
The Fine Line Between Security and Usability

ScuttleMonkey posted more than 6 years ago | from the discarding-old-tech dept.

Security 195

SkiifGeek writes to ask, "Where should vendors be required to draw the line when supporting deprecated file formats and technology? In a recent case independent security researcher cocoruder found a critical bug with the JET engine, via the .mdb (Access) file format, he reported it to Microsoft, but Microsoft's response came as a surprise to him — it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications."



In my opinion (4, Insightful)

moogied (1175879) | more than 6 years ago | (#21414205)

Microsoft is a company, their goal is profit. Not security, not saving the environment, not making linux geeks smile. They want money. As every company on earth does. That is where the line is drawn. Exactly where it becomes unprofitable.

Re:In my opinion (5, Funny)

actiondan (445169) | more than 6 years ago | (#21414279)

> Microsoft is a company, their goal is profit. ... not making linux geeks smile

Explain Vista then.

Re:In my opinion (2, Funny)

a_n_d_e_r_s (136412) | more than 6 years ago | (#21414373)

Thats not a bug - its a feature!

Re:In my opinion (3, Funny)

fm6 (162816) | more than 6 years ago | (#21414465)

The fact that it's a feature makes it a bug!

Re:In my opinion (1)

squeeze69 (756427) | more than 6 years ago | (#21414817)

Vista? uooops... a "SVista" (more or less an Italian word for an "error" made by distraction). :-D Sorry, I couldn't resist.. :-D Jokes apart, MS has to make money, like any other company, I don't understand "trolling" and hate against MS. Note: I personally like both *nix and Windows worlds (and make some development in both worlds, too). No one is forced to use Windows or other MS products, you can use alternative software any time you like.

Re:In my opinion (2, Insightful)

timeOday (582209) | more than 6 years ago | (#21414345)

Where else should the line be drawn? Unfortunately there is no line nicely "between" usability and security, because the two are in direct conflict. Computers would be so much easier to use in every way if we didn't have to worry about abuse - it's a huge part of the configuration burden that plagues computers today. That's the world we live in. The line has to be drawn somewhere, but "absolute security" isn't it (and neither is "absolute convenience").

Whether Microsoft draws it at the right place is, of course, another question entirely.

In my opinion-Line drawing. (1)

Anonymous Coward | more than 6 years ago | (#21414395)

Maybe the question isn't where the line should be drawn, but who should do the drawing?

Re:In my opinion-Line drawing. (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#21414497)

Your mom.

Re:In my opinion-Line drawing. (1)

timeOday (582209) | more than 6 years ago | (#21415021)

> Maybe the question isn't where the line should be drawn, but who should do the drawing?

That sounds good, though I'm trying to imagine quite how it would be done. One of the credos of security is "secure by default." In practice, this makes it very frustrating to get some things, like CUPS remote printing, to work. Again and again, you find things intentionally "broken" and have to make an effort to get them to work. I'd rather allow somebody to run my printer out of paper than waste hours on it. (In practice it's always the bugginess of Ghostscript and CUPS that cause the printer to pump out page after page of gibberish, not attackers, but I digress...)

Re:In my opinion (4, Insightful)

jmv (93421) | more than 6 years ago | (#21414531)

That's what really bothers me about the libertarian-neocon view on corporations. You have at the same time:

1) Companies are only there to make a profit and don't have to care about things like environment, security, ...

2) Regulation is evil, let the companies do whatever they like and the market will sort it out.

Logical conclusion from 1) and 2) is that we're pretty much screwed and back to some kind of feudalism. And no, most people do not vote with their wallets and the Market will not sort it out magically (otherwise, CO2 emissions would already be on the way down and there wouldn't be all these environmental problems).

Re:In my opinion (1)

seaturnip (1068078) | more than 6 years ago | (#21415881)

Who the hell is a "libertarian-neocon"? Nice job knocking down that straw man.

Abusers are losers. (0, Flamebait)

Futurepower(R) (558542) | more than 6 years ago | (#21414559)

"Microsoft is a company, their goal is profit." [spelling correction]

In my opinion, that is a common mistake. Microsoft's main purpose is abuse, not profit. Microsoft is not a software company that is routinely abusive, it is an abuse company that uses software as a means of delivering abuse. If you look at it that way, Microsoft is excellent at what it does.

That follows the general rule that what happens over a long period of time is what the people involved meant to happen.

Being abusive may or may not make money, but it always causes harm to the abusers. That's why Bill Gates has trouble with depression. It's easy to guess that a chair-throwing monkey boy is not a happy camper, either.

Abuse is why Sandy Weill, formerly of CitiBank, had heart trouble, I think. That's why Dick Cheney, U.S. vice-president has heart trouble. (Whaaaat, you say. Dick Cheney has a heart???)

We seem to live in a society dominated by abusers. The dollar is being inflated so that the U.S. government will have enough money to fight a war, so that oil and weapons investors can get control of the oil supply.

Re:Abusers are losers. (0, Flamebait)

SpaceLifeForm (228190) | more than 6 years ago | (#21414703)

You forgot about the spying. Windows software exists so it can be used to spy on you. Therefore, they don't want to close those holes.

But... (1)

cromar (1103585) | more than 6 years ago | (#21414589)

Why shouldn't those goals be reflected by our corporate overlords?

Re:In my opinion (4, Insightful)

mrbluze (1034940) | more than 6 years ago | (#21414631)

> Microsoft is a company, their goal is profit. Not security, not saving the environment, not making linux geeks smile.

As correct as you are, there does not need to be a fine line between usability and security. There needs to be (and of course there will be) an ongoing evolution in software design to offer usability without compromising security. I reckon it won't be a long time before any software program that gets run in userspace (or any space) has to go out on bended knee requesting to do anything - forced to abide by a security policy by default which limits its access. I don't mean the old broad-brush users/groups/device permissions etc. model that is everywhere now, but stuff like "only allowed to read from this folder, only allowed to talk to this or that application, etc." with very low level behaviour controls.

I don't think this needs to result in a "the mouse pointer wants to move, confirm/deny" scenario, but that the software designers need to submit with their product a security policy within which their application has to function. The user should be able to very easily browse this policy and see what the program expects to be able to do, and override things, such as "access the internet using HTTPS at port 3232 to server www.phonehome.net" or sloppy things like "read contents of /etc recursively" instead of "read contents of /etc/mostlyharmlesswidget/config".

I know things like this already exist and there is a limited implementation of it, but to me that just confirms the point that it is the obvious next step.

Re:In my opinion (4, Insightful)

fm6 (162816) | more than 6 years ago | (#21414635)

> Microsoft is a company, their goal is profit.

So what? You think there's no connection between security and profit? Next you'll be telling me that Ford's goal is profit, not reliable cars. Of course, nowadays they have neither...

This whole discussion is based on a faulty premise, that MS is leaving its Access users without a fix. They have a fix, and they've had it for some time: stop using MDB format and convert your databases to a data engine that isn't a POS. They've deprecated MDB and Jet Engine. That means they're telling their customers "Don't use that stuff any more, it's faulty." The fact that they continue to support customers who ignore the deprecation doesn't change that.

There is the little detail that Access itself is a POS. But that's designed in — not much they can do about that.

Re:In my opinion (1)

CastrTroy (595695) | more than 6 years ago | (#21415565)

And if people had written their applications with proper database abstraction layers, moving from one database to another wouldn't be all that difficult. The fact is that a lot of programmers did a really bad job when they designed their applications, and now they want MS to fix some ancient technology, just so they never have to upgrade their systems.

I always go with OpenBSD. (0)

Anonymous Coward | more than 6 years ago | (#21414237)

When I put together a system and security is paramount, there's really only one choice: OpenBSD [openbsd.org] .

Their no-bullshit policy with regards to security and high-quality code is what allows them to put together such a stable, secure, and high-quality operating system.

And I always use their security-hardened versions of GCC and Apache, just to ensure that the web sites I'm serving are as secure as possible.

Re:I always go with OpenBSD. (5, Interesting)

TheRaven64 (641858) | more than 6 years ago | (#21415121)

OpenBSD is also one of the most useable UNIX systems I've encountered. It doesn't have oversimplified GUIs, but it does have a remarkably consistent userland feel. Why? Because the team regard usability as part of security. A security system that is so hard to use that people turn it off is a useless security system. The best security system is a competent administrator and a good user interface lowers the bar for competence.

Re:I always go with OpenBSD. (1)

grub (11606) | more than 6 years ago | (#21415371)


I've always been a fan of Windowmaker [gnu.org] which plays nicely on OpenBSD. It's quite lightweight, customizable and doesn't interfere with what I want to do.

Oblig. Dilbert (5, Funny)

damn_registrars (1103043) | more than 6 years ago | (#21414239)

Mordac, the preventer of information services, makes a statement on security versus usability:

http://dilbert.com/comics/dilbert/archive/dilbert-20071116.html [dilbert.com]

Re:Oblig. Dilbert (1)

kc2keo (694222) | more than 6 years ago | (#21414897)

I read that in the paper. Was hilarious. Made my morning before school worthwhile.

This is not news to me... (4, Insightful)

rickb928 (945187) | more than 6 years ago | (#21414281)

... that Microsoft doesn't want to fix Jet.

They'd rather you re-wrote your app and used MSDE, or something with .NET in it.

Not a lot of money in supporting the db engine they give away.

And this is not the first time. Does no one remember they tried to Kill Jet in XP -and- Vista?

A pox on them all. I hope we re-write our app in mySQL.

Re:This is not news to me... (2, Funny)

moderatorrater (1095745) | more than 6 years ago | (#21414321)

> I hope we re-write our app in mySQL

Thems're fightin' words around here...

Re:This is not news to me... (1)

argent (18001) | more than 6 years ago | (#21414811)

You prefer PostgreSQL?

Re:This is not news to me... (1)

moderatorrater (1095745) | more than 6 years ago | (#21415223)

I'm MySQL through and through, but honestly, the worst flame wars I've ever seen on the site were mysql vs. postgres. I would say pirates vs. the "thou shalt be honest, even unto the music industry" folks, but there aren't too many of the latter around here...

Re:This is not news to me... (1)

zentigger (203922) | more than 6 years ago | (#21414411)

> A pox on them all. I hope we re-write our app in mySQL.

If more people share this attitude it will become "profitable" for Microsoft to fix this.

If not, well, you will have a secure app anyway, and MS can bugger off and die in a gutter somewhere, and all the dumb bastards that decided to rely on a free piece of software from a company with a horrible reputation for customer support and secure coding practices get what they deserve!

Re:This is not news to me... (3, Insightful)

berzerke (319205) | more than 6 years ago | (#21414931)

> ...all the dumb bastards that decided to rely on a free piece of software from a company with a horrible reputation for customer support and secure coding practices get what they deserve!

Except with the Internet and massive databases floating around, we are all interconnected. Jet DBs may not be massive, but that doesn't mean the company doesn't have access to other real databases. OK, so the stupid company gets owned. Now, if they have any info on me, that's in the criminal's hands, and good luck getting compensation even if the company admitted full responsibility. Their Internet connection can now be used to spam or DOS me. If they go out of business, think about all the employees who had nothing to do with the IT decisions (and those who opposed this particular one). They get to stand in the unemployment line. Vendors might get shafted on unpaid invoices.

Just because your system is secure doesn't mean you don't get affected by someone else's insecure system. And no, I don't know what the solution to that problem is.

why do people (1)

sentientbrendan (316150) | more than 6 years ago | (#21414479)

keep using access? It is so dinky as a relational database... I'm not honestly sure what it *is* supposed to be used for.

Re:why do people (4, Funny)

mfnickster (182520) | more than 6 years ago | (#21414647)

> why do people keep using access? It is so dinky as a relational database... I'm not honestly sure what it *is* supposed to be used for.

Microsoft Access is a demo. It's meant to seduce you into thinking that developing your own database applications is easy and fun, and that Access can address your organizational needs adequately. This puts you onto the path that will eventually lead to you buying MS SQL Server.

At least, that's been my experience! :)

Access leads to... (5, Funny)

argent (18001) | more than 6 years ago | (#21414887)

"Access is the path to the dark side, for Access leads to SQL Server, and SQL Server leads to suffering."

Re:why do people (1)

bladesjester (774793) | more than 6 years ago | (#21414909)

> This puts you onto the path that will eventually lead to you buying MS SQL

Nah. Most people only used/use Access for smaller stuff. They came out with SQL server lite a while back. Free of charge and embeddable into .net apps (much like cloudscape is for java apps).

Re:why do people (2, Interesting)

domatic (1128127) | more than 6 years ago | (#21414913)

Well, that actually is my problem with FileMaker Pro. It too seduces you into thinking that developing database apps are easy and fun. The difference is that when an FM Pro app starts flaking out (public school systems are just eaten up with FM Pro deployments that got too big for their britches) there isn't a "big brother" product to easily transition to that scales.

Yeah it's true that Access is a gateway drug to SQL Server. But that IS a viable upgrade path for that little workgroup app that some PHB decided to expose to a 10,000 node WAN.

Re:why do people (2, Insightful)

Mr2001 (90979) | more than 6 years ago | (#21415693)

> This puts you onto the path that will eventually lead to you buying MS SQL Server.

Or installing SQL Server Express for free?

Re:why do people (4, Insightful)

kelnos (564113) | more than 6 years ago | (#21414675)

Unfortunately, with Access, it's not about the database itself, but about the GUI tools that many people find easy to use...

Re:why do people (4, Insightful)

TheRaven64 (641858) | more than 6 years ago | (#21415145)

Access is not a database, it's a RAD tool for data-driven apps. You use Access when you want to quickly create a GUI for processing data (well, now you'd probably write a web app, but in the '90s it was the thing to use). Once you've done this, you progressively add features to your simple tool. Eventually, you have something that sprawls over thousands of lines of unmaintainable code, depends on Access, and is vital to your company.

Re:why do people (2, Funny)

SCHecklerX (229973) | more than 6 years ago | (#21415435)

I thought it was just a way of keeping a bunch of copies of the same spreadsheet in one file. Not sure why they call them tables instead of spreadsheets though :)

Re:why do people (1)

NullProg (70833) | more than 6 years ago | (#21415841)

Minor correction..

> Access is not a database, it's a RAD tool for data-driven apps.

IIRC, it's a single-user ISAM database with a separate index. Microsoft tacked on (wrapped) C++/C/VB5/VB6 tools to make it RAD. FoxPro was better (X-Base) at the time IMHO. At the same time I used the Mix C-DATA ISAM database because it worked under OS/2, Unix, DOS, and Windows (truly cross-platform).

Enjoy,

I'm starting to believe the conspiracy theorists (0)

Anonymous Coward | more than 6 years ago | (#21414671)

They completely borked asp support [microsoft.com] in the sp2 release for the otherwise excellent 2003 server.

How could any test plan have missed that little one. Anyone running any kind of real asp app would be dead in the water with this one. Either they were grossly incompetent, or they purposely nuked asp. Months later and you still have to make a special support request for this patch.

Re:This is not news to me... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21414719)

the engine used in .net is given away for free too you fucking tard. oh, and so are the development tools too, unlike access. you have no clue what the fuck you're talking about. just another fucking troll.

Re:This is not news to me... (2, Insightful)

argent (18001) | more than 6 years ago | (#21414877)

> I hope we re-write our app in mySQL.

If Jet was adequate, you may be better off using SQLite.

Re:This is not news to me... (2, Interesting)

einhverfr (238914) | more than 6 years ago | (#21415459)

I don't know. It seems to me that whoever did the triage screwed up. This is not unusual. I remember working at Microsoft and running into issues getting a number of issues fixed. However, the organizational structure of the company often makes it impossible to get problems fixed because nobody wants to act as a cost center for the security (passing the buck).

When I worked at Microsoft, I reported what I felt was a serious security flaw. Despite the fact that the exploit I reported resulted in one of the lead engineers handing me his Hotmail password, this was seen as a user issue and not a security one (it had to do with options for encoding URLs so that the @ sign could be sufficiently obfuscated that nobody could be expected to see what was going on), that is, until a few months later when someone sent out phishing emails appearing to come from Microsoft. (It was then fixed in a hurry).

I have had other experiences at Microsoft suggesting that only when it becomes a PR problem for Microsoft will they fix something which does not fit their ideas of how the software is supposed to be used. Their answer in this case suggests that the feeling is that the solution is not to use untrusted sources of Access dbs. Just wait for someone in a business to show how this can be done using Access with far fewer permissions, and then it might get fixed.
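The "@ in the URL" confusion this comment describes is still worth catching on the defensive side, in a mail gateway or link scanner. The check below is an added example (not the poster's code and not anything from Microsoft): it reports the host a URL actually points at and why the authority section looks deceptive. All hosts and sample URLs are constructed (example.com, 192.0.2.1 and 2001:db8::1 are documentation names/addresses).

```python
"""Flag URLs whose authority hides the real host behind userinfo ('name@host')."""
from urllib.parse import urlsplit, unquote


def _host_only(hostport: str) -> str:
    """Strip a trailing :port, keeping a bracketed IPv6 literal intact."""
    if hostport.startswith("["):
        end = hostport.find("]")
        return (hostport[: end + 1] if end != -1 else hostport).lower()
    return (hostport.rsplit(":", 1)[0] if ":" in hostport else hostport).lower()


def analyze_url(url: str) -> dict:
    """Return the real host plus flags describing '@'-based host confusion.

    Keys: actual_host (what a client connects to), apparent_host (what a
    casual reader takes for the site), deceptive (bool), reasons (list).
    """
    parts = urlsplit(url)
    # Percent-decode the authority so an encoded '%40' is judged like a literal
    # '@'. User agents differ in how they treat the encoded form, so the
    # scanner flags it conservatively rather than guessing.
    authority = unquote(parts.netloc)
    reasons = []

    if "@" not in authority:
        host = _host_only(authority)
        return {"actual_host": host, "apparent_host": host,
                "deceptive": False, "reasons": reasons}

    # Everything after the LAST '@' is the host the client really uses.
    userinfo, _, hostport = authority.rpartition("@")
    actual_host = _host_only(hostport)
    apparent = userinfo.split(":", 1)[0]  # drop any password component
    reasons.append("authority contains userinfo ('@')")
    if "@" in userinfo:
        reasons.append("multiple '@' characters in authority")
    if "." in apparent:
        reasons.append(f"userinfo '{apparent}' looks like a host name")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in userinfo):
        reasons.append("userinfo contains control or non-ASCII characters")
    if parts.netloc != authority:
        reasons.append("authority contains percent-encoded characters")
    return {"actual_host": actual_host, "apparent_host": apparent,
            "deceptive": True, "reasons": reasons}


# Constructed sample links, as a link scanner might pull them out of a message.
SAMPLE_URLS = [
    "http://www.example.com/login",
    "http://www.example.com@192.0.2.1/login",
    "http://www.example.com%40192.0.2.1:8080/",
    "http://user:secret@192.0.2.1/",
    "http://[2001:db8::1]:443/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze_url(u)
        status = "SUSPICIOUS" if r["deceptive"] else "ok"
        print(f"{status:10} {u}\n    real host: {r['actual_host']}"
              f"  shown as: {r['apparent_host']}\n    {'; '.join(r['reasons'])}")
```

Hosts and the decoded userinfo are returned rather than only printed so the check can feed a filter rule or a warning banner.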

do users care? (4, Informative)

larry bagina (561269) | more than 6 years ago | (#21414303)

a few years back, I started up a software company. Although some of our stuff was open source, starving isn't a hobby, so some of it was closed. One thing we tried was (for a slight increase in price) guaranteeing to fix any critical bugs even if we no longer supported the software. If we couldn't provide a fix, the source code was in escrow so they could access it. There was zero interest in it.

Re:do users care? (3, Insightful)

cdrguru (88047) | more than 6 years ago | (#21414545)

Source code escrow was far more interesting in the late 1980s when some folks actually believed that if they paid for an application (and often a substantial fraction of its development) that they should have access to the source code if the author wasn't available. Part of this came from companies that got burned by the author abandoning their work for one reason or another. Part of it was also that it was a marketing tool - see, the source code can be gotten...

Today that fantasy has mostly dispersed. Most companies know that if they don't develop an application internally they are at someone else's mercy. There are fewer failures of larger software publishers but even the larger ones sometimes abandon some application leaving the users in a bad spot. But having the source for a 150,000 line (or more!) application doesn't mean a company could compile it, much less fix a serious bug. In general it would take someone a long time to get familiar enough with something like this to be able to work on it with any degree of confidence. Especially a company with a mission-critical application needing a bug fixed - it would take months, often paying a consultant $150+ an hour.

The "new" strategy seems to be:

  1. deal with larger, established companies whenever possible and hope their user base is large enough that they can just keep pushing out updates and have the product remain revenue-positive.
  2. Write off stuff that is abandoned because it is cheaper to switch to something else than try to independently resurrect something dead.
  3. Never ever do anything internally that could possibly be bought as off-the-shelf.

Mostly, this is a lot smarter than the late 80s strategy.

Re:do users care? (1)

whitehatlurker (867714) | more than 6 years ago | (#21415603)

> There was zero interest in it.

Until a potentially disastrous bug was found in a system-critical piece of software. People don't always have enough vision to see the worth in something like this. Bravo for trying!

Fine line? (0)

Anonymous Coward | more than 6 years ago | (#21414313)

I may have misunderstood, but it seems TFA is not about a fine line, but a chasm?

It's a fine line between madness and genius. Between cool and corny, or even between love and hate.

But there is no point where usability suddenly flips over into security, is there? And they are both good things.

Because it's not mainstream (2, Informative)

arbenin (1191257) | more than 6 years ago | (#21414319)

It's a very old technology. No new projects start with Access in its heart.

Re:Because it's not mainstream (1)

JoeCommodore (567479) | more than 6 years ago | (#21414769)

You haven't been outside much? Access is a part of Office 2003, a lot of people with just enough tech skills to be dangerous make their living off of writing Access dbs in critical situations.

Not to mention MS Access files being used by some electronic voting Cos.

MS Exchange (1)

flyingfsck (986395) | more than 6 years ago | (#21415113)

is not mainstream and not used anymore?

Easy (1)

Jeremiah Stoddard (876771) | more than 6 years ago | (#21414339)

If someone has paid for the software, the vendor should be obligated to fix malfunctions and security risks for as long as the software is in use, or until they release the source. If you pay for something, you have the right to expect it to work; if you're not given the means to correct issues with it, you have the right to expect that the company who took your money corrects those issues.

Re:Easy (0)

Anonymous Coward | more than 6 years ago | (#21414387)

> If someone has paid for the software, the vendor should be obligated to fix malfunctions and security risks for as long as the software is in use, or until they release the source.

If that's what you want, then put that in the contract when you purchase the software. But be prepared to pay more, a lot more, for your software.

If you expect that sort of support from off-the-shelf software you get at your local office supply store, then be prepared to pay far more for that software.

Re:Easy (1)

Jeremiah Stoddard (876771) | more than 6 years ago | (#21414609)

Why should I pay more for what any reasonable person ought to be able to expect? If I pay for something, it's my right to expect a functional and safe product in return. Hell, Free/Open Source software gives me that for free, and yet some profit-making enterprise can't afford to do it?

And it doesn't cost the vendor anything more to release the source of an outdated piece of software -- they don't have to use an open source license, just allow me to fix what I paid for.

Re:Easy (1)

wasabii (693236) | more than 6 years ago | (#21414419)

That's stupid. That's not how any other industry works.

All sales are final, ever heard of it? Perfectly acceptable and legal. If you don't do due diligence before you buy the responsibility is yours. It just so happens providing support is USUALLY in the best interests of both parties. Hence why manufacturers offer limited warranties for certain durations. Fixing 10 year old code is a net negative for the manufacturer: not doing so does not lose them enough sales to offset the cost.

Re:Easy (3, Insightful)

Jeremiah Stoddard (876771) | more than 6 years ago | (#21414551)

No; I know of no industry that works like that other than software. First, if a product is defective, I can return it and get it refunded or replaced. Beyond the warranty period, I still have the ability to alter it myself. Not so with software -- I can't return an opened package, even if the program doesn't work, and the EULA prevents me from making ANY modifications. Also, 10 years from now if it is discovered that my model of car has a "security risk", i.e. it explodes at random without warning, the manufacturer can still be held responsible. In this case, the software companies are trying to ditch any responsibility for their product, and require that the user pay them again for a newer version if they want their problem fixed. What's really stupid is your suggestion that the consumer is obligated to deal with a defective product.

Re:Easy (1)

TheRaven64 (641858) | more than 6 years ago | (#21415165)

Over here in the UK we have such a thing as an expectation of merchantability. If the goods are not suitable for the purpose for which sold, you have a right to a full refund. Unfortunately, this is only valid for one year.

voting (4, Informative)

99BottlesOfBeerInMyF (813746) | more than 6 years ago | (#21414349)

Umm, isn't that the format used in the most popular voting machines to store all our votes?

Exactly the situation that Open Source wins (0, Insightful)

Anonymous Coward | more than 6 years ago | (#21414383)

This is exactly the type of situation that proves why Open Source should exist and be used by any company with a brain and the willingness to retrain or dump their Windows Administration teams.

Well supported and popular technology? Check. Original developer not interested? Oh well, grab the source and fix it. If you can't, someone else will because it's popular.

End result - a secure platform for your legacy (and current!) applications without costly redevelopment costs.

Re:Exactly the situation that Open Source wins (2, Insightful)

CannonballHead (842625) | more than 6 years ago | (#21414477)

Sounds absolutely great. I wish every business person was as smart, since open source is obviously better in every way than closed source.

End of sarcasm. Yeah, open source is pretty cool, I like it, etc. Does open source guarantee everything wonderful, does open source guarantee a business with a profit? No, it doesn't. Open source is not the answer to everything.

And even open source organizations will stop support for decrepit applications. If you insist on using a 10 year old Linux kernel and demanding that some quirky bug in it be fixed, I'm not sure how much support you'd get :)

Is that an exact analogy, no... but, as a previous poster said, businesses run on profit, not open source feel-good-ness... :)

Re:Exactly the situation that Open Source wins (0)

Anonymous Coward | more than 6 years ago | (#21414539)

Hint: you can fix it yourself.

Re:Exactly the situation that Open Source wins (0)

Anonymous Coward | more than 6 years ago | (#21414619)

Hint: Name me one bug you've fixed in the kernel.

Hint: Name me one bug you've even looked through the source and found.

Hint: STFU and GBTW if you're just here drinking the kool-aid.

Re:Exactly the situation that Open Source wins (1, Informative)

Anonymous Coward | more than 6 years ago | (#21415035)

Hint: You don't have to be a programmer to find a bug.

Hint: Just because he hasn't fixed any bugs, or even found any, doesn't mean he can't pay someone to do it for him.

Hint: You try that with $PROPRIETARY_VENDOR

Hint: You're an idiot.

Re:Exactly the situation that Open Source wins (1)

cduffy (652) | more than 6 years ago | (#21415803)

You do realize that slashdot is a pretty lousy place to be challenging the crowd to show their kernel hacking creds, right?

(Me, I've fixed PS2 keyboard support on some obscure MIPS subarchitecture, and ported the MPPE driver to Linux 2.4 [think I was actually the first person to do that, though it's someone else's port that made it upstream], and did a little tooling around the input core, and fixed a DSDT bug that was causing the PCI bus on some Hitachi prototype hardware to be initialized wrong... but then, I'm mostly a userspace type).

Re:Exactly the situation that Open Source wins (1)

cduffy (652) | more than 6 years ago | (#21414967)

Stop free support, you mean. If you want a bug in a 10-year-old kernel fixed, you can pay me to do a backport. Sure, I'll charge completely insane rates (my primary job keeps me busy as it is), but there are enough C developers with kernelspace experience that if you have a reason to use a 10-year-old kernel (and in embedded space, that's not a completely unreasonable thing to do), you can find someone who'll maintain it for you.

Open source may not guarantee you profit in your core business, but it does guarantee that you're not held hostage to a single developer who owns exclusive rights to the infrastructure you built on.

Re:Exactly the situation that Open Source wins (2, Insightful)

TheRaven64 (641858) | more than 6 years ago | (#21415217)

If you insist on using a 10 year old Linux kernel and demanding that some quirky bug in it be fixed, I'm not sure how much support you'd get :)
The amount of support you get generally depends on how much you are willing to pay for it. This cost will go up as the product becomes less mainstream. The upper limit (when you are the only organisation using it) is employing a team of people to become familiar with the code and fix bugs. This is likely to cost a couple of hundred thousand dollars a year, but if you are running a multimillion dollar business on some in-house software that depends on something external, then it may be worth it. It's more likely that it will be cheaper to port your code to something newer at this point, however. This is a last resort with Free Software, but it is not even an option with proprietary code. If the proprietary vendor decides it is not in their financial interest to keep developing the software then you are stuck.

The cost of maintaining Free Software follows a curve. You can fairly easily predict how expensive it will be to keep maintaining something you depend on, and how expensive it is to move away. Once it becomes cheaper to move, that's what you should do.

Re:Exactly the situation that Open Source wins (-1, Flamebait)

toadlife (301863) | more than 6 years ago | (#21414641)

You sound very bitter. Did an MCSE take your job?

Re:Exactly the situation that Open Source wins (0)

Anonymous Coward | more than 6 years ago | (#21415593)

Did an MCSE take your job?

Nope. They're still flippin' them burgers.

This doesnt matter (3, Insightful)

hcmtnbiker (925661) | more than 6 years ago | (#21414417)

IMO this potential exploit is useless unless you're doing something with a JET database that you shouldn't be anyways. JET doesn't have database transactions, sure if you want to you can write them in at the application level but that's incredibly costly. If you're allowing people you don't trust to access a JET database something is wrong. JET will screw up if two users try to modify it at the same time, so why would someone you don't trust be using it, they could just as easily cost you enough damage by just modifying the DB while you are. SQL is used for that sort of thing, NOT JET.

Re:This doesnt matter (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21414555)

Jet isn't useless. It's a fairly featureful file-based database which has somewhat decent ANSI support and decent library support via VBA functions. It also does support transactions. Your assessment of Jet is more or less correct, but it's not a failing of Jet as much as it is a failing of any file-based database which lacks a centralized server. Because the client library reads and writes directly to the database files it is possible for write operations to collide. There is no central process in charge of policing the interaction to the database. This is compounded if the database isn't local as the latency for file operations is considerably greater. This is true of all file-based databases, including SQLite.

If it's multiuser or networked, go RDBMS.
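The collision the comment above describes, shown as an added example that is not part of the thread: SQLite stands in for Jet here because it has the same property (clients read and write the file directly, with a file lock as the only arbiter), and the table, rows and temporary database path are constructed for the demo.

```python
"""Two writers colliding on a file-based database that has no server process.

Added example, not code from the thread or from any vendor. SQLite is used
in place of Jet because the failure mode is the same: there is no central
process policing writes, only a lock on the file itself.
"""
import os
import sqlite3
import tempfile


def write_collision(db_path: str) -> dict:
    """Hold a write transaction on one connection and try to write from a second.

    Returns a dict with whether the second writer was refused while the first
    held the lock, and how many rows survive once both have finished.
    """
    # isolation_level=None: the sqlite3 module does not open transactions for
    # us, so BEGIN/COMMIT below are explicit and visible.
    a = sqlite3.connect(db_path, isolation_level=None)
    a.execute("CREATE TABLE IF NOT EXISTS orders (id INTEGER PRIMARY KEY, item TEXT)")
    # timeout=0: fail immediately rather than spinning in the busy handler,
    # which is what a naive Jet/ODBC client effectively does as well.
    b = sqlite3.connect(db_path, isolation_level=None, timeout=0)

    result = {"second_writer_blocked": False, "rows": 0}

    a.execute("BEGIN IMMEDIATE")  # takes the RESERVED lock on the file
    a.execute("INSERT INTO orders(item) VALUES ('widget')")
    try:
        b.execute("INSERT INTO orders(item) VALUES ('gadget')")
    except sqlite3.OperationalError as exc:  # "database is locked"
        result["second_writer_blocked"] = "locked" in str(exc)
    a.execute("COMMIT")  # releases the lock

    # Once the lock is gone the second writer succeeds. Rows are serialized
    # rather than lost only because every client honoured the lock protocol;
    # a client that bypasses it (or a laggy network share) is where Jet files
    # get corrupted.
    b.execute("INSERT INTO orders(item) VALUES ('gadget')")
    result["rows"] = a.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    a.close()
    b.close()
    return result


def run_demo() -> dict:
    """Run the collision against a throwaway database file."""
    with tempfile.TemporaryDirectory() as d:
        return write_collision(os.path.join(d, "shared.db"))


if __name__ == "__main__":
    print(run_demo())
```

The second INSERT fails with "database is locked" while the first connection holds its transaction, which is the whole reason a file-based engine is a poor fit for untrusted or concurrent writers: the only thing standing between two clients is a lock they both have to respect.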

Re:This doesnt matter (1)

Vthornheart (745224) | more than 6 years ago | (#21414805)

Exactly. What the hell are websites doing allowing people to upload Jet Databases to publicly accessible folders anyways? Giving out your website's master FTP username/password is a vulnerability as well, but no sane web host would do such a thing. I hope it'd be the same for the former scenario as well as this latter one.

Re:This doesnt matter (1)

Tim99 (984437) | more than 6 years ago | (#21415701)

Access originally had page-level locking, so depending on your OS and how big your row size was, the database would apply an edit-lock to a few or hundreds of records. Later versions support row level locking - The subsequent user is given the opportunity to overwrite the previously saved changes (Why would you do that?), or save their changes to the clipboard and then look at the previous changes.

Access was originally written as a file-shareable workgroup level database for about half a dozen concurrent users and up to a hundred thousand rows. It worked fairly well considering its competitor was dBase. The 'high level' Microsoft/Sybase/Borland joint partnership product at the time was SQL Server 4...

Did you know that Microsoft Exchange Server used JET?

Tough times... People are plagiarizing bug reports (1)

AngryDad (947591) | more than 6 years ago | (#21414427)

This (or similar) bug was reported by HexView in 2005 and they also received no word from MS. http://www.hexview.com/docs/20050331-1.txt [hexview.com]

Patching one hole in a pegboard (4, Insightful)

Volante3192 (953645) | more than 6 years ago | (#21414437)

So to fire off this vulnerability, you have to run an .mdb file you found from "somewhere." Never mind these things could have embedded VB macros and other controls that could wreak havoc.

Why not just start running installs you find from "somewhere?"

Access and mdb are insecure as it is when you start running untrusted files; should we expect all of those to go away at the expense of neutering the key selling point: stupid easy to do anything with?

Re:Patching one hole in a pegboard (1)

Savage-Rabbit (308260) | more than 6 years ago | (#21415721)

Why not just start running installs you find from "somewhere?
You would be surprised how many Windows admins (and some *NIX admins as well) will think nothing of running scripts and apps from very dubious sources on highly valuable mission critical servers. I have witnessed any number of messes caused by somebody running scripts they got from a link in some forum thread without bothering to get an idea of exactly what it was the thing did or even simply checking if the thing was compatible with the system version they were running themselves. David Hannum was right.... there is a sucker born every minute.

Security News Flash (2, Insightful)

flaming error (1041742) | more than 6 years ago | (#21414469)

some web servers could be at risk if users upload a malicious .asp / .mdb file and then execute it via calls to "ADODB.Connection".
Servers could be vulnerable to attack if they allow users to upload and run malicious code? Say it ain't so!

This is the clear case for OSS (1)

DarkOx (621550) | more than 6 years ago | (#21414487)

Almost all other OSS model vs proprietary model arguments are at least somewhat fuzzy. Ethics and economics often seem to be in conflict. In many cases neither is tested or clear and we can't even agree on what goes in the pro and what goes in the con columns for each model individually. This case though highlights the fact very clearly that even if all software in your stack is not OSS at least the platform and common libraries should be.

JET is a deprecated platform and is no longer being actively developed or really supported in new projects by Microsoft. *OK* A perfectly reasonable position to take when you do have functional replacement products being offered, which they do in the form of MSDE.

Every product has a life cycle which eventually is end of life, JET is old, obsolete and makes little sense for new work on today's more powerful platforms. *OK*

Lots of projects and products are built around JET, many of them are not obsoleted, replaced, and newer versions based on different storage backends might be quite a ways off. There is a lot of JET stuff out there, lots.

The OSS model in this case would result in somebody fixing it, simply because so many people use it for so many things. Even if the original authors could not be bothered lots of organizations or individuals out there would have a vested interest in making a fix. They would then be pretty likely to share it because there is no reason not to do so. In other words the entire software ecology around JET could be secure while other people and vendors migrate off those deprecated platform components, instead everything is going to remain vulnerable or broken unless Microsoft (insert any other vendor here for other cases) can be shamed into patching it.

Re:This is the clear case for OSS (1)

kelnos (564113) | more than 6 years ago | (#21414753)

They would then be pretty likely to share it because there is no reason not to do so.
Individuals, yes, probably. Organizations? Maybe, maybe not. In my experience, when someone at a company fixes a bug in 'upstream' software, they keep it to themselves[1]. It cost the company money to find and fix that bug, so they figure something like: why should we give that time (money) to our competitors for free?

Not saying I agree or disagree with this attitude... it's just how it is.
[1] Well, except for fixes to GPLed code.

Yet another shameless self-promotion (1)

statemachine (840641) | more than 6 years ago | (#21414491)

The "article" submitter is only trying to drum up hits to his blog. When it's this obvious, I don't even bother clicking through.

Perhaps it wouldn't solve everything, but IMHO not directly linking the submitter's name to a non-slashdot URL would greatly limit the article spam on here. And, of course, not letting someone use slashdot to blatantly toot his own horn would limit the practice further.

Re:Yet another shameless self-promotion (0)

Anonymous Coward | more than 6 years ago | (#21414627)

What bugs me is that it's not even about the proverbial "fine line". That expression implies that too much of one will make it tip over into the other.

Re:Yet another shameless self-promotion (1)

ptbarnett (159784) | more than 6 years ago | (#21415491)

The link on the submitter's name should no longer be an issue. The URL has a "nofollow" attribute -- if a search engine honors it. However, the remaining links in the article summary do not have the no-follow attribute.

Surprise? (0)

Anonymous Coward | more than 6 years ago | (#21414527)

Microsoft's response came as a surprise to him -- it appears that Microsoft is not inclined to fix a critical arbitrary code execution vulnerability with a data technology that is at the heart of a large number of essential business and hobby applications.

Has he been living under a rock for the past 20 years? Why would this come as a surprise to him?

the wide chasm between gooed & evile (0)

Anonymous Coward | more than 6 years ago | (#21414575)

it can be crossed.

consult with/trust in yOUR creators. providing more than enough of everything for everyone without any distracting infactdead personal gain motives, whilst badtolling unprecedented evile, using an unlimited supply of (user friendly, highly secure) newclear power, since/until forever. the lights are coming up all over now. see you there?

THIS FP FOR GNAA (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21414621)

do antd doing wHat

Why MS did this (1)

Thinboy00 (1190815) | more than 6 years ago | (#21414677)

Microsoft no longer cares about most markets because the only one that doesn't have major competition is the PC. Microsoft can't deal with the Pandora's Box of updating critical, widely used things when Linux is slowly gaining ground. If they lose the PC, they lose their only near-monopoly. So they don't care about other issues because they aren't as important to the incentive of making a profit as maintaining a near-monopoly. Hopefully everyone understands the previous sentence... it basically summarizes the rest of the comment.

Not a big deal... (4, Informative)

Vthornheart (745224) | more than 6 years ago | (#21414781)

They're making a big deal of the following in both of the links in the article, repeating the same phrase over and over: "some web servers could be at risk if users upload a malicious .asp / .mdb file and then execute it via calls to "ADODB.Connection"." They say this twice in one paragraph at one point. But what does that really mean? That means a server running ASP, that also is allowing end users to upload .mdb databases to it (???), AND to expose them from whatever location they've been uploaded to so that Connections can be made to them, will be vulnerable. That's a pretty hefty list of "ifs". If you're letting your users upload .mdb databases to your webserver at all, let alone to a publicly accessible folder, you're already asking for severe trouble. I can't imagine a website out there that would allow such uploading/public exposure to happen that doesn't already have severe security flaws merely by the amount of freedom it's given its users in what they can do on the site. This is definitely a vulnerability, but the impact to ASP/ASP.NET servers is minimal if the hosts are implementing common sense security practices/user restrictions already.

SharePoint ? (1)

justdrew (706141) | more than 6 years ago | (#21414907)

wouldn't they be talking about sharepoint?

Re:SharePoint ? (0)

Anonymous Coward | more than 6 years ago | (#21415327)

Sharepoint runs on MSDE/MSSQL, not JET.

Basically this is saying that you could call this JET exploit IFF you uploaded mdb file and could write some asp files on the remote site and call them, or otherwise own the box to setup the ODBC connection and activate it.

My issue with this is once you have your scripts/executables upload ready folder why bother putting some shitty jet exploit up when you can do whatever you want.

Also, you can disable use of JET/MSSQL, etc in your web directories, which you should be doing on user writable areas.
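The check the two comments above (Vthornheart's "Not a big deal..." and this one) imply, as an added example that is not code from the thread, from the advisory, or from Microsoft: an upload filter that refuses anything Jet would open or an ASP handler would execute before it ever lands in a served directory. It assumes the application hands each upload over as a (filename, bytes) pair; the file names and contents below are constructed for the demo. The Jet/ACE header signature it matches is the same one `file` uses to identify .mdb/.accdb files.

```python
"""Refuse uploads that could reach the Jet engine or an ASP handler.

Added example, not from the thread or any vendor. Assumes the web
application receives (filename, bytes) for each upload and writes it into
a directory the web server can serve.
"""
import os
import re

# Jet/ACE database files carry a 4-byte version field followed by an ASCII
# engine name at offset 4 (the same magic `file` keys on), so a renamed
# .mdb is still recognisable by content.
JET_SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")

# Names that would be opened by Jet, or executed by classic ASP / ASP.NET
# handlers, if they ended up in a served directory.
BLOCKED_EXTENSIONS = {".mdb", ".mde", ".accdb", ".accde",
                      ".asp", ".aspx", ".asa", ".asax", ".ashx"}

# Content heuristic for classic ASP: script delimiters and the connection
# object the advisory text names. Case-insensitive because VBScript is.
ASP_MARKERS = re.compile(rb"<%|ADODB\.Connection|Server\.CreateObject", re.IGNORECASE)


def looks_like_jet_database(data: bytes) -> bool:
    """True if the bytes begin with a Jet or ACE database header."""
    return len(data) >= 19 and data[4:19] in JET_SIGNATURES


def extension_chain(filename: str) -> list[str]:
    """Every extension in a name: 'report.mdb.txt' -> ['.mdb', '.txt'].

    Strips directories (either separator) and trailing dots/spaces, which
    Windows drops when it creates the file.
    """
    base = os.path.basename(filename.replace("\\", "/")).lower().rstrip(". ")
    parts = base.split(".")
    return ["." + p for p in parts[1:] if p]


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a single upload."""
    for ext in extension_chain(filename):
        if ext in BLOCKED_EXTENSIONS:
            return False, f"blocked extension {ext}"
    if looks_like_jet_database(data):
        return False, "content is a Jet/ACE database regardless of name"
    if ASP_MARKERS.search(data[:65536]):
        return False, "content contains ASP script markers"
    return True, "ok"


# Constructed sample uploads (not files from the thread or the advisory).
SAMPLES = {
    "orders.mdb": b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 100,
    "holiday.jpg": b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 100,  # renamed .mdb
    "notes.txt": b'<% Set c = Server.CreateObject("ADODB.Connection") %>',
    "report.mdb.txt": b"plain text",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
}


def scan_samples() -> dict[str, bool]:
    """Accept/reject verdict for each constructed sample."""
    return {name: check_upload(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, why = check_upload(name, data)
        print(f"{name:16} {'accept' if ok else 'reject'}: {why}")
```

Only logo.png is accepted: the renamed database is caught by its header, the .txt file by its ASP markers, and the double extension by walking every extension rather than just the last. This is the filtering side of "disable use of JET in user-writable areas"; the server-side half (no script mappings on the upload directory) still has to be done in IIS itself.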

Security != Inconvenience (1)

flaming error (1041742) | more than 6 years ago | (#21414797)

That convenience and security are at odds is a flawed premise.

Secure software doesn't have holes. User-friendly software is intuitive and does what it should.

No reason the two can't happily co-exist.

If the product is defective, they must fix it (1)

thogard (43403) | more than 6 years ago | (#21414827)

Consumer protection rules are very clear on this. If the product is defective, it's still covered under a warranty and must be repaired or replaced at Microsoft's expense.

It gets very interesting when the problem starts to cause other people problems under "innocent third party" laws. The only drawback is that it took nearly 30 years for these laws (and an act of congress) to take out the lawn darts so I don't think this has any of the legal team at Microsoft losing sleep.

I don't understand... (1)

certain death (947081) | more than 6 years ago | (#21414923)

I kinda RTFA, but I don't see how you came up with the title for this article. Have you been using the Bullshit Generator again? You did not, in my opinion link usability and security with your words...get some more words please.

It's not just small businesses (4, Insightful)

RipSlider (923376) | more than 6 years ago | (#21414927)

No matter what is written above, it's not just "Small business" which use Jet. I'm under an NDA(s), so won't name names, but let's say that, in the course of the last 18 months, I have worked in 1x Top 5 Bank and 2x top 10 financial services houses, in the UK, that would collapse if they lose their Access Databases within one week. (Guess what my firm was brought in to do?) It's a similar situation to the household name that most people in the UK and US have some direct or indirect monies held in that currently has more than 700 staff in my company working 24 hours a day, 7 days a week to get all their data into a new data warehouse after a rather worrying period where their main DB went down. What was the DB? It was a massively hacked about version of a CRM package that a developer got off a coverdisc (PCPro magazine to be exact), 6 years ago. Here's the thing: Big companies get into the same messes as small companies. If you truly believe that ALL of the top companies are using Oracle DBs, SOA architectures and data warehouses for mining purposes, you're living in a dream world. Working as a solution architect that is meeting 2-3 major, as in top 250, clients a month, and looking at their issues, and the mess that they've got in to, I would be surprised if Microsoft manage to hold their "We're not going to fix it" position for long. Fact is, as soon as CIOs get stressed, they start to shout, and they'll shout at Microsoft if they feel that there is an issue. Remember that a lot of the major firms have 10 and 15 year support contracts with Microsoft, each of them bespoke. If one of them demands a fix, it will immediately be made available to all of the others on bespoke support contracts. At which point there is little reason to hold it back from the other major buyers, and so it cascades down the chain.

mandatory open-source unless supported (1)

wikinerd (809585) | more than 6 years ago | (#21415231)

My proposal is that, at least for security-sensitive products, closed-source software vendors must be forced by law to release their products as open-source after X years from the moment they stop properly handling user complaints. So, if you release a product used in sensitive installations and you stop supporting it after 3 years, you should be expected to open-source it as to allow the user community to maintain it.

This should solve abandonware, which is a very serious problem in security-sensitive software. Releasing closed-source commercial software and then stopping supporting it is bad, especially when it comes down to security. At least, they should give out the code and allow the users to do their best themselves.

Another idea (a bit more extreme) is that, just like patents, closed-source vendors should open-source their stuff X years after the initial software release. Some companies do this voluntarily and it has helped, rather than negatively affected, their sales.

Even though I dislike having too many laws and too much government, I would feel positive about such laws if any lawmakers would be willing to consider them.
