Posted by Jerry Stuckle on 10/22/07 01:05
Gary L. Burnore wrote:
> On Sun, 21 Oct 2007 19:36:18 -0400, Jerry Stuckle
> <jstucklex@attglobal.net> wrote:
>
>> Gary L. Burnore wrote:
>>> On Sun, 21 Oct 2007 14:05:33 -0400, Jerry Stuckle
>>> <jstucklex@attglobal.net> wrote:
>>>
>>>> Gary L. Burnore wrote:
>>>>> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
>>>>> <jstucklex@attglobal.net> wrote:
>>>>>
>>>>>
>>>>>> Security is not about prevention,
>>>>> WHAT? What a complete and totally moronic thing to say, Jerry.
>>>>>
>>>>> Security is about many things of which prevention is one.
>>>>>
>>>> No responsible person in the security field will ever claim that.
>>> I'm a responsible person in the security field and I claim that. I've
>>> been taught that and I teach that. That being that many things make
>>> up good security. Prevention is one part of security.
>>>
>> If you claim obscurity is security, then that's debatable.
>
> When the hell did I ever claim that?
>
Sorry, wrong thread. You claimed security is about prevention. And
every *real* security professional I know - including those who work on
high security systems - agrees. There is no prevention. Only deterrence.
That is, if a system is hooked up to the internet or any other
communications link, that system can be hacked. And you can make it as
hard as possible, but there is no way you can prevent that from
occurring, as long as the system is available.
Or even if it is not on a communications link, anyone with physical
access to the system could potentially break into the system - or even
physically remove the hard drive and copy it on another system.
There are lots of ways a "secure" system can be broken into. Security
is about making that as hard as possible (deterrence), and when it does
happen, limiting the data which can be accessed.
>> I've got some friends who are in the security business. These are guys
>> with clearances higher than Top Secret.
>
>
> Yawn.
>
I suspect they know a hell of a lot more than you do. Why not post some
of your thoughts to some of the security newsgroups? You won't get far.
>> They are responsible for security of some very sensitive government systems.
>> They can't tell me a lot of details because I don't have a sufficient security clearance.
>
> Yeah, then they have to kill you.
>
You've been watching too much TV.
>> But one thing they agree upon - is that obscurity only gives a false
>> sense of security.
>
> I've said that several times. Please plug your brain back in.
>
As I said - I got threads mixed up. You claim security is about
prevention. Which is impossible.
>>>> There is no such thing as "prevention". That would indicate that
>>>> something can't happen, which is impossible to do.
>>>>
>>>> For instance, banks have been trying to prevent robberies for hundreds
>>>> of years.
>>>
>>> Banks prevent you, as an employee, from seeing all the things
>>> necessary to get your hand on the data of a user. Does it work all
>>> the time, no. That's where forensics come in. But if you don't
>>> prevent it at all, you open yourself (yourself being the bank) to
>>> lawsuits from customers, fines from FICA and harassment from auditors
>>> for SOX.
>>>
>> They make it harder by encrypting data, for instance. But they can't
>> prevent it. If it's possible for ANYONE to get into something, it's
>> possible for the WRONG person to get in there, also.
>
> Yep. Harder. Not easy like leaving the door open and hoping someone
> doesn't notice it's there.
>
But it's still not impossible. And there is no "prevention".
>
>> And forensics is after the fact.
>
> Forensics help discover how someone is TRYING to get in and yes, how
> they did if it already happened. If you watch how someone's trying to
> pick a lock, you know how to better enforce the lock.
>
Forensics is not about watching someone picking the lock. It is about
discovering how they got in, after the fact.
>> It has nothing to do with either security
>
> Sure it does. You learn from it and get better at defending against
> it.
>
Only after the fact. Good security will fix holes before the fact.
>
>> - other than a good system will audit access for later analysis.
>>
>>
>>>> At no time will a responsible security professional claim anything about
>>>> preventing break-ins.
>>> Right. That's why banks don't use firewalls, don't use encryption,
>>> don't use secure keys, etc.
>>>
>>> Stick with coding, J. You obviously know little about security.
>>>
>> And none of this prevents a break in. It just makes it harder.
>
> Yeah, but a lot harder than obscurity does. <- pay attention, dip. I
> agree with you on this one thing.
But it does not PREVENT a break-in.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================