Why bother securing?

[JZ]

Hi,

I'm just wondering why I should bother securing my MS Access Database, I
mean you can download tools which will remove all the security?

I'm looking for answer to give to my boss.

Thanks,

 

[Chris Mills]

Because the majority of your customers just have a job to do, they don't have
time or incentive to break your program.

Because the majority of your customers don't know Access, in spite of how easy
it is to break.

Because, sooner or later they'll call up for some advice or other, and you'll
have a list of valid customers.

On a purely technical level, you are right.

(my concern is more ripping-off the program than protecting the data, which is
even harder)(if harder than easy is hard)
Chris

 

[Chris Mills]

and mainly because...it's about all you can do, assuming the use of Access.

 

[Rick Brandt]

Hi,

I'm just wondering why I should bother securing my MS Access
Database, I mean you can download tools which will remove all the
security?
I'm looking for answer to give to my boss.

Thanks,

I can buy a lock pick, but I still lock the doors to my house. A barrier that
is imperfect is still a barrier. It depends on what your expctations of the
barrier are to determine whether it is worthwhile to have.

 

[JZ]

OK, thanks for these comments.

What about reasons why we would secure a MDB that would be distributed.
Mainly to clients, but could be for public access.

We are commited to MS Access due to the time spent on development and
in-house knowledge.

 

[Keith Wilby]

Hi,

I'm just wondering why I should bother securing my MS Access Database, I
mean you can download tools which will remove all the security?

I'm looking for answer to give to my boss.

The answer is a question - do you need a padlock or a bank vault? If the
latter then Access is no good, you need to upsize to a service such as
Oracle.

Keith.
www.keithwilby.com

 

[Rick Brandt]

OK, thanks for these comments.

What about reasons why we would secure a MDB that would be
distributed. Mainly to clients, but could be for public access.

We are commited to MS Access due to the time spent on development and
in-house knowledge.

Personally I wouldn't bother securing a distributed app in most cases. I would
distribute a split app with the front end being an MDE so the code couldn't be
tampered with, but the back end would not be anything special. At the most I
would give it a different file extension so that it wasn't obviously an Access
file.

 

[JZ]

Hi,

Again, thanks for the further comments.

What would you guys suggest for program developers who are distributing
their program and an MDB. Any extra steps which would add to the security?

e.g. Rename MDB.

Obviously using Oracle isn't practical for small distribution.

Any further comments greatly appreciated.

Thanks,

 

[Joan Wild]

First you asked why bother securing, since you can hack it, but now you are
looking for anything you can do to add barriers.

Renaming the file is much easier to get around than hacking the security,
but if you want more...

Implement security
Create custom menus/toolbars for use throughout your application.
Create a startup form (a main menu form if you have one) that is opened on
startup.
Use the features in Tools, Startup to limit menus, db window, special keys,
etc.
Disable the shiftkey bypass
http://www.mvps.org/access/modules/mdl0011.htm
and
http://www.mvps.org/access/general/gen0040.htm

You can also create a MDE from your database, which will prevent changes to
forms, reports and modules.
Rename the mdb
Put it in a hidden folder

 

[Chris Mills]

There's a number of add-in security products like www.sagekey.com

I'm not in a position to say how good they are. But something along these
lines is essential on top of Access security, that is, at least some level of
copy protection.

Chris

 

[Michael Skelton]

Hi everyone,

I also can't verify that any of these products truly are secure but I can
verify that all of my encounters with Access databases have been met with
very few walls or challenges.

Unfortunately to my knowledge there really isn't any way you can 'truly'
secure your data from third party access.

Michael

 

[Chris Mills]

The strangest thing is...there seem a heck of a lot of
people..."programmers"...who dont seem to have a handle on Access ULS, hence
the majority of questions in this newsgroup! Of course, this is hardly a
statistic, since those who do have a handle don't post questions!

I did try data encryption at one stage (NOT the inbuilt Encrypt/Decrypt),
together with hopefully suppression of virtually all copy/paste out of forms
(prevent legitimate users), though never actually implemented it. I'd just say
that, since a straight mdb has $0 of security, these things at least had $0.02
or more!

And a good puzzle, even for the writer of it, might be to take out the "keys"
at the top of each column (the nice English field names replaced with guano).
I haven't actually done this coz then it would be too difficult for ME to
maintain.

....back to sleep...
Chris

 

[Chris Mills]

Sorry, couldn't sleep...the bogeys got to me!

What's this?

Expr001 Expr002 Expr003
¾½ºÏÇÏ ¾š‘š‹—†ß×­ŒŒÖß³žˆß°™™–œš ¯°ß½‡ßÊÍÇÌ
¾½­ÏÍÏ ²ž–‘ß­ß¾ž’Œ ¯°ß½‡ßÍÊÏÈË


That's right. All converted to "unprintable characters" as well, so it
probably hasn't even transcribed correctly.

