6 Replies Latest reply on Jan 22, 2016 11:54 AM by siplus

    Developer Caution

      Do you sit down at your users desks when they have a problem and then login as a Developer with Full Access so you can fix the bug?

       

      If so, you've given up any security you might have set up on your own computer. And the user can watch what you type as a password.

       

      Other things to consider is that the user may have installed a key logger or while talking on their cellphone use its camera to take a movie of your keystrokes...

       

      Before 14 I used Roboform to capture you account name and password and I set it to enter those for me in FileMaker's dialog. 14 seems to have killed this or else I can't remember how to set it up. But there are other password managers that might do this.

       

      14 has that little checkbox for remembering the password for Full Access users. If your account name is John Smith and that checkbox becomes checked when you log in at the user's computer (is that posible?) then they only have to open the file and it will open with your account name. Of course, no developer would do that, right?

       

      And, of course, don't forget to logout before you leave the user's workstation...  If you leave the Full Access acount open then anyone can sit at that desk and do anything they want including creating their own full access acount or changing your password, etc.

       

      In other words, sitting at someone else's desk, logging in with your full access account to debug or add something while convenient is not a good idea no matter how many times we have all done this.

        • 1. Re: Developer Caution
          wimdecorte

          JackRodgers wrote:

           

          14 has that little checkbox for remembering the password for Full Access users.

           

          Not if you check it off in the "File Options"...

           

          Your points are well taken as a precaution but nothing what you say should prevent people from logging into a user's machine with a full access account for troubleshooting.

           

          If they have a key-logger going on then they have a much bigger problem in general that should be tackled elsewhere.

          And as a developer you can still change your full access account pw right after the session.

          • 2. Re: Developer Caution

            Your last point about changing the password was the best point and the

            others somewhat argumentative.

             

            Note that even changing the password might not be enough as a really

            dedicated varmint could capture the data during your login, open your

            account on another computer and create a new full access account, etc.

            Let's see, how many accounts can be opened at one time using the same

            account name and passwords? Lots...

             

            We all know how often developers scan the list of user accounts and

            assigned privileges, etc. Everybody, raise your hands if it has been a

            month or more since you glanced at your security dialog!

            • 3. Re: Developer Caution
              wimdecorte

              I get all you are saying, but what *are* you saying really?  That nobody should ever log into any machine with a full access account?  Ever?

               

              Of course my points are argumentative because you seem to be warning people not to do anything.  You are pointing out the obvious security risks, and they are very worthy of repeating. But how do you suggest people go about their business?

               

              Of course environments should be scanned for all malware.  And you should have multiple layers of defence, including retro-actively looking at who logged in with what account,  That should help with both preventing unauthorized access and catching after the fact.

               

              What I don't get from your post is a constructive contribution on how to make it better.  And that's fine.  Warnings are good, the more the better. But at some point we need to translate those in to actionable items that people can do to counter-act them.

               

              So how do you safely log into a user's machine with a full access account?

              • 4. Re: Developer Caution

                You are correct in that my 'Caution' may not have listed useful tools.

                 

                We no longer need to use a users' computer to log in as full access while

                at their desk. A MacBook or laptop using WiFi will do just fine and keep

                our full access accounts private and eliminate the need to lose the exact

                record a user is working on or upset their stasis.

                 

                So, my main recommendation would be to use a MacBook and WiFi with the

                acknowledgement that WiFi isn't that secure or to carry an long Ethernet

                cable and plug into the hub.

                 

                I developed various workarounds since one user was extremely possessive

                about 'their' computer especially if I moved icons on their desktop...

                 

                Note that Windows Pro and Macs allow using the computer as a base station

                which of course raises other security issues.

                • 5. Re: Developer Caution
                  jormond

                  Jack,

                  When I read your posts sometimes...this is what it reminds me of:

                   

                  [FUNNY PRANK] End of the world! - YouTube

                  • 6. Re: Developer Caution
                    siplus

                    what are you afraid of, exactly? Somebody stealing your layouts, field definitions and scripts ? Or the whole solution ?

                     

                    lol.

                     

                    Any developer worth this title would not do that, because it takes more time to understand somebody else's logic than developing from scratch along your own logic, if you are a real developer. If you aren't, be my guest to work out the 9622 scripts, 2061 relationships, 283 tables, 161 layouts and 19930 fields humming in my solution.

                     

                    Moreover, this forum - and others - plus tons of company sites and custom function sites and blogs are actually disclosing the best and most brilliant ideas in FM developing. For free.

                     

                    So what is left ? Well, the client's data is left. That's often the most valuable part, not your solution, which only carries that data in its womb. So it's the client's highest interest to avoid messing up with it.