Reply to Re: free tool to encrypt php?

Your name:

Reply:


Posted by Jerry Stuckle on 10/21/07 23:44

Michael Fesser wrote:
> .oO(Jerry Stuckle)
>
>> Gary L. Burnore wrote:
>>> Security is about many things of which prevention is one.
>> No responsible person in the security field will ever claim that.
>>
>> There is no such thing as "prevention". That would indicate that
>> something can't happen, which is impossible to do.
>
> If a file is stored outside the document root, it can't be accessed by a
> URL. That's prevention.
>

Nope. It is not. There is, for instance, nothing to stop me from
uploading a document which opens the file and spits the source code out
for me.

And if I get the admin password, I have direct access to it.

The only way to prevent me from getting the file is to not place it
there in the first place.


> If you allow the user to submit a value out of [1, 2, 3] to a form
> processing script and check it against the set of allowed values, they
> can't inject a 4. That's prevention.
>

Until they find another way into the system. All you have done is close
one hole. There are probably hundreds (or even thousands) of other ways
to get to it.

>> For instance, banks have been trying to prevent robberies for hundreds
>> of years. Nowadays they have CCTV, armed guards, vaults, silent
>> alarms... the list goes on. But they still get robbed. Because there
>> is no "prevention".
>
> There are things that _can_ be prevented and there are things were you
> can just lower the probability of it to happen.
>
> Micha
>

To be able to prevent something, you must have 100% security. And that
means, in computer systems anyway, 100% perfect code, absolutely no
access to the sensitive code, either via communications link, physical
access to the server or any other way. There must also be no copies
(i.e. backups) of the sensitive files at all. And even then you're
likely to have potential gaps in the system.

But how many systems do you know fit this?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

[Back to original message]
Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация