[Tutor] Security [Was: Re: Decoding]

Michael Sparks ms at cerenity.org
Tue Aug 14 21:42:43 CEST 2007


On Tuesday 14 August 2007 16:48, Eric Brunson wrote:
...
> The only thing I can imagine is 
> that you're stuck in some DOS mindset that if you're able to type into
> "the console" then you have ultimate access to the machine, which is not
> the case when using a true multi-user operating system like *nix or VMS.
>
> But, most strange to me is why you're this fired up over such a simple
> issue.  It seems to me like just a misunderstanding.

I'm not particularly fired up; text comes across much harsher than it looks. 
(Also, people being particularly patronising, like you have above, is 
particularly irritating.) Last time I used VMS was 12 years ago. I'm not 
missing your point or anyone else's, and I've not used DOS for 10 years, so 
I'm hardly stuck in a DOS mindset (been developing under Linux for over 10 
years).

Yes, there are a tiny set of scenarios where doing eval(raw_input(...)) could 
be a problem. The idea that it's always a gaping security hole is completely 
bogus.

The scenarios raised I've never once seen happen, despite having seen
a number of systems where you either ssh in or telnet into a specialised
console (routers and other network appliances).

What was irritating was I was saying:
   * Scenario A (and only that scenario) is hardly a risk considering 
     in >99% of cases where the user can type something in response to
     eval(raw_input(...)) they have FAR more ways of causing problems.

   * The response I was getting was that this was wrong because
     *other scenarios* were dangerous. 

Yes, other scenarios are wrong. Denouncing a piece of code as a gaping 
security hole without discussing the context is irresponsible.

That and being taught to suck eggs is irritating. I've been evaluating 
security of network systems for 10 years and coding for 25 years. 

After all, a piece of code is never a security risk by itself. It's how that
code is deployed and used that _can_ be.


Michael.
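An added example, not part of the thread above and not Michael's or Eric's code: the same "read a value typed at the console" step written three ways, so the difference in what each variant will execute is visible. It assumes Python 3 (input() plays the role of Python 2's raw_input()), and the sample inputs are constructed strings, not a real session. The point the thread is arguing over is context: if the person at the console is a trusted operator, eval() is merely generous; if the text can come from anyone else, the narrower readers confine what the program will run.

```python
"""Three ways to turn console text into a value (added example, Python 3)."""

import ast


def eval_reader(text):
    """The pattern discussed in the thread: whatever is typed is evaluated as
    a Python expression. Fine for a trusted operator at a console, but it
    will run any expression, not just literals."""
    return eval(text)  # intentionally the pattern under discussion


def literal_reader(text):
    """Hardened variant: ast.literal_eval accepts only Python literals
    (numbers, strings, tuples, lists, dicts, sets, booleans, None) and
    raises ValueError for names, calls or arbitrary operators."""
    return ast.literal_eval(text)


def int_reader(text):
    """Narrowest variant: when an integer is expected, parse an integer
    and nothing else."""
    return int(text.strip())


# Constructed sample inputs. The first two are what a cooperative user might
# type; the third is a function call, i.e. an expression rather than a
# literal, which eval() runs and literal_eval() refuses.
SAMPLES = ["42", "[1, 2, 3]", "len('abcd') + 1"]


def classify(reader, text):
    """Apply a reader to text and report ("ok", value) or
    ("rejected", exception class name) instead of raising."""
    try:
        return ("ok", reader(text))
    except (ValueError, SyntaxError, TypeError) as exc:
        return ("rejected", type(exc).__name__)


def compare_readers(samples=SAMPLES):
    """Build a table {input: {reader name: outcome}} for all three readers."""
    readers = {
        "eval": eval_reader,
        "literal_eval": literal_reader,
        "int": int_reader,
    }
    return {
        text: {name: classify(reader, text) for name, reader in readers.items()}
        for text in samples
    }


if __name__ == "__main__":
    # In a real program the text would come from input(); here the constructed
    # samples stand in for it so the script runs without a terminal session.
    for text, outcomes in compare_readers().items():
        print(repr(text))
        for name, outcome in outcomes.items():
            print("    %-12s %s" % (name, outcome))
```

Running it shows that all three readers agree on "42", that only eval and literal_eval accept the list, and that only eval evaluates the call: literal_eval rejects it with ValueError, int with ValueError as well. Which reader is appropriate depends, exactly as the thread says, on who can type into that prompt.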


