free tool to encrypt php?
on 18.10.2007 03:08:31 by cmk128
Hi
Any free tool i can use to encrypt my php source code?
thanks
from Peter (cmk128@hotmail.com)
Try Turck MMCache:
http://turck-mmcache.sourceforge.net/index_old.html#encoder
On Oct 17, 8:08 pm, cmk...@hotmail.com wrote:
> Hi
> Any free tool i can use to encrypt my php source code?
> thanks
> from Peter (cmk...@hotmail.com)
cmk128@hotmail.com wrote:
>
> Any free tool i can use to encrypt my php source code?
Are you talking about something to shroud the variable names and remove
spaces and comments? Why? What would be the point? Browsers can't fetch
the code anyway, unless things are misconfigured.
--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
Tim Roberts
news:vasdh3toicgjb5cnlc391mlj28ft3i27b7@4ax.com:
> cmk128@hotmail.com wrote:
>>
>> Any free tool i can use to encrypt my php source code?
>
> Are you talking about something to shroud the variable names and
> remove spaces and comments? Why? What would be the point? Browsers
> can't fetch the code anyway, unless things are misconfigured.
My theory is program on the web like they can see your source code. The
only issue I haven't solved is that of DB password in scripts.
Puckdropper
--
Wise is the man who attempts to answer his question before asking it.
To email me directly, send a message to puckdropper (at) fastmail.fm
"Puckdropper"
news:47181b9c$0$47112$892e7fe2@authen.yellow.readfreenews.net...
> Tim Roberts
> news:vasdh3toicgjb5cnlc391mlj28ft3i27b7@4ax.com:
>
>> cmk128@hotmail.com wrote:
>>>
>>> Any free tool i can use to encrypt my php source code?
>>
>> Are you talking about something to shroud the variable names and
>> remove spaces and comments? Why? What would be the point? Browsers
>> can't fetch the code anyway, unless things are misconfigured.
>
> My theory is program on the web like they can see your source code.
Nobody can see your PHP code unless your server is mis-configured.
--
Richard.
rf wrote:
> "Puckdropper"
> news:47181b9c$0$47112$892e7fe2@authen.yellow.readfreenews.net...
>> Tim Roberts
>> news:vasdh3toicgjb5cnlc391mlj28ft3i27b7@4ax.com:
>>
>>> cmk128@hotmail.com wrote:
>>>> Any free tool i can use to encrypt my php source code?
>>> Are you talking about something to shroud the variable names and
>>> remove spaces and comments? Why? What would be the point? Browsers
>>> can't fetch the code anyway, unless things are misconfigured.
>> My theory is program on the web like they can see your source code.
>
> Nobody can see your PHP code unless your server is mis-configured.
>
...or they have other ways to access where it's kept.
"The Natural Philosopher" wrote in message
news:1192770150.20750.0@proxy00.news.clara.net...
> rf wrote:
>> "The Natural Philosopher" wrote in message
>> news:1192764334.33794.1@demeter.uk.clara.net...
>>> rf wrote:
>>>> "Puckdropper"
>>>> news:47181b9c$0$47112$892e7fe2@authen.yellow.readfreenews.net...
>>>>> Tim Roberts
>>>>> news:vasdh3toicgjb5cnlc391mlj28ft3i27b7@4ax.com:
>>>>>
>>>>>> cmk128@hotmail.com wrote:
>>>>>>> Any free tool i can use to encrypt my php source code?
>>>>>> Are you talking about something to shroud the variable names and
>>>>>> remove spaces and comments? Why? What would be the point? Browsers
>>>>>> can't fetch the code anyway, unless things are misconfigured.
>>>>> My theory is program on the web like they can see your source code.
>>>> Nobody can see your PHP code unless your server is mis-configured.
>>>>
>>> ..or they have other ways to access where it's kept.
>>
>> I.E. your server is mis-configured.
>>
> Oh. I thought you meant the web server code itself, rather than the box/OS
> on which it is kept..
Er, what?
> Anyway, being able to access the code is part of what the system
> maintainer has to do, so it's always accessible to *someone*. That's
> *correct* configuration.
>
> The issue is how much of a door that leaves open and whether or not
> disguising it is of any real use..
You have to trust someone. You trust your bank manager to not make off with
your money. So too must you trust your host to keep your stuff private.
Besides, the same principles apply here as with hiding HTML. The desire to
hide code is inversely proportional to the possible value of that code to
someone else.
--
Richard.
"rf"
server.bigpond.net.au:
>
> "Puckdropper"
> news:47181b9c$0$47112$892e7fe2@authen.yellow.readfreenews.net...
>> Tim Roberts
>> news:vasdh3toicgjb5cnlc391mlj28ft3i27b7@4ax.com:
>>
>>> cmk128@hotmail.com wrote:
>>>>
>>>> Any free tool i can use to encrypt my php source code?
>>>
>>> Are you talking about something to shroud the variable names and
>>> remove spaces and comments? Why? What would be the point? Browsers
>>> can't fetch the code anyway, unless things are misconfigured.
>>
>> My theory is program on the web like they can see your source code.
>
> Nobody can see your PHP code unless your server is mis-configured.
>
Sure, and what do you propose gets done if that's the case? I don't
control my server's configuration, nor would I want to. If I'm working
on securing and updating my server, I'll not have time to write code.
Best to let someone else do it and program like your code is public.
Relying on the idea that no one can see your code unless the server is
mis-configured is false laziness. (From Larry Wall's 3 virtues of a
good programmer. I know, this isn't a Perl newsgroup.)
Puckdropper
--
Wise is the man who attempts to answer his question before asking it.
To email me directly, send a message to puckdropper (at) fastmail.fm
rf wrote:
> "The Natural Philosopher" wrote in message
> news:1192770150.20750.0@proxy00.news.clara.net...
>> rf wrote:
>>> "The Natural Philosopher" wrote in message
>>> news:1192764334.33794.1@demeter.uk.clara.net...
>>>> rf wrote:
>>>>> "Puckdropper"
>>>>> news:47181b9c$0$47112$892e7fe2@authen.yellow.readfreenews.net...
>>>>>> Tim Roberts
>>>>>> news:vasdh3toicgjb5cnlc391mlj28ft3i27b7@4ax.com:
>>>>>>
>>>>>>> cmk128@hotmail.com wrote:
>>>>>>>> Any free tool i can use to encrypt my php source code?
>>>>>>> Are you talking about something to shroud the variable names and
>>>>>>> remove spaces and comments? Why? What would be the point? Browsers
>>>>>>> can't fetch the code anyway, unless things are misconfigured.
>>>>>> My theory is program on the web like they can see your source code.
>>>>> Nobody can see your PHP code unless your server is mis-configured.
>>>>>
>>>> ..or they have other ways to access where it's kept.
>>> I.E. your server is mis-configured.
>>>
>> Oh. I thought you meant the web server code itself, rather than the box/OS
>> on which it is kept..
>
> Er, what?
i.e., apache is a server, but so is apache on Linux on a PC, ...
>
>> Anyway, being able to access the code is part of what the system
>> maintainer has to do, so it's always accessible to *someone*. That's
>> *correct* configuration.
>>
>> The issue is how much of a door that leaves open and whether or not
>> disguising it is of any real use..
>
> You have to trust someone. You trust your bank manager to not make off with
> your money. So too must you trust your host to keep your stuff private.
>
I don't actually. ;-)
> Besides, the same principles apply here as with hiding HTML. The desire to
> hide code is inversely proportional to the possible value of that code to
> someone else.
>
I'd say it's actually a lot more complex than that, and is also a function
of FUD and ignorance.
"The Natural Philosopher" wrote in message
news:1192789593.45390.0@iris.uk.clara.net...
> rf wrote:
>> "The Natural Philosopher" wrote in message
>> news:1192770150.20750.0@proxy00.news.clara.net...
>>> rf wrote:
>>>> I.E. your server is mis-configured.
>>>>
>>> Oh. I thought you meant the web server code itself, rather than the
>>> box/OS on which it is kept..
>>
>> Er, what?
>
> i.e., apache is a server, but so is apache on Linux on a PC, ...
Er, what? None of this makes any sense at all to me. I agree that apache is
a web server but what does the rest of the above sentence mean? That apache
is also a server if it is running under Linux on a PC. Well duh, I suppose
so, since apache is, in fact, a server.
Your point?
--
Richard.
Puckdropper
>
>My theory is program on the web like they can see your source code. The
>only issue I haven't solved is that of DB password in scripts.
That's a very good point. I'd be curious to know what others have done
about that.
I've considered setting my database so that the user "apache" has no
password; I'm not sure that's any better or worse than putting the password
in a .php source file.
--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
Tim Roberts wrote:
> Puckdropper
>> My theory is program on the web like they can see your source code. The
>> only issue I haven't solved is that of DB password in scripts.
>
> That's a very good point. I'd be curious to know what others have done
> about that.
>
> I've considered setting my database so that the user "apache" has no
> password; I'm not sure that's any better or worse than putting the password
> in a .php source file.
Worse. That way anyone who uploads a script can access your database.
With a userid/password, they have to download it first.
If you want perfect security, take your machine, disconnect it from any
communications links, stick it in an RF-shielded room running on
batteries and close and weld the door shut. No one should be able to
access your private data that way.
Short of that, there is no way. And if you're using shared hosting,
every admin on your hosting service has access to everything on your site.
Security is not about prevention, just like there is no way to prevent
someone from breaking into your home. There is no such thing. What it
is is about identifying undesired ways of accessing your files and
limiting the effect of exposure. It's just like locking your valuables
in a bank vault to limit your exposure if someone breaks into your house.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Jerry Stuckle wrote:
> Security is not about prevention, just like there is no way to prevent
> someone from breaking into your home. There is no such thing. What it
> is is about identifying undesired ways of accessing your files and
> limiting the effect of exposure. It's just like locking your valuables
> in a bank vault to limit your exposure if someone breaks into your house.
>
It may go no further than simply living quietly, so that no one knows or
cares where you live, and never looking like you have anything worth
stealing.
Greetings, The Natural Philosopher.
In reply to Your message dated Friday, October 19, 2007, 14:26:33,
>>>>> ..or they have other ways to access where it's kept.
>>>> I.E. your server is mis-configured.
TNP> i.e., apache is a server, but so is apache on Linux on a PC, ...
In the statement above, "server" means whole hardware+OS+software complex, not
specific service like Apache.
--
Sincerely Yours, AnrDaemon
AnrDaemon wrote:
> Greetings, The Natural Philosopher.
> In reply to Your message dated Friday, October 19, 2007, 14:26:33,
>
>>>>>> ..or they have other ways to access where it's kept.
>>>>> I.E. your server is mis-configured.
>
> TNP> i.e., apache is a server, but so is apache on Linux on a PC, ...
>
> In the statement above, "server" means whole hardware+OS+software complex, not
> specific service like Apache.
>
>
Gosh. Golly. My telepathy is pretty poor. I couldn't work that out
unambiguously. ;-)
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>
>> Security is not about prevention, just like there is no way to prevent
>> someone from breaking into your home. There is no such thing. What
>> it is is about identifying undesired ways of accessing your files and
>> limiting the effect of exposure. It's just like locking your
>> valuables in a bank vault to limit your exposure if someone breaks
>> into your house.
>>
> It may go no further than simply living quietly, so that no one knows or
> cares where you live, and never looking like you have anything worth
> stealing.
>
>
Nope. Security by obscurity is no security at all.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>
>>> Security is not about prevention, just like there is no way to
>>> prevent someone from breaking into your home. There is no such
>>> thing. What it is is about identifying undesired ways of accessing
>>> your files and limiting the effect of exposure. It's just like
>>> locking your valuables in a bank vault to limit your exposure if
>>> someone breaks into your house.
>>>
>> It may go no further than simply living quietly, so that no one knows
>> or cares where you live, and never looking like you have anything
>> worth stealing.
>>
>>
>
> Nope. Security by obscurity is no security at all.
>
Oh, indeed it is.
Jerry Stuckle
news:NMKdnXj5iuTXwIbanZ2dnUVZ_uLinZ2d@comcast.com:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>
>>> Security is not about prevention, just like there is no way to
>>> prevent someone from breaking into your home. There is no such
>>> thing. What it is is about identifying undesired ways of accessing
>>> your files and limiting the effect of exposure. It's just like
>>> locking your valuables in a bank vault to limit your exposure if
>>> someone breaks into your house.
>>>
>> It may go no further than simply living quietly, so that no one knows
>> or cares where you live, and never looking like you have anything
>> worth stealing.
>>
>>
>
> Nope. Security by obscurity is no security at all.
>
Security at times is simply the process of making yourself look like a
smaller fish next to a big one. You're not going to prevent someone from
getting in if they really want to, but you can prevent the script kiddies
and crackers from getting in easily.
A touch of obscurity improves security, but any more than that just gives
a false sense of security.
Puckdropper
--
Wise is the man who attempts to answer his question before asking it.
To email me directly, send a message to puckdropper (at) fastmail.fm
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> The Natural Philosopher wrote:
>>> Jerry Stuckle wrote:
>>>
>>>> Security is not about prevention, just like there is no way to
>>>> prevent someone from breaking into your home. There is no such
>>>> thing. What it is is about identifying undesired ways of accessing
>>>> your files and limiting the effect of exposure. It's just like
>>>> locking your valuables in a bank vault to limit your exposure if
>>>> someone breaks into your house.
>>>>
>>> It may go no further than simply living quietly, so that no one knows
>>> or cares where you live, and never looking like you have anything
>>> worth stealing.
>>>
>>>
>>
>> Nope. Security by obscurity is no security at all.
>>
> Oh, indeed it is.
>
Not at all. It is false security.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Gary L. Burnore wrote:
> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
>
>
>
>> Security is not about prevention,
>
> WHAT? What a complete and totally moronic thing to say, Jerry.
>
> Security is about many things of which prevention is one.
>
No responsible person in the security field will ever claim that.
There is no such thing as "prevention". That would indicate that
something can't happen, which is impossible to do.
For instance, banks have been trying to prevent robberies for hundreds
of years. Nowadays they have CCTV, armed guards, vaults, silent
alarms... the list goes on. But they still get robbed. Because there
is no "prevention".
As for computer security - the only way to "prevent" someone from
accessing a server is to disconnect it from all communications, seal it
in an RF proof room and run it off batteries or other local power. But
there's still the possibility of someone breaking into the room.
>
>> just like there is no way to prevent
>> someone from breaking into your home. There is no such thing. What it
>> is is about identifying undesired ways of accessing your files and
>> limiting the effect of exposure.
>
> Limiting exposure is one form of prevention, Jerry.
>
No, limiting exposure is not about prevention. It's about minimizing
loss when something does happen.
>
>> It's just like locking your valuables in a bank vault to limit your exposure if someone breaks into your house.
>
> Not exactly, but you're close. You might be good at programming but
> you're really bad at security or at least bad at explaining it.
Not at all. It's exactly what security is about.
Security professionals are paranoid. They assume that a break-in will
occur. What they do is minimize the holes someone might get through.
But more importantly, they minimize the effects if and when a break-in
does occur.
At no time will a responsible security professional claim anything about
preventing break-ins.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
"Gary L. Burnore"
news:ffg1n1$d6e$1@blackhelicopter.databasix.com...
> On Sun, 21 Oct 2007 15:50:03 +0100, The Natural Philosopher
>>> Nope. Security by obscurity is no security at all.
>>>
[snip]
> Locking your door would be a form of prevention that could easily keep
> it from happening. Will it keep everyone out? No. but it'd keep out
> the crackhead who'd just go to the next house to look for an unlocked
> door.
Yeah -but if you obscure the door well, you don't have to worry about
locking it.
"Jerry Stuckle"
news:HZqdnWi_EtW0DobanZ2dnUVZ_vfinZ2d@comcast.com...
> The Natural Philosopher wrote:
>>> Nope. Security by obscurity is no security at all.
>>>
>> Oh, indeed it is.
>
> Not at all. It is false security.
The only total security is to unplug the damned thing.
Everything else either works, or it doesn't.
If obscurity keeps the bad guys away - it's REAL security.
It's painfully common for Republican folks like Jerry here to tell people
who are perfectly safe that they are not.
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:HZqdnWi_EtW0DobanZ2dnUVZ_vfinZ2d@comcast.com...
>> The Natural Philosopher wrote:
>
>>>> Nope. Security by obscurity is no security at all.
>>>>
>>> Oh, indeed it is.
>> Not at all. It is false security.
>
> The only total security is to unplug the damned thing.
> Everything else either works, or it doesn't.
> If obscurity keeps the bad guys away - it's REAL security.
>
But obscurity doesn't keep bad guys away. That's the false assumption.
> It's painfully common for Republican folks like Jerry here to tell people
> who are perfectly safe that they are not.
>
I'm telling people obscurity is NOT safe.
You're telling them that obscurity IS safe.
Who's telling people they are perfectly safe when they're not, Sanders?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Gary L. Burnore
@blackhelicopter.databasix.com:
> On Sun, 21 Oct 2007 14:05:33 -0400, Jerry Stuckle
>
>
>>Gary L. Burnore wrote:
>>> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
*snip*
>>>
>>> Security is about many things of which prevention is one.
>>>
>>
>>No responsible person in the security field will ever claim that.
>
> I'm a responsible person in the security field and I claim that. I've
> been taught that and I teach that. That being that many things make
> up good security. Prevention is one part of security.
>
>
>>
>>There is no such thing as "prevention". That would indicate that
>>something can't happen, which is impossible to do.
>>
>>For instance, banks have been trying to prevent robberies for hundreds
>>of years.
>
>
*snip*
Prevention isn't about 100% prevention, but mainly deterrence. With
preventative efforts, you simply try to make it more difficult to get to
your systems. Maybe then the would-be attacker gets bored or frustrated
and gives up.
Prevention isn't the only line of defense, of course. If the attacker
does succeed, you have to try to limit the amount of exposure.
Puckdropper
--
Wise is the man who attempts to answer his question before asking it.
To email me directly, send a message to puckdropper (at) fastmail.fm
"Gary L. Burnore"
news:ffgato$3n6$2@blackhelicopter.databasix.com...
> On Sun, 21 Oct 2007 18:42:40 GMT, "Sanders Kaufman"
>>>>> Nope. Security by obscurity is no security at all.
>>>>>
>>>> Oh, indeed it is.
>>>
>>> Not at all. It is false security.
>>
>>The only total security is to unplug the damned thing.
>
> So if you can't have total security, simply obscure it and leave it
> unlocked?
If that's how you interpret what I said - go for it, dude.
>>Everything else either works, or it doesn't.
>>If obscurity keeps the bad guys away - it's REAL security.
>
> Except obscurity keeps no one away.
Which is fine - because it draws no one.
Which would you rather have - a well-defended border, or an unassaulted one.
"Gary L. Burnore"
news:ffgar8$3n6$1@blackhelicopter.databasix.com...
> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>>Yeah -but if you obscure the door well, you don't have to worry about
>>locking it.
>
> Not true at all. Comparing it to hacking, someone tries everything
> whether or not it looks like a knob until something opens. Locking
> the door would prevent that.
No - locking the door only slows them down after an attack has begun.
If you want to PREVENT the attack - obscure the target.
You can't hit what you can't see.
"Jerry Stuckle"
news:vI2dnQmcHuLAL4banZ2dnUVZ_rXinZ2d@comcast.com...
> Sanders Kaufman wrote:
>> The only total security is to unplug the damned thing.
>> Everything else either works, or it doesn't.
>> If obscurity keeps the bad guys away - it's REAL security.
>
> But obscurity doesn't keep bad guys away. That's the false assumption.
Actually - it's a proven security strategy that has worked for thousands of
years.
What is it about y'all Republicans that you simply WILL NOT learn from
history?
When I was in the Navy, one of my favorite pieces of crypto gear was a
[redacted].
What was so cool about this thing was when you cracked the box, there were
all these PC cards and wires and flashing lights.
But none of that stuff did *anything*.
The crypto circuitry was all embedded in the box's casing.
When you cracked the case, it toggled control over to the components so that
they would appear to be functional to anyone who tried to hack it.
But then there's you - some crazy guy on Usenet who angrily insists, "it'll
never work".
Ha!
..oO(Jerry Stuckle)
>Gary L. Burnore wrote:
>>
>> Security is about many things of which prevention is one.
>
>No responsible person in the security field will ever claim that.
>
>There is no such thing as "prevention". That would indicate that
>something can't happen, which is impossible to do.
If a file is stored outside the document root, it can't be accessed by a
URL. That's prevention.
If you allow the user to submit a value out of [1, 2, 3] to a form
processing script and check it against the set of allowed values, they
can't inject a 4. That's prevention.
>For instance, banks have been trying to prevent robberies for hundreds
>of years. Nowadays they have CCTV, armed guards, vaults, silent
>alarms... the list goes on. But they still get robbed. Because there
>is no "prevention".
There are things that _can_ be prevented and there are things where you
can just lower the probability of it happening.
Micha
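As an added example (it is not code from this thread or from any poster), here is one way to put into practice the two points Micha makes above, which also answers the question Puckdropper and Tim Roberts raised earlier about the database password sitting in a .php file: the credentials live in a file outside the document root, so no URL maps to them, and the form value is checked against a fixed set of allowed values before it goes anywhere near the database. The directory layout, the `config/db.php` file, the `choice` form field, the `$allowed` set and the `options` table are all assumptions made for the example.

```php
<?php
// Added example, not from the thread. Assumed layout:
//   /var/www/example.com/public/       <- DocumentRoot; this script lives here
//   /var/www/example.com/config/db.php <- above DocumentRoot; no URL maps to it
//
// The web server only serves files under DocumentRoot, so a request for
// /config/db.php resolves to nothing. The file is still readable by PHP
// running on the box (and, as Jerry notes, by the host's admins).

declare(strict_types=1);

// Load credentials from outside the document root.
// config/db.php is expected to `return` an array, e.g.:
//   <?php return ['dsn' => 'mysql:host=localhost;dbname=app',
//                 'user' => 'app', 'pass' => 'placeholder-password'];
function loadDbConfig(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException('Database config not found or not readable');
    }
    $cfg = require $path;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("Database config is missing '$key'");
        }
    }
    return $cfg;
}

// Allowlist check: the submitted value must be one of a fixed set.
// Returns the accepted integer, or null for anything else ("4", "", " 2", "2abc").
function allowedChoice($raw, array $allowed): ?int
{
    if (!is_string($raw) || !preg_match('/^[0-9]+\z/', $raw)) {
        return null;
    }
    $value = (int) $raw;
    return in_array($value, $allowed, true) ? $value : null;
}

$configPath = dirname(__DIR__) . '/config/db.php';  // one level above public/
$allowed    = [1, 2, 3];                             // the set from Micha's example

$choice = allowedChoice($_POST['choice'] ?? null, $allowed);
if ($choice === null) {
    http_response_code(400);
    exit('Invalid choice');
}

try {
    $cfg = loadDbConfig($configPath);
    $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
} catch (Throwable $e) {
    // Log the detail; never echo it, since it can contain the DSN or password.
    error_log('DB setup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}

// $choice is known to be 1, 2 or 3; bind it anyway rather than interpolating.
$stmt = $pdo->prepare('SELECT name FROM options WHERE id = :id');
$stmt->execute([':id' => $choice]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

header('Content-Type: text/plain; charset=utf-8');
echo $row ? $row['name'] : "No option with id $choice";
```

Two things the thread's discussion implies about this layout: the config file should be readable only by the account PHP runs as (so an unrelated local account cannot simply read it), and, as Jerry points out, that does not stop a script someone manages to upload under that same account from reading it, nor the hosting provider's admins. Moving the file out of the document root closes the URL path Micha describes; it is not a substitute for keeping the web root free of untrusted scripts.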
>>>> Nope. Security by obscurity is no security at all.
>>>>
>[snip]
>
>> Locking your door would be a form of prevention that could easily keep
>> it from happening. Will it keep everyone out? No. but it'd keep out
>> the crackhead who'd just go to the next house to look for an unlocked
>> door.
>
>Yeah -but if you obscure the door well, you don't have to worry about
>locking it.
Until someone observes you leaving your house, and then they know where the
door is. It still might take some time to find the knob.
"Gary L. Burnore"
news:ffgev4$c3t$2@blackhelicopter.databasix.com...
> On Sun, 21 Oct 2007 20:45:51 GMT, "Sanders Kaufman"
>>What is it about y'all Republicans that you simply WILL NOT learn from
>>history?
>
> Who cares what his political background is. He's wrong on a lot of
> things, but not about obscurity not keeping bad guys away.
It's easier to just say "He's a Republican" than to detail all the different
ways he's wrong.
"Gary L. Burnore"
news:ffgerr$c3t$1@blackhelicopter.databasix.com...
> On Sun, 21 Oct 2007 20:45:51 GMT, "Sanders Kaufman"
>>No - locking the door only slows them down after an attack has begun.
>
> By which time you could have a gun inside, pointed at them. Were it
> unlocked, they'd walk right in.
That's a fine way to retaliate AFTER an attack - but a lousy way to prevent
one.
Notably that's how the original Lotus 1-2-3 DRM security worked.
If you installed an unlicensed copy - it didn't just not work, it vandalized
the system.
Now - it's illegal to do that.
It's interesting that those of you who think obscurity is NOT security,
ignore prevention, focusing instead on retaliation.
It's not just bad software design.
It's bad character.
"Gordon Burditt"
news:13hnflhmt3ajif2@corp.supernews.com...
>>Yeah -but if you obscure the door well, you don't have to worry about
>>locking it.
>
> Until someone observes you leaving your house, and then they know where
> the
> door is.
I particularly enjoy the way you disagree with me... by agreeing with me.
"Gary L. Burnore"
news:ffgg17$c3t$8@blackhelicopter.databasix.com...
> On Sun, 21 Oct 2007 21:03:45 -0000, gordonb.0dr8y@burditt.org (Gordon
>>Until someone observes you leaving your house, and then they know where
>>the
>>door is. It still might take some time to find the knob.
>
> And back to IT, it's well known that the script kiddies have all day
> to turn everything from an ant to a zebra and all of the sticks, twigs
> and leaves in between until they find said knob. Then, while he (you
> snipped the attribution and I'm not going back to look at who the he
> was in this case) is busy thinking everything's cool because he's
> obscure, the script kiddies are all talking about how to find the door
> by lifting the leaf, turning the zebra and stepping firmly on the ant.
Before they can hack the system - they have to FIND the system.
Sanders Kaufman wrote:
> "Gary L. Burnore"
> news:ffgar8$3n6$1@blackhelicopter.databasix.com...
>> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>
>>> Yeah -but if you obscure the door well, you don't have to worry about
>>> locking it.
>> Not true at all. Comparing it to hacking, someone tries everything
>> whether or not it looks like a knob until something opens. Locking
>> the door would prevent that.
>
> No - locking the door only slows them down after an attack has begun.
> If you want to PREVENT the attack - obscure the target.
> You can't hit what you can't see.
>
>
>
Sure you can. It's harder, but not at all impossible.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Sanders Kaufman wrote:
> "Gary L. Burnore"
> news:ffgg17$c3t$8@blackhelicopter.databasix.com...
>> On Sun, 21 Oct 2007 21:03:45 -0000, gordonb.0dr8y@burditt.org (Gordon
>
>>> Until someone observes you leaving your house, and then they know where
>>> the
>>> door is. It still might take some time to find the knob.
>> And back to IT, it's well known that the script kiddies have all day
>> to turn everything from an ant to a zebra and all of the sticks, twigs
>> and leaves in between until they find said knob. Then, while he (you
>> snipped the attribution and I'm not going back to look at who the he
>> was in this case) is busy thinking everything's cool because he's
>> obscure, the script kiddies are all talking about how to find the door
>> by lifting the leaf, turning the zebra and stepping firmly on the ant.
>
> Before they can hack the system - they have to FIND the system.
>
>
>
Which is very easy to do. Script kiddies do it every day.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:vI2dnQmcHuLAL4banZ2dnUVZ_rXinZ2d@comcast.com...
>> Sanders Kaufman wrote:
>
>>> The only total security is to unplug the damned thing.
>>> Everything else either works, or it doesn't.
>>> If obscurity keeps the bad guys away - it's REAL security.
>> But obscurity doesn't keep bad guys away. That's the false assumption.
>
> Actually - it's a proven security strategy that has worked for thousands of
> years.
It's a proven strategy which has given a false sense of security for
thousands of years.
> What is it about y'all Republicans that you simply WILL NOT learn from
> history?
>
What is it about you Democrats which allows you to ignore real
vulnerabilities and turn the truth around?
> When I was in the Navy, one of my favorite pieces of crypto gear was a
> [redacted].
Whoopee.
> What was so cool about this thing was when you cracked the box, there were
> all these PC cards and wires and flashing lights.
> But none of that stuff did *anything*.
So?
> The crypto circuitry was all embedded in the box's casing.
> When you cracked the case, it toggled control over to the components so that
> they would appear to be functional to anyone who tried to hack it.
>
And what does this have to do with things?
> But then there's you - some crazy guy on Usenet who angrily insists, "it'll
> never work".
> Ha!
>
And anyone with any intelligence would quickly figure that out. And
your "obscurity" would be worthless.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
"Jerry Stuckle"
news:6-udnfkMZ_XKfYbanZ2dnUVZ_hqdnZ2d@comcast.com...
> Sanders Kaufman wrote:
>> Actually - it's a proven security strategy that has worked for thousands
>> of years.
>
> It's a proven strategy which has given a false sense of security for
> thousands of years.
Wow - it's proven AND it's false, eh?
The wild thing is that you probably, honestly, believe that
self-contradictory statement.
>> What is it about y'all Republicans that you simply WILL NOT learn from
>> history?
>
> What is it about you Democrats which allows you to ignore real
> vulnerabilities and turn the truth around?
I'm no Democrat.
What is it about you Republicans that you see everything in partisan terms?
Gary L. Burnore wrote:
> On Sun, 21 Oct 2007 14:05:33 -0400, Jerry Stuckle
>
>
>> Gary L. Burnore wrote:
>>> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
>>>
>>>
>>>
>>>> Security is not about prevention,
>>> WHAT? What a complete and totally moronic thing to say, Jerry.
>>>
>>> Security is about many things of which prevention is one.
>>>
>> No responsible person in the security field will ever claim that.
>
> I'm a responsible person in the security field and I claim that. I've
> been taught that and I teach that. That being that many things make
> up good security. Prevention is one part of security.
>
If you claim obscurity is security, then that's debatable. I hope your
E&O insurance is paid up and it covers negligence on your part.
I've got some friends who are in the security business. These are guys
with clearances higher than Top Secret. They are responsible for
security of some very sensitive government systems. They can't tell me
a lot of details because I don't have a sufficient security clearance.
But one thing they agree upon - is that obscurity only gives a false
sense of security.
>
>> There is no such thing as "prevention". That would indicate that
>> something can't happen, which is impossible to do.
>>
>> For instance, banks have been trying to prevent robberies for hundreds
>> of years.
>
>
> Banks prevent you, as an employee, from seeing all the things
> necessary to get your hand on the data of a user. Does it work all
> the time, no. That's where forensics come in. But if you don't
> prevent it at all, you open yourself (yourself being the bank) to
> lawsuits from customers, fines from FICA and harassment from auditors
> for SOX.
>
They make it harder encrypting data, for instance. But they can't
prevent it. If it's possible ANYONE to get into something, it's
possible for the WRONG person to get in there, also.
And forensics is after the fact. It has nothing to do with either
security - other than a good system will audit access for later analysis.
>> At no time will a responsible security professional claim anything about
>> preventing break-ins.
>
> Right. That's why banks don't use firewalls, don't use encryption,
> don't use secure keys, etc.
>
> Stick with coding, J. You obviously know little about security.
>
And none of this prevents a break in. It just makes it harder.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Puckdropper wrote:
> Gary L. Burnore
> @blackhelicopter.databasix.com:
>
>> On Sun, 21 Oct 2007 14:05:33 -0400, Jerry Stuckle
>>
>>
>>> Gary L. Burnore wrote:
>>>> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
>
> *snip*
>
>>>> Security is about many things of which prevention is one.
>>>>
>>> No responsible person in the security field will ever claim that.
>> I'm a responsible person in the security field and I claim that. I've
>> been taught that and I teach that. That being that many things make
>> up good security. Prevention is one part of security.
>>
>>
>>> There is no such thing as "prevention". That would indicate that
>>> something can't happen, which is impossible to do.
>>>
>>> For instance, banks have been trying to prevent robberies for hundreds
>>> of years.
>>
>
> *snip*
>
> Prevention isn't about 100% prevention, but mainly deterrence. With
> preventative efforts, you simply try to make it more difficult to get to
> your systems. Maybe then the would-be attacker gets bored or frustrated
> and gives up.
>
> Prevention isn't the only line of defense, of course. If the attacker
> does succeed, you have to try to limit the amount of exposure.
>
> Puckdropper
Here, I agree with you. Security is about deterrence. But not prevention.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Michael Fesser wrote:
> .oO(Jerry Stuckle)
>
>> Gary L. Burnore wrote:
>>> Security is about many things of which prevention is one.
>> No responsible person in the security field will ever claim that.
>>
>> There is no such thing as "prevention". That would indicate that
>> something can't happen, which is impossible to do.
>
> If a file is stored outside the document root, it can't be accessed by a
> URL. That's prevention.
>
Nope. It is not. There is, for instance, nothing to stop me from
uploading a document which opens the file and spits the source code out
for me.
And if I get the admin password, I have direct access to it.
The only way to prevent me from getting the file is to not place it
there in the first place.
> If you allow the user to submit a value out of [1, 2, 3] to a form
> processing script and check it against the set of allowed values, they
> can't inject a 4. That's prevention.
>
Until they find another way into the system. All you have done is close
one hole. There are probably hundreds (or even thousands) of other ways
to get to it.
>> For instance, banks have been trying to prevent robberies for hundreds
>> of years. Nowadays they have CCTV, armed guards, vaults, silent
>> alarms... the list goes on. But they still get robbed. Because there
>> is no "prevention".
>
> There are things that _can_ be prevented and there are things were you
> can just lower the probability of it to happen.
>
> Micha
>
To be able to prevent something, you must have 100% security. And that
means, in computer systems anyway, 100% perfect code, absolutely no
access to the sensitive code, either via communications link, physical
access to the server or any other way. There must also be no copies
(i.e. backups) of the sensitive files at all. And even then you're
likely to have potential gaps in the system.
But how many systems do you know fit this?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
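The two measures Michael Fesser calls "prevention" above (a value checked against a fixed set, and a file kept outside the document root) written out as an added example. This is not code from the thread or from any poster; the directory layout, the config file's contents and the POST field name are assumptions made for illustration.

```php
<?php
// Added example (not from the original thread): the two measures Michael
// Fesser calls "prevention", written out in PHP. Paths and the POST field
// name are assumptions made for illustration.

declare(strict_types=1);

// 1. Allowlist validation: the form value must be exactly one of 1, 2 or 3.
//    The comparison is done on the raw string with strict in_array(), so
//    "4", "1.0", " 1", "01" and "1abc" are all rejected; PHP's loose
//    numeric comparison would let several of those through.
function allowed_choice(string $raw): ?int
{
    $allowed = ['1', '2', '3'];
    return in_array($raw, $allowed, true) ? (int) $raw : null;
}

// 2. Credentials kept outside the document root and loaded by absolute path.
//    Assumed layout: /var/www/example/public is DocumentRoot and the
//    config lives one level up in /var/www/example/config/db.php, which
//    simply does: return ['dsn' => '...', 'user' => '...', 'pass' => '...'];
//    No URL maps to that file, so the web server will not serve it.
function load_db_config(string $configDir): array
{
    $file = $configDir . '/db.php';
    if (!is_file($file) || !is_readable($file)) {
        throw new RuntimeException('database config not found: ' . $file);
    }
    $cfg = require $file;
    foreach (['dsn', 'user', 'pass'] as $key) {
        if (!isset($cfg[$key]) || !is_string($cfg[$key])) {
            throw new RuntimeException("database config is missing '$key'");
        }
    }
    return $cfg;
}

// Usage in a request handler (field name "choice" is assumed).
$choice = allowed_choice((string) ($_POST['choice'] ?? ''));
if ($choice === null) {
    http_response_code(400);
    exit('invalid choice');
}
$db = load_db_config(dirname(__DIR__) . '/config');

// Caveat, which is Jerry's objection in the thread: this closes the direct
// URL path only. Any bug that lets an attacker run their own code or read
// arbitrary files on the server (an unrestricted upload, a path traversal)
// still reaches db.php, so file permissions and the rest of the application
// still matter.
```

The strict string comparison is the part people get wrong: `in_array("1abc", [1, 2, 3])` without the third argument is true in older PHP because of loose numeric comparison, which is exactly the "inject a 4" class of bug the post is describing.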
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
"Jerry Stuckle"
news:6-udnf4MZ_UgQobanZ2dnUVZ_hqdnZ2d@comcast.com...
> Sanders Kaufman wrote:
>> Before they can hack the system - they have to FIND the system.
>
> Which is very easy to do. Script kiddies do it every day.
No - script kiddies are only good at hacking systems after they find them.
It's a whole nother kind of hacker that finds the systems.
That's what all these beacon posts here in this group are about.
They're phishing for developer boxes.
Normally, online, we developers, as developers, are not distinguishable from
the crowd of other folks online.
But our systems tend to be a more target-rich environment for hackers.
Obscured - we are secured.
But once one of us responds to one of those posts, the phisher knows that
x.x.x.x is a developer machine.
You and I probably won't get hacked - 'cause we're always secure... right?
But someone like ol' Shelly might not know that the MSDE engine that MS
Office automatically installed on his machine is accepting anonymous
connections with sa authority - or what the security impact of that can be.
Now - a hacker could try to telnet to every IP there is, and in the effort
might find some similarly unsecured boxes.
OR - he can post here on usenet, and get the mark to identify *himself*...
sometimes, repeatedly.
And that's why they do it here on Usenet.
Because NNTP virtually guarantees anonymity - which is security through
obscurity.
Post removed (X-No-Archive: yes)
"Jerry Stuckle"
news:6-udnf8MZ_UMQobanZ2dnUVZ_hqdnZ2d@comcast.com...
> Sanders Kaufman wrote:
>> No - locking the door only slows them down after an attack has begun.
>> If you want to PREVENT the attack - obscure the target.
>> You can't hit what you can't see.
>
> Sure you can. It's harder, but not at all impossible.
Shooting blindly is not "targeting".
It's "panic-king".
If your strategy for self-defense is to panic - then you don't really have a
strategy, do you?
Veterans know that - even if Republicans, don't.
That's why they wear camouflage.
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Sanders Kaufman wrote:
> "Gary L. Burnore"
> news:ffg1n1$d6e$1@blackhelicopter.databasix.com...
>> On Sun, 21 Oct 2007 15:50:03 +0100, The Natural Philosopher
>
>>>> Nope. Security by obscurity is no security at all.
>>>>
> [snip]
>
>> Locking your door would be a form of prevention that could easily keep
>> it from happening. Will it keep everyone out? No. but it'd keep out
>> the crackhead who'd just go to the next house to look for an unlocked
>> door.
>
> Yeah -but if you obscure the door well, you don't have to worry about
> locking it.
>
>
The secret is that it doesn't even look like a door.
You hide things where it doesn't even look like there is a hiding place.
Everyone goes for safes. No one goes for ..well let's not give any
secrets away, just find the cheapest most ordinary object in your house
you can think of, and work out how to put small valuables inside.
But most of all, just look like someone who hasn't got a dime.
I get a real kick out of dressing like a tramp, knowing how much I
really am worth..Ok I'm no Bill Gates,. but I wont ever have to work
again anyway.
Same with net security. Just put stuff in dull boring places and give it
dull boring names, and above all don't go around being ostentatious.
People target that.
They might spend 6 months trying to hack the Pentagon, or the Coca-Cola
company: they aren't going to do that for a nickel and dime website. They
aren't going to spend 6 minutes.
Gary L. Burnore wrote:
> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>
>
>> "Gary L. Burnore"
>> news:ffg1n1$d6e$1@blackhelicopter.databasix.com...
>>> On Sun, 21 Oct 2007 15:50:03 +0100, The Natural Philosopher
>>>>> Nope. Security by obscurity is no security at all.
>>>>>
>> [snip]
>>
>>> Locking your door would be a form of prevention that could easily keep
>>> it from happening. Will it keep everyone out? No. but it'd keep out
>>> the crackhead who'd just go to the next house to look for an unlocked
>>> door.
>> Yeah -but if you obscure the door well, you don't have to worry about
>> locking it.
>
> Not true at all. Comparing it to hacking, someone tries everything
> whether or not it looks like a knob until something opens. Locking
> the door would prevent that.
I don't think so really. They try the usual things. Ports that come back
with meaningful responses.. but unless they have a clear idea that you
have something as it were lying on the back seat of the car in plain
site, they just walk down the cars trying the door handles.
Why take a lot of effort to break into an empty car?
A successful entry means either that you left the door open and they
happened along (and if it doesn't look like a door and they didn't
happen along, 'cos you live in an isolated place, that is a low
probability), or it means that they knew you had something they wanted,
and mounted a determined break-in. Nothing is secure against a determined
break-in.
So I prefer look like there are no doors, even if you find the house,
and when you look in the window there isn't anything to see worth
spending 5 minutes ripping a hole in the wall for.
I run my own server, here, behind my own firewall. It's slow, but it's
pretty safe. No one is going to sniff my network. My PHP code isn't that
great anyway. It does a job, that's all.
Sanders Kaufman wrote:
> "Gary L. Burnore"
> news:ffgar8$3n6$1@blackhelicopter.databasix.com...
>> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>
>>> Yeah -but if you obscure the door well, you don't have to worry about
>>> locking it.
>> Not true at all. Comparing it to hacking, someone tries everything
>> whether or not it looks like a knob until something opens. Locking
>> the door would prevent that.
>
> No - locking the door only slows them down after an attack has begun.
> If you want to PREVENT the attack - obscure the target.
> You can't hit what you can't see.
>
>
Yup camouflage. And honey pots. I never made one, but it sounds like fun.
Jerry Stuckle wrote:
> Sanders Kaufman wrote:
>> "Gary L. Burnore"
>> news:ffgar8$3n6$1@blackhelicopter.databasix.com...
>>> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>>
>>>> Yeah -but if you obscure the door well, you don't have to worry about
>>>> locking it.
>>> Not true at all. Comparing it to hacking, someone tries everything
>>> whether or not it looks like a knob until something opens. Locking
>>> the door would prevent that.
>>
>> No - locking the door only slows them down after an attack has begun.
>> If you want to PREVENT the attack - obscure the target.
>> You can't hit what you can't see.
>>
>>
>>
>
> Sure you can. It's harder, but not at all impossible.
>
You wont even try to hit something you don't know is there.
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:6-udnf8MZ_UMQobanZ2dnUVZ_hqdnZ2d@comcast.com...
>> Sanders Kaufman wrote:
>
>>> No - locking the door only slows them down after an attack has begun.
>>> If you want to PREVENT the attack - obscure the target.
>>> You can't hit what you can't see.
>> Sure you can. It's harder, but not at all impossible.
>
> Shooting blindly is not "targeting".
> It's "panic-king".
>
Not at all. It is aiming at all possible targets. Not that much
different than saturation bombing, which was quite effective during WW
II - whether they knew where the target was or not.
> If your strategy for self-defense is to panic - then you don't really have a
> strategy, do you?
Shooting blindly is not what I do. It is what hackers do. And it is
quite effective.
> Veterans know that - even if Republicans, don't.
> That's why they wear camouflage.
>
And you really do think you are safe, don't you. You'll get no sympathy
from me when you get hacked. But your customers will.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:6-udnf4MZ_UgQobanZ2dnUVZ_hqdnZ2d@comcast.com...
>> Sanders Kaufman wrote:
>
>>> Before they can hack the system - they have to FIND the system.
>> Which is very easy to do. Script kiddies do it every day.
>
> No - script kiddies are only good at hacking systems after they find them.
> It's a whole nother kind of hacker that finds the systems.
>
Try again. Script kiddies are quite adept at finding "hidden" systems.
> That's what all these beacon posts here in this group are about.
> They're phishing for developer boxes.
>
Those aren't script kiddies. Any reasonable hacker wouldn't be that stupid.
> Normally, online, we developers, as developers, are not distinguishable from
> the crowd of other folks online.
If you say so.
> But our systems tend to be a more target-rich environment for hackers.
> Obscured - we are secured.
>
Nope. You are not at all obscured.
For instance, you are posting from 209.30.206.81, which belongs to AT&T
Internet Services. This resolves to the Dallas, TX area. That took me
about 30 seconds. I suspect a little closer look would get me closer.
Now I can use that information to do all kinds of things on your IP
address. And believe me, if there's a hole, a hacker can find it.
> But once one of us responds to one of those posts, the phisher knows that
> x.x.x.x is a developer machine.
Sure - but even if you don't respond, hackers will try. For instance, I
get regular probes on another system which has never been on usenet. It
is strictly a system I've used to test websites from a different OS.
But I still get probes - because people are scanning IP addresses for
any weakness.
> You and I probably won't get hacked - 'cause we're always secure... right?
> But someone like ol' Shelly might not know that the MSDE engine that MS
> Office automatically installed on his machine is accepting anonymous
> connections with sa authority - or what the security impact of that can be.
>
No, I am not secure. I am as protected as I can make it. But I do not
consider myself secure, even with the multiple levels of security I have
installed - like at least 2 firewalls before someone can get to any
data, three levels of scanning for viruses/trojans and more. That's why I
keep logs, backups, and regularly scan my systems for any suspicious
software (not just anti-virus scans).
But no, I am not "secure". I am, however, as protected as I can be.
> Now - a hacker could try to telnet to every IP there is, and in the effort
> might find some similarly unsecured boxes.
> OR - he can post here on usenet, and get the mark to identify *himself*...
> sometimes, repeatedly.
>
They don't actually telnet to every port. They have more sophisticated
methods.
> And that's why they do it here on Usenet.
> Because NNTP virtually guarantees anonymity - which is security through
> obscurity.
>
Nope. It takes very little to find someone's real information on
usenet. For instance, a quick court order and I can find out from AT&T
exactly who was assigned your IP address at the time you made your post.
And a good hacker might even be able to hack the AT&T database to get
the information. Or a disgruntled employee might get the info (maybe
pay him a few $$$ for the info).
Even if you go through proxies you can be tracked, in time.
But all of that is not important. All someone has to do is start
scanning all of the IP addresses in your block - whether by design or by
accident.
And this is just the tip of the iceberg. Hackers have many more
tricks up their sleeves. That's why so many "secure" corporate systems
have been hacked over the years. And even military systems at the DoD
get hacked - and they should be much more secure.
That's why experienced security people (and I'm talking people who do
*real* security - like on sensitive federal systems) know obscurity is
no security.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>> The Natural Philosopher wrote:
>>>> Jerry Stuckle wrote:
>>>>
>>>>> Security is not about prevention, just like there is no way to
>>>>> prevent someone from breaking into your home. There is no such
>>>>> thing. What it is is about identifying undesired ways of accessing
>>>>> your files and limiting the effect of exposure. It's just like
>>>>> locking your valuables in a bank vault to limit your exposure if
>>>>> someone breaks into your house.
>>>>>
>>>> It may go no further than simply living quietly, so that no one
>>>> knows or cares where you live, and never looking like you have
>>>> anything worth stealing.
>>>>
>>>>
>>>
>>> Nope. Security by obscurity is no security at all.
>>>
>> Oh, indeed it is.
>>
>
> Not at all. It is false security.
>
It works.
Call it what you like, it works.
That's why passwords should not be on a dictionary search. Be obscure.
I have one that is the number of the first car I drove. Back in 1968.
Not used it recently, but I remember it though. My mother, whose car it was
- can't. Dementia set in. I doubt anyone in the world knows that car
number except me.
At other times we used to simply look out of the window where we were
setting the machine up and make the password the first thing we saw.
Somewhere out there is red.bus, wet.street and nowt.at.all.
I always wanted to make the password 'there.isn't.one' ..just for
further confusion.
Someone asked us once 'How much does it cost to safeguard my data' and I
said 'as much in salary to your system administrator as anyone would
ever offer him for it'
That seemed to shake him somewhat...
Why is anyone going to bother with my systems, when there are a thousand
open wifi networks they can cruise on by ?
I use cash whenever possible, and the card goes in one of two or three
bank machines only. My wife does not know my PIN numbers. I do not know
hers. Technology? It gives a false sense of security. It's humans that are
the weak point.
I don't write passwords down. I have a file that says things like
whereyoulive/Ford Escort.
Those aren't names and passwords. Those are hints to me as to what those
names and passwords are.
If that file gets stolen, it's unlikely that anyone could work it out
inside of a few weeks - long enough to change them all.
I don't use paypal. Why make yourself a target?
Obscure, obfuscate, look drab and ordinary. James Bond doesn't drive an
Aston Martin in real life. He drives a 2 year old Ford Mondeo, stays at
the travelodge and buys his suits from a retail outfitters. He is dull
to the point of forgetability, and everything he does has a perfectly
ordinary explanation.
If you want to go further, make sure there is an open telnet connection
that goes to what seems to be a very ordinary server, and let the script
kiddies make a total mess of it whilst the real access is on a completely
different port, and goes to the real machine with the state secrets on it.
Do you know the biggest and most public breach of computer security in the
last few months in the UK?
The tax people downloaded the WHOLE of a bank's customer details - the
ruddy lot - onto a laptop and left it in the back seat of a car... with
people like that, who needs firewalls?
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:6-udnfkMZ_XKfYbanZ2dnUVZ_hqdnZ2d@comcast.com...
>> Sanders Kaufman wrote:
>
>>> Actually - it's a proven security strategy that has worked for thousands
>>> of years.
>> It's a proven strategy which has given a false sense of security for
>> thousands of years.
>
> Wow - it's proven AND it's false, eh?
> The wild thing is that you probably, honestly, believe that
> self-contradictory statement.
>
Only you would think that is self-contradictory, Sanders.
It is possible to prove something false. All you have to do is find one
exception to the "rule".
>
>>> What is it about y'all Republicans that you simply WILL NOT learn from
>>> history?
>> What is it about you Democrats which allows you to ignore real
>> vulnerabilities and turn the truth around?
>
> I'm no Democrat.
> What is it about you Republicans that you see everything in partisan terms?
>
True. You aren't even that smart.
And BTW - you're the one who brought up politics and partisanship. Not me.
But then that's typical of you. You bring up something, then when
you're called on it, claim the other person sees it that way.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Jerry Stuckle
HIeYbanZ2dnUVZ_rWtnZ2d@comcast.com:
*snip*
>
> To be able to prevent something, you must have 100% security. And that
> means, in computer systems anyway, 100% perfect code, absolutely no
> access to the sensitive code, either via communications link, physical
> access to the server or any other way. There must also be no copies
> (i.e. backups) of the sensitive files at all. And even then you're
> likely to have potential gaps in the system.
>
> But how many systems do you know fit this?
>
Prevention is NOT about stopping EVERYTHING. It's about stopping SOME
THINGs. You are correct that absolute prevention requires 100% effective
security, but we're merely talking about stopping some attacks.
Security, at its simplest, is about allowing access to those who need
access and preventing access to those who do not need access.
Puckdropper
--
Wise is the man who attempts to answer his question before asking it.
To email me directly, send a message to puckdropper (at) fastmail.fm
Post removed (X-No-Archive: yes)
Post removed (X-No-Archive: yes)
Gary L. Burnore wrote:
> On Sun, 21 Oct 2007 19:36:18 -0400, Jerry Stuckle
>
>
>> Gary L. Burnore wrote:
>>> On Sun, 21 Oct 2007 14:05:33 -0400, Jerry Stuckle
>>>
>>>
>>>> Gary L. Burnore wrote:
>>>>> On Sat, 20 Oct 2007 22:05:13 -0400, Jerry Stuckle
>>>>>
>>>>>
>>>>>
>>>>>> Security is not about prevention,
>>>>> WHAT? What a complete and totally moronic thing to say, Jerry.
>>>>>
>>>>> Security is about many things of which prevention is one.
>>>>>
>>>> No responsible person in the security field will ever claim that.
>>> I'm a responsible person in the security field and I claim that. I've
>>> been taught that and I teach that. That being that many things make
>>> up good security. Prevention is one part of security.
>>>
>> If you claim obscurity is security, then that's debatable.
>
> When the hell did I ever claim that?
>
Sorry, wrong thread. You claimed security is about prevention. And
every *real* security professional I know - including those who work on
high security systems, agree. There is no prevention. Only deterrence.
That is, if a system is hooked up to the internet or any other
communications link, that system can be hacked. And you can make it as
hard as possible, but there is no way you can prevent that from
occurring, as long as the system is available.
Or even if it is not on a communications link, anyone with physical
access to the system could potentially break into the system - or even
physically remove the hard drive and copy it on another system.
There are lots of ways a "secure" system can be broken into. Security
is about making that as hard as possible (deterrence), and when it does
happen, limiting the data which can be accessed.
>> I've got some friends who are in the security business. These are guys
>> with clearances higher than Top Secret.
>
>
> Yawn.
>
I suspect they know a hell of a lot more than you do. Why not post some
of your thoughts to some of the security newsgroups? You won't get far.
>> They are responsible for security of some very sensitive government systems.
>> They can't tell me a lot of details because I don't have a sufficient security clearance.
>
> Yeah, then they have to kill you.
>
You've been watching too much TV.
>> But one thing they agree upon - is that obscurity only gives a false
>> sense of security.
>
> I've said that several times. Please plug your brain back in.
>
As I said - I got threads mixed up. You claim security is about
prevention. Which is impossible.
>>>> There is no such thing as "prevention". That would indicate that
>>>> something can't happen, which is impossible to do.
>>>>
>>>> For instance, banks have been trying to prevent robberies for hundreds
>>>> of years.
>>>
>>> Banks prevent you, as an employee, from seeing all the things
>>> necessary to get your hand on the data of a user. Does it work all
>>> the time, no. That's where forensics come in. But if you don't
>>> prevent it at all, you open yourself (yourself being the bank) to
>>> lawsuits from customers, fines from FICA and harassment from auditors
>>> for SOX.
>>>
>> They make it harder encrypting data, for instance. But they can't
>> prevent it. If it's possible ANYONE to get into something, it's
>> possible for the WRONG person to get in there, also.
>
> Yep. Harder. Not easy like leaving the door open and hoping someone
> doesn't notice it's there.
>
But it's still not impossible. And there is no "prevention".
>
>> And forensics is after the fact.
>
> Forensics help discover how someone is TRYING to get in and yes, how
> they did if it already happen. If you watch how someone's trying to
> pick a lock, you know how to better enforce the lock.
>
Forensics is not about watching someone picking the lock. It is about
discovering how they got in, after the fact.
>> It has nothing to do with either security
>
> Sure it does. You learn from it and get better at defending against
> it.
>
Only after the fact. Good security will fix holes before the fact.
>
>> - other than a good system will audit access for later analysis.
>>
>>
>>>> At no time will a responsible security professional claim anything about
>>>> preventing break-ins.
>>> Right. That's why banks don't use firewalls, don't use encryption,
>>> don't use secure keys, etc.
>>>
>>> Stick with coding, J. You obviously know little about security.
>>>
>> And none of this prevents a break in. It just makes it harder.
>
> Yeah, but a lot harder than obscurity does. <- pay attention, dip. I
> agree with you on this one thing.
But it does not PREVENT a break-in.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Gary L. Burnore wrote:
> On Sun, 21 Oct 2007 18:42:40 GMT, "Sanders Kaufman"
>
>
>> "Jerry Stuckle"
>> news:HZqdnWi_EtW0DobanZ2dnUVZ_vfinZ2d@comcast.com...
>>> The Natural Philosopher wrote:
>>>>> Nope. Security by obscurity is no security at all.
>>>>>
>>>> Oh, indeed it is.
>>> Not at all. It is false security.
>> The only total security is to unplug the damned thing.
>
> So if you can't have total security, simply obscure it and leave it
> unlocked?
>
It's not a bad way.
Obscurity is a form of lock. A lock is a puzzle that you have the answer
to and the bad guy does not.
That puzzle can be just as much where to look, as how to get past a
barrier.
I know of many many cases of things that were hidden in houses that a
thorough police search never found.
>> Everything else either works, or it doesn't.
>> If obscurity keeps the bad guys away - it's REAL security.
>
> Except obscurity keeps no one away.
It does. If you walk past a bush, and all you see is a bush, who's to
know it stands on a bit of earth that is in a pot that can be removed
that has a trapdoor underneath... the bad guys don't even know it's there.
>> It's painfully common for Republican folks like Jerry here to tell people
>> who are perfectly safe that they are not.
>
> Says someone who claims obscuring something is security.
If a maze is well enough designed so it takes you twice as long to get
to the center of it as to crack a 64bit code, I'd say it was as good.
I believe the US intelligence services used to send messages in Navaho,
knowing that probably no one in Japan spoke that language.
Cryptography itself is security by obscurity.
In essence you have two aspects to protecting something. The first line
is to make sure that as few people know its there at all, and is worth
anything.
The second line is to make it easy for the person who needs to access it
to get at it and hard for the person you assume knows it's there to
access it.
Obscurity is the prime line of attack in the first aspect. Obscurity
also features in the second. The method of access must be obscure, but
known to the good guys.
For php? why not call your files - say - .fortran instead of .php, and
configure your web server to know that. Some geek browsing your site and
seeing all those .fortran URLs coming up will give up in disgust
already. Even if he downloads one somehow and tries to execute it, it
won't run..
Patch the PHP interpreter or the web server to do something simple like
reverse every two bytes and invert the high bit, then run your source
through something that does the inverse. None of that will survive a
sustained investigation by a top cryptographer, but you aren't dealing
with that. Or if you are, the CIA is onto you anyway, and your PHP is the
last of your worries.
If I was an islamic terrorist, I would send my messages in an arrogant
right wing sort of way on some obscure newsgroup like comp.lang.php and
sign them 'Jerry' ;-)
They would be encoded into all sort of messages. Misspelt words would
be significant, as would ad hominem attacks. ;-)
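The byte-swap-and-flip transform sketched in the post above, as an added example that is not code from the thread or from any poster. It shows the transform, its inverse, and the check a practitioner would want: because the scheme has no key and every PHP file starts with the same five bytes, one known-plaintext test both detects and undoes it. The interpreter or web-server patch that would apply the transform at load time is not shown, and the Apache directive in the closing comment is an assumed mod_php configuration.

```php
<?php
// Added example (not from the original thread): the "reverse every two
// bytes and invert the high bit" transform The Natural Philosopher sketches,
// as a standalone PHP script, together with its inverse and a check showing
// why it only deters a casual reader. The interpreter or web-server patch
// that would apply it at load time is not shown; only the byte transform is.

declare(strict_types=1);

// Swap each pair of bytes and flip bit 7 of every byte. Swapping and XOR
// commute, so the function is its own inverse: scramble(scramble($x)) === $x.
function scramble(string $src): string
{
    $len = strlen($src);
    $out = '';
    for ($i = 0; $i + 1 < $len; $i += 2) {
        $out .= chr(ord($src[$i + 1]) ^ 0x80)
              . chr(ord($src[$i]) ^ 0x80);
    }
    if ($len % 2 === 1) {
        // Odd trailing byte has no partner: flip it in place.
        $out .= chr(ord($src[$len - 1]) ^ 0x80);
    }
    return $out;
}

function unscramble(string $blob): string
{
    return scramble($blob);
}

// The weakness: there is no key. Every PHP file begins with "<?php", so
// anyone who suspects a fixed transform tries the inverse and looks for
// that prefix. One known-plaintext check recovers everything.
function looks_like_scrambled_php(string $blob): bool
{
    return strncmp(unscramble($blob), '<?php', 5) === 0;
}

// Constructed sample, not a file from the thread.
$source = "<?php\necho 'hello';\n";
$blob   = scramble($source);

if (unscramble($blob) !== $source) {
    throw new LogicException('round trip failed');
}
if (!looks_like_scrambled_php($blob)) {
    throw new LogicException('known-plaintext check failed');
}
echo bin2hex($blob), "\n";

// The extension trick from the same post would be a web-server mapping such
// as this Apache directive (assumed mod_php setup):
//   AddType application/x-httpd-php .fortran
// A browser never receives the source either way; renaming only changes
// what a visitor sees in the URL.
```

Run it with `php scramble.php` and it prints the hex of the scrambled file; the non-ASCII bytes (high bit set) are what make the file look like junk in an editor, and they are also the giveaway, since every byte of a normal PHP source is below 0x80.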
Jerry Stuckle wrote:
> Sanders Kaufman wrote:
>> "Jerry Stuckle"
>> news:HZqdnWi_EtW0DobanZ2dnUVZ_vfinZ2d@comcast.com...
>>> The Natural Philosopher wrote:
>>
>>>>> Nope. Security by obscurity is no security at all.
>>>>>
>>>> Oh, indeed it is.
>>> Not at all. It is false security.
>>
>> The only total security is to unplug the damned thing.
>> Everything else either works, or it doesn't.
>> If obscurity keeps the bad guys away - it's REAL security.
>>
>
> But obscurity doesn't keep bad guys away. That's the false assumption.
>
>> It's painfully common for Republican folks like Jerry here to tell
>> people who are perfectly safe that they are not.
>>
>
> I'm telling people obscurity is NOT safe.
>
> You're telling them that obscurity IS safe.
>
> Who's telling people they are perfectly safe when they're not, Sanders?
>
>
>
I'm telling you nothing is safe. So make sure that nothing is what they
find when they go looking.
A door with a big fuckoff lock on it is an invitation to have a crack.
If you were a secret intelligence agency, where would you put your
headquarters - in the biggest skyscraper in new york? or above Mr Ho's
chinese laundry in Des Moines?
I know where I would put it.
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:vI2dnQmcHuLAL4banZ2dnUVZ_rXinZ2d@comcast.com...
>> Sanders Kaufman wrote:
>
>>> The only total security is to unplug the damned thing.
>>> Everything else either works, or it doesn't.
>>> If obscurity keeps the bad guys away - it's REAL security.
>> But obscurity doesn't keep bad guys away. That's the false assumption.
>
> Actually - it's a proven security strategy that has worked for thousands of
> years.
> What is it about y'all Republicans that you simply WILL NOT learn from
> history?
>
s/WILL NOT/cannot
s/from history//
> When I was in the Navy, one of my favorite pieces of crypto gear was a
> [redacted].
> What was so cool about this thing was when you cracked the box, there were
> all these PC cards and wires and flashing lights.
> But none of that stuff did *anything*.
> The crypto circuitry was all embedded in the box's casing.
> When you cracked the case, it toggled control over to the components so that
> they would appear to be functional to anyone who tried to hack it.
>
A HONEY POT!
> But then there's you - some crazy guy on Usenet who angrily insists, "it'll
> never work".
> Ha!
>
s/right wing/self-righteous/g
>
Puckdropper wrote:
> Prevention isn't about 100% prevention, but mainly deterrence. With
> preventative efforts, you simply try to make it more difficult to get to
> your systems. Maybe then the would-be attacker gets bored or frustrated
> and gives up.
>
> Prevention isn't the only line of defense, of course. If the attacker
> does succeed, you have to try to limit the amount of exposure.
>
> Puckdropper
When you build a tank, you do not paint it in dayglo.
You paint it dull colors.
You *also* give it very thick armour plating.
You HOPE the armour plating is never put to the test.
Because you know that no armour plating the tank can carry and still
function like a tank, is truly safe. It's just better than nothing.
And so is the camo on top.
Jerry Stuckle wrote:
> I've got some friends who are in the security business. These are guys
> with clearances higher than Top Secret. They are responsible for
> security of some very sensitive government systems. They can't tell me
> a lot of details because I don't have a sufficient security clearance.
> But one thing they agree upon - is that obscurity only gives a false
> sense of security.
>
Sure Jerry, sure. And I am a personal friend of the head of MI5, but she
is so obscure that she resembles a pet rabbit.
I have to clean out her cage daily.
> They make it harder encrypting data, for instance. But they can't
> prevent it. If it's possible for ANYONE to get into something, it's
> possible for the WRONG person to get in there, also.
>
Exactly. Security does nothing except give you a false sense of security.
That's why they build stealth bombers.
>
> And none of this prevents a break in. It just makes it harder.
>
By judicious snipping of your illogical crap, I have made that a true
statement.
You should thank me for that.
Jerry Stuckle wrote:
> Michael Fesser wrote:
>> .oO(Jerry Stuckle)
>>
>>> Gary L. Burnore wrote:
>>>> Security is about many things of which prevention is one.
>>> No responsible person in the security field will ever claim that.
>>>
>>> There is no such thing as "prevention". That would indicate that
>>> something can't happen, which is impossible to do.
>>
>> If a file is stored outside the document root, it can't be accessed by a
>> URL. That's prevention.
>>
>
> Nope. It is not. There is, for instance, nothing to stop me from
> uploading a document which opens the file and spits the source code out
> for me.
>
Unless there is no way to upload code OR THERE IS, BUT YOU NEVER FOUND IT.
> And if I get the admin password, I have direct access to it.
>
Not if the admin password isn't the admin password at all. And takes you
to somewhere else.
> The only way to prevent me from getting the file is to not place it
> there in the first place.
>
Ah Security by obscurity. Place it somewhere completely different!
>
> To be able to prevent something, you must have 100% security. And that
> means, in computer systems anyway, 100% perfect code, absolutely no
> access to the sensitive code, either via communications link, physical
> access to the server or any other way. There must also be no copies
> (i.e. backups) of the sensitive files at all. And even then you're
> likely to have potential gaps in the system.
>
> But how many systems do you know fit this?
>
None whatsoever, especially ones you put together ;-)
So we have reduced the argument to the simple proposition that 'no system
is secure'.
Now, which is MORE secure, the one that everyone can see, and just have
to find a way into, or the one that most people don't see at all, and if
they do, they find what looks like a door, but it takes them straight
into a minefield?
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> Sanders Kaufman wrote:
>>> "Gary L. Burnore"
>>> news:ffgar8$3n6$1@blackhelicopter.databasix.com...
>>>> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>>>
>>>>> Yeah -but if you obscure the door well, you don't have to worry about
>>>>> locking it.
>>>> Not true at all. Comparing it to hacking, someone tries everything
>>>> whether or not it looks like a knob until something opens. Locking
>>>> the door would prevent that.
>>>
>>> No - locking the door only slows them down after an attack has begun.
>>> If you want to PREVENT the attack - obscure the target.
>>> You can't hit what you can't see.
>>>
>>>
>>>
>>
>> Sure you can. It's harder, but not at all impossible.
>>
> You wont even try to hit something you don't know is there.
>
Hackers don't care if it's there or not. They'll do a systematic scan
just to see if something's there. It doesn't cost them anything.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> Sanders Kaufman wrote:
>>> "Jerry Stuckle"
>>> news:HZqdnWi_EtW0DobanZ2dnUVZ_vfinZ2d@comcast.com...
>>>> The Natural Philosopher wrote:
>>>
>>>>>> Nope. Security by obscurity is no security at all.
>>>>>>
>>>>> Oh, indeed it is.
>>>> Not at all. It is false security.
>>>
>>> The only total security is to unplug the damned thing.
>>> Everything else either works, or it doesn't.
>>> If obscurity keeps the bad guys away - it's REAL security.
>>>
>>
>> But obscurity doesn't keep bad guys away. That's the false assumption.
>>
>>> It's painfully common for Republican folks like Jerry here to tell
>>> people who are perfectly safe that they are not.
>>>
>>
>> I'm telling people obscurity is NOT safe.
>>
>> You're telling them that obscurity IS safe.
>>
>> Who's telling people they are perfectly safe when they're not, Sanders?
>>
>>
>>
> I'm telling you nothing is safe. So make sure that nothing is what they
> find when they go looking.
>
A determined search will always find something.
> A door with a big fuckoff lock on it is an invitation to have a crack.
>
Actually, it's less of an invitation than a small lock. Burglars aren't
looking for challenges. They're looking for goods.
> If you were a secret intelligence agency, where would you put your
> headquarters - in the biggest skyscraper in New York? or above Mr Ho's
> Chinese laundry in Des Moines?
>
Right where it is - in a compound in McLean, Va. (CIA) or a secure
building in Greenbelt, MD (NSA).
> I know where I would put it.
>
You've been watching too many Man From U.N.C.L.E. reruns.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> The Natural Philosopher wrote:
>>> Jerry Stuckle wrote:
>>>> The Natural Philosopher wrote:
>>>>> Jerry Stuckle wrote:
>>>>>
>>>>>> Security is not about prevention, just like there is no way to
>>>>>> prevent someone from breaking into your home. There is no such
>>>>>> thing. What it is is about identifying undesired ways of
>>>>>> accessing your files and limiting the effect of exposure. It's
>>>>>> just like locking your valuables in a bank vault to limit your
>>>>>> exposure if someone breaks into your house.
>>>>>>
>>>>> It may go no further than simply living quietly, so that no one
>>>>> knows or cares where you live, and never looking like you have
>>>>> anything worth stealing.
>>>>>
>>>>>
>>>>
>>>> Nope. Security by obscurity is no security at all.
>>>>
>>> Oh, indeed it is.
>>>
>>
>> Not at all. It is false security.
>>
> It works.
> Call it what you like, it works.
>
Keep thinking that. Right up until you get hacked.
> That's why passwords should not be on a dictionary search. Be obscure.
>
Which is completely different from trying to hide a system.
>
> I have one that is the number of the first car I drove. Back in 1968.
> Not used it recently, but I remember it though. My mother, whose car it was
> - can't. Dementia set in. I doubt anyone in the world knows that car
> number except me.
>
So? Who cares? It has absolutely nothing to do with this discussion.
> At other times we used to simply look out of the window where we were
> setting the machine up and make the password the first thing we saw.
>
We're not talking about passwords here, dummy.
> Somewhere out there is red.bus, wet.street and nowt.at.all.
>
> I always wanted to make the password 'there.isn't.one' ..just for
> further confusion.
>
Again, completely unrelated to the topic at hand.
> Someone asked us once 'How much does it cost to safeguard my data' and I
> said 'as much in salary to your system administrator as anyone would
> ever offer him for it'
>
> That seemed to shake him somewhat...
>
> Why is anyone going to bother with my systems, when there are a thousand
> open wifi networks they can cruise on by ?
>
> I use cash whenever possible, and the card goes in one of two or three
> bank machines only. My wife does not know my PIN numbers. I do not know
> hers. Technology? gives a false sense of security. It's humans that are
> the weak point.
>
>
> I don't write passwords down. I have a file that says things like
> whereyoulive/Ford Escort.
>
> Those aren't names and passwords. Those are hints to me as to what those
> names and passwords are.
>
> If that file gets stolen, it's unlikely that anyone could work it out
> inside of a few weeks - long enough to change them all.
>
> I don't use paypal. Why make yourself a target?
>
> Obscure, obfuscate, look drab and ordinary. James Bond doesn't drive an
> Aston Martin in real life. He drives a 2 year old Ford Mondeo, stays at
> the travelodge and buys his suits from a retail outfitters. He is dull
> to the point of forgetability, and everything he does has a perfectly
> ordinary explanation.
>
> If you want to go further, make sure there is an open telnet connection,
> that goes to what seems to be a very ordinary server, and let the script
> kiddies make a total mess of it whilst the real access is on a completely
> different port, and goes to the real machine with the state secrets on it.
>
> Do you know the biggest and most public breach of computer security in the
> last few months in the UK?
>
> The tax people downloaded the WHOLE of a bank's customer details - the
> ruddy lot - onto a laptop and left it in the back seat of a car...with
> people like that, who needs firewalls?
>
Blah, blah, blah.
Fine. But you're the only one who has brought up passwords. They are
not at all related to what we're discussing.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
The Natural Philosopher wrote:
> Puckdropper wrote:
>
>> Prevention isn't about 100% prevention, but mainly deterance. With
>> preventative efforts, you simply try to make it more difficult to get
>> to your systems. Maybe then the would-be attacker gets bored or
>> frustrated and gives up.
>>
>> Prevention isn't the only line of defense, of course. If the attacker
>> does succeed, you have to try to limit the amount of exposure.
>>
>> Puckdropper
>
>
> When you build a tank, you do not paint it in dayglo.
> You paint it dull colors.
>
> You *also* give it very thick armour plating.
>
> You HOPE the armour plating is never put to the test.
> Because you know that no armour plating the tank can carry and still
> function like a tank, is truly safe. It's just better than nothing.
>
> And so is the camo on top.
>
>
So? We're not talking about tanks.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> I've got some friends who are in the security business. These are guys
>> with clearances higher than Top Secret. They are responsible for
>> security of some very sensitive government systems. They can't tell
>> me a lot of details because I don't have a sufficient security
>> clearance. But one thing they agree upon - is that obscurity only
>> gives a false sense of security.
>>
>
> Sure Jerry, sure. And I am a personal friend of the head of MI5, but she
> is so obscure that she resembles a pet rabbit.
>
> I have to clean out her cage daily.
>
Why? Do you shit in it that much?
There are some advantages to living in the DC area and having lots of
contacts here.
>
>
>> They make it harder encrypting data, for instance. But they can't
>> prevent it. If it's possible for ANYONE to get into something, it's
>> possible for the WRONG person to get in there, also.
>>
>
> Exactly. Security does nothing except give you a false sense of security.
>
> That's why they build stealth bombers.
>
Which has nothing to do with our discussion. Try keeping on topic.
Ah, I understand now. You've got to keep bringing up completely
unrelated issues because you have no valid arguments on the issues.
>
>>
>> And none of this prevents a break in. It just makes it harder.
>>
>
> By judicious snipping of your illogical crap, I have made that a true
> statement.
>
> You should thank me for that.
>
You always were good at misquoting. But then trolls are.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Puckdropper wrote:
> Jerry Stuckle
> HIeYbanZ2dnUVZ_rWtnZ2d@comcast.com:
>
> *snip*
>
>> To be able to prevent something, you must have 100% security. And that
>> means, in computer systems anyway, 100% perfect code, absolutely no
>> access to the sensitive code, either via communications link, physical
>> access to the server or any other way. There must also be no copies
>> (i.e. backups) of the sensitive files at all. And even then you're
>> likely to have potential gaps in the system.
>>
>> But how many systems do you know fit this?
>>
>
> Prevention is NOT about stopping EVERYTHING. It's about stopping SOME
> THINGS. You are correct that absolute prevention requires 100% effective
> security, but we're merely talking about stopping some attacks.
>
> Security, at its simplest, is about allowing access to those who need
> access and preventing access to those who do not need access.
>
> Puckdropper
Ah, but it is. If you prevent something, you have stopped it. Period.
Stopping "some" break-ins is not prevention.
What you are talking about is deterrence.
And security is about deterring what you can - and minimizing the damage
for those you can't.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> Michael Fesser wrote:
>>> .oO(Jerry Stuckle)
>>>
>>>> Gary L. Burnore wrote:
>>>>> Security is about many things of which prevention is one.
>>>> No responsible person in the security field will ever claim that.
>>>>
>>>> There is no such thing as "prevention". That would indicate that
>>>> something can't happen, which is impossible to do.
>>>
>>> If a file is stored outside the document root, it can't be accessed by a
>>> URL. That's prevention.
>>>
>>
>> Nope. It is not. There is, for instance, nothing to stop me from
>> uploading a document which opens the file and spits the source code
>> out for me.
>>
>
> Unless there is no way to upload code OR THERE IS, BUT YOU NEVER FOUND IT.
>
If it's there, it can be found. Period.
>> And if I get the admin password, I have direct access to it.
>>
>
> Not if the admin password isn't the admin password at all. And takes you
> to somewhere else..
>
That's not what I said.
>> The only way to prevent me from getting the file is to not place it
>> there in the first place.
>>
> Ah Security by obscurity. Place it somewhere completely different!
>
Nope. No obscurity at all. It doesn't exist, so I can't get it. Period.
>>
>> To be able to prevent something, you must have 100% security. And
>> that means, in computer systems anyway, 100% perfect code, absolutely
>> no access to the sensitive code, either via communications link,
>> physical access to the server or any other way. There must also be no
>> copies (i.e. backups) of the sensitive files at all. And even then
>> you're likely to have potential gaps in the system.
>>
>> But how many systems do you know fit this?
>>
> None whatsoever, especially ones you put together ;-)
>
Which are probably a hell of a lot more secure than anything you come up
with. Because I don't expect obscurity to protect anything. I assume
they will find it - and act accordingly.
> So we have reduced the argument to the simple proposition that 'no system
> is secure'.
>
> Now, which is MORE secure, the one that everyone can see, and just have
> to find a way into, or the one that most people don't see at all, and if
> they do, they find what looks like a door, but it takes them straight
> into a minefield?
>
The one everyone can see is more likely to be secure because a competent
admin will plan for break-ins. The one nobody can see may have an
administrator who slacks off because he believes the server is secure.
But if there is a house there, I know there is a door somewhere. And
some careful probing will find the door.
Just like if there is a server on the internet, it will respond to
something. It's just a matter of figuring out what.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
>No - locking the door only slows them down after an attack has begun.
>If you want to PREVENT the attack - obscure the target.
>You can't hit what you can't see.
Yes, you CAN sometimes hit what you can't see. The Nigerian bank
fraud scammers, spammers, and those doing port scans looking for
vulnerabilities do it all the time. Randomly or sequentially
scanning the Internet may not be very efficient, but it does work.
Various blind muggees (and people fighting hand-to-hand in the dark)
have proven that they can hear where an attacker is and kick sensitive
body parts without having to see the attacker.
Machine guns can spray an area with bullets even if you can't see
the attacker. It's not a very efficient use of ammunition, but it
still can be effective.
"Jerry Stuckle"
news:v_KdnVEpHouoaYbanZ2dnUVZ_trinZ2d@comcast.com...
>> I'm no Democrat.
>> What is it about you Republicans that you see everything in partisan
>> terms?
>
> True. You aren't even that smart.
What is it about you Republicans that you think partisan lies are "smart"?
> And BTW - you're the one who brought up politics and partisanship. Not
> me.
Actually, I just commented on ONE party.
What is it about you Republicans that you think the GOP is all there is to
politics?
> But then that's typical of you. You bring up something, then when you're
> called on it, claim the other person sees it that way.
Well... since you're all focused on Republican partisanship, I do have
something relevant to the discussion to say on the matter.
It's not just a matter of values or mores - but rather of *logic*.
You partisans - Republican, Democrat, Libertarian - you're irrational people
with no respect for the truth, and an inability to admit to fallibility.
You'll even deny a french fry is a french fry - if that's what your fellows
do.
That's not rational.
Similarly - insisting so vehemently that obscuring or hiding things is
*not* a way to secure it is not *rational*.
It's not a matter of values or mores - but of *logic*.
Dealing with evil people is easy - you can count on them to do bad things in
their own self-interest.
But dealing with self-contradictory and irrational people... like y'all
partisans - is impossible.
They just have to be either released into captivity... or gunned down into
eternal life.
"Gary L. Burnore"
news:ffgovi$3uv$5@blackhelicopter.databasix.com...
> On Sun, 21 Oct 2007 16:54:50 -0500, "Sanders Kaufman"
>>That's a fine way to retaliate AFTER an attack - but a lousy way to
>>prevent one.
>>
> Oh and hiding the door behind a bush in hopes they don't find it and
> then leaving it unlocked isn't lousy? Please.
That kind of simple-mindedness is where you go wrong on this issue.
You dumb it down to a lock on a door, or hiding behind a bush.
You also ignore the fact that ALL security measures must work with a system.
Once you correct those two mistakes, you'll better see that obscurity through
security is a valid security technique.
That's why they don't publish the travel schedules for nuqulure submarines.
I find it quite comical that I'm having to lecture right wingers (OF ALL
PEOPLE!!!) about the value of keeping secrets in order to protect stuff.
Do *all* of your beliefs and lifestyle choices contradict each other so
dramatically?
"Jerry Stuckle"
news:NMmdnfUCXMbcnIHanZ2dnUVZ_gqdnZ2d@comcast.com...
> Hackers don't care if it's there or not.
What - are you trying to see just how many dumb things you can say in one
day?
Again - this isn't about values or mores.
It's just simple *logic*.
I mean - come on, be *rational* man.
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:NMmdnfUCXMbcnIHanZ2dnUVZ_gqdnZ2d@comcast.com...
>
>> Hackers don't care if it's there or not.
>
> What - are you trying to see just how many dumb things you can say in one
> day?
> Again - this isn't about values or mores.
> It's just simple *logic*.
> I mean - come on, be *rational* man.
>
>
>
I wish you were, Sanders.
What you don't get is - hackers don't care. They just start a program
which picks an IP address and hits every port on that address, looking
for anything open. If there are no ports open, they move onto the next
IP address in line.
It costs them *nothing* to do it. And most will have dozens of these
programs running simultaneously, looking for ways to break in.
Similar to your house with the "hidden" door. A hacker takes a sledge
hammer and starts methodically pounding away at every square inch of the
house until he finds the door.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:v_KdnVEpHouoaYbanZ2dnUVZ_trinZ2d@comcast.com...
>
>>> I'm no Democrat.
>>> What is it about you Republicans that you see everything in partisan
>>> terms?
>> True. You aren't even that smart.
>
> What is it about you Republicans that you think partisan lies are "smart"?
>
There goes Sanders again. Can't come up with an intelligent argument,
so he starts in with the politics. I would say he's a stoopid troll,
but that's just normal for him.
>
>> And BTW - you're the one who brought up politics and partisanship. Not
>> me.
>
> Actually, I just commented on ONE party.
> What is it about you Republicans that you think the GOP is all there is to
> politics?
>
Don't try to twist your own words round. You brought up politics.
Don't lie and say you didn't.
>
>> But then that's typical of you. You bring up something, then when you're
>> called on it, claim the other person sees it that way.
>
> Well... since you're all focused on Republican partisanship, I do have
> something relevant to the discussion to say on the matter.
>
No, YOU focused on the Republican partisanship. Not me.
> It's not just a matter of values or mores - but rather of *logic*.
> You partisans - Republican, Democrat, Libertarian - you're irrational people
> with no respect for the truth, and an inability to admit to fallibility.
> You'll even deny a french fry is a french fry - if that's what your fellows
> do.
> That's not rational.
>
You - talking about "logic"? ROFLMAO! And you have no idea what the
"truth" is - outside of your own delusional world, that is.
> Similarly - insisting so vehemently that obscuring or hiding things is
> *not* a way to secure it is not *rational*.
> It's not a matter of values or mores - but of *logic*.
>
Only in your world is it rational, Sanders. And you wouldn't know logic
if it bit you in the ass.
> Dealing with evil people is easy - you can count on them to do bad things in
> their own self-interest.
> But dealing with self-contradictory and irrational people... like y'all
> partisans - is impossible.
> They just have to be either released into captivity... or gunned down into
> eternal life.
>
OK, if it's so easy, why don't you figure out a way to stop all those
"evil people" in the world? You'd win the Nobel Prize!
And you're right. Dealing with irrational people like yourself is
impossible.
Just like you tried to claim the Bush tax cuts hurt everyone. Until I
proved to you they didn't. You didn't have anything to say after that
one, did you?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Jerry Stuckle
news:8bednQcnusXVmIHanZ2dnUVZ_uninZ2d@comcast.com:
> Puckdropper wrote:
>> Jerry Stuckle
>> HIeYbanZ2dnUVZ_rWtnZ2d@comcast.com:
>>
>> *snip*
>>
>>> To be able to prevent something, you must have 100% security. And
>>> that means, in computer systems anyway, 100% perfect code,
>>> absolutely no access to the sensitive code, either via
>>> communications link, physical access to the server or any other way.
>>> There must also be no copies (i.e. backups) of the sensitive files
>>> at all. And even then you're likely to have potential gaps in the
>>> system.
>>>
>>> But how many systems do you know fit this?
>>>
>>
>> Prevention is NOT about stopping EVERYTHING. It's about stopping
>> SOME THINGS. You are correct that absolute prevention requires 100%
>> effective security, but we're merely talking about stopping some
>> attacks.
>>
>> Security, at its simplest, is about allowing access to those who need
>> access and preventing access to those who do not need access.
>>
>> Puckdropper
>
> Ah, but it is. If you prevent something, you have stopped it.
> Period.
> Stopping "some" break-ins is not prevention.
>
> What you are talking about is deterrence.
>
> And security is about deterring what you can - and minimizing the
> damage for those you can't.
>
I'm afraid we're using different definitions.
Prevent: To keep something from happening; to keep from doing something.
Deter: To prevent or discourage someone from acting by arousing fear,
uncertainty, intimidation, or other strong emotion.
Source: Webster's Dictionary (c) 1991
It appears you're using the first part of "prevent", stopping at the
semicolon. I'm using the second part of the definition, so by stopping
one, you have successfully kept someone from doing something, and thus
prevented it.
I'm not quite sure where "deter" comes in. It appears you're using it to
imply the second part of "prevent", but in computing security there need
be no emotion.
Puckdropper
--
Wise is the man who attempts to answer his question before asking it.
To email me directly, send a message to puckdropper (at) fastmail.fm
Puckdropper wrote:
> Jerry Stuckle
> news:8bednQcnusXVmIHanZ2dnUVZ_uninZ2d@comcast.com:
>
>> Puckdropper wrote:
>>> Jerry Stuckle
>>> HIeYbanZ2dnUVZ_rWtnZ2d@comcast.com:
>>>
>>> *snip*
>>>
>>>> To be able to prevent something, you must have 100% security. And
>>>> that means, in computer systems anyway, 100% perfect code,
>>>> absolutely no access to the sensitive code, either via
>>>> communications link, physical access to the server or any other way.
>>>> There must also be no copies (i.e. backups) of the sensitive files
>>>> at all. And even then you're likely to have potential gaps in the
>>>> system.
>>>>
>>>> But how many systems do you know fit this?
>>>>
>>> Prevention is NOT about stopping EVERYTHING. It's about stopping
>>> SOME THINGS. You are correct that absolute prevention requires 100%
>>> effective security, but we're merely talking about stopping some
>>> attacks.
>>>
>>> Security, at its simplest, is about allowing access to those who need
>>> access and preventing access to those who do not need access.
>>>
>>> Puckdropper
>> Ah, but it is. If you prevent something, you have stopped it.
>> Period.
>> Stopping "some" break-ins is not prevention.
>>
>> What you are talking is deterrence.
>>
>> And security is about deterring what you can - and minimizing the
>> damage for those you can't.
>>
>
> I'm afraid we're using different definitions.
> Prevent: To keep something from happening; to keep from doing something.
> Deter: To prevent or discourage someone from acting by arousing fear,
> uncertainty, intimidation, or other strong emotion.
>
> Source: Webster's Dictionary (c) 1991
>
When used by security professionals, it is known as deterrence. They
never talk about keeping intrusions or other breaches from happening
(prevention), because they know it's impossible.
> It appears you're using the first part of "prevent", stopping at the
> semicolon. I'm using the second part of the definition, so by stopping
> one, you have successfully kept someone from doing something, and thus
> prevented it.
>
I'm using the same terminology security professionals use. And claiming
prevention is not one of them. Rather, they claim deterrence not
necessarily by fear, but by making it harder to break in so that hackers
will go further.
Maybe not an exact Webster's 1991 definition. But every profession has
its own argot, also.
I just got a note from one of my friends who's in government security.
In part, he said:
"You are correct, Jerry. We are told to never use the words prevent or
prevention when talking about security."
> I'm not quite sure where "deter" comes in. It appears you're using it to
> imply the second part of "prevent", but in computing security there need
> be no emotion.
>
> Puckdropper
Security is always an emotional issue with customers.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Gary L. Burnore wrote:
> On Mon, 22 Oct 2007 01:07:53 +0100, The Natural Philosopher
> wrote:
>
>> Oh, I don't lock my doors that much anyway.
>
> The smell keeps the bad guys away, eh?
>
Are you a Republican or something?
What a curious comment to make.
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>> Sanders Kaufman wrote:
>>>> "Gary L. Burnore"
>>>> news:ffgar8$3n6$1@blackhelicopter.databasix.com...
>>>>> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>>>>
>>>>>> Yeah -but if you obscure the door well, you don't have to worry about
>>>>>> locking it.
>>>>> Not true at all. Comparing it to hacking, someone tries everything
>>>>> whether or not it looks like a knob until something opens. Locking
>>>>> the door would prevent that.
>>>>
>>>> No - locking the door only slows them down after an attack has begun.
>>>> If you want to PREVENT the attack - obscure the target.
>>>> You can't hit what you can't see.
>>>>
>>>>
>>>>
>>>
>>> Sure you can. It's harder, but not at all impossible.
>>>
>> You wont even try to hit something you don't know is there.
>>
>
> Hackers don't care if it's there or not. They'll do a systematic scan
> just to see if something's there. It doesn't cost them anything.
>
Ah, but a scan of what?
I accidentally left a machine with an open global telnet up - for about
2 weeks.
No one hacked it. It's firewalled correctly now..
Jerry Stuckle wrote:
> Sanders Kaufman wrote:
>> "Jerry Stuckle"
>> news:NMmdnfUCXMbcnIHanZ2dnUVZ_gqdnZ2d@comcast.com...
>>
>>> Hackers don't care if it's there or not.
>>
>> What - are you trying to see just how many dumb things you can say in
>> one day?
>> Again - this isn't about values or mores.
>> It's just simple *logic*.
>> I mean - come on, be *rational* man.
>>
>>
>>
>
> I wish you were, Sanders.
>
> What you don't get is - hackers don't care. They just start a program
> which picks an IP address and hits every port on that address, looking
> for anything open. If there are no ports open, they move onto the next
> IP address in line.
>
> It costs them *nothing* to do it. And most will have dozens of these
> programs running simultaneously, looking for ways to break in.
>
> Similar to your house with the "hidden" door. A hacker takes a sledge
> hammer and starts methodically pounding away at every square inch of the
> house until he finds the door.
>
Not really.
Even hackers have better things to do, and besides, the door is in the
ground.
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Puckdropper wrote:
>>
>>> Prevention isn't about 100% prevention, but mainly deterrence. With
>>> preventative efforts, you simply try to make it more difficult to get
>>> to your systems. Maybe then the would-be attacker gets bored or
>>> frustrated and gives up.
>>>
>>> Prevention isn't the only line of defense, of course. If the
>>> attacker does succeed, you have to try to limit the amount of exposure.
>>>
>>> Puckdropper
>>
>>
>> When you build a tank, you do not paint it in dayglo.
>> You paint it dull colors.
>>
>> You *also* give it very thick armour plating.
>>
>> You HOPE the armour plating is never put to the test.
>> Because you know that no armour plating the tank can carry and still
>> function like a tank, is truly safe. It's just better than nothing.
>>
>> And so is the camo on top.
>>
>>
>
> So? We're not talking about tanks.
>
No, we are talking about security, in a hostile environment.
And things that demonstrably work.
Like camouflage.
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>> Michael Fesser wrote:
>>>> .oO(Jerry Stuckle)
>>>>
>>>>> Gary L. Burnore wrote:
>>>>>> Security is about many things of which prevention is one.
>>>>> No responsible person in the security field will ever claim that.
>>>>>
>>>>> There is no such thing as "prevention". That would indicate that
>>>>> something can't happen, which is impossible to do.
>>>>
>>>> If a file is stored outside the document root, it can't be accessed
>>>> by a
>>>> URL. That's prevention.
>>>>
>>>
>>> Nope. It is not. There is, for instance, nothing to stop me from
>>> uploading a document which opens the file and spits the source code
>>> out for me.
>>>
>>
>> Unless there is no way to upload code OR THERE IS, BUT YOU NEVER FOUND
>> IT.
>>
>
> If it's there, it can be found. Period.
>
That's not what I said. I said YOU never found it.
Your logic is very one-dimensional, isn't it?
>> Ah Security by obscurity. Place it somewhere completely different!
>>
>
> Nope. No obscurity at all. It doesn't exist, so I can't get it. Period.
>
Ah. So the only secure computer is one with no information on it. Cool.
>>> But how many systems do you know fit this?
>>>
>> None whatsoever, especially ones you put together ;-)
>>
>
> Which are probably a hell of a lot more secure than anything you come up
> with. Because I don't expect obscurity to protect anything. I assume
> they will find it - and act accordingly.
>
Oh so do I, but that doesn't stop me also making sure that there is
nothing obvious there to make them want to.
>> So we have reduced the argument to the simple proposition that 'no system
>> is secure'
>>
>> Now, which is MORE secure, the one that everyone can see, and just have
>> to find a way into, or the one that most people don't see at all, and
>> if they do, they find what looks like a door, but it takes them
>> straight into a minefield?
>>
>
> The one everyone can see is more likely to be secure because a competent
> admin will plan for break-ins. The one nobody can see may have an
> administrator who slacks off because he believes the server is secure.
>
"may".
> But if there is a house there, I know there is a door somewhere. And
> some careful probing will find the door.
Not if it doesn't look like a house.
>
> Just like if there is a server on the internet, it will respond to
> something. It's just a matter of figuring out what.
>
port 80.
Only.
Unless you happen to do some very unusual things that you wouldn't guess.
>
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> Sanders Kaufman wrote:
>>> "Jerry Stuckle"
>>> news:NMmdnfUCXMbcnIHanZ2dnUVZ_gqdnZ2d@comcast.com...
>>>
>>>> Hackers don't care if it's there or not.
>>>
>>> What - are you trying to see just how many dumb things you can say in
>>> one day?
>>> Again - this isn't about values or mores.
>>> It's just simple *logic*.
>>> I mean - come on, be *rational* man.
>>>
>>>
>>>
>>
>> I wish you were, Sanders.
>>
>> What you don't get is - hackers don't care. They just start a program
>> which picks an IP address and hits every port on that address, looking
>> for anything open. If there are no ports open, they move onto the
>> next IP address in line.
>>
>> It costs them *nothing* to do it. And most will have dozens of these
>> programs running simultaneously, looking for ways to break in.
>>
>> Similar to your house with the "hidden" door. A hacker takes a sledge
>> hammer and starts methodically pounding away at every square inch of
>> the house until he finds the door.
>>
> Not really.
>
> Even hackers have better things to do, and besides, the door is in the
> ground.
>
No, actually, they don't. They just start a program and walk away. The
program hits every square inch of the house. And that includes the ground.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> The Natural Philosopher wrote:
>>> Jerry Stuckle wrote:
>>>> Sanders Kaufman wrote:
>>>>> "Gary L. Burnore"
>>>>> news:ffgar8$3n6$1@blackhelicopter.databasix.com...
>>>>>> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>>>>>
>>>>>>> Yeah -but if you obscure the door well, you don't have to worry
>>>>>>> about
>>>>>>> locking it.
>>>>>> Not true at all. Comparing it to hacking, someone tries everything
>>>>>> whether or not it looks like a knob until something opens. Locking
>>>>>> the door would prevent that.
>>>>>
>>>>> No - locking the door only slows them down after an attack has begun.
>>>>> If you want to PREVENT the attack - obscure the target.
>>>>> You can't hit what you can't see.
>>>>>
>>>>>
>>>>>
>>>>
>>>> Sure you can. It's harder, but not at all impossible.
>>>>
>>> You won't even try to hit something you don't know is there.
>>>
>>
>> Hackers don't care if it's there or not. They'll do a systematic scan
>> just to see if something's there. It doesn't cost them anything.
>>
> Ah, but a scan of what?
>
> I accidentally left a machine with an open global telnet up - for about
> 2 weeks.
>
> No one hacked it. It's firewalled correctly now..
>
>
So? No one attempted to hack it in two weeks. What does that prove?
Maybe they weren't worth hacking?
Some of the sites I monitor have had over 500 attempts per day to access
various ports. Telnet wasn't one of them because it's not active. But
there are many other ports which could be active. I finally had to take
additional steps to secure the systems.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> The Natural Philosopher wrote:
>>> Puckdropper wrote:
>>>
>>>> Prevention isn't about 100% prevention, but mainly deterrence. With
>>>> preventative efforts, you simply try to make it more difficult to
>>>> get to your systems. Maybe then the would-be attacker gets bored or
>>>> frustrated and gives up.
>>>>
>>>> Prevention isn't the only line of defense, of course. If the
>>>> attacker does succeed, you have to try to limit the amount of exposure.
>>>>
>>>> Puckdropper
>>>
>>>
>>> When you build a tank, you do not paint it in dayglo.
>>> You paint it dull colors.
>>>
>>> You *also* give it very thick armour plating.
>>>
>>> You HOPE the armour plating is never put to the test.
>>> Because you know that no armour plating the tank can carry and still
>>> function like a tank, is truly safe. It's just better than nothing.
>>>
>>> And so is the camo on top.
>>>
>>>
>>
>> So? We're not talking about tanks.
>>
> No, we are talking about security, in a hostile environment.
>
> And things that demonstrably work.
>
> Like camouflage.
>
Tanks are physical security. Let's see you camouflage electrons.
They are not at all the same thing. Don't keep trying to change the
subject.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> The Natural Philosopher wrote:
>>> Jerry Stuckle wrote:
>>>> Michael Fesser wrote:
>>>>> .oO(Jerry Stuckle)
>>>>>
>>>>>> Gary L. Burnore wrote:
>>>>>>> Security is about many things of which prevention is one.
>>>>>> No responsible person in the security field will ever claim that.
>>>>>>
>>>>>> There is no such thing as "prevention". That would indicate that
>>>>>> something can't happen, which is impossible to do.
>>>>>
>>>>> If a file is stored outside the document root, it can't be accessed
>>>>> by a
>>>>> URL. That's prevention.
>>>>>
>>>>
>>>> Nope. It is not. There is, for instance, nothing to stop me from
>>>> uploading a document which opens the file and spits the source code
>>>> out for me.
>>>>
>>>
>>> Unless there is no way to upload code OR THERE IS, BUT YOU NEVER
>>> FOUND IT.
>>>
>>
>> If it's there, it can be found. Period.
>>
>
> That's not what I said. I said YOU never found it.
>
> Your logic is very one-dimensional, isn't it?
>
You didn't read what I said, did you.
If it is there, it can be found. Period. Whether I find it or not is
immaterial. The fact that SOMEONE can find it is critical.
>
>
>>> Ah Security by obscurity. Place it somewhere completely different!
>>>
>>
>> Nope. No obscurity at all. It doesn't exist, so I can't get it.
>> Period.
>>
>
> Ah. So the only secure computer is one with no information on it. Cool.
>
Or one which is completely isolated from the internet and outside world,
yes. That's how security professionals think.
>
>>>> But how many systems do you know fit this?
>>>>
>>> None whatsoever, especially ones you put together ;-)
>>>
>>
>> Which are probably a hell of a lot more secure than anything you come
>> up with. Because I don't expect obscurity to protect anything. I
>> assume they will find it - and act accordingly.
>>
>
> Oh so do I, but that doesn't stop me also making sure that there is
> nothing obvious there to make them want to.
>
They don't have to "want to". I have some sites which collect no
information from users - they are strictly informational sites. But
hackers still try to get to them.
>>> So we have reduced the argument to the simple proposition that 'no
>>> system is secure'
>>>
>>> Now, which is MORE secure, the one that everyone can see, and just
>>> have to find a way into, or the one that most people don't see at
>>> all, and if they do, they find what looks like a door, but it takes
>>> them straight into a minefield?
>>>
>>
>> The one everyone can see is more likely to be secure because a
>> competent admin will plan for break-ins. The one nobody can see may
>> have an administrator who slacks off because he believes the server is
>> secure.
>>
>
> "may".
>
>
>> But if there is a house there, I know there is a door somewhere. And
>> some careful probing will find the door.
>
> Not if it doesn't look like a house.
>
It has an address. There is something there. It can be found.
>>
>> Just like if there is a server on the internet, it will respond to
>> something. It's just a matter of figuring out what.
>>
> port 80.
>
> Only.
>
> Unless you happen to do some very unusual things that you wouldn't guess.
>
>
Hackers know all of the tricks. In fact, they probably know a lot more
tricks than you do.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
.oO(Jerry Stuckle)
>Michael Fesser wrote:
>
>> If a file is stored outside the document root, it can't be accessed by a
>> URL. That's prevention.
>
>Nope. It is not. There is, for instance, nothing to stop me from
>uploading a document which opens the file and spits the source code out
>for me.
The file in question is still not accessible by URL, which is all what I
was talking about here.
>The only way to prevent me from getting the file is to not place it
>there in the first place.
The point was to "access the file by URL", which is what a user usually
does. It was not about breaking into the system to get it. If I don't
want a user to directly access something by URL, I can prevent it. If he
still wants to get it, he has to find another way.
>> If you allow the user to submit a value out of [1, 2, 3] to a form
>> processing script and check it against the set of allowed values, they
>> can't inject a 4. That's prevention.
>
>Until they find another way into the system. All you have done is close
>one hole.
Exactly. And I can prevent users from sneaking through that particular
hole by closing it.
>To be able to prevent something, you must have 100% security. And that
>means, in computer systems anyway, 100% perfect code, absolutely no
>access to the sensitive code, either via communications link, physical
>access to the server or any other way. There must also be no copies
>(i.e. backups) of the sensitive files at all. And even then you're
>likely to have potential gaps in the system.
Prevention is not only about protecting an entire system from a break-
in. It's also about all the little things that can get really annoying,
even if someone just presses the wrong key and the application behaves
in an unexpected way or wreaks havoc.
Micha
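The two "prevention" cases Micha describes, a file kept outside the document root so no URL reaches it, and a form value checked against a fixed set of allowed values, as an added example in PHP. This is not code from the thread; the directory layout, the file names and the allowed set [1, 2, 3] are assumptions for the demonstration.

```php
<?php
// Added example (not from the thread). Shows the two "prevention" cases
// under discussion: credentials kept outside the document root, and a
// form value that is only accepted if it is in a fixed allowlist.
//
// Assumed (hypothetical) layout:
//   /var/www/example/config/db.php      <- outside the document root
//   /var/www/example/public/index.php   <- this file; DOCUMENT_ROOT is public/
// Nothing under config/ is reachable by URL; the script reaches it by path.

declare(strict_types=1);

$configFile = dirname(__DIR__) . '/config/db.php';

/**
 * True when $path resolves to a location that is NOT under $documentRoot.
 * A misconfigured vhost that puts config/ under the web root would make the
 * credentials URL-addressable, so refuse to run in that case.
 */
function isOutsideDocumentRoot(string $path, string $documentRoot): bool
{
    $real = realpath($path);
    $root = realpath($documentRoot);
    if ($real === false || $root === false) {
        return false;                      // unresolvable paths: fail closed
    }
    return strpos($real, rtrim($root, '/') . '/') !== 0;
}

/**
 * Allowlist validation: accept only one of the known option numbers and
 * return it as a canonical int, or null for anything else.
 *  - is_string() rejects choice[]=1 style array input.
 *  - \A and \z anchor the whole value; a plain $ would allow a trailing "\n".
 *  - in_array(..., true) compares type as well as value, so "1abc" or
 *    "3 OR 1=1" cannot slip through PHP's loose comparison rules.
 */
function validateChoice($raw, array $allowed = [1, 2, 3]): ?int
{
    if (!is_string($raw) || !preg_match('/\A\d{1,9}\z/', $raw)) {
        return null;
    }
    $value = (int) $raw;
    return in_array($value, $allowed, true) ? $value : null;
}

// --- usage: a real request populates $_POST; a value is constructed here ---
$_POST['choice'] = $_POST['choice'] ?? '2';

if (!isOutsideDocumentRoot($configFile, $_SERVER['DOCUMENT_ROOT'] ?? __DIR__)) {
    http_response_code(500);
    exit("refusing to start: config must live outside the document root\n");
}
require $configFile;                       // defines e.g. DB_DSN, DB_USER (assumed)

$choice = validateChoice($_POST['choice']);
if ($choice === null) {
    http_response_code(400);               // reject; never "repair" the value
    exit("invalid choice\n");
}
echo "accepted choice {$choice}\n";
```

The point of the strict comparison and the anchored pattern is exactly the one Micha makes: with the set closed this way, a request cannot inject a 4, a "4 " with trailing whitespace, or a string that merely starts with a digit. What the check does not do is protect the file from an attacker who already runs code on the server, which is the separate case Jerry raises.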
I have not read all of the info here, I admit it. Just seems odd that
this post got to where it is when the original request was for a php
source code encrypting tool. Whatever the requestor's reason was, that
was what they asked for.
It is not possible to prevent an attacker from accessing a system, by
obscurity or any other method short of disconnecting the system etc.
Obscurity may work well as a military defense, and may work as a
function to add a little more security with computer systems, but
there is no see all be all with regards to computer security, being
100% prevention/protection. All computer security is is basically
continually monitoring methods attackers are using, and trying to
close those holes as soon as possible, to prevent a particular method
being used. However for every hole you close, you potentially could
be opening another hole up, regardless of whether the security
professional realizes it at first or not...can't count the number of
security fixes released by some OS suppliers that seem to fix the same
problems time after time with the same programs etc. Obscurity is not
a valid computer security method in most cases, since obscuring the
computer system, makes it useless, whether it is a public accessible
system, or internal system, has essentially the same effect as turning
it off and not even using the thing. As others mentioned, if it can
be connected to, internally or externally, it is going to have
vulnerabilities, and eventually someone may find these
vulnerabilities, and use them to gain unauthorized access. With any
new application installed on a system, or whatever, there is a whole
new set of vulnerabilities that would come along with it, which may or
may not be securable. In order to provide the necessary functionality
for a system, there will be vulnerabilities. You could only obscure
so much to a point, for example if you obscure your door, you still
may have a window visible, secure the window and you lose
functionality. If you built your house with no doors, no windows, you
would have a sealed box, that you could either remain built in, sealed
out, or whatever...not a very useful place. Same thing with
computers, if you close down everything, or built to not allow any
access, you have a useless box...useless to the intended users, and
useless to those choosing to crack the box. Sure you would have
security, but to what benefit? A security professional would make the
system as secure as possible, without eliminating this functionality
needed, by doing so, they know there are vulnerabilities in the
system, any security guy that said the box is uncrackable would be a
liar, an idiot, or both. It is an ever changing field, not one I am
involved heavily with, thank God. Securing computer systems is
basically just trying to stay ahead of the attackers, fixing holes as
possible, but never attaining super galactic preventative security.
As for the PHP encrypting, as others mentioned, you can encrypt your
php code, but without some sort of updating to your web server, it
will be unable to use the encrypted php...if the web server is
modified to read the php encrypted code, it would open up other
security holes I am sure, since I would imagine it would need to
decrypt the code at a point in the process, which may or may not be
exploitable. I am not aware of any php encrypter/encrypted php
interpreters for the web servers, though some might exist somewhere.
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>> The Natural Philosopher wrote:
>>>> Jerry Stuckle wrote:
>>>>> Sanders Kaufman wrote:
>>>>>> "Gary L. Burnore"
>>>>>> news:ffgar8$3n6$1@blackhelicopter.databasix.com...
>>>>>>> On Sun, 21 Oct 2007 18:42:39 GMT, "Sanders Kaufman"
>>>>>>
>>>>>>>> Yeah -but if you obscure the door well, you don't have to worry
>>>>>>>> about
>>>>>>>> locking it.
>>>>>>> Not true at all. Comparing it to hacking, someone tries everything
>>>>>>> whether or not it looks like a knob until something opens. Locking
>>>>>>> the door would prevent that.
>>>>>>
>>>>>> No - locking the door only slows them down after an attack has begun.
>>>>>> If you want to PREVENT the attack - obscure the target.
>>>>>> You can't hit what you can't see.
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Sure you can. It's harder, but not at all impossible.
>>>>>
>>>> You won't even try to hit something you don't know is there.
>>>>
>>>
>>> Hackers don't care if it's there or not. They'll do a systematic
>>> scan just to see if something's there. It doesn't cost them anything.
>>>
>> Ah, but a scan of what?
>>
>> I accidentally left a machine with an open global telnet up - for
>> about 2 weeks.
>>
>> No one hacked it. It's firewalled correctly now..
>>
>>
>
> So? No one attempted to hack it in two weeks. What does that prove?
> Maybe they weren't worth hacking?
Indeed. Which is the whole point I'm trying to make.
Sigh.
>
> Some of the sites I monitor have had over 500 attempts per day to access
> various ports. Telnet wasn't one of them because it's not active. But
> there are many other ports which could be active. I finally had to take
> additional steps to secure the systems.
>
If I knew which sites you monitored I'd make it my business to hack at
them as hard as I could.
It's your winning personality that does it.
Jerry Stuckle wrote:
> The Natural Philosopher wrote:
>> Jerry Stuckle wrote:
>>> The Natural Philosopher wrote:
>>>> Puckdropper wrote:
>>>>
>>>>> Prevention isn't about 100% prevention, but mainly deterrence. With
>>>>> preventative efforts, you simply try to make it more difficult to
>>>>> get to your systems. Maybe then the would-be attacker gets bored
>>>>> or frustrated and gives up.
>>>>>
>>>>> Prevention isn't the only line of defense, of course. If the
>>>>> attacker does succeed, you have to try to limit the amount of
>>>>> exposure.
>>>>>
>>>>> Puckdropper
>>>>
>>>>
>>>> When you build a tank, you do not paint it in dayglo.
>>>> You paint it dull colors.
>>>>
>>>> You *also* give it very thick armour plating.
>>>>
>>>> You HOPE the armour plating is never put to the test.
>>>> Because you know that no armour plating the tank can carry and still
>>>> function like a tank, is truly safe. It's just better than nothing.
>>>>
>>>> And so is the camo on top.
>>>>
>>>>
>>>
>>> So? We're not talking about tanks.
>>>
>> No, we are talking about security, in a hostile environment.
>>
>> And things that demonstrably work.
>>
>> Like camouflage.
>>
>
> Tanks are physical security. Let's see you camouflage electrons.
>
Coaxial cable.
Next?
> They are not at all the same thing. Don't keep trying to change the
> subject.
>
>
Why not? I learnt it from you..;-)
The Natural Philosopher wrote:
> Jerry Stuckle wrote:
>> The Natural Philosopher wrote:
>>> Jerry Stuckle wrote:
>>>> The Natural Philosopher wrote:
>>>>> Puckdropper wrote:
>>>>>
>>>>>> Prevention isn't about 100% prevention, but mainly deterrence.
>>>>>> With preventative efforts, you simply try to make it more
>>>>>> difficult to get to your systems. Maybe then the would-be
>>>>>> attacker gets bored or frustrated and gives up.
>>>>>>
>>>>>> Prevention isn't the only line of defense, of course. If the
>>>>>> attacker does succeed, you have to try to limit the amount of
>>>>>> exposure.
>>>>>>
>>>>>> Puckdropper
>>>>>
>>>>>
>>>>> When you build a tank, you do not paint it in dayglo.
>>>>> You paint it dull colors.
>>>>>
>>>>> You *also* give it very thick armour plating.
>>>>>
>>>>> You HOPE the armour plating is never put to the test.
>>>>> Because you know that no armour plating the tank can carry and still
>>>>> function like a tank, is truly safe. It's just better than nothing.
>>>>>
>>>>> And so is the camo on top.
>>>>>
>>>>>
>>>>
>>>> So? We're not talking about tanks.
>>>>
>>> No, we are talking about security, in a hostile environment.
>>>
>>> And things that demonstrably work.
>>>
>>> Like camouflage.
>>>
>>
>> Tanks are physical security. Let's see you camouflage electrons.
>>
>
> Coaxial cable.
>
Yea, right.
> Next?
>
>> They are not at all the same thing. Don't keep trying to change the
>> subject.
>>
>>
> Why not? I learnt it from you..;-)
>
>
No you didn't, troll.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
"Jerry Stuckle"
news:ffqdnWXoe6LKtYHanZ2dnUVZ_qWtnZ2d@comcast.com...
> What you don't get is - hackers don't care. They just start a program
> which picks an IP address and hits every port on that address, looking for
> anything open. If there are no ports open, they move onto the next IP
> address in line.
>
> It costs them *nothing* to do it. And most will have dozens of these
> programs running simultaneously, looking for ways to break in.
Well - nothing except time.
And even then - you've got no idea what kind of target you've got.
Better to go somewhere where you already KNOW that you'll get the kinds of
hits you're looking for, than to scan every PC on the web.
> Similar to your house with the "hidden" door. A hacker takes a sledge
> hammer and starts methodically pounding away at every square inch of the
> house until he finds the door.
While that's a lousy way to break into something - it's a fine way to draw
attention to yourself.
"Jerry Stuckle"
news:arGdnY6T793tGIHanZ2dnUVZ_qiinZ2d@comcast.com...
>
> When used by security professionals, it is known as deterrence. They
> never talk about keeping intrusions or other breaches from happening
> (prevention), because they know it's impossible.
This is one of the things that Republicans like Jerry do that *really*
pisses me off.
They use a word in a completely inappropriate way.
Then, when called on it, they claim that they were using a *slang* version
of the word.
Then, like that's not enough of a lie, they go on to claim that some other
group uses it that way.
This same thing happened in another conversation about Valerie Plame - the
CIA agent who was exposed by Bush in retaliation for her disproving his
Iraqi WMD lies.
The Republican in that conversation said that she was not "covert".
Then, after some back and forth, he said she was not "covert" in the
"classical sense".
It would be *so* easy for Republicans to just say "I was wrong" or "I made a
mistake" - but it's just not in their character.
"Jerry Stuckle"
news:4I2dnZdK9LwoCIHanZ2dnUVZ_tKinZ2d@comcast.com...
> The Natural Philosopher wrote:
>> I accidentally left a machine with an open global telnet up - for about
>> 2 weeks.
>>
>> No one hacked it. It's firewalled correctly now..
>
> So? No one attempted to hack it in two weeks. What does that prove?
> Maybe they weren't worth hacking?
An open, freely available, unsecured, global telnet box - NOT WORTH
HACKING??!!
It's the Holy Grail of botnet zombies.
> Some of the sites I monitor have had over 500 attempts per day to access
> various ports. Telnet wasn't one of them because it's not active. But
> there are many other ports which could be active. I finally had to take
> additional steps to secure the systems.
Hackers don't *try* to connect via telnet because it's not active?
What - are you pre-notifying them?
No, of course not.
You're just making shit up to embiggen yourself.
"Jerry Stuckle"
news:4I2dnZZK9Ly3C4HanZ2dnUVZ_tLinZ2d@comcast.com...
> The Natural Philosopher wrote:
> Tanks are physical security. Let's see you camouflage electrons.
Camouflaging something that's invisible will only make the camouflage
conspicuous.
.oO(Sanders Kaufman)
>"Jerry Stuckle"
>news:ffqdnWXoe6LKtYHanZ2dnUVZ_qWtnZ2d@comcast.com...
>
>> What you don't get is - hackers don't care. They just start a program
>> which picks an IP address and hits every port on that address, looking for
>> anything open. If there are no ports open, they move onto the next IP
>> address in line.
>>
>> It costs them *nothing* to do it. And most will have dozens of these
>> programs running simultaneously, looking for ways to break in.
>
>Well - nothing except time.
Massively parallel port scanning should be quite cheap on a modern
machine and a good connection. Such scanners can run in the background,
while you're watching a movie, having sex or even during the night.
Time is not really an issue here.
>And even then - you've got no idea what kind of target you've got.
Who cares? Spammers send out _millions_ of emails. It's more than enough
if 0.1% hit their "target". You can fire a thousand bullets out of a
machine gun - often it's enough if _one_ hits the target critically.
>Better to go somewhere where you already KNOW that you'll get the kinds of
>hits you're looking for, than to scan every PC on the web.
Many years ago it already was that simple: Start the scanner, enter an
IP range - and go. Yes, I've tried such a tool out of curiosity, because
I wanted to know if it's really that easy. And it was. There's _always_
a lot to find (in that case open Windows shares), and with such a tool
you don't even really have to search for it - just start it, let it do
the work and wait for the results.
And I'm pretty sure - today it's even simpler for the script kiddies,
there are enough tools around. They fire it up in the morning, and when
they come back from school, they have a nice list of new victims or
maybe even more already.
Micha
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:4I2dnZdK9LwoCIHanZ2dnUVZ_tKinZ2d@comcast.com...
>> The Natural Philosopher wrote:
>
>>> I accidentally left a machine with an open global telnet up - for about
>>> 2 weeks.
>>>
>>> No one hacked it. It's firewalled correctly now..
>> So? No one attempted to hack it in two weeks. What does that prove?
>> Maybe they weren't worth hacking?
>
> An open, freely available, unsecured, global telnet box - NOT WORTH
> HACKING??!!
> It's the Holy Grail of botnet zombies.
>
>
Indeed. Which is why I was deeply grateful that no one noticed it before
I could get it tested. And set the firewall to come on when
booted..couldn't test it where it was as the firewall allows ME in.
>> Some of the sites I monitor have had over 500 attempts per day to access
>> various ports. Telnet wasn't one of them because it's not active. But
>> there are many other ports which could be active. I finally had to take
>> additional steps to secure the systems.
>
> Hackers don't *try* to connect via telnet because it's not active?
> What - are you pre-notifying them?
> No, of course not.
> You're just making shit up to embiggen yourself.
>
The bigger the arsehole the more shit comes out.
Jerry likes to lord it over everyone..he knows some, but not as much as
he wants people to believe.
>
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:ffqdnWXoe6LKtYHanZ2dnUVZ_qWtnZ2d@comcast.com...
>
>> What you don't get is - hackers don't care. They just start a program
>> which picks an IP address and hits every port on that address, looking for
>> anything open. If there are no ports open, they move onto the next IP
>> address in line.
>>
>> It costs them *nothing* to do it. And most will have dozens of these
>> programs running simultaneously, looking for ways to break in.
>
> Well - nothing except time.
> And even then - you've got no idea what kind of target you've got.
> Better to go somewhere where you already KNOW that you'll get the kinds of
> hits you're looking for, than to scan every PC on the web.
>
They don't care. All they do is start the program and go off. And no,
they don't know what they're looking for. But they're hoping they'll
"strike gold" - i.e. a database of unencrypted credit card numbers, etc.
They are much more likely to get that on a less-famous site than
microsoft.com, for instance. And that's what they want.
And they do scan "every pc on the web". I even get it here on my cable
connection, and when I'm in a hotel or other outside link, my firewall
sometimes logs hundreds of hits per minute.
>
>> Similar to your house with the "hidden" door. A hacker takes a sledge
>> hammer and starts methodically pounding away at every square inch of the
>> house until he finds the door.
>
> While that's a lousy way to break into something - it's a fine way to draw
> attention to yourself.
>
Not at all. How regularly do you think most people check their logs? I
keep telling my customers they need to check their logs - I can either
show them how to do it, or do it for them (for a price, of course). But
many don't.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
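Jerry's point is that the sweeping scans he describes are noisy but go unnoticed because nobody reads the firewall log. The check below, an added example in PHP that is not from the thread, is the kind of routine log review he says customers skip: it parses netfilter-style drop records, groups them by source address, and flags any source that touched many distinct destination ports. The log lines, the "[FW DROP]" prefix, the addresses (RFC 5737 documentation ranges) and the threshold are all constructed for the example.

```php
<?php
// Added example (not from the thread): review a firewall log for sources that
// probed many distinct ports, the pattern of the "hit every port on that
// address" scan described above. Sample lines and threshold are constructed.

declare(strict_types=1);

const SCAN_PORT_THRESHOLD = 10;   // distinct ports from one source (assumed)

/**
 * Extract SRC=, PROTO= and DPT= from one netfilter-style log line.
 * Returns null for lines that are not firewall drop records.
 */
function parseFirewallLine(string $line): ?array
{
    if (!preg_match('/\bSRC=(\S+).*\bPROTO=(\S+).*\bDPT=(\d+)\b/', $line, $m)) {
        return null;
    }
    return ['src' => $m[1], 'proto' => $m[2], 'dpt' => (int) $m[3]];
}

/** Per source address: number of dropped attempts and the set of ports hit. */
function summariseBySource(iterable $lines): array
{
    $bySrc = [];
    foreach ($lines as $line) {
        $rec = parseFirewallLine($line);
        if ($rec === null) {
            continue;                          // sshd, cron, etc.: not a drop
        }
        $src = $rec['src'];
        $bySrc[$src]['attempts'] = ($bySrc[$src]['attempts'] ?? 0) + 1;
        $bySrc[$src]['ports'][$rec['dpt']] = true;   // keyed: distinct ports
    }
    return $bySrc;
}

/** Sources whose distinct-port count meets the threshold, most ports first. */
function suspectedScanners(array $bySrc, int $threshold = SCAN_PORT_THRESHOLD): array
{
    $out = [];
    foreach ($bySrc as $src => $info) {
        $n = count($info['ports']);
        if ($n >= $threshold) {
            $out[$src] = $n;
        }
    }
    arsort($out);
    return $out;
}

// Constructed sample: one source sweeping ports 21..35, one client that hit a
// single closed port twice (not a scan), and an unrelated sshd line.
$sample = [];
foreach (range(21, 35) as $port) {
    $sample[] = "Oct 22 03:14:$port host kernel: [FW DROP] IN=eth0 OUT= "
        . "SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40123 DPT=$port SYN";
}
$sample[] = "Oct 22 03:15:01 host kernel: [FW DROP] IN=eth0 OUT= "
    . "SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=8080 SYN";
$sample[] = "Oct 22 03:15:02 host kernel: [FW DROP] IN=eth0 OUT= "
    . "SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=8080 SYN";
$sample[] = "Oct 22 03:15:03 host sshd[1234]: Accepted publickey for admin from 192.0.2.10";

// Usage: `php scancheck.php /var/log/kern.log` reads a real file; with no
// argument the constructed sample above is used.
$lines = ($argc > 1) ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : $sample;

foreach (suspectedScanners(summariseBySource($lines)) as $src => $ports) {
    echo "possible port scan from $src: $ports distinct ports\n";
}
```

On the sample this reports only 203.0.113.9 (15 distinct ports); the client that retried one closed port stays below the threshold, which is the distinction a daily review actually needs. Counting distinct ports rather than raw attempts is what separates a sweep from ordinary retries, and the threshold is a tuning knob, not a fact about the network.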
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:4I2dnZdK9LwoCIHanZ2dnUVZ_tKinZ2d@comcast.com...
>> The Natural Philosopher wrote:
>
>>> I accidentally left a machine with an open global telnet up - for about
>>> 2 weeks.
>>>
>>> No one hacked it. It's firewalled correctly now..
>> So? No one attempted to hack it in two weeks. What does that prove?
>> Maybe they weren't worth hacking?
>
> An open, freely available, unsecured, global telnet box - NOT WORTH
> HACKING??!!
> It's the Holy Grail of botnet zombies.
>
>
>> Some of the sites I monitor have had over 500 attempts per day to access
>> various ports. Telnet wasn't one of them because it's not active. But
>> there are many other ports which could be active. I finally had to take
>> additional steps to secure the systems.
>
> Hackers don't *try* to connect via telnet because it's not active?
> What - are you pre-notifying them?
> No, of course not.
> You're just making shit up to embiggen yourself.
>
>
>
But telnet is not the only port - in fact, it's one of the least often
ports hackers try to access. There are much more lucrative ones.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Sanders Kaufman wrote:
> "Jerry Stuckle"
> news:arGdnY6T793tGIHanZ2dnUVZ_qiinZ2d@comcast.com...
>
>> When used by security professionals, it is known as deterrence. They
>> never talk about keeping intrusions or other breaches from happening
>> (prevention), because they know it's impossible.
>
> This is one of the things that Republicans like Jerry do that *really*
> pisses me off.
>
Got no argument so you need to pull in the politics again, huh,
Sanders-troll?
> They use a word in a completely inappropriate way.
> Then, when called on it, they claim that they were using a *slang* version
> of the word.
>
That is the way SECURITY PROFESSIONALS use it. It has NOTHING to do
with politics.
> Then, like that's not enough of a lie, they go on to claim that some other
> group uses it that way.
>
Yep. People who are a hell of a lot more intelligent than the
Sanders-Troll.
> This same thing happened in another conversation about Valerie Plame - the
> CIA agent who was exposed by Bush in retaliation for her disproving his
> Iraqi WMD lies.
>
More trolling, Sanders.
> The Republican in that conversation said that she was not "covert".
> Then, after some back and forth, he said she was not "covert" in the
> "classical sense".
>
Keep up the trolling, Sanders.
> It would be *so* easy for Republicans to just say "I was wrong" or "I made a
> mistake" - but it's just not in their character.
>
Let me know when you want to have a real discussion, Sanders-Troll.
Your attempt to politicize everything is boring.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Jerry Stuckle wrote:
> Sanders Kaufman wrote:
>> "Jerry Stuckle"
>> news:4I2dnZdK9LwoCIHanZ2dnUVZ_tKinZ2d@comcast.com...
>>> The Natural Philosopher wrote:
>>
>>>> I accidentally left a machine with an open global telnet up - for
>>>> about 2 weeks.
>>>>
>>>> No one hacked it. It's firewalled correctly now.
>>> So? No one attempted to hack it in two weeks. What does that prove?
>>> Maybe they weren't worth hacking?
>>
>> An open, freely available, unsecured, global telnet box - NOT WORTH
>> HACKING??!!
>> It's the Holy Grail of botnet zombies.
>>
>>
>>> Some of the sites I monitor have had over 500 attempts per day to
>>> access various ports. Telnet wasn't one of them because it's not
>>> active. But there are many other ports which could be active. I
>>> finally had to take additional steps to secure the systems.
>>
>> Hackers don't *try* to connect via telnet because it's not active?
>> What - are you pre-notifying them?
>> No, of course not.
>> You're just making shit up to embiggen yourself.
>>
>>
>>
>
> But telnet is not the only port - in fact, it's one of the least often
> ports hackers try to access. There are much more lucrative ones.
>
Well SMB was wide open too. They missed that as well.
"Jerry Stuckle"
news:vIednXqDY-rwoYDanZ2dnUVZ_hOdnZ2d@comcast.com...
> Sanders Kaufman wrote:
>> Better to go somewhere where you already KNOW that you'll get the kinds
>> of hits you're looking for, than to scan every PC on the web.
>
> They don't care. All they do is start the program and go off. And no,
> they don't know what they're looking for. But they're hoping they'll
> "strike gold" - i.e. a database of unencrypted credit card numbers, etc.
War Game Dialing is perhaps the MOST common way for amateur hackers to get
themselves busted.
It's not very effective at finding hackable systems - but it's a GREAT way
to find Honey Pots.
"Michael Fesser"
news:437qh3ljs51gtqhlfp0fn2vg8gl988pido@4ax.com...
> .oO(Sanders Kaufman)
>>So you think that cracking an algorithm is easier than cracking a
>>password?
>
> Yes, often.
>
>>Do the math - the formula is harder to crack.
>
> Never underestimate the power and possibilities of cryptanalysis and
> stochastics. Brute-forcing a password is one way, but often the more
> efficient and easier way is to break the algorithm. There are _many_
> different ways to break even unknown algorithms, and often enough it's
> this "closed source" nature itself that makes it vulnerable.
Indeed - which is why a dynamic password, rather than a static one, is so
much more secure.
Put a hundred monkeys in a room with a hundred typewriters for a hundred
days - and one of them will type your password.
But multiply that process by itself and still - NONE of them will come up
with a password algorithm.
"Jerry Stuckle"
news:vIednXSDY-opoIDanZ2dnUVZ_hOdnZ2d@comcast.com...
> Sanders Kaufman wrote:
>> They use a word in a completely inappropriate way.
>> Then, when called on it, they claim that they were using a *slang*
>> version of the word.
>
> That is the way SECURITY PROFESSIONALS use it. It has NOTHING to do with
> politics.
So you justify using a word *incorrectly* by claiming that unnamed experts
use it in a similarly incorrect way, eh?
Why do you Republicans always think that "everybody does it" is an excuse
for your own insincerity?
.oO(Sanders Kaufman)
>"Michael Fesser"
>news:437qh3ljs51gtqhlfp0fn2vg8gl988pido@4ax.com...
>
>> Never underestimate the power and possibilities of cryptanalysis and
>> stochastics. Brute-forcing a password is one way, but often the more
>> efficient and easier way is to break the algorithm. There are _many_
>> different ways to break even unknown algorithms, and often enough it's
>> this "closed source" nature itself that makes it vulnerable.
>
>Indeed - which is why a dynamic password, rather than a static one, is so
>much more secure.
The password itself is only a little piece in the puzzle. A strong
password is useless in a weak algorithm.
Published and well-known algorithms like MD5 and SHA1 are under heavy
attacks today, because vulnerabilities were found in the last couple of
years. And it's just a matter of time until these algorithms are
finally broken (some people think they already are). In such a case it
absolutely doesn't matter what the password is. It can be "123456" or
"ölj&e#" - if you get the hash and know how to break the algo (or have
other tools at hand, like rainbow tables for example), the door is open.
You don't even have to know the algorithm itself. IMHO the most famous
example are the Enigma machines during WW2, which have perfectly shown
that you can break even unknown algorithms. And the simpler the algo
(like switching some characters around or mixing them with something
else), the easier it is to break. In fact hiding the algorithm doesn't
work, because it's just security by obscurity. The security of a system
should not rely on its algorithm, but on the secret key (Kerckhoffs'
principle).
>Put a hundred monkeys in a room with a hundred typewriters for a hundred
>days - and one of them will type your password.
Maybe.
>But multiply that process by itself and still - NONE of them will come up
>with a password algorithm.
Why not? These monkeys are able to write Shakespeare in Chinese
backwards if you're lucky enough.
Micha
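An added illustration of the Kerckhoffs' principle point made in the post above, applied to the per-site password derivation this thread is about; this is not code from any poster, and the master key, site names and function names are constructed for the example.

```python
# Added illustration of Kerckhoffs' principle (not code from this thread).
# Two ways to derive a per-site password from a site name: one relies on a
# secret transform, the other on a public algorithm plus a secret key.
import hashlib
import hmac


def obscure_derive(site: str) -> str:
    """'Secret algorithm' scheme (constructed): a keyless transform of the
    site name. Anyone who learns the transform can reproduce every password."""
    digest = hashlib.md5(site[::-1].encode("utf-8")).hexdigest()
    return digest[:12]


def keyed_derive(master_key: bytes, site: str) -> str:
    """Kerckhoffs-style scheme: the algorithm (HMAC-SHA256 over the site
    name) is public; only the master key is secret."""
    mac = hmac.new(master_key, site.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:12]


def algorithm_disclosure_is_fatal(derive, known_site: str, known_pw: str,
                                  other_site: str, other_pw: str) -> bool:
    """Defender's check: given one (site, password) pair and full knowledge
    of the algorithm, can the password for a second site be reproduced?
    True means the scheme had no real secret: knowing the algorithm alone
    breaks it."""
    if derive(known_site) != known_pw:
        return False  # the known pair does not even match this derivation
    return derive(other_site) == other_pw


def audit(master_key: bytes) -> dict:
    """Run the check against both schemes with constructed site names."""
    s1, s2 = "example.com", "example.net"
    # Keyless scheme: the public transform IS the whole secret.
    obscure_fatal = algorithm_disclosure_is_fatal(
        obscure_derive, s1, obscure_derive(s1), s2, obscure_derive(s2))
    # Keyed scheme: the algorithm is known but the key is not, so the best
    # a model without the key can do is run HMAC with some other key.
    wrong_key = b"constructed-guess-that-is-not-the-real-key"
    keyed_fatal = algorithm_disclosure_is_fatal(
        lambda site: keyed_derive(wrong_key, site),
        s1, keyed_derive(master_key, s1), s2, keyed_derive(master_key, s2))
    return {"secret_algorithm_broken": obscure_fatal,
            "keyed_scheme_broken": keyed_fatal}


if __name__ == "__main__":
    # -> {'secret_algorithm_broken': True, 'keyed_scheme_broken': False}
    print(audit(b"constructed-master-key"))
```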
"Michael Fesser"
news:aj0th3d1v725nmmc629h9qturjqd2ijffi@4ax.com...
> .oO(Sanders Kaufman)
>>Indeed - which is why a dynamic password, rather than a static one, is so
>>much more secure.
>
> The password itself is only a little piece in the puzzle. A strong
> password is useless in a weak algorithm.
What an *empty* thing to say.
> Published and well-known algorithms like MD5 and SHA1 are under heavy
> attacks today, because vulnerabilities were found in the last couple of
> years.
Wow - that's overkill.
I just wanted to have a way to remember a different password for every site.
I wasn't trying to reverse-engineer Enigma.
>>Put a hundred monkeys in a room with a hundred typewriters for a hundred
>>days - and one of them will type your password.
>
>>But multiply that process by itself and still - NONE of them will come up
>>with a password algorithm.
>
> Why not? These monkeys are able to write Shakespeare in Chinese
> backwards if you're lucky enough.
Because an algorithm is not a string.
.oO(Sanders Kaufman)
>"Michael Fesser"
>news:aj0th3d1v725nmmc629h9qturjqd2ijffi@4ax.com...
>>
>> Why not? These monkeys are able to write Shakespeare in Chinese
>> backwards if you're lucky enough.
>
>Because an algorithm is not a string.
Of course it is.
This is a string: "Add the two variables x and y."
This is a string as well: "
Both describe an algorithm in different ways. Even the compiled binary
code can be considered a string.
Micha
"Michael Fesser"
news:16d1i3t7cjs1ebjfo3u4mfm5rph6eh1t4g@4ax.com...
> .oO(Sanders Kaufman)
>>Because an algorithm is not a string.
>
> Of course it is.
Congratulations.
That's the dumbest thing said in comp.lang.php - EVER.
> Even the compiled binary code can be considered a string.
And that's a close second.
.oO(Sanders Kaufman)
>"Michael Fesser"
>news:16d1i3t7cjs1ebjfo3u4mfm5rph6eh1t4g@4ax.com...
>> .oO(Sanders Kaufman)
>
>>>Because an algorithm is not a string.
>>
>> Of course it is.
>
>Congratulations.
>That's the dumbest thing said in comp.lang.php - EVER.
Tell me why these:
"Add the two variables x and y."
"
are either no strings or don't describe the algo.
>> Even the compiled binary code can be considered a string.
>
>And that's a close second.
What is a string?
It's either this:
http://www.cargal.org/images/gallery/albums/album41/getstringfromobject.sized.jpg
Or just a sequence of symbols or digits chosen from a predetermined set,
which is what we're talking about here. And what is binary code? It's a
sequence of symbols or digits. Since there are usually only digits on
the lowest level, you could also interpret it as a really big integer,
but this doesn't matter here.
In other words: Where's the difference between Shakespeare and a PHP
script? Both use the same alphabet, the same symbols - just in a
different order. So why shouldn't one of your monkeys be able to
write "Romeo and Juliet", another one writes a speech for Bush (which in
fact does happen quite regularly, SCNR) and a third one comes up with
the MD5 algo for example? Technically they're the same - a sequence of
symbols, a string.
Micha
"Michael Fesser"
news:37l1i3dnvc7m6hpp99t3gu0381hvq20gf4@4ax.com...
> .oO(Sanders Kaufman)
>>>>Because an algorithm is not a string.
>>>
>>> Of course it is.
>>
>>Congratulations.
>>That's the dumbest thing said in comp.lang.php - EVER.
>
> Tell me why these:
>
> "Add the two variables x and y."
> "
>
> are either no strings or don't describe the algo.
It's odd - how you start by arguing that the string IS the algorithm.
And END by arguing that it simply *represents* the algorithm.
If you can't see the contradiction there - nothing I can type here will
leave you better informed.
>>> Even the compiled binary code can be considered a string.
>>
>>And that's a close second.
>
> What is a string?
A bunch of characters, of course.
Any *honest* programmer can tell you that.
> In other words: Where's the difference between Shakespeare and a PHP
> script?
What an awkwardly complex way of avoiding the simple definition THAT was.
.oO(Sanders Kaufman)
>"Michael Fesser"
>
>> Tell me why these:
>>
>> "Add the two variables x and y."
>> "
>>
>> are either no strings or don't describe the algo.
>
>It's odd - how you start by arguing that the string IS the algorithm.
>And END by arguing that it simply *represents* the algorithm.
Hairsplitting. You didn't answer my question. You still refuse to answer
this simple question: Why are a hundred monkeys with typewriters able to
write a complex drama, but not a simple password encryption algorithm?
>> What is a string?
>
>A bunch of characters, of course.
That's _exactly_ what I said.
>Any *honest* programmer can tell you that.
_You_ didn't tell me.
>> In other words: Where's the difference between Shakespeare and a PHP
>> script?
>
>What an awkwardly complex way of avoiding the simple definition THAT was.
Again - you didn't answer the question, even if it was as simple as
possible.
Micha
"Michael Fesser"
news:ln62i3lqd5fht72k6qafuj5h1o03qjdrgk@4ax.com...
> .oO(Sanders Kaufman)
>>It's odd - how you start by arguing that the string IS the algorithm.
>>And END by arguing that it simply *represents* the algorithm.
>
> Hairsplitting.
When dealing with complex math concepts - hairsplitting is NO sin.
Indeed - it's an intellectual imperative.
If you would prefer a less precise form of dialogue, you may want to
consider a less precision-demanding topic.