From: tedd on
At 4:05 PM -0500 9/12/10, Tamara Temple wrote:
>Sounds like there are some security concerns here.
>
>On Sep 12, 2010, at 11:32 AM, tedd wrote:
>>I have a client who wants his employees' access to their online
>>business database restricted to only times when he is logged on.
>>(Don't ask why)
>
>I do wonder why, though. Perhaps this is an opportunity to educate
>someone about security and privacy and web applications? Does he
>feel that by being logged in, he can control every aspect of
>connection to the data base? Or even be aware of every access to the
>data base? What is he hoping to accomplish by being logged in? Does
>he propose to actively monitor the data base transactions in real
>time while he's at work? What is he hoping to avoid by requiring his
>logged in state before anyone else can access the data base? Just
>being logged in won't dissuade a cracker from attacking his data if
>they so choose, nor will it prevent a disgruntled employee from
>damaging the data while he's logged in if they have the expertise
>and means.

Tamara:

I said "Don't ask why"

You see, people often have strange notions about "their" business or
unusual ideas about how to do things. That goes with consulting.
While many may find that odd, some of the most revolutionary
ideas come from such unusual thinking.

For example, take a look at Henry Ford and his investigation and
research to control not only what people work on, but how they
perform their work. Without his efforts, I would think the idea of
the assembly line would have surfaced many years later from someone
else with similar ideas.

I'm sure that many people would look upon Steve Jobs and what he
expects from his employees and think that odd, but look at the
results.

I don't pass judgement. I simply advise (based upon my limited
understanding of things) and let the client make the calls. After
all, he's the one paying the bills and he has answers for the
remainder of your questions.

Cheers,

tedd
--
-------
http://sperling.com/
From: Tamara Temple on

On Sep 12, 2010, at 4:48 PM, tedd wrote:

> At 4:05 PM -0500 9/12/10, Tamara Temple wrote:
>> Sounds like there are some security concerns here.
>>
>> On Sep 12, 2010, at 11:32 AM, tedd wrote:
>>> I have a client who wants his employees' access to their online
>>> business database restricted to only times when he is logged on.
>>> (Don't ask why)
>>
>> I do wonder why, though. Perhaps this is an opportunity to educate
>> someone about security and privacy and web applications? Does he
>> feel that by being logged in, he can control every aspect of
>> connection to the data base? Or even be aware of every access to
>> the data base? What is he hoping to accomplish by being logged in?
>> Does he propose to actively monitor the data base transactions in
>> real time while he's at work? What is he hoping to avoid by
>> requiring his logged in state before anyone else can access the
>> data base? Just being logged in won't dissuade a cracker from
>> attacking his data if they so choose, nor will it prevent a
>> disgruntled employee from damaging the data while he's logged in if
>> they have the expertise and means.
>
> Tamara:
>
> I said "Don't ask why"

Wondering isn't asking. I don't personally care why. It's not my
client, not my business, not my problem.

> You see, people often have strange notions about "their" business or
> unusual ideas about how to do things, That goes with consulting.
> While many may find that odd, but some of the most revolutionary
> ideas come from such unusual thinking.

I've been in business and technology consulting for years and years,
and very successful at getting customers' desired outcomes. I don't
think their notions "strange" or "unusual" -- just that without
further elicitation, one cannot understand what they are truly
desiring, and to find out what they don't want as an outcome of their
up-front stated goals.

> I don't pass judgement. I simply advise (based upon my limited
> understanding of things) and let the client make the calls. After
> all, he's the one paying the bills and he has answers for the
> remainder of your questions.

It's not a question of passing judgement on someone's ideas. It's a
question of finding the best solution for the customer's actual needs
and desires. It's almost always the case that further exploration of
the customer's concerns behind their thoughts has proven to give them
a much more robust and useful solution and gets them what they are
really after. Most people aren't aware of the assumptions and
conclusions they have. Eliciting more information can lead to better
solutions for all. Blind faith in the customer's stated requirements
can lead one to a disastrous conclusion. It's been said all over the
net that customers don't really know what they want until they see it.
Further, that they don't know what they don't want until it happens to
them. I believe in delivering the most value to the customer for their
money, and that means understanding their needs as best as possible,
and that is done by exploring their business models, assumptions, and
needs.


From: Paul M Foster on
On Sun, Sep 12, 2010 at 06:07:57PM -0500, Tamara Temple wrote:

<snip>

>
> I've been in business and technology consulting for years and years,
> and very successful at getting customers' desired outcomes. I don't
> think their notions "strange" or "unusual" -- just that without
> further elicitation, one cannot understand what they are truly
> desiring, and to find out what they don't want as an outcome of their
> up-front stated goals.
>
> >I don't pass judgement. I simply advise (based upon my limited
> >understanding of things) and let the client make the calls. After
> >all, he's the one paying the bills and he has answers for the
> >remainder of your questions.
>
> It's not a question of passing judgement on someone's ideas. It's a
> question of finding the best solution for the customer's actual needs
> and desires. It's almost always the case that further exploration of
> the customer's concerns behind their thoughts has proven to give them
> a much more robust and useful solution and gets them what they are
> really after. Most people aren't aware of the assumptions and
> conclusions they have. Eliciting more information can lead to better
> solutions for all. Blind faith in the customer's stated requirements
> can lead one to a disastrous conclusion. It's been said all over the
> net that customers don't really know what they want until they see it.
> Further, that they don't know what they don't want until it happens to
> them. I believe in delivering the most value to the customer for their
> money, and that means understanding their needs as best as possible,
> and that is done by exploring their business models, assumptions, and
> needs.

+1

I won't argue with Tedd about this, but perhaps this is why I don't do
business consulting any more. When I would come across a customer like
this, I would argue with them and probe until I found out what they
were *really* trying to do. It was usually some confused idea they had
about something, or something they were doing which wasn't entirely
ethical that they were trying to cover.

But again, it's Tedd's client. He can do as he likes.

Paul

--
Paul M. Foster
From: Paul M Foster on
On Sun, Sep 12, 2010 at 12:32:21PM -0400, tedd wrote:

> Hi gang:
>
> I have a client who wants his employees' access to their online
> business database restricted to only times when he is logged on.
> (Don't ask why)
>
> In other words, when the boss is not logged on, then his employees
> cannot access the business database in any fashion whatsoever
> including checking to see if the boss is logged on, or not. No access
> whatsoever!
>
> Normally, I would just set up a field in the database and have that
> set to "yes" or "no" as to if the employees could access the
> database, or not. But in this case, the boss does not want even that
> type of access to the database permitted. Repeat -- No access
> whatsoever!
>
> I was thinking of the boss' script writing to a file that
> accomplished the "yes" or "no" thing, but if the boss did not log off
> properly then the file would remain in the "yes" state allowing
> employees undesired access. That would not be acceptable.
>
> So, what methods would you suggest?

I hate to seem flippant, but here would be my conversation with this
customer:

Customer: "My employees got access to the database while I was gone
yesterday!"

Consultant: "Well, let's see. Oh, it appears you didn't properly log
out."

Customer: "Yes, but I was *gone*. They weren't supposed to be able to
access the database unless I'm *here*."

Consultant: "The only way we know that is if you log in and log out
properly. Now, if you like, we can put a nanny-cam in your office, and
whenever you're not there (like in the bathroom), the whole thing shuts
down. That will cost $x. Your choice. We've been working on the
mind-reading extension to PHP, but it's not finished yet."

Other than the "boss file", I don't see another way. And as you said, if
he doesn't log out properly, the boss file will allow access when he
didn't intend to allow it.

Paul

--
Paul M. Foster
From: kranthi on
I'm not sure if I understood your question completely.
By database you mean something like phpMyAdmin, right?

I would save the latest session id of the boss in a file, and every
time an employee tries to log in, verify the time stamp of the session
file in the tmp folder.
And if the boss logs out... clear off the tmp folder to ensure that
the employees don't have further access.
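Added example (my code, not kranthi's, Paul's or tedd's): one way to build the "boss file" that Paul and kranthi describe while closing the hole tedd raised, namely the boss forgetting to log out. Instead of a yes/no flag that stays "yes" forever, the boss's pages refresh a heartbeat file on every request, and employees are let in only while that file is both authentic (HMAC over its contents with a server-side key) and younger than a short TTL. A forgotten logout therefore leaves access open for at most the TTL, and an explicit logout closes it at once. The file path, the TTL, the secret key and the function names are all assumptions of this example; the gate reads only the heartbeat file, never the database, which matches the "no access whatsoever, not even to check" requirement from the original question.

```php
<?php
// Added example, not code from the thread. Hypothetical assumptions:
//  - every page the boss loads while logged in calls touchBossHeartbeat(),
//  - the boss's logout handler calls clearBossHeartbeat(),
//  - every employee page calls requireBossOnline() before it opens a
//    database connection,
//  - the heartbeat file lives outside the web root and is owned by the
//    web server user, so employees cannot read, write or forge it.

const BOSS_HEARTBEAT_FILE = '/var/lib/myapp/boss.heartbeat'; // assumed path
const BOSS_HEARTBEAT_TTL  = 300;   // seconds of boss inactivity before access closes
const BOSS_HEARTBEAT_KEY  = 'replace-with-a-long-random-secret'; // assumed; load from config

// Boss side: refresh the heartbeat on every request.
// The file holds "sessionId|unixTime|hmac" so a reader can verify that
// the server, not an employee, wrote it.
function touchBossHeartbeat(string $bossSessionId): void
{
    $payload = $bossSessionId . '|' . time();
    $mac     = hash_hmac('sha256', $payload, BOSS_HEARTBEAT_KEY);

    // Write to a temp file and rename: readers never see a half-written file.
    $tmp = BOSS_HEARTBEAT_FILE . '.tmp';
    file_put_contents($tmp, $payload . '|' . $mac, LOCK_EX);
    chmod($tmp, 0600);
    rename($tmp, BOSS_HEARTBEAT_FILE);
}

// Boss side: explicit logout closes access immediately. Only the session
// that wrote the heartbeat may remove it, so a stale logout from an old
// browser tab cannot knock out a newer, live boss session.
function clearBossHeartbeat(string $bossSessionId): void
{
    $record = readBossHeartbeat();
    if ($record !== null && hash_equals($record['session'], $bossSessionId)) {
        unlink(BOSS_HEARTBEAT_FILE);
    }
}

// Parse and authenticate the heartbeat file; null if absent, malformed or forged.
function readBossHeartbeat(): ?array
{
    if (!is_file(BOSS_HEARTBEAT_FILE)) {
        return null;
    }
    $parts = explode('|', (string) file_get_contents(BOSS_HEARTBEAT_FILE));
    if (count($parts) !== 3) {
        return null;
    }
    [$sessionId, $stamp, $mac] = $parts;
    $expected = hash_hmac('sha256', $sessionId . '|' . $stamp, BOSS_HEARTBEAT_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;               // tampered with or written by someone without the key
    }
    return ['session' => $sessionId, 'time' => (int) $stamp];
}

// True only while an authentic heartbeat is younger than the TTL.
function bossIsOnline(?int $now = null): bool
{
    $now    = $now ?? time();
    $record = readBossHeartbeat();
    if ($record === null) {
        return false;
    }
    return ($now - $record['time']) <= BOSS_HEARTBEAT_TTL;
}

// Employee side: call this before touching the database at all.
function requireBossOnline(): void
{
    if (!bossIsOnline()) {
        http_response_code(403);
        exit('Database access is closed.');
    }
}
```

Two design points worth stating. First, the TTL is the real answer to the "forgot to log out" problem: the window of unintended access is bounded by BOSS_HEARTBEAT_TTL seconds rather than being open until someone notices. Second, logout removes only the heartbeat file, not the whole session directory that kranthi mentions clearing; wiping session.save_path would also log out every other user and every other application that shares that directory. The HMAC only matters if the key is kept out of reach of employee-controlled code, and none of this restrains anyone who can reach the database server directly, which is the point Tamara made earlier in the thread.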