Thread: Security issue
01-21-2009, 05:49 PM   #48
Dale
Analogy: some people put their emergency cash in an old beer can in the refrigerator. No burglar would ever think of looking there.

Or, if I hide the front door key in that real-looking fake rock in the flowerbed...

If software "security" is based on "nobody would ever think of doing that to get to do something bad", it's not very secure. Somebody is sure to think of doing it.

Recent analogy: Just because the "website" button lets someone get to a web browser (without putting in a password), nobody would think of how to abuse that.

The whole area is generally called "security through obscurity". In other words, if you hide the exposure well enough, it's "not a problem".

In this case, I (perhaps incorrectly) inferred that the "security" solution depends on writing (and/or running) a file, which is hidden from the user.

Let's say it depends on running a script - and if the script isn't there, then it writes the script file, and then runs it.

User finds the file, MODIFIES the script, and then PROTECTS the file from being replaced. Now, when the "website" button causes the script to be executed, it is the MODIFIED script. Does whatever the user wanted.

That's all speculative, of course. But if the "security" depends on writing or reading a user-modifiable file (i.e., a file in user space), it's just not technically "secure". It's just "obscure".

Did that explanation help to understand my (possibly totally off-base) comment?
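To make the scenario in the post concrete from the defensive side, here is an added Python example (written for this page; it is not code from the thread or from any product discussed in it). It assumes a POSIX system and uses a constructed helper script name and body standing in for the hidden "website" script the post speculates about. The weak loader writes the script if it is missing and then trusts whatever is on disk, exactly the pattern described; the checked loader refuses to run the file unless it is a regular, non-shared-writable file whose SHA-256 matches a digest carried inside the program, which is the one thing a user-space edit cannot quietly change.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed stand-in for the hidden helper script; name and body are
# assumptions for this example, not anything from the thread.
HELPER_NAME = "launch_browser.sh"
HELPER_BODY = "#!/bin/sh\necho launching browser\n"
# Digest baked into the program, not stored next to the script on disk.
EXPECTED_SHA256 = hashlib.sha256(HELPER_BODY.encode()).hexdigest()


def ensure_helper_weak(path):
    """The write-if-missing pattern from the post: create the script only when
    it is absent, then hand back whatever is on disk for execution. Any
    pre-existing file at `path` wins, edited or not."""
    p = Path(path)
    if not p.exists():
        p.write_text(HELPER_BODY)
    return p.read_text()


def check_helper(path, expected_sha256=EXPECTED_SHA256):
    """Decide whether the on-disk helper may be run. Returns (ok, reason).
    A file in user space can always be edited by that user, so the only real
    anchor is the digest the program itself carries; the type and mode checks
    just rule out the cheapest substitutions (symlink, shared-writable file).
    Launching the file by path afterwards still leaves a read-then-run window;
    feeding the verified bytes to the interpreter directly avoids it."""
    p = Path(path)
    try:
        st = os.lstat(p)  # lstat so a symlink is seen as a symlink, not followed
    except FileNotFoundError:
        return False, "missing"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world writable"
    digest = hashlib.sha256(p.read_bytes()).hexdigest()
    if digest != expected_sha256:
        return False, "content modified"
    return True, "ok"


def demo_tampered():
    """Play out the post's scenario in a temp dir (constructed): the first run
    writes the script, the user edits it and makes it read-only, and the weak
    loader then returns the edited script while the checked loader refuses."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / HELPER_NAME
        ensure_helper_weak(path)                                        # first run
        path.write_text("#!/bin/sh\necho whatever the user wanted\n")   # user edit
        path.chmod(0o500)                                               # "protected"
        weak_runs_edit = ensure_helper_weak(path) != HELPER_BODY
        ok, reason = check_helper(path)
        return weak_runs_edit, ok, reason


def demo_untampered():
    """Same setup without the edit: the checked loader accepts the file."""
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / HELPER_NAME
        ensure_helper_weak(path)
        path.chmod(0o700)  # explicit mode so the result does not depend on umask
        return check_helper(path)


if __name__ == "__main__":
    print("tampered:", demo_tampered())      # (True, False, 'content modified')
    print("untampered:", demo_untampered())  # (True, 'ok')
```

The digest check is what turns "obscure" into "verified": the user can still replace the file, but the program no longer runs the replacement. The permission and file-type checks are cheap extras; on their own they would not stop the file's owner, which is the point the post makes.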