[nycphp-talk] Where to store credentials and/or keys
michael
lists at genoverly.net
Mon Aug 14 18:55:55 EDT 2006

On Mon, 14 Aug 2006 15:25:25 -0700
"inforequest" <1j0lkq002 at sneakemail.com> wrote:
> Including a dbconnect.inc or whatever with incorrect (and never used)
> details while actually using dbconnect data that was encoded into
> some other file with a nondescript name might go a long way to
> deterring the script kiddies and opportunists. Repeating the
> obscurity thing, best first know why your best bet includes that
> obfuscation tactic, so you can 'splain yourself if you get hacked. I
> might use this to protect commercial data, but not ss#s and the like.
>
> -=john

"Obfuscation as security".. has been beaten to death, (and as,
predominantly, an OpenBSD user, you know what I'll say) but..
c'mon john.. a honey pot? For what end? Shits and giggles? You are
usually spot on with your posts, but, I am of the opinion you wandered
off the trail here. The fact that a honey pot can be found (or
was left to be found) shows a serious flaw in the app.

Don't create and include a dbconnect.inc if you are not going to use it.
That is a flat-out bad practice. If it were my shop, I would feel more
comfortable having developers concentrating on writing and implementing
a tight app. Besides, extraneous files are annoying and confusing to
developers coming behind you. Oh, and, on the off chance a 'kiddie'
finds your honey pot -and discovers it is empty- he may get pissed off
enough to 'concentrate' on you rather than finding nothing and just
moving on; looking for easier prey.

--
Michael