|
|
Posted by The Natural Philosopher on 10/22/07 12:09
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>> Michael Fesser wrote:
>>>> .oO(Jerry Stuckle)
>>>>
>>>>> Gary L. Burnore wrote:
>>>>>> Security is about many things of which prevention is one.
>>>>> No responsible person in the security field will ever claim that.
>>>>>
>>>>> There is no such thing as "prevention". That would indicate that
>>>>> something can't happen, which is impossible to do.
>>>>
>>>> If a file is stored outside the document root, it can't be accessed
>>>> by a
>>>> URL. That's prevention.
>>>>
>>>
>>> Nope. It is not. There is, for instance, nothing to stop me from
>>> uploading a document which opens the file and spits the source code
>>> out for me.
>>>
>>
>> Unless there is no way to upload code OR THERE IS, BUT YOU NEVER FOUND
>> IT.
>>
>
> If it's there, it can be found. Period.
>
That's not what I said. I said YOU never found it.
Your logic is very one dimesnional isn't it?
>> Ah Security by obscurity. Place it somewhere completely different!
>>
>
> Nope. No obscurity at all. It doesn't exist, so I can't get it. Period.
>
Ah. So the only secure computer is one with no informatuon on it. Cool.
>>> But how many systems do you know fit this?
>>>
>> None whatsoever, especially ones you put together ;-)
>>
>
> Which are probably a hell of a lot more secure than anything you come up
> with. Because I don't expect obscurity to protect anything. I assume
> they will find it - and act accordingly.
>
Oh so do I, but that doesn't stop me also making sure that there is
nothing obvious there to make them want to.
>> So we have reduced teh argument to te somple prpositon that 'no system
>> is secure'
>>
>> Nw, which is MORE secure, the one that everyone can see, and just have
>> to find a way into, or the one that moat people don't see at all, and
>> if they do, they find what looks like a door, but it takes them
>> straight into a minefield?
>>
>
> The one everyone can see is more likely to be secure because a competent
> admin will plan for break-ins. The one nobody can see may have an
> administrator who slacks off because he believes the server is secure.
>
"may".
> But if there is a house there, I know there is a door somewhere. And
> some careful probing will find the door.
Not if it doesn't look like a house.
>
> Just like if there is a server on the internet, it will respond to
> something. It's just a matter of figuring out what.
>
port 80.
Only.
Unless you happen to do some very unusual things that you wouldn't guess.
>
[Back to original message]
|