The Fine Line Between Security and Usability 195
SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format, he reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications."
In my opinion (Score:4, Insightful)
This is not news to me... (Score:5, Insightful)
They'd rather you re-wrote your app and used MSDE, or something with
Not a lot of money in supporting the db engine they give away.
And this is not the first time. Does no one remember they tried to Kill Jet in XP -and- Vista?
A pox on them all. I hope we re-write our app in mySQL.
Re:In my opinion (Score:3, Insightful)
Whether Microsoft draws it at the right place is, of course, another question entirely.
Exactly the situation that Open Source wins (Score:0, Insightful)
Well supported and popular technology? Check. Original developer not interested? Oh well, grab the source and fix it. If you can't, someone else will because it's popular.
End result - a secure platform for your legacy (and current!) applications without costly redevelopment costs.
This doesnt matter (Score:4, Insightful)
Patching one hole in a pegboard (Score:5, Insightful)
Why not just start running installs you find from "somewhere?"
Access and mdb are insecure as it is when you start running untrusted files; should we expect all of those to go away at the expence of neutering the key selling point: stupid easy to do anything with?
Security News Flash (Score:3, Insightful)
Re:Exactly the situation that Open Source wins (Score:2, Insightful)
Sounds absolutely great. I wish every business person was as smart, since open source is obviously better in every way than closed source.
End of sarcasm. Yeah, open source is pretty cool, I like it, etc. Does open source guarantee everything wonderful, does open source guarantee a business with a profit? No, it doesn't. Open source is not the answer to everything.
And even open source organizations will stop support for decrepit applications. If you insist on using a 10 year old Linux kernel and demanding that some quirky bug in it be fixed, I'm not sure how much support you'd get :)
Is that an exact analogy, no... but, as a previous poster said, businesses run on profit, not open source feel-good-ness... :)
Re:In my opinion (Score:5, Insightful)
1) Companies are only there to make a profit and don't have to care about things like environment, security,
2) Regulation is evil, let the companies do whatever they like and the market will sort it out.
Logical conclusion from 1) and 2) is that we're pretty much screwed and back to some kind of feudalism. And no, most people do not vote with their wallets and the Market will not sort it out magically (otherwise, CO2 emissions would already be on the way down and there wouldn't be all these environmental problems).
Re:do users care? (Score:4, Insightful)
Today that fantasy has mostly dispersed. Most companies know that if they don't develop an application internally they are at someone else's mercy. There are fewer failures of larger software publishers but even the larger ones sometimes abandon some application leaving the users in a bad spot. But having the source for a 150,000 line (or more!) application doesn't mean a company could compile it, much less fix a serious bug. In general it would take someone a long time to get familiar enough with something like this to be able to work on it with any degree of confidence. Especially a company with a mission-critical application needing a bug fixed - it would take months, often paying a consultant $150+ an hour.
The "new" strategy seems to be:
Mostly, this is a lot smarter than the late 80s strategy.
Re:Easy (Score:3, Insightful)
Re:This doesnt matter (Score:2, Insightful)
If it's multiuser or networked, go RDBMS.
Re:In my opinion (Score:5, Insightful)
As correct as you are, there does not need to be a fine line between usability and security. There needs to be (and of course there will be) an ongoing evolution in software design to offer usability without compromising security. I reckon it won't be a long time before any software program that gets run in userspace (or any space) has to go out on bended knee requesting to do anything - forced to abide by a security policy by default which limits its access. I don't mean the old broad-brush users/groups/device permissions etc. model that is everywhere now, but stuff like "only allowed to read from this folder, only allowed to talk to this or that application, etc." with very low level behaviour controls.
I don't think this needs to result in a "the mouse pointer wants to move, confirm/deny" scenario, but that the software designers need to submit with their product a security policy within which their applicaton has to function. The user should be able to very easily browse this policy and see what the program expects to be able to do, and override things, such as "access the internet using HTTPS at port 3232 to server www.phonehome.net" or sloppy things like "read contents of /etc recursively" instead of "read contents of /etc/mostlyharmlesswidget/config".
I know things like this already exist and there is a limited implementation of it, but to me that just confirms the point that it is the obvious next step.
Re:In my opinion (Score:5, Insightful)
This whole discussion is based on a faulty premise, that MS is leaving its Access users without a fix. They have a fix, and they've had it for some time: stop using MDB format and convert your databases to a data engine that isn't a POS. They've deprecated MDB and Jet Engine. That means they're telling their customers "Don't use that stuff any more, it's faulty." The fact that they continue to support customers who ignore the deprecation doesn't change that.
