|
|
Posted by Jerry Stuckle on 10/22/07 02:10
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> Michael Fesser wrote:
>>> .oO(Jerry Stuckle)
>>>
>>>> Gary L. Burnore wrote:
>>>>> Security is about many things of which prevention is one.
>>>> No responsible person in the security field will ever claim that.
>>>>
>>>> There is no such thing as "prevention". That would indicate that
>>>> something can't happen, which is impossible to do.
>>>
>>> If a file is stored outside the document root, it can't be accessed by a
>>> URL. That's prevention.
>>>
>>
>> Nope. It is not. There is, for instance, nothing to stop me from
>> uploading a document which opens the file and spits the source code
>> out for me.
>>
>
> Unless there is no way to upload code OR THERE IS, BUT YOU NEVER FOUND IT.
>
If it's there, it can be found. Period.
>> And if I get the admin password, I have direct access to it.
>>
>
> Not if the admin password isn't the admin password at all. And takes you
> to somewhere else..
>
That's not what I said.
>> The only way to prevent me from getting the file is to not place it
>> there in the first place.
>>
> Ah Security by obscurity. Place it somewhere completely different!
>
Nope. No obscurity at all. It doesn't exist, so I can't get it. Period.
>>
>> To be able to prevent something, you must have 100% security. And
>> that means, in computer systems anyway, 100% perfect code, absolutely
>> no access to the sensitive code, either via communications link,
>> physical access to the server or any other way. There must also be no
>> copies (i.e. backups) of the sensitive files at all. And even then
>> you're likely to have potential gaps in the system.
>>
>> But how many systems do you know fit this?
>>
> None whatsoever, especially ones you put together ;-)
>
Which are probably a hell of a lot more secure than anything you come up
with. Because I don't expect obscurity to protect anything. I assume
they will find it - and act accordingly.
> So we have reduced teh argument to te somple prpositon that 'no system
> is secure'
>
> Nw, which is MORE secure, the one that everyone can see, and just have
> to find a way into, or the one that moat people don't see at all, and if
> they do, they find what looks like a door, but it takes them straight
> into a minefield?
>
The one everyone can see is more likely to be secure because a competent
admin will plan for break-ins. The one nobody can see may have an
administrator who slacks off because he believes the server is secure.
But if there is a house there, I know there is a door somewhere. And
some careful probing will find the door.
Just like if there is a server on the internet, it will respond to
something. It's just a matter of figuring out what.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|