The Fine Line Between Security and Usability
SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case, independent security researcher cocoruder found a critical bug in the JET engine, via the .mdb (Access) file format; he reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability in a data technology that is at the heart of a large number of essential business and hobby applications."
Well, that actually is my problem with FileMaker Pro. It too seduces you into thinking that developing database apps is easy and fun. The difference is that when an FM Pro app starts flaking out (public school systems are just eaten up with FM Pro deployments that got too big for their britches) there isn't a "big brother" product to easily transition to that scales.
Yeah it's true that Access is a gateway drug to SQL Server. But that IS a viable upgrade path for that little workgroup app that some PHP decided to expose to a 10,000 node WAN.
OpenBSD is also one of the most usable UNIX systems I've encountered. It doesn't have oversimplified GUIs, but it does have a remarkably consistent userland feel. Why? Because the team regard usability as part of security. A security system that is so hard to use that people turn it off is a useless security system. The best security system is a competent administrator, and a good user interface lowers the bar for competence.
I am TheRaven on Soylent News
I don't know. It seems to me that whoever did the triage screwed up. This is not unusual. I remember working at Microsoft and running into issues getting a number of issues fixed. However, the organizational structure of the company often makes it impossible to get problems fixed because nobody wants to act as a cost center for the security (passing the buck).
When I worked at Microsoft, I reported what I felt was a serious security flaw. Despite the fact that the exploit I reported resulted in one of the lead engineers handing me his Hotmail password, this was seen as a user issue and not a security one (it had to do with options for encoding URLs so that the @ sign could be sufficiently obfuscated that nobody could be expected to see what was going on), that is, until a few months later when someone sent out phishing emails appearing to come from Microsoft. (It was then fixed in a hurry.)
I have had other experiences at Microsoft suggesting that only when it becomes a PR problem for Microsoft will they fix something which does not fit their ideas of how the software is supposed to be used. Their answer in this case suggests that the feeling is that the solution is not to use untrusted sources of Access dbs. Just wait for someone in a business to show how this can be done using Access with far fewer permissions, and then it might get fixed.
LedgerSMB: Open source Accounting/ERP