Design protection

[Newman]

I currently have designed an extensive Program using
access as a platform to host it. The front end requires
user login and password to access, and the back end
consist of dozens of MDE databases. The front end is
also being utilized as an MDE. The MDB of all are stored
on a remote server which only I the administrator can
access, and is backed up on CD as well. The database has
a self-protection i built into it, which detects my log-
in. If my login is not sensed within the last 72 hours,
the program ceases to run, and denys all logins, and
shuts itself down. Only my login can initiate the system
override and re-activation for the next 72 hour cycle.
So in other words if i drop dead or get laid off, the
program is rendered useless. My main concern is someone
being able to reconstruct the program or rewrite some of
the macros from an MDE....is it possible if only the MDE
is available? By the way, all the admin forms, macros,
etc. are set up to allow run or read only to all users
but myself. My login only allows design changes even in
the MDB. Let me know if my protection can be over
ridden or undone. Thanks

 

['69 Camaro]

Hello, Newman.

Please don't multipost. Readers have to check other readers' responses in
every other newsgroup where you post the same question in order to make sure
that they don't duplicate others' efforts.

Let me know if my protection can be over
ridden or undone.

Your efforts of protection can be overridden and undone. Anyone willing to
set the computer's system date back or create a login account name identical
to yours after you pass away or lose your job will be able to open your
database. The business operations that depend upon your database system
will still be able to function in your absence.

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)

 

[Newman]

Partially correct...
First off, someone would have to know what that login
name is, and the login name i use for making mods to the
structure is hidden, protected and different from the one
i use for normal access. Secondly, the scheme isnt
based on the system clock, its based on intervals between
my logins, therfore unless someone first figures out my
login name, then figures out what my password could be, i
doubt that they'd do both, accesss will be denied. My
question was... is there anyway, someone can modify the
code without actually obtaining accesss to the structure
in its original hosting format (access).?

Thanks again.

 

['69 Camaro]

Hello, Newman.

First off, someone would have to know what that login
name is

If you aren't using the login ID that authenticated with the computer's OS
on bootup, then you are either using Access's built-in user-level security
or your own home-grown security methods. A hacker wouldn't even have to
guess your login and password, because tools to break into the built-in
user-level security are available for a reasonable price to anyone who wants
to break into your system.

Home-grown security is likely to be even less secure than the built-in
user-level security, because Access database developers are burdened with
the same limitations that Microsoft's professional designers and programmers
were burdened with, but are far less likely to have the resources that
Microsoft had to put into the design of such a security system. Besides,
your database's startup functions can be easily bypassed if user-level
security isn't used to secure the database, so the lack of a User ID and
password to get past the login screen isn't a show-stopper.

Secondly, the scheme isnt
based on the system clock, its based on intervals between
my logins,

The information that your application is using to compare the time intervals
is stored somewhere, such as in a file or the Windows Registry -- which a
hacker can find, even if it's encrypted. And the time intervals are based
upon a "start time" and "comparison time" of some clock in order to measure
whether 72 hours has passed, even if it isn't the current computer's system
clock -- which a hacker can find and probably alter, too.

My
question was... is there anyway, someone can modify the
code without actually obtaining accesss to the structure
in its original hosting format (access).?

I'm not sure that I understand this question, because your application is
still in its original hosting format, Access, even if it's an MDE file.
MDE's can be altered after being created from the MDB file, but there are
quite a few limitations, including the lack of source code for a person to
read directly. That doesn't mean that some things can't be read indirectly
by an expert or a hacker, though. What specifically are you hoping can't be
modified?

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)

 

[Newman]

Thanks, my question was basically answered, and is what i
was hoping for, which is that either an advanced
programmer, or hacker of some sort would be required to
gain access to the program, which is good news since the
company is unlikely to go thru the extent of paying a
programmer all sums of money to "attempt" without
guarantee to hack into the program, nor would they likely
hire the services of a hacker. The most likely scenario
it seems is that they would simply stop using the
program, and have to revert back to the old paper file
system, until someone was paid to write a new program,
and then enter years worth of data back into the system
at best case.

Thanks so much.

 

['69 Camaro]

Hello, Newman.

Your response implies that you would like to hold the application as
leverage against your future dismissal by your employer. This is unwise.
Be advised that it is illegal to sabotage the property or resources owned by
another, and you can be held legally responsible for any damages incurred by
the employer to retreive the data or replace the application. Also,
witholding property from another and preventing the rightful owner from
using that property -- even if you did not physically take that property --
is theft in the eyes of the law in the United States, provided that is where
you or your employer reside. I can imagine similar laws elsewhere.

It appears that you would like to have your employer spend the time and
money to replace all of the data, as well as the application that you built
while employed, should you lose your job. Luckily, this may not be nearly
as expensive an endeavor as you expect. The objects and information
retrievable from the MDE files -- for free or fairly inexpensively -- are:

All tables, their structure and their data.
All macros.
All queries and their structures.
The visual appearance of all forms and their controls.
The visual appearance of all reports and their controls.
The interactions of any of these objects with other objects in the database
or external databases and files, often including logins, passwords and
connection strings.
The database structure, including table relationships, names of all objects,
import/export specifications, and database properties.

I haven't tried it, but I'd guess that custom CommandBars are also
retrievable from the MDE files -- logic, button images, and all.

With all of this available, an Access expert may take a day or so -- or
maybe a few weeks, but it obviously depends upon how complex it is -- to
reproduce the application that you built, sans the extra security measures
you put into it. Which is a _lot_ less time than you put into it, since the
expert won't add anything malicious to the application.

