Re: How to get an unix programmer started on web programming?
- From: Andrew DeFaria <Andrew@xxxxxxxxxxx>
- Date: Sun, 04 Sep 2005 21:41:25 GMT
Jerry Stuckle wrote:
Andrew DeFaria wrote:
Jerry Stuckle wrote:
Yes, you are entitled to your opinion. But I hope you don't work on any of my customer's systems!
Who are your customers? ;-)
Small and medium sized businesses and U.S. Government, mainly.
Name names. I cannot tell if I've worked on any of your customers' systems without such info!
Ah, nobody was speaking of passwords at all really? We were talking about replicating portions of a database so that the real database was not directly manipulated by the end user, then implementing some sort of syncing process back and forth. To me that's overkill. For all we know a very good password system is also in place. In fact that was my assumption.
But weak passwords are often how these things are hacked.
That may be, however that was not what was being discussed here.
Medium security would also enforce random password rules, SSL for much of the data, no telnet/ssh/ftp/sftp access, email on different servers, etc.
Now if you want high security - you're talking multiple passwords which change by the minute (user has a little credit card sized device which flashes a new password every minute) and biometric identification, everything ssl, access only from specific IP addresses, etc.
Again, we were not talking about passwords and SSL - we (or at least I) were talking about unnecessary replication of the database.
No, but we ARE talking about protecting data.
So what? We are talking about protecting data even without any stated requirement that the data needs protection. That's putting the cart before the horse.
And no, this isn't hard to implement. Oracle's replication can be set up in a few minutes by someone who knows what they're doing. The additional scripts take maybe a half-hour to an hour to write each, depending on their complexity. Such a system can be easily set up in a couple of days. But, of course, you'd save some time on the web site because some of the code would be moved to the server site.
Ah, now you switched the argument back to DB replication. Clever, but it doesn't fool me. And I believe it was also suggested to do a subset of the DB. Doing the whole DB is wasteful in terms of space and time. Now doing a subset may be easy and may not - it depends on the organization of the data.
In any event, I fail to see how subsetting a DB and putting only a part out there will really achieve any security if there are also all kinds of automated synchronization scripts. The intruder can still infiltrate your exposed data then just wait for the sync to occur. This then becomes a false sense of security.
It's all part of protecting data. If you can't understand that data that isn't there can't be hacked, then you have more than a little problem.
As it turns out the system involved is not facing the "outside world" anyway. IOW security requirements are not as broad as you incorrectly assumed.
It takes much longer to actually create the web pages and the back end programming than it does to isolate the database on a different server.
Irrelevant, as the creation of the web pages and back end programming needs to be done anyway. All you're doing is adding more stuff to do, more complexity to do the replication (thus making the data less timely), etc. Now that's fine if you really get a benefit somewhere and if that benefit or security is indeed required. I just don't see it in this case. It was not even mentioned that such a worry or a problem existed nor that there was any requirement for such.
You indicated it was unnecessary work.
Yes and I still believe it is unnecessary especially lacking a stated requirement.
It adds very little complexity to the system.
I disagree. It adds complexity to the system. If, or rather when, the synchronization breaks down and needs attending to, it adds to the workload.
But a large step in security.
I would beg to differ that it's a large step in security at all, but nonetheless a step in security that was not asked for.
And BTW - you indicated you have worked on government systems from a consumer POV. You may not think they are the greatest sites - but there is a LOT of stuff behind the pages you don't see.
BFD. To me that is not relevant to this situation.
Sure it is. For instance - the FCC has my SSN in its database.
So does Albertsons or any of a host of other businesses much less "secure" than your blessed FCC. A false sense of security is what one gets when they secure one place and fail to recognize that there are thousands of other places that would-be thieves would probably use to get such info.
But you won't be able to hack it through the web because that data is protected.
If your SS# is replicated to the external database then it would be as exposed to capture as if the database was not replicated. Besides, in the real world, your SS# is probably available from many other sources anyway.
Remember - YOU brought up the subject of government systems. I just gave you a real-life example of YOUR subject.
And I fail to see how it's relevant at all. We have no clear security requirements stated, yet you put forth recommendations based on FUD. We have no indication of what the data is, nor whether it contains personal or confidential data, nor an estimation of its value. We didn't even have any indication of whether or not the data was available to the masses or confined to an already secured lab (turns out it's Intranet only).
For instance - check http://www.fcc.gov. You can access their wireless license database, but not private information such as DOB's and SSN's. You can even update your own records. But you won't be able to hack the main database - it isn't on the same system.
Is that really the situation that we have here? Or is that your assumption?
That is the situation.
Really? But you are not the OP. How do you know that the FCC security requirements are the same as that which is needed for the OP's situation? Do you work with the OP? Or are you just spreading more misinformation?
In case you're wondering - I do live in the D.C. area - and do a fair amount of government work.
Good for you. That's wonderful (and wonderfully irrelevant).
And although I didn't work on this particular system, I know some of the programmers who did.
Ah, so then you have insight into the security requirements for this project? Or are you still just guessing? Because geeze, you didn't even appear to know that it was Intranet only...
It really looks like you have no idea of what security is.
Yes, I do know what security is. I was just questioning whether or not such security was needed in this specific case. I saw nothing to indicate that it was required, and lacking that, the steps proposed to get additional security seemed like overkill to me. Why do you have such a hard time grasping that simple concept?
So - please don't work on any of my customers systems.
Thanks for asking nicely; however, I will work for whatever people wish to employ me provided they pay well, your polite request notwithstanding.
And nay I will implement as much security as required for the system under task, but I do so from clear specifications that such security is required. IOW I don't build a fortress when what was asked for is a tool shed (this is one way to get $500 toilet seats!). Similarly, however, if I notice that the tool shed would be carrying toxic stuff and there was a real threat that it required stronger walls or a lock I surely will suggest such things.
I do not, however, attempt to scare people into implementing additional security where it is unwarranted simply to extend my contract.
And let me know which ones you do work on - I don't want ANY of my personal data on them!
I'm everywhere! It's too late! ;-)
--
The trouble with doing something right the first time is that nobody appreciates how difficult it was.