Accessing MDW security without the passwords
Kris Krogstad
the user doesn't remember her password and I don't know who created it or
whatnot. I found the MDW that the file is linked to, but am unable to still
get access. Are there any suggestions as to how I can find out the list of
usernames and passwords. Even if I have to purchase an app to do so,
although I am not happy about that... MS hasn't been very helpful.
Brendan Reynolds
setting up security if MS went around telling people how to break it, now
would there! :-)
If the app has been properly secured, you're out of luck. Many apps,
however, are not properly secured. If you download the security FAQ and
White Paper from www.microsoft.com and study all the steps necessary to
properly secure an app, you can work back from there to see if the original
developer omitted any of those steps.
Only you and your client can answer the question: if this information was of
so little importance, and so seldom used, that the user can not remember the
password, is it important enough to justify expending this much time and
effort, with no guarantee of success?
BTW: All of the above applies to user and group level security only. For
database password protection, see www.trigeminal.com - however, the presence
of an MDW file would seem to imply that user and group level security has
been implemented.
--
Brendan Reynolds
bren...@indigo.ie
http://www.fortunecity.com/skyscraper/susumi/433/
Kris Krogstad <k...@wff-law.com> wrote in message
news:888vns$14$1...@ffx2nh5.news.uu.net...
Pete B
website.
--
Pete B
Brendan Reynolds <bren...@indigo.ie> wrote in message
news:MZUp4.10953$J9....@news.indigo.ie...
Michael (michka) Kaplan
you thought about the legal ramifications if they did not? Sheesh.
I think in the future you need to just stop having people try to use
security. If they are not willing to handle the responsibility then they
should not be allowed to use the feature.
--
?MichKa
(insensitive fruitarian)
random junk of dubious value, a multilingual website, the
54-language TSI Form/Report to Data Access Page Wizard,
and lots of replication "stuff" at http://www.trigeminal.com/
?
Pete B
would not do so anymore. But ads for PK seem to say different, and I have
seen posts here by the co occasionally since then offering such help. From
their website re their data recovery service:
"AWarranty/Certification form must be completed in order for serviced
databases to be returned. We will fax this form with our quote, and return
your database upon receipt of the signed form. If the database you forward
contains copyright information from any other party, you will need to
provide proof to us that this other party agrees to your contracting of our
services."
I think they just want proof that it is legally yours to do so. But you
may be right.
--
Pete B
Michael (michka) Kaplan <forme...@spamless.trigeminal.spamless.com> wrote
in message news:uAL#r3wd$GA.255@cpmsnbbsa02...
> Pete, they do not break into databases.
>
> --
> ?MichKa
> (insensitive fruitarian)
>
> random junk of dubious value, a multilingual website, the
> 54-language TSI Form/Report to Data Access Page Wizard,
> and lots of replication "stuff" at http://www.trigeminal.com/
>
> ?
> "Pete B" <bar...@datatek.com> wrote in message
> news:sagb74...@news.supernews.com...
Peter Miller
On Mon, 14 Feb 2000 10:27:13 -0600, "Pete B" <bar...@datatek.com>'s machine
spontaneously emitted the following random collection of characters:
>If it gets really desperate, they can try PK Solutions, they have a
>website.
Pete,
I know you're trying to be helpful, but we really don't want this sort of work.
Sure, its easy to get them into their files technically, but for legal reasons,
we don't pursue this type of work. If people have an inadequately secured file,
there are publicly available sources of information (the whitepaper and
dejanews) that provide the necessary info to desecure these files. If the
security is properly enforced, it is still quite breakable, but they will not be
able to use our expertise because we don't offer such services.
I know that one of my pet peeves - debunking the supposed reliability of the Jet
security model - is common knowledge, but the notion that we will provide
de-securing services to folks is incorrect. Please don't refer such work to us,
unless there is a corruption angle, or the client is looking to stengthen
(rather than dismantle) the security in force.
For what its worth, you may want to sound out Larry Linson on this issue. He
used to do some security stuff a while back, but even so, I would not recommend
refering work to him without discussing the matter with him directly first.
Cheers,
Peter Miller
PK Solutions
_____________________________________________________
For Microsoft Access related tools and services,
including our Data Recovery Rescue Service for
Microsoft Access, please visit our site (below)...
_____________________________________________________
www: www.pksolutions.com
e-mail: pmi...@pksolutions.com
Tel: +1 (858) 613-0284 x7 Fax: +1 (858) 613-0283
_____________________________________________________
Michael (michka) Kaplan
And fwiw any time I am confused on someone's actual position, I just ask
them privately instead. "Please don't refer such work to us" tells it like
it is.... and we now explicitly know the focus is on corruption issues.