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)

 

[Paul Overway]

Unless you've got a time bomb in there that actually deletes the data, which
would be pretty stupid, I doubt it would take "all sums of money" to gain
access to the program data. Any person reasonably competent in Access is
likely to gain Access within a matter of a few hours...and would be able to
quickly import the data vs re-entering it.

As for the source code, that is another matter. But if there is any way for
a person to gain access to the original MDB, they'll be able to get the
source code. So, if you've stored it on a server or PC in their facility,
they can get the source.

In any case, if the program was developed while employed by the company,
your ethics are questionable...and you could be found liable in a lawsuit.
So, in the end, you may in fact wish your were dead.

 

[Tom Wickerath]

Amazing logic Newman....

Even if you weren't fired, what would your employer think of you if you were incapacitated, or
otherwise unavailable, for 72 hours? You'd likely be fired once they caught on to your scheme.

Tom
_________________________________


Hello, Newman.

Your response implies that you would like to hold the application as
leverage against your future dismissal by your employer. This is unwise.
Be advised that it is illegal to sabotage the property or resources owned by
another, and you can be held legally responsible for any damages incurred by
the employer to retreive the data or replace the application. Also,
witholding property from another and preventing the rightful owner from
using that property -- even if you did not physically take that property --
is theft in the eyes of the law in the United States, provided that is where
you or your employer reside. I can imagine similar laws elsewhere.

It appears that you would like to have your employer spend the time and
money to replace all of the data, as well as the application that you built
while employed, should you lose your job. Luckily, this may not be nearly
as expensive an endeavor as you expect. The objects and information
retrievable from the MDE files -- for free or fairly inexpensively -- are:

All tables, their structure and their data.
All macros.
All queries and their structures.
The visual appearance of all forms and their controls.
The visual appearance of all reports and their controls.
The interactions of any of these objects with other objects in the database
or external databases and files, often including logins, passwords and
connection strings.
The database structure, including table relationships, names of all objects,
import/export specifications, and database properties.

I haven't tried it, but I'd guess that custom CommandBars are also
retrievable from the MDE files -- logic, button images, and all.

With all of this available, an Access expert may take a day or so -- or
maybe a few weeks, but it obviously depends upon how complex it is -- to
reproduce the application that you built, sans the extra security measures
you put into it. Which is a _lot_ less time than you put into it, since the
expert won't add anything malicious to the application.

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)

 

[w.f.josifina]

Hello, Newman.

Your response implies that you would like to hold the application as
leverage against your future dismissal by your employer. This is unwise.
Be advised that it is illegal to sabotage the property or resources owned by
another, and you can be held legally responsible for any damages incurred by
the employer to retreive the data or replace the application. Also,
witholding property from another and preventing the rightful owner from
using that property -- even if you did not physically take that property --
is theft in the eyes of the law in the United States, provided that is where
you or your employer reside. I can imagine similar laws elsewhere.

It appears that you would like to have your employer spend the time and
money to replace all of the data, as well as the application that you built
while employed, should you lose your job. Luckily, this may not be nearly
as expensive an endeavor as you expect. The objects and information
retrievable from the MDE files -- for free or fairly inexpensively -- are:

All tables, their structure and their data.
All macros.
All queries and their structures.
The visual appearance of all forms and their controls.
The visual appearance of all reports and their controls.
The interactions of any of these objects with other objects in the database
or external databases and files, often including logins, passwords and
connection strings.
The database structure, including table relationships, names of all objects,
import/export specifications, and database properties.

I haven't tried it, but I'd guess that custom CommandBars are also
retrievable from the MDE files -- logic, button images, and all.

With all of this available, an Access expert may take a day or so -- or
maybe a few weeks, but it obviously depends upon how complex it is -- to
reproduce the application that you built, sans the extra security measures
you put into it. Which is a _lot_ less time than you put into it, since the
expert won't add anything malicious to the application.

HTH.

Gunny

See http://www.QBuilt.com for all your database needs.
See http://www.Access.QBuilt.com for Microsoft Access tips.

(Please remove ZERO_SPAM from my reply E-mail address, so that a message
will be forwarded to me.)

 

[Niklas Östergren]

What is it you want to achive Newman?
And why have you built this application to start with?

To me it seams that you wish to be the only one and just the only one with
the "power" of knowing how your application works. The "power" of beeing the
only one that can access the data! Isn´t that a little bit selfish? Isn´t
that abuse of knowledge for the people who don´t have your skills?

Why not use your skills for something good all the way so you, when ever you
pass away, will be remembered for beeing the good guy instread of beeing
remembered as the guy who didn´t wanted to share knowledge?

Think againg Newman, unless this isn´t a bad joke! That´s my advice!

// Niklas

 

[AcerTravelmate630]

I had faced a similar problem with one of the departments in the company where I work. The department used a complex fund flow analysis software built using Access 2002. The software had been packaged and deployed by its constructors, as a MDE file.
It took me about 3 hours off my holiday just to decipher the entire logic and workings of the program. Although I may be termed as "more than a novice", with the help of various informative websites and newsgroups around, it did not take much to understand the innards of this particular MDE.

I am in complete and total agreement that knowledge should be shared. In fact knowledge shared is actually knowledge earned, retained and gained all rolled into one!

 

[LASSE M.KARLSEN]

"AcerTravelmate630" <[email protected]> skrev i en meddelelse I had faced a similar problem with one of the departments in the company where I work. The department used a complex fund flow analysis software built using Access 2002. The software had been packaged and deployed by its constructors, as a MDE file.
It took me about 3 hours off my holiday just to decipher the entire logic and workings of the program. Although I may be termed as "more than a novice", with the help of various informative websites and newsgroups around, it did not take much to understand the innards of this particular MDE.

I am in complete and total agreement that knowledge should be shared. In fact knowledge shared is actually knowledge earned, retained and gained all rolled into one!