Posted by The Natural Philosopher on 10/22/07 01:30
Jerry Stuckle wrote:
> Michael Fesser wrote:
>> .oO(Jerry Stuckle)
>>
>>> Gary L. Burnore wrote:
>>>> Security is about many things of which prevention is one.
>>> No responsible person in the security field will ever claim that.
>>>
>>> There is no such thing as "prevention". That would indicate that
>>> something can't happen, which is impossible to do.
>>
>> If a file is stored outside the document root, it can't be accessed by a
>> URL. That's prevention.
>>
>
> Nope. It is not. There is, for instance, nothing to stop me from
> uploading a document which opens the file and spits the source code out
> for me.
>
Unless there is no way to upload code OR THERE IS, BUT YOU NEVER FOUND IT.
> And if I get the admin password, I have direct access to it.
>
Not if the admin password isn't the admin password at all. And takes you
to somewhere else..
> The only way to prevent me from getting the file is to not place it
> there in the first place.
>
Ah Security by obscurity. Place it somewhere completely different!
>
> To be able to prevent something, you must have 100% security. And that
> means, in computer systems anyway, 100% perfect code, absolutely no
> access to the sensitive code, either via communications link, physical
> access to the server or any other way. There must also be no copies
> (i.e. backups) of the sensitive files at all. And even then you're
> likely to have potential gaps in the system.
>
> But how many systems do you know fit this?
>
None whatsoever, especially ones you put together ;-)
So we have reduced the argument to the simple proposition that 'no system
is secure'.
Now, which is MORE secure, the one that everyone can see, and just have
to find a way into, or the one that most people don't see at all, and if
they do, they find what looks like a door, but it takes them straight
into a minefield?