NYCPHP Meetup

NYPHP.org

[nycphp-talk] Where to store credentials and/or keys

inforequest 1j0lkq002 at sneakemail.com
Mon Aug 14 20:25:25 EDT 2006


michael lists-at-genoverly.net |nyphp dev/internal group use| wrote:

>"Obfuscation as security".. has been beaten to death, (and as,
>predominantly, an OpenBSD user, you know what I'll say) but..   
>
>c'mon john.. a honey pot?  For what end?  Shits and giggles?  You are
>usually spot on with your posts, but, I am of the opinion you wandered
>off the trail here.  The fact that a honey pot can be found (or
>was left to be found) shows a serious flaw in the app. 
>
>Don't create and include a dbconnect.inc if you are not going to use it.
>That is a flat-out bad practice.  If it were my shop, I would feel more
>comfortable having developers concentrating on writing and implementing
>a tight app.  Besides; extraneous files are annoying and confusing to
>developers coming behind you. Oh, and, on the off chance a 'kiddie'
>finds your honey pot -and discovers it is empty- he may get pissed off
>enough to 'concentrate' on you rather than finding nothing and just
>moving on; looking for easier prey. 
>
Yeah well I knew there would be a slap from somewhere ;-)

I also know that my short term goals as a competitive webmaster don't 
always jibe with the long term goals of a sysadmin, especially where 
standards and best practices come into play.

Honeypot...no. I was referring to a best practice db.inc where best 
practice (on a shared host, for example) still suffered vulnerabilities 
(out of site, out of root, etc., yet accessible on a weakly-configured 
shared host). You've done what can be done on that host. Short of 
switching to another host, I'd obfuscate just as I usually buy odds at 
the craps table. If you are going to play, take advantage of what's 
available.

As for pissing off a cracker, that's not something I worry about as much 
as the opportunistic scanner or the kiddie who hijacked my neighbor's 
hosting password and is now traversing the tree for stuff to mess up or 
get free backlinks or looking for saleable information.



-- 
-------------------------------------------------------------
"If you think this stuff is confusing, you should try optimizing websites for search engine exposure."  john andrews SEO http://www.johnon.com
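The "db.inc outside the web root" practice the reply above refers to, together with the check it says is missing on a weakly configured shared host (the file being readable by other accounts on the box), as an added example. This is not code from the original thread or from NYPHP; the path ../private/db.inc, the array keys host/user/pass/name, and the assumption that PHP runs as the account that owns the file (suPHP/FastCGI-style, not mod_php) are all assumptions made for the example.

```php
<?php
// Added example (not from the original post). Loads database credentials from
// a PHP file kept outside the document root and refuses to use it when another
// account on a shared host could read it.
//
// Assumptions: this script lives in the web root; the credentials file is at
// ../private/db.inc and contains
//   <?php return ['host' => '...', 'user' => '...', 'pass' => '...', 'name' => '...'];
// and PHP runs as the user that owns that file.

declare(strict_types=1);

/**
 * Load credentials from a file outside the document root.
 * Refuses to proceed if the file is group- or world-readable, or is owned by
 * someone other than the PHP process user: on a shared host either condition
 * lets a neighbour's hijacked account walk the tree and read the password.
 */
function load_db_credentials(string $path): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("credentials file not found: $path");
    }

    // Never accept a credentials file that sits under the document root,
    // even if the deployment put it there by mistake.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false
        && strncmp($real, $docroot . DIRECTORY_SEPARATOR, strlen($docroot) + 1) === 0) {
        throw new RuntimeException("credentials file must live outside the document root: $real");
    }

    // 0077 covers the group and other rwx bits. Any of them set means another
    // account on the host can read (or, with write, replace) the file.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'credentials file %s is mode %04o; expected 0600 or 0400 (run: chmod 600 %s)',
            $real, $mode, $real
        ));
    }

    // On a mod_php host every vhost runs as the shared web server user, so the
    // file would have to be readable by that user and this check (or the mode
    // check above) flags it. That is the weakness the post describes.
    if (function_exists('posix_geteuid') && fileowner($real) !== posix_geteuid()) {
        throw new RuntimeException("credentials file $real is not owned by the PHP process user");
    }

    $creds = require $real;
    if (!is_array($creds)) {
        throw new RuntimeException("credentials file $real did not return an array");
    }
    foreach (['host', 'user', 'pass', 'name'] as $k) {
        if (!isset($creds[$k]) || !is_string($creds[$k])) {
            throw new RuntimeException("credentials file is missing key '$k'");
        }
    }
    return $creds;
}

// Usage: the include sits beside the web root, not under it.
try {
    $db  = load_db_credentials(dirname(__DIR__) . '/private/db.inc');
    $pdo = new PDO(
        "mysql:host={$db['host']};dbname={$db['name']};charset=utf8mb4",
        $db['user'],
        $db['pass'],
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
} catch (RuntimeException $e) {
    // Log the reason server-side; never echo the path or mode to the browser.
    error_log($e->getMessage());
    http_response_code(500);
    exit;
}
```

The permission and ownership checks are what turn "I put it outside the web root" into something you can verify on a host you do not control. If the host runs mod_php with one shared web server user, the file has to be readable by that user, and then only open_basedir or a per-account PHP process (suPHP, PHP-FPM pools) keeps the neighbours out; on such a host the check above will fail by design, which is the signal to change hosts rather than hide the file.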



