Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Fine Line Between Security and Usability

Posted by ScuttleMonkey on from the discarding-old-tech dept.

SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format, he reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications."

18 of 195 comments (clear)

  1. In my opinion by moogied · · Score: 4, Insightful

    Microsoft is a company, there goal is profit. Not security, not saving the enviroment, not making linux geeks smile. They want money. As every company on earth does. That is where the line is drawn. Exactly where it becomes unprofitable.

    --
    So basically, -1 troll/offtopic is really slashdots way of saying "I hate that you thought of something before me."
    1. Re:In my opinion by actiondan · · Score: 5, Funny

      Microsoft is a company, there goal is profit. ... not making linux geeks smile

      Explain Vista then.

    2. Re:In my opinion by jmv · · Score: 4, Insightful

      That's what really bothers me about the libertarian-neocon view on corporations. You have at the same time:

      1) Companies are only there to make a profit and don't have to care about things like environment, security, ...

      2) Regulation is evil, let the companies do whatever they like and the market will sort it out.

      Logical conclusion from 1) and 2) is that we're pretty much screwed and back to some kind of feudalism. And no, most people do not vote with their wallets and the Market will not sort it out magically (otherwise, CO2 emissions would already be on the way down and there wouldn't be all these environmental problems).

      --
      Opus: the Swiss army knife of audio codec
    3. Re:In my opinion by mrbluze · · Score: 4, Insightful

      Microsoft is a company, there goal is profit. Not security, not saving the enviroment, not making linux geeks smile.

      As correct as you are, there does not need to be a fine line between usability and security. There needs to be (and of course there will be) an ongoing evolution in software design to offer usability without compromising security. I reckon it won't be a long time before any software program that gets run in userspace (or any space) has to go out on bended knee requesting to do anything - forced to abide by a security policy by default which limits its access. I don't mean the old broad-brush users/groups/device permissions etc. model that is everywhere now, but stuff like "only allowed to read from this folder, only allowed to talk to this or that application, etc." with very low level behaviour controls.

      I don't think this needs to result in a "the mouse pointer wants to move, confirm/deny" scenario, but that the software designers need to submit with their product a security policy within which their applicaton has to function. The user should be able to very easily browse this policy and see what the program expects to be able to do, and override things, such as "access the internet using HTTPS at port 3232 to server www.phonehome.net" or sloppy things like "read contents of /etc recursively" instead of "read contents of /etc/mostlyharmlesswidget/config".

      I know things like this already exist and there is a limited implementation of it, but to me that just confirms the point that it is the obvious next step.

      --
      Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    4. Re:In my opinion by fm6 · · Score: 4, Insightful

      Microsoft is a company, there goal is profit.
      So what? You think there's no connection between security and profit? Next you'll be telling me that Ford's goal is profit, not reliable cars. Of course, nowadays they have neither...

      This whole discussion is based on a faulty premise, that MS is leaving its Access users without a fix. They have a fix, and they've had it for some time: stop using MDB format and convert your databases to a data engine that isn't a POS. They've deprecated MDB and Jet Engine. That means they're telling their customers "Don't use that stuff any more, it's faulty." The fact that they continue to support customers who ignore the deprecation doesn't change that.

      There is the little detail that Access itself is a POS. But that's designed in — not much they can do about that.
  2. Oblig. Dilbert by damn_registrars · · Score: 5, Funny

    Mordac, the preventer of information services, makes a statement on security versus usability:

    http://dilbert.com/comics/dilbert/archive/dilbert-20071116.html

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  3. This is not news to me... by rickb928 · · Score: 4, Insightful

    ... that Microsoft doesn't want to fix Jet.

    They'd rather you re-wrote your app and used MSDE, or something with .NET in it.

    Not a lot of money in supporting the db engine they give away.

    And this is not the first time. Does no one remember they tried to Kill Jet in XP -and- Vista?

    A pox on them all. I hope we re-write our app in mySQL.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
  4. do users care? by larry+bagina · · Score: 4, Informative

    a few years back, I started up a software company. Although some of our stuff was open source, starving isn't a hobby, so some of it was closed. One thing we tried was (for a slight increase in price) guaranteeing to fix any critical bugs even if we no longer supported the software. If we couldn't provide a fix, the source code was in escrow so they could access it. There was zero interest in it.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  5. voting by 99BottlesOfBeerInMyF · · Score: 4, Informative

    Umm, isn't that the format used in the most popular voting machines to store all our votes?

  6. Patching one hole in a pegboard by Volante3192 · · Score: 4, Insightful

    So to fire off this vulnerability, you have to run an .mdb file you found from "somewhere." Never mind these things could have embedded VB macros and other controls that could wreak havoc.

    Why not just start running installs you find from "somewhere?"

    Access and mdb are insecure as it is when you start running untrusted files; should we expect all of those to go away at the expence of neutering the key selling point: stupid easy to do anything with?

  7. Re:why do people by mfnickster · · Score: 4, Funny

    > why do people keep using access? It is so dinky as a relational database... I'm not honestly sure what it *is* supposed to be used for.

    Microsoft Access is a demo. It's meant to seduce you into thinking that developing your own database applications is easy and fun, and that Access can address your organizational needs adequately. This puts you onto the path that will eventually lead to you buying MS SQL Server.

    At least, that's been my experience! :)

    --
    "Slow down, Cowboy! It has been 3 years, 7 months and 26 days since you last successfully posted a comment."
  8. Re:why do people by kelnos · · Score: 4, Insightful

    Unfortunately, with Access, it's not about the database itself, but about the GUI tools that many people find easy to use...

