Posted by Jerry Stuckle on 10/22/07 12:27
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> The Natural Philosopher wrote:
>>> Jerry Stuckle wrote:
>>>> Michael Fesser wrote:
>>>>> .oO(Jerry Stuckle)
>>>>>
>>>>>> Gary L. Burnore wrote:
>>>>>>> Security is about many things of which prevention is one.
>>>>>> No responsible person in the security field will ever claim that.
>>>>>>
>>>>>> There is no such thing as "prevention". That would indicate that
>>>>>> something can't happen, which is impossible to do.
>>>>>
>>>>> If a file is stored outside the document root, it can't be accessed
>>>>> by a URL. That's prevention.
>>>>>
>>>>
>>>> Nope. It is not. There is, for instance, nothing to stop me from
>>>> uploading a document which opens the file and spits the source code
>>>> out for me.
>>>>
>>>
>>> Unless there is no way to upload code OR THERE IS, BUT YOU NEVER
>>> FOUND IT.
>>>
>>
>> If it's there, it can be found. Period.
>>
>
> That's not what I said. I said YOU never found it.
>
> Your logic is very one dimensional isn't it?
>
You didn't read what I said, did you?
If it is there, it can be found. Period. Whether I find it or not is
immaterial. The fact that SOMEONE can find it is critical.
>
>
>>> Ah Security by obscurity. Place it somewhere completely different!
>>>
>>
>> Nope. No obscurity at all. It doesn't exist, so I can't get it.
>> Period.
>>
>
> Ah. So the only secure computer is one with no information on it. Cool.
>
Or one which is completely isolated from the internet and outside world,
yes. That's how security professionals think.
>
>>>> But how many systems do you know fit this?
>>>>
>>> None whatsoever, especially ones you put together ;-)
>>>
>>
>> Which are probably a hell of a lot more secure than anything you come
>> up with. Because I don't expect obscurity to protect anything. I
>> assume they will find it - and act accordingly.
>>
>
> Oh so do I, but that doesn't stop me also making sure that there is
> nothing obvious there to make them want to.
>
They don't have to "want to". I have some sites which collect no
information from users - they are strictly informational sites. But
hackers still try to get to them.
>>> So we have reduced the argument to the simple proposition that 'no
>>> system is secure'
>>>
>>> Now, which is MORE secure, the one that everyone can see, and just
>>> have to find a way into, or the one that most people don't see at
>>> all, and if they do, they find what looks like a door, but it takes
>>> them straight into a minefield?
>>>
>>
>> The one everyone can see is more likely to be secure because a
>> competent admin will plan for break-ins. The one nobody can see may
>> have an administrator who slacks off because he believes the server is
>> secure.
>>
>
> "may".
>
>
>> But if there is a house there, I know there is a door somewhere. And
>> some careful probing will find the door.
>
> Not if it doesn't look like a house.
>
It has an address. There is something there. It can be found.
>>
>> Just like if there is a server on the internet, it will respond to
>> something. It's just a matter of figuring out what.
>>
> port 80.
>
> Only.
>
> Unless you happen to do some very unusual things that you wouldn't guess.
>
>
Hackers know all of the tricks. In fact, they probably know a lot more
tricks than you do.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================