Saturday, 14 January 2012

Hacking MS Access for fun and profit

Once you realise that hacking isn't a black art - that it's simply about knowing your subject matter - it becomes frighteningly easy but no less fun.

I spent a great many years of my early career making amazing things with MS Access databases and VBA.  I've lost most of these skills nowadays, but I remember a lot about how things are constructed internally and how I used to go about securing things.

And it turns out that this knowledge is pretty useful in figuring out how to un-secure things.

There's a database that I needed access to.  One table, actually.  A table that I needed to keep my team running, that I'd had access to for 3 years previous and that I'd only had access removed because a new contractor came in and decided that he wanted to build himself an empire.  And an ego.

Not to be a complete killjoy, he provides everyone with locked down versions of his new database front end that they can use to access the tables he's created for us.  To summarise, he's removed some essential functionality and added nothing.  Thanks for that.

I decided that I would have a sniff around.

Firstly, he'd disabled the shift-key bypass restriction.  This is obvious database security for MS Access.  It's also trivially easy to disable.  Most tutorials give you the code to do it within a database to which you have VBA capabilities.  This is the code, taken from here:


Sub EnableShiftKey()
    Dim db As DAO.Database
    Dim prp As DAO.Property
    Set db = CurrentDb
    db.Properties.Delete "AllowBypassKey"
    Set prp = db.CreateProperty("AllowBypassKey", dbBoolean, True, True)
    db.Properties.Append prp
    db.Properties.Refresh
    Set prp = Nothing
    Set db = Nothing
End Sub


A simple modification (that I haven't seen anywhere else so far) allows you to run this from a database that you own and have access to on a database that you don't.  Here's the modified code:


Sub EnableShiftKey()
    Dim db As DAO.Database
    Dim prp As DAO.Property
    Set db = OpenDatabase ("\\PATH\TO\TARGET\DATABASE.MDB")
    db.Properties.Delete "AllowBypassKey"
    Set prp = db.CreateProperty("AllowBypassKey", dbBoolean, True, True)
    db.Properties.Append prp
    db.Properties.Refresh
    Set prp = Nothing
    Set db = Nothing
End Sub


Simply, we're providing a database path to the OpenDatabase command which returns a remote database as the database object, rather than using CurrentDb, which refers to itself.

So, with the shift-key bypass restriction removed, I could open the database properly and take a look around.

There were some linked tables - including the one I wanted access to, but only 1 local table containing version information.

I decided that since I'd unlocked the database now, I would try to link a table to it.  This was dumb because you can't link to a linked table - the only info I could see in the link was the version table.  Try again.

I looked at the link table manager and traced the backend tables to the new location that it had been moved to.  After navigating to this database I tried to open it and access the table that way.  Password protected, obviously.

Since Access 97, passwords on databases are no longer trivial to remove, and since we're playing with Access 2007, we have a non-starter.

Back to the front end that I do have access to.

I look in the table that I'm interested in and realise that I can see the information within it.  It's pointing to the backend that I don't have access to, but I can see the data.  The password for the back end must be stored somewhere in this front end that I have...

The Linked Table Manager doesn't tell me anything I don't know - I was hoping for some kind of password option.

I turn on visibility of the System tables and have a look in there.  The table MSysObjects contains a list of all the local and linked objects that the database can see.  Most of the information shown is useless, system level information that doesn't help.  But then I see the path for the backend database at the beginning of a connection string.  I expand the field and find that this actually contains the whole database connection string...including the password for the backend database.
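
The same finding can be checked from the owner's side before a front end is handed out. This is an added example, not code from the original post: it walks the linked tables of the current database and reports which Connect strings carry a stored password, masking the value. The names RedactConnect and AuditLinkedTableCredentials are made up for this illustration.

```vba
Option Compare Database
Option Explicit

' Added example: audit a front end you own for linked tables whose
' connection string embeds the backend password.

' Returns the Connect string with the value of any PWD= / Password= key masked.
Private Function RedactConnect(ByVal connectStr As String) As String
    Dim parts() As String
    Dim i As Long
    Dim eqPos As Long
    Dim key As String

    parts = Split(connectStr, ";")
    For i = LBound(parts) To UBound(parts)
        eqPos = InStr(parts(i), "=")
        If eqPos > 0 Then
            key = UCase$(Trim$(Left$(parts(i), eqPos - 1)))
            If key = "PWD" Or key = "PASSWORD" Then
                parts(i) = Left$(parts(i), eqPos) & "********"
            End If
        End If
    Next i
    RedactConnect = Join(parts, ";")
End Function

' Lists every linked table and flags those that carry a stored password.
Public Sub AuditLinkedTableCredentials()
    Dim db As DAO.Database
    Dim tdf As DAO.TableDef
    Dim redacted As String
    Dim flagged As Long

    Set db = CurrentDb
    For Each tdf In db.TableDefs
        If Len(tdf.Connect) > 0 Then            ' empty Connect = local table
            redacted = RedactConnect(tdf.Connect)
            If redacted <> tdf.Connect Then     ' something was masked
                flagged = flagged + 1
                Debug.Print "EMBEDDED PASSWORD: " & tdf.Name & " -> " & redacted
            Else
                Debug.Print "ok: " & tdf.Name & " -> " & redacted
            End If
        End If
    Next tdf
    Debug.Print flagged & " linked table(s) store a backend password in this front end."
    Set db = Nothing
End Sub
```

Any table it flags exposes the backend password to everyone who can open the front end, so access to that data has to be enforced on the backend itself (file-share permissions or a server database) rather than by locking down the front end.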

Monday, 9 March 2009

Setting up Push Gmail on the iPhone

On the Android phones, gmail works in push mode. That is to say, you don't need your device to periodically check the server for new mail; when there is new mail it is 'pushed' to your handset, much like when you receive an SMS.

On the iPhone however, gmail does not have the option of being set to push. Instead, you need to choose a refresh period at which the phone will check for new messages.

This is less than ideal - the most frequent checking period you can choose is 15 minutes. Now, I'm not trying to imply that I might receive an email that has a time sensitivity of less than 15 minutes and that this heinous oversight is going to lose me the Fisher account, or anything. No, the main problem is that when you want updates to be very frequent, you pay the price in battery life.

Gmail is my main email service - I have used it for years and absolutely love it. I have no intention of changing. The features that it has for a PC user mean that there is no good reason to change.

On the other hand, Yahoo mail does come with push support on the iPhone. Why? Who knows, but we can use this to our advantage.

Solution

Firstly, you will need to set up a Yahoo account. I happened to get a nicely formed address that was still available (first.last@ymail.com), but it turns out that this doesn't matter. Just get yourself any first123456@ymail.com, etc, type address.

You will not be using your Yahoo account for anything other than reading mails on your iPhone, so the address doesn't matter (don't worry, we've got replying to mails covered too a little later...).

Now, add this mail account to your iPhone as you normally would. This is very straightforward and will take less than a minute or two. You will notice that you have the option of push notification on this account immediately.

The problem that we have is that no one knows this address, so getting push notifications is all well and good but there's no mail coming here to be pushed. So, to address that, go into your gmail account on your PC and go into Settings.

I had to tweak the solution slightly here.

If you don't have any pop accounts forwarded to your gmail account then you can simply choose the "Forwarding and POP/IMAP" option. Here, you choose to forward all mail to your Yahoo account, but leave a copy in gmail (we want to still use gmail as our desktop mail service, remember?).

If you do have pop accounts forwarded to your gmail account then you will need to set up the forwarding somewhere else instead. Choose the "Filters" option and create a new filter that picks up all mail (just enter "*" in the To or From fields) and then choose to have that mail forwarded to your Yahoo account. (This achieves the same end result as above, but if you don't do it this way you will not pick up your pop account mail for some reason...).

Now, to re-cap, we should have gmail sending all its mail to Yahoo, who will kindly push notify you of your messages.

On your iPhone, change your gmail account settings to Manual refresh (Settings > Fetch New Data > Manually. And, Settings > Fetch New Data > Advanced > [gmail account] > Manual)

This will stop you getting a push notification to your Yahoo mail and a fetch notification for your gmail a few minutes later.

(Note: It is important that you leave your gmail account activated on your phone, even though we won't be directly using it here any more.)

Now, when you receive a mail, it will be pushed to your phone and you will get a notification of it. When you read the mail, from within the Yahoo account, you might want to reply. And guess what, you can!

Clicking reply brings up the standard email response screen, but you will notice that there is now a From option. Select this and your CC and BCC options expand, as does the From option. Select this From dropdown and choose your gmail account - and there you have it. Push gmail, with all the functionality you might expect. Test it for yourself - but, I have to say, it is important that you trust me.

I might pretty this article up with some pictures later on.

Friday, 16 January 2009

12 Limitations of the iPhone 3G, and other miscellany

I recently bought an Apple iPhone.
This is not like me; having rejected all that is Microsoft on the PC, to opt for Apple is an odd change of direction to say the least.

There are many nice things about this phone. Not to go on at length about them, here is a short list of things the iPhone does exceptionally well:

1. Unrivalled user interface. It really is astonishingly good.
2. Excellent predictive text system - guesses what you meant to type even if what you have typed looks nothing like it - presumably based on key locations.
3. App store. Kind of like moving from Windows to Debian and finding the repositories and thinking, "why hasn't anyone thought of this before?"
4. Connectivity - I wanted a phone mainly for internet access on the move. It really is excellent.

But, there are a number of limitations that I didn't know about, read about or even expect. I can honestly say that had I known about these limitations up front, I might have chosen differently. So, herein is the list of things you might want to consider before you buy an iPhone:

1. No Bluetooth. Yes, it has Bluetooth connectivity but only for headsets. That means you can't transfer pictures, files, etc, as you can on almost all other Bluetooth enabled phones.
2. No MMS. You'll have heard about this. Not sure what happens when you receive one either. Fanboys seem to have adopted an "email is better so we don't care" stance. I still see it as an omission in the UK market.
3. No way of sending contacts to anyone else.
4. No "Forward" option on text messages.
5. No custom ringtones, unless you pay Apple for them. Really, no other way (without hacking).
6. If you're going to use it as an iPod, browser and phone, you're really going to need to consider having it plugged in all the time. Didn't last me a working day - listened to a couple of albums, made a phone call and checked the news occasionally.
7. The Edge network (on O2) is sloooooooow. Actually slow to the point of it being useless. If you get a 3G signal most of the time, you'll be ok. But drop out of a 3G area and that's your browsing suspended...
8. Poor speakerphone. Can't really use it in a car. Odd though, since you can play your albums at really a quite astonishing volume (and quality) through the speaker - just when I try to use it for calling, it might as well not be on speakerphone at all.
9. Notwithstanding number 2 on the pros list, above, the keyboard typing can take a bit to get used to. Having bigger keys (by turning it on its side, for example) would be a major improvement, but oddly isn't an option.
10. Apps appear to be either running (on screen) or closed only. The obvious exception being your iPod functions. But it's quite annoying at times not to be able to run something in the background - like an instant messenger. I don't know why this is the case.
11. Poor contact sync options. The options are: you use a Mac, or you use MS Outlook. I had to manually type in all of my contacts since I don't fit into any of the above demographics. Note, I would have thought Bluetooth might be a nice feature here...
12. Calendar cannot be sync'ed with Google Calendar. Apparently Apple haven't released this functionality yet. Why not is anyone's guess. Having an un-sync'ed calendar pretty much voids its usefulness.

So, there we have it. I would have loved to have found this list before I made my choice - so hopefully it will help someone out there make a more informed choice.

(It is a sweet interface, though.)

Friday, 29 February 2008

Missing Graphic Equalizer in Amarok

I was playing around in amaroK last night when I noticed that sound was actually pretty awful - not particularly loud, but sounding like it was at the limit of what the speakers could deal with. I knew that it wasn't the speakers because I've been using the same ones under Windows and they were fine. I also knew that it wasn't the encoding of my media files, because I'm quite anal about the quality of those.

My first port of call was to try to reduce the pre-amp settings in amaroK. Sadly, the Equalizer menu was greyed out.

Some googling later and I was still not really any wiser; there was talk of support for various engines, but this didn't mean too much to me. Answers within the amaroK forums weren't much help either, littered with ignored requests and blunt dismissals with odd terminology.

I did some more reading, and it appears the crux of my problem is to do with something called aRts. This appears to be some kind of standard or engine - it's not really important what it is - that amaroK doesn't support.

So far as I could tell, the gStreamer engine in amaroK that was enabled by default is something to do with aRts, and aRts not being supported, doesn't allow the Equalizer to run.

The solution, then, was to switch the engine in your amaroK configuration screen to xine.
Immediately, the Equalizer is available and working. Moreover, the sound quality through my system improved immediately meaning that I didn't actually need to adjust the Equalizer to fix my sound issues.

The one significant side-effect of this was that my amaroK no longer had mp3 support. A quick google for "opensuse xine mp3 amarok" or similar, solved that one.

There you have it. If anyone has any more technical clarification of anything I have surmised, then please do send it to me. Likewise if I have made some heinous, erroneous assertions that upset your tech-sensibilities. I hope this comes in useful for someone - hopefully it will save you an evening of googling, reading, tinkering and head-banging - although with linux, surely this is half the fun?