I think this is a valid way to feel. The tools I use to recover from data
errors write to system tables and could easily be perverted into something
that would crack security.... but I would never do that. I won't even work
on corruption stuff, as I think PK Solutions has this area covered well and
I do not think I would be able to contribute more to the situation.
But a replication problem? I am all over that puppy!
--
?MichKa
(insensitive fruitarian)
random junk of dubious value, a multilingual website, the
54-language TSI Form/Report to Data Access Page Wizard,
and lots of replication "stuff" at http://www.trigeminal.com/
?
"Pete B" <bar...@datatek.com> wrote in message
news:sah0fh8...@news.supernews.com...
> > > If it gets really desperate, they can try PK Solutions, they have a
> > > website.
> > >
Bob W
Peter Miller <pmi...@pksolutions.com> wrote in message
news:m71hasgdhiklohlki...@4ax.com...
[snip]
> Please don't refer such work to us,
> unless there is a corruption angle, or the client is looking to stengthen
> (rather than dismantle) the security in force.
Peter,
Do you mean that you can improve upon user-level security? While I do
not generally see a need for this in my case, it would be a useful tidbit to
tuck away in case I ever need to.
Bob
Trevor Best
news:sagb74...@news.supernews.com...
> If it gets really desperate, they can try PK Solutions, they have a
> website.
Peter Miller's more into corrupt data retrieval than cracking security,
you'd have to really convince him that the app was yours.
--
Trevor Best - tre...@besty.org.uk
http://www.besty.org.uk
http://www.trevor.easynet.co.uk
Trevor Best
keyboard. Look on the floor in case it fell off.
;-)
Kris Krogstad <k...@wff-law.com> wrote in message
Larry Linson
> For what its worth, you may want to sound out Larry Linson on
> this issue. He used to do some security stuff a while back, but
> even so, I would not recommend refering work to him without
> discussing the matter with him directly first.
Nope, sorry. The only kind of security work I ever did was to secure
databases, and felt like nine kinds of fool when it turned out that
Microsoft had hidden the Access 2.0 security flaw. Well, I guess I did
have a long discussion, mostly private, with michka over whether your
posting the code was goodness or badness but that's not really "work".
We agreed to disagree, but came away friends from the discussion. Well,
electronic friends, as our physical paths haven't yet crossed.
I fired your Access 2 "unsecure" code in anger only a few times, first
to demonstrate to myself that it worked; then to demonstrate to
some "unbelievers" that it did -- made "believers" out of them in a
hurry. What I did find was that with a little extra code to handle
tables, it is great code to create an unsecured copy of a database to
which you _do_ have access; I've used it or similar to do that with
A97, as well.
My response to this kind of question is "the only person I'd trust to
break security in one of my databases doesn't do this kind of work
anymore because of potential legal liablity". Guess who I mean by that?
<G> The only thing I refer to you now is "data salvage jobs".
I think there may be a company around who'll break security for a fee,
but haven't seen a post from them here in quite a long while, and I
don't know anything about them, anyway, other than that they have
posted here.
--
L. M. (Larry) Linson
Access example databases at http://homestead.deja.com/user.accdevel
New: Book reviews, previously published in North Texas PC News
Script execution must be enabled and Windows set to Small Fonts
Sent via Deja.com http://www.deja.com/
Before you buy.
Kris Krogstad
Tha helped, it was right there in front of us, on the creen, and it
even had the admin password on the back of it. J/K Anyway, a little bit
more on this problem of mine. I am pretty sure I at least know one
password. I still am unable to get into the database. The error is as
follows on my workstation, when trying to use the users login and password
(for MS Access, not Novell or Windows). Not a valid account name or
password. When I try to login on her workstation, I get the message: "You
do not have the necessary permissions to use the ***.MDB object. Have your
system administrator or the person who created this object establish the
appropriate permissions for you."
So, now I am wondering if this has anything to do with actual computer name
in the network settings, or something else. I am pretty sure of at least
the one users password. Let me just explain how this all started. This
user (Office manager) had a corrupt version of Access, I installed 2000, and
now she can't access the MDB file. I linked it to the MDW file, but still
nada. Still need help....
Trevor Best <tre...@besty.org.uk> wrote in message
news:88b2ie$2l5p$8...@quince.news.easynet.net...
Pete B
this discussion and dissension, no such stuff intended.....
:=)
--
Pete B
Peter Miller <pmi...@pksolutions.com> wrote in message
news:m71hasgdhiklohlki...@4ax.com...
>
> On Mon, 14 Feb 2000 10:27:13 -0600, "Pete B" <bar...@datatek.com>'s
machine
> spontaneously emitted the following random collection of characters:
>
> >If it gets really desperate, they can try PK Solutions, they have a
> >website.