There is the little detail that Access itself is a POS. But that's designed in — not much they can do about that.
Re:why do people (Score:5, Insightful)
Re:This is not news to me... (Score:3, Insightful)
If Jet was adequate, you may be better off using SQLite.
It's not just small businesses (Score:4, Insightful)
Re:This is not news to me... (Score:4, Insightful)
Except with the Internet and massive databases floating around, we are all interconnected. Jet DBs may not be massive, but that doesn't mean the company doesn't have access to other real databases. OK, so the stupid company gets owned. Now, if they have any info on me, that's in the criminal's hands, and good luck getting compensation even if the company admitted full responsibility. Their Internet connection can now be used to spam or DOS me. If they go out of business, think about all the employees who had nothing to do with the IT decisions (and those who opposed this particular one). They get to stand in the unemployment line. Vendors might get shafted on unpaid invoices.
Just because your system is secure doesn't mean you don't get affected by someone else's insecure system. And no, I don't know what the solution to that problem is.
Re:why do people (Score:5, Insightful)
Re:Exactly the situation that Open Source wins (Score:3, Insightful)
The cost of maintaining Free Software follows a curve. You can fairly easily predict how expensive it will be to keep maintaining something you depend on, and how expensive it is to move away. Once it becomes cheaper to move, that's what you should do.
Re:why do people (Score:3, Insightful)
Re:It's not just small businesses (Score:3, Insightful)
"allowing for arbitrary code execution once the victim interacts with a malicious JET-dependent file (such as an Access file)."
It is crazy. Like saying you downloaded a malicious
Re:Access leads to... (Score:2, Insightful)
Yes, you're funny, but SQL Server is a solid, well-done database. In terms of quality of product, I think it's the best thing that MS sells.
an mdb file is already an executable (Score:3, Insightful)
Re:In my opinion (Score:3, Insightful)
I don't believe it's a fundamental problem with capitalism itself. It's a problem with *unregulated* capitalism.
clueless morons who'd rather follow Big Corp's marketing dept. instead of educating themselves about the issues that affect them
Unfortunately, that won't be fixed unless the govt were to spend at least the same amount on advertisement as Big Corps to, which is highly unlikely (and possibly undesirable anyway). Otherwise, it's a lost battle. You've got billions spent on ads telling everyone to eat junk food (just one example) and a couple millions into actually telling people it's bad for you. You can say "people could stop paying attention to ads", but that would be missing the point. The fact is that ads *do* work. Otherwise Big Corps wouldn't be spending billions on it in the first place. If you can't get people to stop buying food that makes them sick, how the hell are you going to stop them from buying from companies that destroy the environment at a global scale. This is why I do not believe "voting with your wallet" will ever work except for a few rare case.
Access/JET/.mdb are enabling software (Score:2, Insightful)
Sure, you can sit in your geek tower and laugh at the dolts that use Access every day to solve thousands of data management issues. A secretary can be trained to use Access to manage moderately complex data (the numbers on all the new telephones, people interviewed for specific positions and letters sent relative to those positions, products bid out and vendor responses and on and on and on).
Do you really propose that she/he write a web application for this? Or just hack up some Perl with mySQL to manage these things? Or whip out a bit of
Access has solved real world problems for real people for a long long time and will continue to do so regardless of how data and/or system design snobs feel about it. It is an empowering piece of software. I think some of the attitudes here are IT centric and not in keeping with the real business end of most companies.
Re:This is not news to me... (Score:3, Insightful)
If JET is adequate for your needs, SQLite is likely to be much better. If you are using SQL Server then you would be better off considering PostgreSQL as a migration path than MySQL.
Re:why do people (Score:3, Insightful)
There, fixed that for ya....
Re:Access leads to... (Score:3, Insightful)
Damning with faint praise.
Enabling the ignorant (Score:3, Insightful)
It has also caused real-world problems.
I have seen *way* more improperly-coded applications in Access and Excel than in any other language or programming system. Why is that? Because people are designing "databases" with no fundamental understanding of data management. People code spreadsheets with no real idea of how to identify and correct bugs. They *only* advantage the user has it knowledge of the data. (Which *is* a good thing, granted.)
Further, an access database represents an island of information. They are difficult to connect to the rest of the business knowledge base. They are usable only to one or a few people. This feeds into recreational empire-building.
And the worst part: businesses make actual *business decisions* based on these flawed islands of data.
But, it's up to management to figure out which data is "business-critical," and try to ensure that data is managed by data management professionals. Sure, not all data needs that kind of care. But I'd wager most *interesting* data does.