Posted by Malcolm Dew-Jones on 09/27/61 11:27
Nicholas Sherlock (n_sherlock@hotmail.com) wrote:
: Han wrote:
: > We are not trying to hide sensitive data that belongs to us. The
: > sensitive info is the users' data (e.g., their passwords).
: Don't store passwords. Problem solved.
To be a little clearer, do not store unencrypted passwords; only store the
crypt or md5 checksum of a password.
Use two-way encryption of important data like credit card numbers. If the
hardware is stolen then it is much harder to steal the data. If possible,
require a person to enter the decrypt password for the data, either when the
system starts up, so that the decrypted data is never available except
within the memory of the running computer after a bootup by an authorized
person (though the virtual memory paging file must be considered as well),
or decrypt the data just as needed, where each set of data has a password
specific to whatever person is authorized to access that data.
Store important data on a "more secure" server (in this case - yours), and
access it through a VPN that requires a manual password.
Combine the two, so that (for example) a cronjob reads a hard-coded
password but only via a secure (i.e. encrypted) link to another computer
at a different location.
However, if any person has access, either physical or remote login with
any privileges (intended or not) then the program and the data can never
be completely protected.
One very common strategy to solve this is to make the system and data
available only to people that are trusted. "Trusted" actually means
background checks (criminal record checks etc.), signed contracts, security
clearances, two-key sign-ins, etc., and continual review of security
procedures and policies. (That is all the stuff that allows large
companies to charge outrageous prices.)
Another strategy used in some settings: the server hardware does not
belong to the customer. The seller (you in your example) still owns the
hardware. The customer has no privileged access, but does have physical
control of the box. You log in remotely to do upgrades etc., or other
maintenance. They might control your remote access by physically
disconnecting your connection to the box, and possibly monitoring your
connection when you work on it (you'll need to use a challenge/response
login if they monitor your access).
--
This programmer available for rent.
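The two pieces of advice in the post above, storing only a one-way hash of each password and keeping card numbers under two-way encryption whose key is typed in by a person at startup, written out as an added example. This is not code from the original thread. It swaps in a salted, iterated PBKDF2-HMAC-SHA256 hash for the post's "crypt or md5 checksum", and AES-GCM for the unspecified two-way cipher; the iteration count, the `cust-42` record id and the sample card number are constructed for the example. Only the Go standard library is used, so PBKDF2 is spelled out rather than imported.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018), written out to avoid dependencies.
func pbkdf2(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)          // U_j = PRF(P, U_{j-1})
			for j := range t {
				t[j] ^= u[j]          // T_i = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

const (
	saltLen = 16
	kdfIter = 100000 // assumption: a cost chosen for this example; tune to your hardware
	keyLen  = 32
)

// PasswordRecord is what the user table stores: salt, cost and hash, never the password.
type PasswordRecord struct {
	Salt []byte
	Iter int
	Hash []byte
}

func HashPassword(password string) (PasswordRecord, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	return PasswordRecord{salt, kdfIter, pbkdf2([]byte(password), salt, kdfIter, keyLen)}, nil
}

// VerifyPassword recomputes the hash and compares in constant time.
func VerifyPassword(rec PasswordRecord, candidate string) bool {
	got := pbkdf2([]byte(candidate), rec.Salt, rec.Iter, len(rec.Hash))
	return subtle.ConstantTimeCompare(got, rec.Hash) == 1
}

// Vault holds the data-encryption key only in memory. It is derived at startup
// from a passphrase an authorized person types in; disk holds only salt and ciphertext.
type Vault struct{ aead cipher.AEAD }

func OpenVault(passphrase string, salt []byte) (*Vault, error) {
	block, err := aes.NewCipher(pbkdf2([]byte(passphrase), salt, kdfIter, keyLen))
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead}, nil
}

// Seal encrypts one record with AES-GCM. A fresh random nonce is prepended, and the
// record id is bound as associated data so a blob moved to another row will not open.
func (v *Vault) Seal(recordID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open decrypts a blob produced by Seal; any tampering or wrong record id fails.
func (v *Vault) Open(recordID string, blob []byte) ([]byte, error) {
	n := v.aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, blob[:n], blob[n:], []byte(recordID))
}

func main() {
	rec, _ := HashPassword("correct horse")
	fmt.Println("stored:", hex.EncodeToString(rec.Hash), "ok:", VerifyPassword(rec, "correct horse"))
	salt := make([]byte, saltLen)
	rand.Read(salt)
	v, _ := OpenVault("passphrase typed at boot", salt) // in practice read from a terminal, not argv
	blob, _ := v.Seal("cust-42", []byte("4111111111111111")) // constructed sample card number
	card, err := v.Open("cust-42", blob)
	fmt.Println("decrypted:", string(card), err)
}
```

The key lives only in the `Vault` value, which is what the post means by "within the memory of the running computer"; Go does not pin or lock that memory, so the post's caveat about the paging file still applies and the process should run on a host with encrypted or disabled swap. Binding the record id as associated data is the cheap way to get the "password specific to whatever person is authorized" property the post describes: a ciphertext cannot be silently re-homed to a different customer's row.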