>
> Pete,
>
> I know you're trying to be helpful, but we really don't want this sort of
work.
> Sure, its easy to get them into their files technically, but for legal
reasons,
> we don't pursue this type of work. If people have an inadequately
secured file,
> there are publicly available sources of information (the whitepaper and
> dejanews) that provide the necessary info to desecure these files. If
the
> security is properly enforced, it is still quite breakable, but they will
not be
> able to use our expertise because we don't offer such services.
>
> I know that one of my pet peeves - debunking the supposed reliability of
the Jet
> security model - is common knowledge, but the notion that we will provide
> de-securing services to folks is incorrect. Please don't refer such work
to us,
> unless there is a corruption angle, or the client is looking to stengthen
> (rather than dismantle) the security in force.
>
> For what its worth, you may want to sound out Larry Linson on this issue.
He
> used to do some security stuff a while back, but even so, I would not
recommend
> refering work to him without discussing the matter with him directly
first.
>
Brendan Reynolds
even I would never contemplate installing it under those circumstances, and
never, ever, without doing a back-up first!
--
Brendan Reynolds
bren...@indigo.ie
http://www.fortunecity.com/skyscraper/susumi/433/
Kris Krogstad <k...@wff-law.com> wrote in message
news:88bkk2$iqm$1...@ffx2nh5.news.uu.net...
Peter Miller
On Tue, 15 Feb 2000 08:05:59 -0600, "Pete B" <bar...@datatek.com>'s machine
spontaneously emitted the following random collection of characters:
>Whatever. It was just an offhand comment, didn't mean to instigate all
>this discussion and dissension, no such stuff intended.....
>
>:=)
No problem. Its just that every time someone publibly suggests us as a solution
to security lockouts, we get a dozen or so posts from others folks with lockouts
who think we may be a good lead. I'm just trying to head off that sort of stuff
at the source.
Michael (michka) Kaplan
> No problem. Its just that every time someone publibly suggests us as a
solution
> to security lockouts, we get a dozen or so posts from others folks with
lockouts
> who think we may be a good lead. I'm just trying to head off that sort of
stuff
> at the source.
Admirable. But never understimate the power of human stupidity (I think
Woodrow Wilson Smith said it originally).
duken...@hotmail.com
security. I'm still learning this stuff but I had a thought about this
problem:
Since the woman working in the office has a valid account the original
.MDW file recognizes would this theory work? Could she create a blank
database under her Access account. Then, she could import all the
objects from the original database into her new database. Since she
would be the creator of the new database and its objects, wouldn't
Access give her Owner's rights to all the objects in her new copy of
the database regardless of what level of user-security her account has?
Please don't flame me if I'm off base here. I'm just trying to pay my
debt for what I'm learning from the newsgroup.
Dennis DeLuca
In article <w_dq4.11099$J9....@news.indigo.ie>,
Eric G. Miller
I missed part of the thread, but you'all might be able to answer this
question (which is sort of related). Has anyone heard of a tool/hack
that captures a user's Access logon screen --> sending the username/password
somewhere? I don't want one, but recently my logon screen has been behaving
oddly (and let's just say I have reason to be paranoid). It may just be
standard Windows corruption, but the screen sometimes blinks or doesn't take
the username/password pair the *first* time (this is why I suspect foul play).
I'd appreciate a cc: for answers to the affirmative.
--
+----------------------------------------------------+
| Eric G. Miller eg...@jps.net |
| GnuPG public key: http://www.jps.net/egm2/gpg.asc |
+----------------------------------------------------+
Michael (michka) Kaplan
--
?MichKa
(insensitive fruitarian)
random junk of dubious value, a multilingual website, the
54-language TSI Form/Report to Data Access Page Wizard,
and lots of replication "stuff" at http://www.trigeminal.com/
?
"Eric G. Miller" <fe...@calicocat.homeip.net> wrote in message
news:877lg4h...@calico.local...
Dimitri Furman
something in background
(http://www.scottandmichelle.net/scott/program/swru.html)
Well, at least theoretically...
On Feb 17 2000, 12:50 am, forme...@spamless.trigeminal.spamless.com
(Michael \(michka\) Kaplan) wrote in <Ox7mttQe$GA.296@cpmsnbbsa02>:
--
(remove a 9 to reply by email)
Pete B
permits. Doing otherwise would constitute a devastating breach of
security. As a matter of fact, that type of process was the "hole" in
Access 2.0 security.
--
Pete B
<duken...@hotmail.com> wrote in message
news:88fbs4$1u2$1...@nnrp1.deja.com...