web-security methods, advice please!

James Knott james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Mon Jan 1 17:31:12 UTC 2007


Madison Kelly wrote:
> Sy Ali wrote:
>> On 12/31/06, Madison Kelly <linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org> wrote:
>>>    I am not a cryptologist (or particularly good at math) and make no
>>> claims to be a security expert of any kind. So please be brutal and
>>> honest with my plans (a cracker would)! :)
>>> <snip>
>>> Again, *Please* be brutal on your critiques of my methods. If my
>>> thinking is flawed, I would be grateful to learn now rather than
>>> later. :)
>>
>> I'm not in a position of expertise, but I want to give you the very
>> first thing that leapt to my mind..
>>
>> Unless I'm missing something.. if you're not an expert, you shouldn't
>> play at being one when security is in question.
>>
>> Having said that, is it possible for you to either contract this
>> portion of the coding out to an expert, or re-use or buy
>> existing, tested and trusted code for your own purposes?
>>
>> At the very least, this helps you cover your behind..
>
> Wise advice, certainly. :)
>
> This is my own company though that I am starting on a shoe-string
> budget. There are many things I should be contracting out, not least
> being security, but I simply can't afford to do this at this point
> (though I may well later if/when business picks up).
>
> So for now, I am hoping that my prying questions will close at least a
> few of the holes I have certainly missed. :)
>

One thing to bear in mind is that you can never prove a system to be
secure.  You can only fail to break in.  There have been many times in
the past when someone insisted they had a secure method.  The only
reason they could make that claim was that they didn't know enough about
possible failures to recognize them.  Even with widely scrutinized open
source security methods, such as PGP etc., there is no proof that it's
secure, only that despite all that inspection by experts, no one's yet
found a way in, and so it's presumed to be secure at the moment.




--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists