Gunny would stay busy
continuing to create the great software that he does.

Tom
_____________________________________
 
Guest

But it's also unusual to want to protect data, as against program, for
a "retail sale".

It's not unusual at all. The company that I work for (a major Fortune 500
Company that builds the best damn commercial jet transport aircraft
available) has purchased several licenses to use FTIR spectral search
software with data that is stored in a proprietary format. FTIR is a form of
Infrared Spectroscopy, a technique used for the identification of unknown
compounds. The databases that we have licenced have over 150,000 spectra that
are available for conducting searches against. Basically, the vendor's entire
product is the data. The search software is a much smaller part of the
equation.

There are all kinds of commercial databases (medicine, law, pharmacology,
etc.) where the data is of paramount value.

Tom
_________________________________________
 
Chris Mills

Well, for security you should wear a wet-suit that looks like a salt-water
croc :))

Anyone could have told you MS-Access doesn't work under-water, TC ;-))))

What installer?
 
Chris Mills

Then why does your company (QBuilt) piss around with such pathetic things as
Database Password cracking?
 
Chris Mills

His public message can't have been addressed to Joan, since he says he
informed her by e-mail.

So who was it for? Us? Outright skiting that he knows what we don't?

1) He may well do. The purpose of this thread is to secure a database "as best
as possible" (whatever that means). OF COURSE some people can break it. If
Joan's suggestion can be broken by only a select few "shouldn't be discussed
in public newsgroups", then I would venture that suggestion is adequate.

2) Anyone with a while of experience (and not necessarily even technical
expertise) can indeed do what Gunny thinks only he can. I am not saying I know
more than anyone else on this. And I agree that, generally, some things should
not be posted.

Chris
 
Joan Wild

Chris said:
His public message can't have been addressed to Joan, since he says he
informed her by e-mail.

I never got her email (probably an over eager filter at play); whatever.
So who was it for? Us? Outright skiting that he knows what we don't?

1) He may well do. The purpose of this thread is to secure a database
"as best as possible" (whatever that means). OF COURSE some people
can break it. If Joan's suggestion can be broken by only a select few
"shouldn't be discussed in public newsgroups", then I would venture
that suggestion is adequate.

Unfortunately, replying with 'let's not discuss it in public' has only
served to pique people's interest. Something I was trying to avoid - oh
well.

Access Security has always been, and will continue to be security by
obfuscation. Fact is that people do not need to learn the tricks, as $50
will get you in anyway.

I personally don't use ULS for 'securing' anything; I find it a useful tool
to present things to users that they need to *do their job* (most of my
clients consider their databases as tools for their job, and just want it
"to work"). I use it as an application guidance tool.
 
Guest

Chris,

First, it is not my company. I am neither an officer nor employee of QBuilt.
This company is owned by a friend of mine and, yes, I do have several tips
and articles that I've written that are posted at QBuilt.

Second, the password cracking tools that you so despise (yes, I read your
earlier rant where you jumped all over Jeff Conrad's butt) are made available
only to legitimate owners of database applications, after a password has
either been forgotten, or maliciously changed by a disgruntled employee.

Tom
________________________________________

:

Then why does your company (QBuilt) piss around with such pathetic things as
Database Password cracking?
 
Joan Wild

Second, the password cracking tools that you so despise (yes, I read
your earlier rant where you jumped all over Jeff Conrad's butt) are
made available only to legitimate owners of database applications,
after a password has either been forgotten, or maliciously changed by
a disgruntled employee.

That's great, but just how is that proven to you?
 
Guest

Joan,

I don't have a need for my friend to prove anything. I gladly accept this
person's statement at face value. I have known the owner/operator of QBuilt
for several years. Do you require that your friends prove every statement
that they make to you? I certainly hope not.

Nevertheless, there are plenty of commercial sites available
(www.lostpassword.com for one) that will sell the password cracking tools, no
questions asked. And, it seems to me that there is a Russian web site (which
I will not post for now) that offers the same tools free. So what is the big
deal?

Your question is akin to asking Lance Armstrong to prove that he never took
performance enhancing drugs! Perhaps there is a future career for you as a
writer at the French sports daily L'Equipe.

Tom
_________________________________________
 
Joan Wild

You misunderstood. I didn't ask how your friend proves it to you. I asked
how you get proof from potential users of the password cracking tools that
they are the legitimate owners of the database?
 
