I don't think this is the philosophie to follow. If you implement a password scheme for the data base and you market it as secure users don't have to take all the step you talk about. What bugs me more about this "bug" is the little comment you said at the end of your post "for what it was orignally intended for -- keeping out unsophisticated users." I don't think I'm the only one here that think that should think before making comments like that. In other words your saying to all microsoft users , "Microsoft the legion of unsophisticated users". I will let the marketing department of Microsfot sort that out, anyways that is the only department that really work efficiently there. Thinking that way about security is the best way to end up with your panths down everyone second. >From owner-bugtraqat_private Thu Feb 11 10:49:18 1999 >Received: from netspace.org ([128.148.157.6]:40285 "EHLO netspace.org" ident: "TIMEDOUT2") by brimstone.netspace.org with ESMTP id <82888-18926>; Thu, 11 Feb 1999 13:26:47 -0500 >Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8d) with > spool id 712658 for BUGTRAQat_private; Thu, 11 Feb 1999 18:17:39 > +0000 >Approved-By: aleph1at_private >Received: from mail3.microsoft.com (mail3.microsoft.com [131.107.3.123]) by > netspace.org (8.8.7/8.8.7) with ESMTP id VAA08340 for > <BUGTRAQat_private>; Tue, 9 Feb 1999 21:56:26 -0500 >Received: by mail3.microsoft.com with Internet Mail Service (5.5.2524.0) id > <D8VVC8YV>; Tue, 9 Feb 1999 18:56:10 -0800 >X-Mailer: Internet Mail Service (5.5.2524.0) >Message-ID: <CB6657D3A5E0D111A97700805FFE65870B48DD52@RED-MSG-51> >Date: Tue, 9 Feb 1999 18:56:08 -0800 >Reply-To: Paul Leach <paulleat_private> >Sender: Bugtraq List <BUGTRAQat_private> >From: Paul Leach <paulleat_private> >Subject: Re: Microsoft Access 97 Stores Database Password as Plaintext >X-To: Jim Paris <jimat_private> >To: BUGTRAQat_private > >> -----Original Message----- >> From: Jim Paris [mailto:jimat_private] >> Sent: Tuesday, February 09, 1999 2:46 PM >> To: BUGTRAQat_private >> Subject: Re: Microsoft Access 97 Stores Database Password as Plaintext >> >> >> > The following text was posted to USENET, and indexed on a >> Russian cypherpunk >> > site. I found it when I was doing some work with Access 97 >> databses. I >> > think you will agree that this particular "feature" makes the linked >> > database password issue moot. >> >> Most definately! > >No, I claim it was _always_ moot. Even if the password were strongly >encrypted, the rest of the data in the database is not. So, unless you've >used ACLs to protect the database, the data in it _is_ available, it's just >a matter of a some amount of work. > >Unless the programmer went to a lot of work to obscure the password storage, >the following procedure should work on nearly any of that generation of >applications that pretended to "password protect" their files in the absence >of file system security: > >1. Create as small a database/file as possible, with an empty password. >2. Copy it. >3. Change the password on one copy >4. Diff the databases/files -- this will isolate even a strongly encrypted >encrypted blank password. >5. Copy the target >5. Copy the encrypted blank password into the same offset in the copy of the >target database/file. > >On the other hand, if you used ACLs to protect the database/file, then you >could use a blank password, and it wouldn't matter. > >It is a fundamental security principle that effective security checks must >be enforced by something that can _not_ be bypassed. Since, without ACLs or >using the password to encrypt the whole database/file, there is no way to >prevent the password checking from being bypassed, the approach is only good >for what it was orignally intended for -- keeping out unsophisticated users. > >Paul > ______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:56 PDT