A few years later I got into the field of information security. Well, initially I got into the field of computer virus research. But it turns out that computer virus research is an excellent introduction to the field of information security in general.
At that time, Gloria was working as a church secretary, at a different church. But our church got very interested in a church membership database, tied to a simple bookkeeping package, that allowed you to track donations. (Anytime you mention money, people get very interested.) The fellow who was selling this particular package was doing a presentation in Seattle. So, Dad asked me to come with him and attend the presentation. I did.
We attended the presentation. We asked about security. (Well, I asked about security.) The developer said that the package was completely secure, since you had to use a password to access it. (He didn't mention anything about encryption.) Dad was very happy about this program, and ready to recommend it to the church computer committee, despite the fact that it required an MS-DOS computer, and the church only had Apples.
However, I had inside information, in a sense. I knew that the church where Gloria was secretary used this church database and bookkeeping program. Gloria was not given access (or an account and password) to the database and bookkeeping program. Only the church clerk (who deals with membership) and the accountant (who deals with the bookkeeping) had passwords and accounts to access the database and bookkeeping program.
But, I had been helping Gloria, at certain times, with certain computer programs and problems. In doing this I had found out a few things about the database and bookkeeping program. It was written in dBase. dBase had a standard, and fairly compatible, and accessible, database structure. I didn't need to run the database and bookkeeping program. I could figure out, from the file names, which parts of the database stored what, and for what purpose. And, I could read everything. I could, if I wanted to, read anything in the database, and anything in the donation files. I could look up any information the church had about anybody. I could look up anybody's donations. I didn't, but I could have.
I informed our church computer committee of these facts. I don't know what happened, and I don't know what any discussions were, but I do know that the church continued to use databases which they threw together themselves with simple user tools.