To whoever hacked into my Database

Νίκος Αλεξόπουλος nikos.gr33k at gmail.com
Sat Nov 9 11:59:18 EST 2013


On 9/11/2013 5:07 PM, Steven D'Aprano wrote:
> On Sat, 09 Nov 2013 09:05:51 +0200, Νίκος Αλεξόπουλος wrote:
>
>> Its probably unwise to post the following snippet of code that validates
>> user input so an attacker wouldn't pass arbitrary values to my script
>> but what the heck.....
>
> On the contrary, it is wise to publicise your security code. It is a very
> strong principle of security that you should not put your trust in
> obscurity. To give an analogy, your doors should be secure even if people
> know where the door is, what brand of lock you use, and even the type of
> key used.
>
> Nikos, you have annoyed and alienated enough people here that the
> following may not apply to you, but in general I would expect that
> publishing your code in a friendly forum would lead to "many eyes make
> shallow bugs" -- people who spotted a bug in your security code, a
> weakness or a flaw, would speak up and tell you. Your security should
> depend on the strength of the security mechanism, and not rely on others
> being ignorant of what security you have in place.
>
> On the other hand, it is possible to be *too* open. Secrets should not be
> publicised. Secrets include passwords. Occasionally they may include
> other things. For example, in port-knocking, the precise sequence of
> ports used is a secret.
>
> There is, sometimes, value in obfuscating parts of your security. E.g.
> rather than allowing ssh on the usual port 22, some people prefer to use
> some other port number for that extra bit of security. But they don't
> rely on that -- if the attacker manages to discover that they use port
> 45081 instead of 22, they still have to defeat the normal ssh security
> before gaining access.
>
>


Thank you Steven, indeed posting my code helped me realize that it 
wasn't the secure code I thought it was.

The attacker compromised my counters database once again, and that helped 
me push my logic further and delve into how he succeeded.

Now, with the last changes I have made, my databases have been intact 
for 9 hours or so.

I feel a bit sad though, because if I hadn't been able to detect the flaw, 
nobody would have helped me solve it.


