NYCPHP Meetup

NYPHP.org

[nycphp-talk] Where to store credentials and/or keys

michael lists at genoverly.net
Mon Aug 14 21:24:26 EDT 2006


On Mon, 14 Aug 2006 17:25:25 -0700
"inforequest" <1j0lkq002 at sneakemail.com> wrote:

> I also know that my short term goals as a competitive webmaster don't 
> always jibe with the long term goals of a sysadmin, especially where 
> standards and best practices come into play.

agreed [grin]
 
> Honeypot...no. I was referring to a best practice db.inc where best 
> practice (on a shared host, for example) still suffered
> vulnerabilities (out of sight, out of root, etc. yet accessible on a
> weakly-configured shared host). You've done what can be done on that
> host. Short of switching to another host, I'd obfuscate just as I
> usually buy odds at the craps table. If you are going to play, take
> advantage of what's available.
> 
> As for pissing off a cracker, that's not something I worry about as
> much as the opportunistic scanner or the kiddie who hijacked my
> neighbor's hosting password and is now traversing the tree for stuff
> to mess up or get free backlinks or looking for saleable information.

John, you are a respected colleague, but I'm not buying your logic
*here*.  Assessing risk and mitigating risk is something to be taken
seriously. I think we agree on that.  I'm not a fan of shared hosting
for any sort of serious business; just for the reason above. You can be
as strong as you want, but the weak link in that chain may well be your
neighbor.  

If one's business (and presumably livelihood) depends on a web server,
and the above is the risk model, then shared hosting *should* be the
first thing chucked out the window. (This is where you say 'not an
option' and I quickly retort 'horse hockey'.) Dedicated/managed hosting
is in reach for any serious business.  If a business can't afford it,
then don't do it. To wit: if you *must* jump into shark-infested
water, make the small financial investment and rent a shark cage. Those
are the odds that you can buy.  No amount of spray-on shark repellent
can compare to that... or even wearing an extra fake limb so the shark
will bite it thinking he 'got ya' and goes away.


-- 

Michael
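The "best practice db.inc" John describes above (credentials kept out
of the document root) and the shared-host weak link Michael answers
with can both be made concrete in a few lines of PHP. The following is
an added example written for this archive page; it is not code from
either poster. It loads a credentials file that `return`s an array,
refuses the file if it sits under the web root, and refuses it again
if its mode lets group or other read it, which is what a neighbouring
account on a shared box would exploit. The temp-directory setup at the
bottom, the file names and the credential values are constructed for
the demonstration and are not from the thread.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Load DB credentials from a PHP
// file kept outside the document root, and refuse to use it when its
// permissions would let other accounts on a shared host read it.

function loadDbCredentials(string $path, string $docroot): array
{
    $real = realpath($path);
    if ($real === false) {
        throw new RuntimeException("credentials file not found: $path");
    }

    // "Out of root": the file must not live anywhere under the web
    // root, or a misconfigured handler could serve its source verbatim.
    $root = realpath($docroot);
    if ($root !== false) {
        $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            throw new RuntimeException("credentials file is inside the web root: $real");
        }
    }

    // Group/other read bits are the shared-host weak link: any neighbour
    // with shell, cron or CGI access can open the file wherever it lives.
    clearstatcache(true, $real);
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            "credentials file %s is readable by other users (mode %04o); chmod 600 it",
            $real, $mode));
    }
    // A file owned by someone else is not under your control either.
    if (function_exists('posix_geteuid') && fileowner($real) !== posix_geteuid()) {
        throw new RuntimeException("credentials file $real is not owned by the running user");
    }

    $creds = include $real;   // the file is expected to `return [...]`
    if (!is_array($creds)) {
        throw new RuntimeException("credentials file $real did not return an array");
    }
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($creds[$key]) || !is_string($creds[$key])) {
            throw new RuntimeException("credentials file missing key '$key'");
        }
    }
    return $creds;
}

// --- Constructed demonstration: temp dirs stand in for ~/private and ~/public_html ---
$private = sys_get_temp_dir() . '/nyphp_private_' . getmypid();
$docroot = sys_get_temp_dir() . '/nyphp_docroot_' . getmypid();
mkdir($private, 0700);
mkdir($docroot, 0755);

$file = $private . '/db.inc';
file_put_contents($file,
    "<?php\nreturn ['dsn' => 'mysql:host=localhost;dbname=app', "
    . "'user' => 'app', 'pass' => 'constructed-secret'];\n");

chmod($file, 0644);          // a typical umask result: neighbours can read it
try {
    loadDbCredentials($file, $docroot);
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

chmod($file, 0600);          // owner-only: passes the check
$creds = loadDbCredentials($file, $docroot);
echo "loaded credentials for user {$creds['user']}\n";

// From here the array goes straight to PDO, e.g.
// $pdo = new PDO($creds['dsn'], $creds['user'], $creds['pass']);

unlink($file);
rmdir($private);
rmdir($docroot);
```

The check is only satisfiable when PHP runs as your own account
(suPHP, suEXEC, or a PHP-FPM pool per user). Under a plain mod_php
setup where every site runs as the same web-server user, the file
*has* to be readable by that shared user, so the mode test can never
pass; that is precisely the weakly-configured host the thread is
arguing about, and the remedy is a different execution model or a
different host, not a better hiding place for db.inc.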



More information about the talk mailing list