leo charre


viewchoice file format is a security risk

Recently I was asked to find a way to store files from payroll networks to our archive system at work.
This is so we may view this file later- maybe let some clients see it.

Payroll Networks, these guys are a company that offers some accounting services for accounting service providers for accounting service providers.. If you’re in the accounting industry and do any IT, you know what I mean.

What happens is, payroll networks creates some data for download. So that the end client may view it. In this case, us.
They have chosen as a means to secure this data, a closed proprietary format of a file from yet another 3rd party 3rd party 3rd party service provider- These next guys are viewchoice.

Viewchoice. Let me tell you about these retards..
Their file format is a security risk.
Maybe- and I mean maybe their closed off *._vc viewchoice file format is ‘secure’ from intruders. But, it’s not really secure from data loss if it requires their stupid trinket to open and see the stuff. Is it?

So, I download the file, it’s called some junk like iwaetuaiweteyt._vc. Great.
The user downloading it usually would double click it and it opens up some software and they enter
a password to decrypt it- I suppose- and then they see the thing.
You can print, zoom in, close the file. You can’t even open another file from this bare clavicle piece of gui.

the funnyfile._vc contents

Of course I just send the file to one of the linux boxes for some actual inspection.
I was expecting an encrypted pdf file.
It turns out file(1) deems it a zip 2.0 archive. And the contents..

  • 22540813.CHD
  • 22540813.CK1
  • 22540813.CK2
  • 22540813.PHD
  • 22540813.PY1
  • 22540813.PY2

Encrypted. Ok. There must be some gnu password recovery tool out there.
I get a password, try it, no worky.

So I ask for the password, one I know works.
No worky.
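The inspection above was done by hand with file(1) and a zip tool. As an added example (not from the original post), here is the same triage as a script that can be run over every file a vendor sends before it goes into the archive: identify the container by its magic bytes rather than its extension, read the ZIP encryption bit (general purpose flag bit 0) from each entry's header, and sniff the payload of any readable entry to see whether it is a format we can open without the vendor's viewer. The sample archives are constructed in memory; their entry names follow the pattern seen in the download but the contents are made up, and the minimal ZIP writer exists only because the standard library will not set the encryption flag for us.

```python
"""Added example: triage an opaque vendor download before archiving it.
Nothing here decrypts anything; it only reads headers to answer the
question "can we read this in ten years without the vendor's software?"
"""
import io
import struct
import zipfile
import zlib

# Magic numbers of formats we can open with widely available tools.
KNOWN_MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x1f\x8b": "gzip",
}

ZIP_FLAG_ENCRYPTED = 0x0001  # general purpose bit 0 in the ZIP spec


def identify(data: bytes) -> str:
    """Name the format by its leading bytes; 'unknown' if none match."""
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def inspect_zip(data: bytes) -> list[dict]:
    """One dict per entry: name, encryption flag, and payload format."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            encrypted = bool(zi.flag_bits & ZIP_FLAG_ENCRYPTED)
            # Without the password the payload is opaque; don't try to read it.
            payload = "encrypted" if encrypted else identify(zf.read(zi))
            report.append({"name": zi.filename, "encrypted": encrypted, "payload": payload})
    return report


def archival_verdict(data: bytes) -> str:
    """'ok' only if every byte is readable with standard tools, else say why."""
    container = identify(data)
    if container != "zip":
        return "ok" if container != "unknown" else "unknown container"
    entries = inspect_zip(data)
    if any(e["encrypted"] for e in entries):
        return "encrypted entries: unreadable without the vendor's key"
    if any(e["payload"] == "unknown" for e in entries):
        return "unrecognised payload format inside archive"
    return "ok"


# --- constructed sample archives (hypothetical data) ------------------------

def _build_zip(entries):
    """Minimal ZIP writer (stored, no compression) that lets us set the
    encryption flag, which zipfile.ZipFile will not do when writing."""
    local, central = bytearray(), bytearray()
    for name, body, encrypted in entries:
        flags = ZIP_FLAG_ENCRYPTED if encrypted else 0
        # Real encrypted entries carry a 12-byte encryption header; we mimic
        # the size arithmetic with opaque bytes, not the cipher itself.
        stored = (b"\x00" * 12 + body) if encrypted else body
        crc = zlib.crc32(body)
        offset = len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                             crc, len(stored), len(body), len(name), 0)
        local += name.encode() + stored
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                               0, 0, 0, crc, len(stored), len(body), len(name),
                               0, 0, 0, 0, 0, offset)
        central += name.encode()
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


# What the download looked like: every entry locked behind a vendor password.
VENDOR_LOCKED = _build_zip([
    ("22540813.CHD", b"opaque report data", True),
    ("22540813.PY1", b"opaque report data", True),
])

# What we want instead: the report as a plain PDF inside the same container.
PLAIN_PDF_BUNDLE = _build_zip([
    ("22540813.pdf", b"%PDF-1.4\n% constructed placeholder, not a full document\n", False),
])

if __name__ == "__main__":
    for label, blob in (("vendor download", VENDOR_LOCKED),
                        ("plain pdf bundle", PLAIN_PDF_BUNDLE)):
        print(label, "->", identify(blob), "/", archival_verdict(blob))
        for entry in inspect_zip(blob):
            print("   ", entry)
```

The verdict function treats "encrypted" and "unrecognised format" as separate findings on purpose: an encrypted PDF we hold the key for is an access-control question, while an unreadable proprietary payload is a data-loss question regardless of encryption.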

thwarted plans

I figured I could drop the files somewhere and process them as pdf data.
But nahh.. So, I’m not defeated by any stretch of the imagination until I realize.. wait a second.. what am I doing.
We are paying these people for data- and they are sending us dogfood.

status

So my next message sums up my feelings..

The payroll report files currently available from payroll networks appear to be a zip archive with encrypted pdf files.

WHAT WE SHOULD ASK

What we need is to inquire if they can provide this as one regular pdf file.

This is what won’t work with the current files they offer for download:

  • Saving the file as a pdf from the browser.
  • Converting the file to a pdf.

WHAT THEY MAY RESPOND

I’m going into some depth here so there won’t be any surprises when we ask them for the files as pdf.
I’m hoping this will not turn out to be an issue at all. But just in case, here goes..

Here is what they will suggest and what we don’t want at all:

  • Get your users to install our software to view the reports

WHY THEY MAY SAY THAT

If they don’t have the ability to offer the files as regular pdf, and I suspect they don’t- doing so will require some real work on the part of their IT staff.

They may also believe that they have a fabulous way of distributing and securing data in this *._vc format- and would like everyone in the world to use it.

WHY IT’S NOT IN OUR BEST INTEREST

We can’t use these payroll report files as they are.
We can’t store them securely on our system.
What I mean by this, is that we can’t depend on some 3rd party closed format trinket to view our company data.
For example, we have files that are pdf files, etc- but there are various applications that will read pdf.
Pdf files are a popular and recognized file format.
Having pdf files is acceptable because if say, adobe acrobat disappears from the market (the company goes bust, software discontinued),
we can still access the file data.

This is not true of an obscure proprietary format such as *._vc viewchoice files.
The very real risk is that if we store these files as they are, in a few years the data is inaccessible.

WHY THEY SHOULD COMPLY

Having access to these reports is part of what we are paying for, correct? We should be able to ask for our data in some way that does not require them afterwards.
That is, if you pay a photographer to take pictures of your house, and the photographer dies a year later- you can’t see the photo anymore?
I think we would find another photographer- or seriously reconsider investing in photographs.

I suspect we’ll ask for this on monday. I’ll update and see how it goes.