(UNDOUBTEDLY breakable, but who has the nouse, and who of those has the time
or energy?)

 

[Chris Mills]

As best I can tell (this is from a while ago) it means:

ABE090, A(censored) Law Office, PO Box(censored)
ABR020, Marion (censored) Someone, PO Box(censored)

My greatest difficulty, was NOT recovering this previous encryption of mine,
but having to plug-in a Windows 3.1 disk and try and remember how to use it!!!

I think it's a bit rich of people like Rick Brandt (undoubtedly a technical
expert) and Joan Wild (another one) to purport to give advice on distributing
Access applications. Because, NEITHER of them use it that way!

(Joan is particularly on record as stating she DOES NOT USE Access Security
for such purposes. Also, you can see that her advice is limited only to the
machinations of actual Access Security, which is fine because she has said she
does NOT use Access security in practise. If either of them had, they would be
very aware of advice on add-in products)

Even suggestions to use SQLServer can be a bit suspect.
a) it may not be as suitable or as easy for general remote distribution as
Access.
b) depending on how it's written, Access is inevitably a portal into SQLServer
which might not therefore, as a unit, be secure. (David) had some usefull
interpretations of this within the last year in this newsgroup.

The overall point is that, yes things can be broken by "security experts".
Who's a security expert? and how much incentive do they have? In this
newsgroup, most questions are answered by "security experts". OF COURSE THEY
CAN BREAK IT but can your average customer?

Also, (program copying) is a matter of statistics. A business decision
really. MS has some great schemes (CD-KEY). It does not prevent copying (so I
hear), but it sure goes a long way to upping the business statistics. That's
why I said, in my first post, you need at the least a list of valid customers
(checking methods which are completely outside of Access)

It's never black-and-white. In some respects, it's unfair to rely solely on
MS-Access (or SQLServer or Oracle for that matter, for reasons stated)

The purpose of this newsgroup, I believe, is to advise on what can be done to
secure something, given the tools available. Certainly not how to break it,
though of course they are interrelated.
In Other Words: I don't b.know! All my suggestions are more-or-less equally
questions.
Chris

PS NO Reflections on Rick or Joan! Who are doing their best with an insecure
product. Merely used as illustrations...securing stuff is a right struggle
that's for sure.

 

[JZ]

Hi,



Again thanks so much for these comments.



To lay my card on the table and be completely truthful.



I'm actually the developer of an MS Access Security tool.

It's been around a few years, I've done small tweaks over the years.

But I was surprised to get a few sales recently.



I was thinking about improving the program and adding new functionality.



However a month or two ago someone emailed me to say, "Why bother securing?"
etc.

I didn't really have an answer for him, hence he didn't buy it.



I made this posting to get some other points of view.



There's lots I can do with both my website and the program.

Presently the website is aimed at the developer, I'm told it should be aimed
at the manager.



I think I'm right in saying that the new vista MS Access will blow security
out of the water as we know it and therefore my program will become
obsolete.



But I think the Our versions of MS Access will still be used for a couple
more years at least.



So what do you think, should I put effort into my program?

 

[Chris Mills]

I wouldn't know how much market there is. I wrote my own, as do many people
based on posts for HD serial numbers and such-like, anyway distributed
software usually needs something along these lines.

You can lookup google for software protection and get some idea of various
products. Some of them seem quite expensive, which is good for you of course!

Chris

 

[JZ]

Hi Chris,

Thanks for your reply.
But it doesn't seem to have anything to do with the message I posted?

Thanks,

 

[Chris Mills]

Your question was, should you put in the effort? Presumably to sell it? Some
sort of add-in security product?

Presumably as a business proposition. The sole criteria would be, what market
is there?

To be sure, how would we know if it's worth putting in the effort, when the
only info is "security tool".

If it's just an analysing tool, there's at least one free one.

Cheers
Chris

 

[JZ]

Hi,

Thanks for your comments.

Your question was, should you put in the effort? Presumably to sell it?
Some
sort of add-in security product?

Yes to sell more.
Improve what the program does, provide more flexibility and improve the
website.

Presumably as a business proposition. The sole criteria would be, what
market
is there?

Well I guess there is a market as it does sell a bit.
My main problem is marketing the program, as it doesn't provide 100%
security.

To be sure, how would we know if it's worth putting in the effort, when
the
only info is "security tool".

No it adds the sort of security you could add in MS Access, but without the
user having to know how or why. Thus saving them time and effort.

I guess I have answered some of my own questions.

My main worry was that security can be overiden easily.
I was chatting to a friend and he suggested that I say something like 90%
secure on my website.

Thanks,

Jules.

 

[Chris Mills]

I was chatting to a friend and he suggested that I say something like 90%

secure on my website.

Don't do that.

You can't give a percent. Access is 100% secure to my grandmother, and 0%
secure to some in this newsgroup.

Chris