Re: Code Security

Cloud computing is just another computer in a remote network. If you have a website with some host somewhere, you are cloud computing. Just run your site from a secure host.

On Sun, Mar 8, 2015 at 1:04 AM Ethan Rosenberg <erosenberg@xxxxxxxxxxxxxxxxxxxx> wrote:

> On 02/16/2015 12:10 AM, Mark Murphy wrote:
> > How do you prevent access to the second partition? What good is a second partition going to do? Both partitions are visible to the OS. If you only have a single OS, then both the client and the server are running on the same OS, and there is only one logon. The number of partitions is irrelevant.
> >
> > So your choices are choose a compiled language like C or Java, or use multiple computers. You can use a hammer to drive a screw if you get a big enough hammer, but you will probably break something and it won't work very well. You are trying to use PHP to do something it was never meant to do, and that can only turn out badly. You can think about it all you want, but you are just looking for a bigger hammer to drive something that isn't a nail.
> >
> > On Sun, Feb 15, 2015 at 7:21 PM, Ethan Rosenberg <erosenberg@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > On 02/15/2015 05:39 PM, Mark Murphy wrote:
> > >
> > > > I would say no. It isn't the hard drive that is the problem, you need a separate operating system.
> > > > My thought is that even a small retailer will already have a computer, so all you have to sell is the appliance which is all server. No one needs to log in to the server. To make it usable you just need a config application that will let the owner set the IP address.
> > > >
> > > > On Feb 15, 2015 1:25 PM, "Ethan Rosenberg" <erosenberg@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > >
> > > > > On 02/14/2015 08:54 PM, Mark Murphy wrote:
> > > > >
> > > > > > There might be a virtual machine solution, probably not the VMWare hypervisor since you can't get it to boot into one of the VMs. I don't know about any of the others. Maybe put the server at a hosting service like pair networks. You just can't run any scripted solution stand alone because of the security risks. You might be able to use something that encrypts the source, but it might have the same security risks for a determined attacker. Look at Zend Guard or Ioncube. These aren't free, but less expensive than a whole server.
> > > > > >
> > > > > > That said, the most secure option is a separate server machine which you could set up as a Linux box without the GUI, and a cheap 4 port switch to hook up to your POS client. No one needs to have logon authority to the server except you, or other support personnel. Kind of like a POS appliance.
> > > > > >
> > > > > > On Feb 14, 2015 8:27 PM, "Ethan Rosenberg" <erosenberg@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > > > >
> > > > > > > On 02/13/2015 02:12 PM, Mark Murphy wrote:
> > > > > > >
> > > > > > > > Ahh... You have both client and server on the same computer. While this might be fine for demonstration, it is not ok for production because you cannot keep anyone out of the code. If you are going to use PHP, you MUST -- I can't emphasize that enough -- you MUST have the server parts (PHP, Apache, MySQL) on a server machine that is separate from the client machine or you will not have any security. You can keep folks out of the database, but only until they look at the PHP code.
> > > > > > > >
> > > > > > > > On Fri, Feb 13, 2015 at 12:03 AM, Ethan Rosenberg <erosenberg@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > > > > > >
> > > > > > > > > On 02/06/2015 02:45 PM, Bastien Koert wrote:
> > > > > > > > >
> > > > > > > > > > Hold on, so you've written a point of sale app that exists on the client machine as whole? Does this take credit card data?
> > > > > > > > > >
> > > > > > > > > > If so, it's so un-fucking-secure that this should never see the light of day. The CC companies won't accept this at all and would remove any ability to accept CCs by the business. This style of app is in violation of so many terms of service (not to mention basic security programming practices when dealing with sensitive data).
> > > > > > > > > >
> > > > > > > > > > I worked with a guy who wrote an app like that (but not POS, still sensitive data). I took one look at it and yanked it from production and replaced it with a proper client / server app. It's not safe, it's not secure and to code a POS on a single machine that the user has access to is just dumb.
> > > > > > > > > >
> > > > > > > > > > I would strongly suggest that your client have a look at square or similar if he wants to process CC data.
> > > > > > > > > >
> > > > > > > > > > Bastien
> > > > > > > > > >
> > > > > > > > > > On Thu, Feb 5, 2015 at 11:24 PM, Ethan Rosenberg <erosenberg@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > > > > > > > >
> > > > > > > > > > > On 02/05/2015 11:04 AM, Bastien Koert wrote:
> > > > > > > > > > >
> > > > > > > > > > > > I'm with the two Richards on this, those users shouldn't have telnet access to the host server at all. Users should be using the browser to access your site.
> > > > > > > > > > > >
> > > > > > > > > > > > Other than that, the most important thing you can do is to regularly back up your code and database to another location so that if something happens to the working box (and likely all tech products, it's not IF it's WHEN) you can restore the code and database with minimal data loss.
> > > > > > > > > > > >
> > > > > > > > > > > > Bastien
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu Feb 05 2015 at 9:39:43 AM Omar Muhsin <mrfroasty@xxxxxxxxx> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > You forgot this one "keep the box OFFLINE ... best security" :-D
> > > > > > > > > > > > >
> > > > > > > > > > > > > On 05-02-15 14:10, Richard Quadling wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > 1 - Don't allow terminal access to your box.
> > > > > > > > > > > > > > 2 - Use a PHP byte code encoder (IonCube, Zend Guard) - not perfect as they can be reversed to access the code in a form.
> > > > > > > > > > > > > > 3 - Don't use PHP.
> > > > > > > > > > >
> > > > > > > > > > > ----
> > > > > > > > > > > Thanks to all.
> > > > > > > > > > >
> > > > > > > > > > > I apologize, but I did not properly define the problem I am addressing. I have written code for a POS [Point Of Sale] system to be used in a store. I don't expect the store owner to play with the code. His friends [or enemies] might try. There are two logins to the computer, ethan [me] and worker. Worker has to be able to access the code to use it. He has to be blocked from reading, writing or copying the code.
> > > > > > > > > > >
> > > > > > > > > > > How??
> > > > > > > > > > >
> > > > > > > > > > > TIA
> > > > > > > > > > >
> > > > > > > > > > > Ethan
> > > > > > > > > >
> > > > > > > > > > Bastien
> > > > > > > > > >
> > > > > > > > > > Cat, the other other white meat
> > > > > > > > >
> > > > > > > > > Grrr... I have a gingy cat, and she is very nice. Don't insult her [LOL]
> > > > > > > > >
> > > > > > > > > ---
> > > > > > > > >
> > > > > > > > > Thanks all.....
> > > > > > > > >
> > > > > > > > > Sorry, my fault by not being clear.
> > > > > > > > >
> > > > > > > > > The POS system is free standing and not on a network.
> > > > > > > > >
> > > > > > > > > The server is Apache.
> > > > > > > > >
> > > > > > > > > So ....
> > > > > > > > >
> > > > > > > > > Mr Nice has bought my system.
> > > > > > > > >
> > > > > > > > > His friend, Mr. Ugly, wants to steal my code.
> > > > > > > > >
> > > > > > > > > He asks Mr.[naive]Nice if he could look at the computer while it is logged in.
> > > > > > > > >
> > > > > > > > > Ctrl-Alt-F1  A terminal.
> > > > > > > > >
> > > > > > > > > cd /var/www
> > > > > > > > >
> > > > > > > > > cp *.* memoryStick  He now has my code
> > > > > > > > >
> > > > > > > > > look at the code to find out where the passwords are stored and copy to memoryStick
> > > > > > > > >
> > > > > > > > > history |grep mys*  He has the login, and hopefully the password
> > > > > > > > >
> > > > > > > > > show databases;
> > > > > > > > >
> > > > > > > > > /usr/bin/mysqldump -u root -p  Database /pathtodatabasefolder/Database.sql
> > > > > > > > >
> > > > > > > > > Everything gone!!!
> > > > > > > > >
> > > > > > > > > How do I prevent the above?
> > > > > > > > >
> > > > > > > > > TIA
> > > > > > > > >
> > > > > > > > > Ethan
> > > > > > >
> > > > > > > Thanks to ALL -
> > > > > > >
> > > > > > > Mark, proceeding with your suggestion... This is a stand-alone machine. Having two computers with the server side code on one of them, in this case would not be practical [or cost effective]. The question is how to implement your suggestion...
> > > > > > >
> > > > > > > 1] Can I partition the hard disk and turn it into a server?
> > > > > > > 2] Should I use two hard drives?
> > > > > > >
> > > > > > > Either way, I need to learn how to set up and run a server. Would someone please give me references as to working w/ a server.
> > > > > > >
> > > > > > > TIA
> > > > > > >
> > > > > > > Ethan
> > > > >
> > > > > Mark -
> > > > >
> > > > > Thanks a lot.
> > > > >
> > > > > This is a stand alone system designed to be sold to small stores. A second computer will destroy any possible profit.
> > > > >
> > > > > Let's try to innovate.....
> > > > >
> > > > > Can I 1] partition the hard drive with one of the partitions being the server or 2] install a second hard drive?
> > > > >
> > > > > TIA
> > > > >
> > > > > Ethan
> > >
> > > Mark -
> > >
> > > Thanks.
> > >
> > > A lot of these stores do not have computers. If they did, they would have a POS system. I'm trying to sell to these small "Mom & Pop" stores. BTW, a large bakery in this town does not have a computer.
> > >
> > > Let's try ...
> > >
> > > If I partition the hard drive, with the server on one partition [w/ no login]. Would it work?
> > >
> > > TIA
> > >
> > > Ethan
>
> ----
> Mark -
>
> Your comments are well taken. A solution, I think, is to have an independent server. Two computers for each setup is not cost effective from my end.
>
> Things in  have to be changed. All customers will be required to have or to acquire an internet connection.
>
> The server will be "the cloud".
>
> At this point, I have no knowledge of cloud computing.
>
> I do not wish to pummel you with questions concerning cloud storage and computing. I have to learn it myself. To enable me to do this, I have some simple questions...
>
> 1] What sites would you recommend, with respect to both cost and data security?
>
> 2] What references, both in print and on the internet would you recommend for gaining knowledge in cloud computing?
>
> TIA
>
> Ethan
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
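A defender-side check for the scenario Ethan lays out in the quoted thread (a second local login on the same box copying /var/www, then mining shell history for the MySQL login), added here as an example and not code from the thread or any of its participants. It assumes a Linux box where the web server runs in its own group (www-data is assumed); the sample docroot and history lines are constructed.

```python
import re
import stat
import tempfile
from pathlib import Path

# Assumption: the usual CLI spellings that leave a MySQL password in history.
INLINE_PW = re.compile(r"\bmysql(?:dump)?\b.*?(?:\s-p\S+|\s--password=\S+)")
SOURCE_SUFFIXES = (".php", ".inc", ".ini", ".sql")


def world_readable_sources(docroot):
    """Source/config files under docroot that 'other' can read. The thread's
    'worker' login is neither owner nor in the web server's group, so an o+r
    file is exactly what 'cp' to a memory stick collects."""
    found = []
    for path in Path(docroot).rglob("*"):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            if path.stat().st_mode & stat.S_IROTH:
                found.append(str(path.relative_to(docroot)))
    return sorted(found)

def harden_docroot(docroot):
    """Drop the 'other' bits (dirs 750, files 640) and re-audit. In production
    also chgrp the tree to the web server's group (www-data on Debian/Ubuntu)
    so PHP keeps read access; that needs root and is left out here."""
    root = Path(docroot)
    root.chmod(0o750)
    for path in root.rglob("*"):
        path.chmod(0o750 if path.is_dir() else 0o640)
    return world_readable_sources(docroot)

def leaked_db_logins(history_text):
    """History lines passing a MySQL password on the command line. A bare
    '-p' (prompted) is fine; '-pSECRET' or '--password=SECRET' is not."""
    return [ln for ln in history_text.splitlines() if INLINE_PW.search(ln)]

def build_sample_docroot():
    """Constructed sample: a tiny docroot the way a default deploy leaves it."""
    root = Path(tempfile.mkdtemp(prefix="pos-docroot-"))
    (root / "inc").mkdir()
    (root / "index.php").write_text("<?php require 'inc/db.inc'; ?>\n")
    (root / "inc" / "db.inc").write_text("<?php $pw = 'example-only'; ?>\n")
    (root / "index.php").chmod(0o644)       # world-readable: copyable by worker
    (root / "inc" / "db.inc").chmod(0o600)  # owner-only: already safe
    return str(root)

# Constructed history lines modelled on the thread's "history | grep mys" step.
SAMPLE_HISTORY = """\
cd /var/www
mysql -u root -pS3cr3t posdb
mysqldump -u root -p posdb > /tmp/Database.sql
mysql --user=pos --password=hunter2 posdb
history | grep mys
"""
```

Point both functions at the real /var/www and at ~/.bash_history and ~/.mysql_history of every login on the box; an empty result from each is the state Richard's "no terminal access" advice is meant to guarantee even when a terminal is reachable.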