    --
    Xfce: Lighter than some, heavier than others. Just right.
  9. Not a big deal... by Vthornheart · · Score: 4, Informative

    They're making a big deal of the following in both of the links in the article, repeating the same phrase over and over: "some web servers could be at risk if users upload a malicious .asp / .mdb file and then execute it via calls to "ADODB.Connection"." They say this twice in one paragraph at one point. But what does that really mean? That means a server running ASP, that also is allowing end users to upload .mdb databases to it (???), AND to expose them from whatever location they've been uploaded to so that Connections can be made to them, will be vulnerable. That's a pretty hefty list of "ifs". If you're letting your users upload .mdb databases to your webserver at all, let alone to a publicly accessible folder, you're already asking for severe trouble. I can't imagine a website out there that would allow such uploading/public exposure to happen that doesn't already have severe security flaws merely by the amount of freedom its given its users in what they can do on the site. This is definitely a vulnerability, but the impact to ASP/ASP.NET servers is minimal if the hosts are implementing common sense security practices/user restrictions already.

    --
    -Vendal Thornheart
  10. Access leads to... by argent · · Score: 5, Funny

    "Access is the path to the dark side, for Access leads to SQL Server, and SQL Server leads to suffering."

  11. It's not just small businesses by RipSlider · · Score: 4, Insightful

    No matter what is written above, it's not just "Small business" which use Jet. I'm under an NDA(s), so won't name names, but lets say that, in the course of the last 18 months, I have worked in 1x Top 5 Bank and 2x top 10 financial services houses, in the UK, that would collapse if they loose their Access Databases within one week. ( Guess what my firm was brought in to do?) It's a similar situation to the household name that most people in the UK and US have some direct or indirect monies held in that currently has more than 700 staff in my company working 24 hours a day, 7 days a week to get all their data into a new data ware house after a rather worrying period where their main DB went down. What was the DB? It was a massively hacked about version of a CRM package that a developer got off a coverdisc ( PCPro magazine to be exact ), 6 years ago. Here's the thing: Big companies get into the same messes as small companies. If you truely believe that ALL of the top companies are using Oracle DB's, SOA architectures and data warehouses for mining purposes, your living in a dream world. Working as a solution architect that is meeting 2-3 major, as in top 250, clients a month, and looking at their issues, and the mess that they've got in to, I would be suprised if Microsoft manage to hold their "We're not going to fix it" position for long. Fact is, as soon as CIO's get stressed, they start to shout, and they'll shout at Microsoft if they feel that there is an issue. Remember that a lot of the major firms have 10 and 15 year support contracts with Microsoft, each of them bespoke. If one of them demands a fix, it will immediately be made available to all of the others on bespoke support contracts. At which point there is little reason to hold it back from the other major buyers, and so it cascades down the chain.

  12. Re:I always go with OpenBSD. by TheRaven64 · · Score: 5, Interesting

    OpenBSD is also one of the most useable UNIX systems I've encountered. It doesn't have oversimplified GUIs, but it does have a remarkably consistent userland feel. Why? Because the team regard usability as part of security. A security system that is so hard to use that people turn it off is a useless security system. The best security system is a competent administrator and a good user interface lowers the bar for competence.

    --
    I am TheRaven on Soylent News
  13. Re:why do people by TheRaven64 · · Score: 4, Insightful

    Access is not a database, it's a RAD tool for data-drive apps. You use Access when you want to quickly create a GUI for processing data (well, now you'd probably write a web app, but in the '90s it was the thing to use). Once you've done this, you progressively add features to your simple tool. Eventually, you have something that sprawls over thousands of lines of unmaintainable code, depends on Access, and is vital to your company.

    --
    I am TheRaven on Soylent News
  14. Re:why do people by ronabop · · Score: 5, Informative
    The difference is that when an FM Pro app starts flaking out (public school systems are just eaten up with FM Pro deployments that got too big for their britches) there isn't a "big brother" product to easily transition to that scales.

    I've scaled FMP out quite nicely, actually. I think the problem you're more likely running into is one where poor database design and implementation does not scale, regardless of the engine used. Since you mentioned school systems, here's some examples of particular design and implementation mistakes I've run into in that environment.
    • Keeping all student records in one table, in perpetuity, so the engine has to slog through records from 10 years ago to find today's current students.
    • Keeping all records, for all tasks, on one DB machine, in one set of tables, rather than using separate machines (why should the student attendance records *always* be on the same machine as the cafeteria menu, the janitorial schedule, the PTA newsletter, and the 2001 teacher vacation sign-up sheet?)
    • The BigTable. Everybody who's worked in cleaning up poor DB design knows this one, the freaking huge table that stores *everything*. As text fields, of course. With no relational links.
    These simple design gotchas can be made with *any* db engine, and are often made by inexperienced designers. Easy and fun is setting up the basics, and when it gets slow, paying some geek (or finding a young volunteer who needs to pad their resume) to re-engineer the system.

    Of course, there are an awful lot of inexperienced db admins out there, who have only worked with scaling one or two kinds of db engines, and thus lack the history of "scaling" back when 30Hz and 64Mb of RAM was the maximum per desktop (and thus lack the tao of partitioning zen), or are used to using their "clustering tools" (and thus lack the tao of systems connections zen), or any other number of failings which prevent them from understanding how to actually scale something really big.

    If you're applying for a job as a DBA (or are the chief teacher/DBA for a school system), and you don't understand how DNS scales, well.... there ya go. ;)