Re: 4D Security White Paper

2019-04-24 Thread Ronnie Teo via 4D_Tech
Thanks for your input, Jody.

Regards,
Ronnie

> On 24 Apr 2019, at 9:29 PM, 4d_tech-requ...@lists.4d.com wrote:
> 
> From: Jody Bevan <jody.be...@gmail.com>
> To: 4D iNug Technical <4d_tech@lists.4d.com>
> Subject: Re: 4D Security White Paper
> 
> As with all security anything can be hacked given time, money, and desire.
> 
> First of all, social hacking is the most likely cause of leaked data. So 
> moving on, to other types.
> 
> If someone really wants your data they might steal your server computer. In 
> days gone by if you didn’t know the Administration password - not a problem 
> take the drives out and hook up into a different system. If though, you have 
> used a RAID system, with hardware encryption of the data that does not work. 
> Everything is encrypted on the hard drives. You are not going to get any data.
> 
> So, here again social hacking is needed to get the Administrator’s password. 
> No amount of work on our end as developers is going to stop social hacking.
> 
> 4D has long had encryption of data between the server and the 4D Client. That 
> is in case someone is going to sniff the wireless or wired network.
> 
> If you have opened up a 4D data file that is not encrypted, I challenge you 
> to actually piece together the information. I have tried when I opened up a 
> typical smaller data file of a smaller client - 30GB of data. Yes, I can see 
> information, but a record is not all together. Therefore trying to pull data 
> together for a single record, or a person is not going to be something one 
> can do.
> 
> This is all very easy for each of you to look at. Open a data file up. If it 
> is too big, you can build a text viewer that will read things in a character 
> or ‘x’ characters at a time. See for yourself how hard it is to read the 
> data, pull together information.
> 
> I have worked through lots of different government security regulations. 
> First they jump on whatever is the latest in the trade magazines. Second the 
> elephant in the room is ignored (social hacking). They make up all these 
> rules, and then when they have inspections on site they totally ignore the 
> security rules that they should be checking.
> 
> Jody

**
4D Internet Users Group (4D iNUG)
Archive:  http://lists.4d.com/archives.html
Options: https://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**

Re: 4D Security White Paper

2019-04-24 Thread Jody Bevan via 4D_Tech
As with all security anything can be hacked given time, money, and desire.

First of all, social hacking is the most likely cause of leaked data. So moving 
on, to other types.

If someone really wants your data they might steal your server computer. In 
days gone by if you didn’t know the Administration password - not a problem 
take the drives out and hook up into a different system. If though, you have 
used a RAID system, with hardware encryption of the data that does not work. 
Everything is encrypted on the hard drives. You are not going to get any data.

So, here again social hacking is needed to get the Administrator’s password. No 
amount of work on our end as developers is going to stop social hacking.

4D has long had encryption of data between the server and the 4D Client. That 
is in case someone is going to sniff the wireless or wired network.

If you have opened up a 4D data file that is not encrypted, I challenge you to 
actually piece together the information. I have tried when I opened up a 
typical smaller data file of a smaller client - 30GB of data. Yes, I can see 
information, but a record is not all together. Therefore trying to pull data 
together for a single record, or a person is not going to be something one can 
do.

This is all very easy for each of you to look at. Open a data file up. If it is 
too big, you can build a text viewer that will read things in a character or 
‘x’ characters at a time. See for yourself how hard it is to read the data, 
pull together information.

I have worked through lots of different government security regulations. First 
they jump on whatever is the latest in the trade magazines. Second the 
elephant in the room is ignored (social hacking). They make up all these rules, 
and then when they have inspections on site they totally ignore the security 
rules that they should be checking.

Jody



Re: 4D Security White Paper

2019-04-23 Thread Ronnie Teo via 4D_Tech
Hi, thanks to all for heads-up.
Will catch up on the reading …..

Regards,
Ronnie
Tarawerkz


Re: 4D Security White Paper

2019-04-23 Thread John J Foster via 4D_Tech
Hey Ronnie,

Along with what others have posted take a look at these links on 4DBlog on 4D 
v17 and the first one is a post of a new data encryption feature:

https://blog.4d.com/get-started-with-encryption-in-4d/

and there is an older one as well:

https://blog.4d.com/introduction-to-data-encryption-in-4d/

Thomas gave a presentation “SECURITY AND DATA PROTECTION WITH 4D V17 – THOMAS 
FROM THE 4D SUMMIT 2018” that might prove useful.

https://blog.4d.com/security-and-data-protection-with-4d-v17-thomas-from-the-4d-summit-2018/

John…


> Does anyone know if 4D have published any white papers relating to security 
> specifically for 4D versions v15 and v17?
> For example, my client would like to know what is the database encryption 
> strength level like for the above mentioned versions.


Re: 4D Security White Paper

2019-04-23 Thread Tim Nevels via 4D_Tech
On Apr 23, 2019, at 10:24 AM, Ronnie Teo wrote:

> Does anyone know if 4D have published any white papers relating to security 
> specifically for 4D versions v15 and v17?
> For example, my client would like to know what is the database encryption 
> strength level like for the above mentioned versions.

By default, data in the data file is not encrypted in v15 or v17. You can open 
a data file with a text editor and read some of the data. It’s stored as UTF-16 
so it’s not clearly readable as each character takes 2 bytes so my name would 
look like “T?i?m ?N?e?v?e?l?s?”. 

You could implement your own encryption at a field level using some of the 
tools 4D provides for encrypting blobs. 

But v18 is going to provide strong data file encryption systems that can be 
applied on a table-by-table basis. The record data is encrypted with a strong 
key. Even index data and data written to journal files are encrypted. And of 
course 4D backup have the encrypted data. 

4D is doing their first presentation of table level data file encryption at the 
4D World Tour. So it’s all very new, and not yet available. It’s a v18 feature. 
I think they are releasing it in a v17 R release too. 

Tim

*
Tim Nevels
Innovative Solutions
785-749-3444
timnev...@mac.com
*
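
Editor's added example, not part of Tim's or Jody's posts and not 4D code: a chunked scanner of the kind Jody describes, used to audit how much readable text an unencrypted data file exposes at rest. It assumes UTF-16LE storage (as Tim's “T?i?m” rendering suggests) and ASCII-range characters only; the function names and the bytes in `build_sample()` are constructed for illustration and do not reflect the real 4D file layout.

```python
import io
import re
import sys


def utf16_strings(stream, min_chars=4, chunk_size=64 * 1024):
    """Yield (offset, text) for runs of printable ASCII stored as UTF-16LE.

    The stream is read chunk_size bytes at a time, so a 30GB file is never
    loaded whole. Assumption: little-endian, ASCII-range characters only.
    """
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    # A run (or half a character) touching the end of the buffer may continue
    # in the next chunk, so it is held back until more data arrives.
    tail = re.compile(rb"(?:[\x20-\x7e]\x00)*[\x20-\x7e]?\Z")
    buf, base = b"", 0  # base = file offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        buf += chunk
        keep = tail.search(buf).start() if chunk else len(buf)
        for m in run.finditer(buf, 0, keep):
            yield base + m.start(), m.group().decode("utf-16-le")
        if not chunk:
            return
        base += keep
        buf = buf[keep:]


def build_sample():
    """Constructed bytes standing in for a data file; not a real 4D layout."""
    name = "Tim Nevels".encode("utf-16-le")
    other = "Invoice 1042".encode("utf-16-le")
    # Two values separated by unrelated binary data, mirroring the thread's
    # observation that the pieces of a record are not stored side by side.
    return b"\x00\x01\xfe\xff" * 5 + name + b"\xff\x07\x00\x00" * 50 + other + b"\x9a\xbc"


def scan(data, **kw):
    """Convenience wrapper: scan an in-memory byte string."""
    return list(utf16_strings(io.BytesIO(data), **kw))


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample())
    with src:
        for offset, text in utf16_strings(src):
            print(f"{offset:#010x}  {text}")
```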


RE: 4D Security White Paper

2019-04-23 Thread Epperlein, Lutz (agendo) via 4D_Tech
There is something like that: https://blog.4d.com/4d-security-guide/
I don't know if that gives you the information you need.
Regarding encryption there is something in v17R5: 
https://blog.4d.com/get-started-with-encryption-in-4d/

Regards
Lutz


> Does anyone know if 4D have published any white papers relating to security 
> specifically
> for 4D versions v15 and v17?
> For example, my client would like to know what is the database encryption 
> strength
> level like for the above mentioned versions.

4D Security White Paper

2019-04-22 Thread Ronnie Teo via 4D_Tech
Hi,

Does anyone know if 4D have published any white papers relating to security 
specifically for 4D versions v15 and v17?
For example, my client would like to know what is the database encryption 
strength level like for the above mentioned versions.

Regards,
Ronnie
Tarawerkz
