Posted by Jerry Stuckle on 09/05/05 17:24
Andrew DeFaria wrote:
> Jerry Stuckle wrote:
>
>>
>> We were talking SECURITY - and passwords are part of it.
>
>
> No we were talking about needless replication of data in the name of a
> false sense of security...
>
It is needless to an idiot.
>
>
> And a lot of companies don't need the security you are pushing.
>
And a lot of "consultants" have their heads up their anal orifices when
it comes to security.
>
> Yes, but I remain unconvinced that such a need exists still. And you
> can't tell if it's necessary either. Neither of us have the specs,
> requirements, etc.
>
The clueless normally do. Are you also unconvinced you shouldn't leave
your front door unlocked? Or the keys in your car? I suspect so.
>
>
> No you are wrong. The data is not facing the outside world - it's in the
> intranet and not accessible by the outside world. It is accessible to
> the inside world as it were. (Later you admit that you have knowledge
> that this is an intranet only situation. Why then do you say "If the
> database is being directly accessed by the web site, it is facing the
> outside world" when it clearly is not - at least not in most people's
> common usage of "inside world" = intranet and "outside world" =
> internet? Are you just trying to be argumentative?)
>
By "outside world" I mean areas which do not normally have access to
that data. It may be inside the company or outside the company.
For instance - from the HR department's POV, the marketing department is
the "outside world". And HR is the "outside world" to the marketing
department. But of course you wouldn't understand this.
>
>
> You assumed there was a need for security did you not?
>
I assumed nothing. I pointed out a potential weakness in their proposed
design, and an easy way to limit the exposure.
>
>
> You're selling FUD, plain and simple. Most security people do - that's
> their thing.
>
ROFLMAO! First of all, I am not a "security person". I am a developer
with almost 40 years of programming experience. I have worked on every
sized system from PC's to mainframes, in almost 20 different languages.
I started learning about data protection in my 13 years with IBM. I've
continued during the last 15 years as a consultant.
I've worked with "security people". They have a much different job. If
you knew anything about security, you'd understand that.
>
> I stated my opinion, that it was overkill, especially given the lack of
> a security requirement at all.
>
And you are totally clueless. Do you think every requirement was
specified in the original post? And do you think the customer
understands everything about potential exposures?
>>
>> Not understanding the customer's situation, you really have no idea.
>
>
> Nor do you. In general, however, if you are exposing parts of your
> database to update from a web interface and wish to have other parts
> remain secure then most DBMS' provide various forms and ways to
> accomplish such security. It is reasonable to assume that the whole damn
> database is not open wide to anybody who gets in, therefore the idea of
> having to replicate just parts of the database so as to keep the other
> parts "safe" seems ludicrous to me because it assume that there is
> absolutely no security implemented in the database to start with.
>
I have enough understanding to indicate a potential exposure and a
possible solution - which is all I did. It is up to them to determine
if the risk is acceptable or not.
And if you understood ANYTHING, you would realize that the security that
"most DBMS' provide" is very minimal. If the database is accessible, it
can be hacked. Just ask some major companies with serious DBMS' like
Oracle, SQL Server and DB2. All of these have been hacked.
And these are just the big cases. There are numerous other cases where
data has been accessed by unauthorized people. As I indicated earlier,
industry estimates are that > 85% of all security breaches are internal
- from disgruntled employees, for instance. But you normally don't hear
about them on the national news. However, this doesn't mean the breach
is not costly to the company.
And data which isn't there cannot be hacked.
>
> As I said, and you seem to agree, it adds complexity and yet another
> point of failure. What we are really arguing is whether such added complexity is
> worth it? It may be, if the data is highly confidential and requires
> extra security measures. Your assumption is that it does. What you base
> that assumption on is questionable to me as you have not seen the specs.
> My assumption is that it does not. What I base my assumption on is the
> lack of any clear statement of required security. Hey it may very well
> require such security precautions or even more. But so far that still
> has not been specified.
>
No, we don't agree.
You're "adding complexity" by putting up a web page. You're "adding
complexity" by accessing a database. You're "adding complexity" by
providing password protection.
This implementation adds less complexity to the system than any of the
above. Replication is already built into the database - and well
tested. Setting up the replication is < 30 minutes. Then it runs
itself - and is as reliable as the DBMS itself.
You still have to read from the database. And write to the database.
This is still being done. The only difference is the writing is done
from a separate system. And there must be all of a couple of dozen
extra LOC to do this. Yeah, when compared to a couple of thousand lines
on a web site, it's pretty minimal.
>
> So it should not be implemented unless requested (or unless you really
> know the data and feel the company is risking things perhaps not knowing
> the risks involved but again we don't know that).
>
No, we don't know that. So you can't say it's unnecessary, can you?
Oh, but you have. Do you have some magic ESP or something?
Remember - all I did was mention a potential exposure and how it could
be minimized. I left it up to them to determine if it was necessary or not.
YOU are the one who determined it was overkill - with absolutely no more
knowledge of their situation than I had.
I love your kind of consultant. You know more about the "solution" than
you do the problem. You don't take the time to understand the
customer's needs. But you know the answer. They don't need security!
I've made hundreds of thousands of dollars in my consulting business by
picking up after people like you. But then I bother to understand my
customer's needs, clearly explain possible solutions and risks involved
with each solution, and let them make the decision.
>
>
> Expand that to a myriad of other companies that have the same info. Do
> you really believe that your SS# is secure at every company that has
> that info?
>
I believe it's secure in every company system I've worked on. I don't
believe it's secure in ANY system you've worked on.
>>
>> But my SSN is NOT replicated to the external database.
>
>
> Did you miss that first word where I said "If"?
>
No, I didn't miss the "if". My SSN was not replicated - so the rest of
your statement was meaningless.
>> Part of security is to replicate ONLY THE REQUIRED DATA.
>
>
> Thus making such data less useful. Then again it's hard to say that
> because again (I know I sound like a broken record) neither you nor I
> have any inkling of the requirements and needs of this web application.
> Maybe the SS# is required. Maybe even it needs to be available for
> update. We just don't know the specifics. We could continue to speculate
> if you like but I really don't see the point.
>
Wrong again. Data which is unnecessary does not make anything less
useful. If I'm designing an inventory control system, I really don't
care about the orbit of Jupiter. It's unnecessary data, and does
not affect my HR system at all. However, if I'm working on a guidance
system for a space probe, details on the orbit of Jupiter are important.
The same here. SSN's are of no importance to the marketing department,
and HR doesn't care about sales figures. To each, the other's data is
superfluous and does not affect the usability of their own data.
>
> Yeah, right. But I sure know overkill when I see it. Of course our
> government is the model of efficiency, modern data processing and
> sharing of information, that's for sure! Hell just take the USCIS for
> example. Last I checked, they still haven't updated their PDF files
> with the correct pricing information. It's only been about 2 years now
> but then again that's way faster than most normal businesses!
>
Again, you understand the user's company, the data involved,
requirements for how the data is to be used, the potential exposures if
the data is misused, and the consequences thereof.
Gee, you must have the greatest ESP around!
> Yeah I understand security. Security only really keeps honest people
> honest. The dishonest people hardly slow down at all with security. It
> just causes more frustration for honest, regular users and makes it so
> that it's actually quicker to do things without computer systems! Yeah
> but we have to throw up these security barriers, even when unasked for
> and unneeded, otherwise we'd process too many things at once and lord
> knows different branches of the government that are supposed to talk to
> one another will actually talk to one another and then the terrorists
> will have a tough time and we wouldn't want that happening!
>
> Give me a break!
>
Of course you believe that. Minimal security as you propose only keeps
the honest people honest.
Fortunately, my bank, my doctor, the government and virtually every
medium and large company understand that this isn't true - and that you
can implement higher security which will keep dishonest people out.
What I suggested will not keep everyone out. But it will provide a lot
more protection.
>> Because I know the person who designed this part of the web site, and
>> we have discussed its implementation in detail.
>
>
> Then you are working with details that I am not. Now you could have
> simply stated up front that you knew this and that such security was
> required for this project, but no you figured you'd argue a little
> first. I see...
>
Again, I didn't say that such security was necessary for the project. I
only pointed out a potential weakness and a possible solution, leaving
it up to them to determine if it was necessary.
It was YOU who, in all of your great knowledge, indicated that this
level of security was unnecessary. Again - your ESP must be on overtime
because you knew the security was unnecessary from the little bit of
data given.
>>
>>
>> It is relevant when you're questioning whether I understand Federal
>> government systems.
>
>
> Not really but you can continue to think so if you want. Federal
> government systems don't all emanate from DC ya know.
>
No, they don't all emanate from D.C. But they are all managed from D.C.
in one way or another.
>
>
> Good for you. I hope you don't resort to the same argument tactics you
> do here with them.
>
No, I don't argue with them. They're not clueless.
And BTW, YOU are the one who hopped in uninvited and indicated my
solution was "unnecessary". And you continue to indicate my solution is
unnecessary. Despite no knowledge of the customer's needs or situation.
>
>
> Just as soon as you reveal yours! ;-)
>
> However, if I say "I'm everywhere" then you can just assume it's
> "everybody".
>
> Have a nice day! Now go away because I really have no time for somebody
> who withholds information like they have seen the specifications just to
> argue with somebody else. You could have been up front and clear but
> instead you decided just to be argumentative and quite frankly I do not
> wish to argue with such deceptive people.
Speaking about yourself, huh? Remember - you started it!
And no, I don't have any other information on the customer's needs. But
I don't tell him something is necessary or unnecessary. But I do offer
options.
And I have no desire to have a discussion with a "know it all" idiot who
is way out of his league - but too stupid to realize it.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
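The design point argued over in the post above (replicate only the columns the web application needs into a separate database, versus relying on DBMS grants over the full table) can be shown concretely. The following is an added example, not code from the thread or from the system under discussion; it uses in-memory sqlite3 databases as a stand-in for real DBMS replication, the table and column names (`employees`, `ssn`, `salary`, and so on) are assumptions for illustration, and the sample rows are constructed. The injectable query is deliberately written that way to show what an attacker reaches in each database: on the full master copy a classic injection returns the SSN column, while on the minimized replica the same payload cannot name a column that was never replicated.

```python
"""Added example (not from the original thread): replicate only the columns a
web-facing application needs into a separate database, then verify that the
web copy cannot yield the withheld fields even under SQL injection.
sqlite3 in-memory databases stand in for DBMS-native replication; table and
column names are assumptions, and the rows are constructed sample data."""
import sqlite3

# Columns the hypothetical web app actually needs. SSN and salary stay on the master.
WEB_REQUIRED_COLUMNS = ("emp_id", "name", "department", "email")


def build_master():
    """Constructed master (HR) database that carries the sensitive columns."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE employees (
        emp_id INTEGER PRIMARY KEY, name TEXT, department TEXT,
        email TEXT, ssn TEXT, salary INTEGER)""")
    db.executemany("INSERT INTO employees VALUES (?,?,?,?,?,?)", [
        (1, "Ann Example", "Marketing", "ann@example.com", "000-00-0001", 70000),
        (2, "Bob Example", "HR", "bob@example.com", "000-00-0002", 65000),
    ])
    db.commit()
    return db


def replicate_subset(master, columns=WEB_REQUIRED_COLUMNS):
    """Copy only the allow-listed columns into a fresh web-facing database.
    The column list is a fixed constant, never user input, so building the
    SQL text from it is safe here."""
    web = sqlite3.connect(":memory:")
    col_list = ", ".join(columns)
    web.execute(f"CREATE TABLE employees ({col_list})")
    rows = master.execute(f"SELECT {col_list} FROM employees").fetchall()
    placeholders = ", ".join("?" * len(columns))
    web.executemany(f"INSERT INTO employees VALUES ({placeholders})", rows)
    web.commit()
    return web


def table_columns(db, table="employees"):
    """Column names actually present in a database, read from the schema."""
    return [row[1] for row in db.execute(f"PRAGMA table_info({table})")]


def check_minimized(db, allowed=WEB_REQUIRED_COLUMNS):
    """Return the set of columns present that are NOT on the allow-list.
    An empty set means the copy is minimized; run this after every schema change
    so a new sensitive column on the master does not silently reach the web copy."""
    return set(table_columns(db)) - set(allowed)


def lookup_by_name_vulnerable(db, name):
    """Deliberately injectable query, kept only to show what an attacker reaches."""
    return db.execute(f"SELECT * FROM employees WHERE name = '{name}'").fetchall()


def lookup_by_name(db, name):
    """Parameterized form the web application should actually use."""
    return db.execute("SELECT * FROM employees WHERE name = ?", (name,)).fetchall()


def injection_returns_columns(db):
    """Run a tautology payload through the injectable query and report which
    columns come back to the attacker."""
    payload = "x' OR '1'='1"
    cur = db.execute(f"SELECT * FROM employees WHERE name = '{payload}'")
    cur.fetchall()
    return [d[0] for d in cur.description]


def union_steal_ssn(db):
    """UNION-based payload an attacker uses once the column count is known.
    Returns the stolen SSN values, or None when the column does not exist in
    this database at all (the replicated subset case)."""
    ncols = len(table_columns(db))
    payload = "x' UNION SELECT " + ", ".join(["ssn"] * ncols) + " FROM employees --"
    try:
        return [row[0] for row in lookup_by_name_vulnerable(db, payload)]
    except sqlite3.OperationalError:  # e.g. "no such column: ssn"
        return None


if __name__ == "__main__":
    master = build_master()
    web = replicate_subset(master)
    print("extra columns on web copy:", check_minimized(web))
    print("injection on master exposes:", injection_returns_columns(master))
    print("injection on web copy exposes:", injection_returns_columns(web))
    print("UNION theft on master:", union_steal_ssn(master))
    print("UNION theft on web copy:", union_steal_ssn(web))
```

`check_minimized` is the check worth keeping around in a real deployment: it reads the live schema of the web-facing copy and fails if any column outside the allow-list has appeared, which is how a replica drifts back into carrying the data it was meant to exclude.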