--- Video Populares et Optimates <[EMAIL PROTECTED]> wrote:
> > If you mean to protect your source from your users, that is the case
> > already. Unless someone can compromise your server, they never get
> > access to the source, only its output.
>
> True! But what about the network technicians, system administrators and
> web developers (to be very paranoid) that access the servers.

Well, then you start getting into the social aspects of security (which are just as important, I agree) more than the technical ones. There are file and directory permissions that can help you maintain who sees what, but if you have Web developers who need access to the code but who you want to protect the code from, it's a very difficult challenge (in my humble opinion). At some point, I think it is necessary to trust certain people within your organization. This is a challenge that everyone faces.

> > This is far different from standard client-side applications, where
> > the user has a compiled version of the source. With server-side
> > applications, there is nothing for them to reverse engineer.
>
> Yes, of course... but with compiled software (built using asm, C/C++,
> VBA or what have you), it doesn't matter where the software is - on the
> user's computer or the server. All the same, it's compiled and a tough
> business to reverse engineer and make sense of.

I'll admit that it's tough for me, but I have some friends who are very good at reverse engineering things like this, and they tell me that it's easy (they may just be bragging, but I tend to believe them). My point was that when you distribute an application to run on the client, you have a practically unlimited number of people who can try to reverse it. When you only have a few people with access to a particular server (and a server-side application), there are at least far fewer people who can poke around.

The company I work for distributes a very popular file sharing application that is used by millions of people around the world. The Windows developers here use something called thinstall (I think that's the name) in an attempt to make reversing the binary more difficult. They tell me that it's still not a perfect solution, but that it is too easy to reverse if they omit this step (which they did in years past). So, I think that this is easier than it may seem.

> It does! Seeing that you have the additional title "hacker" at your
> site I'm sure you know of my despair when it comes to internal hacking.
> ;-)

Well, my definition of hacker and yours might differ. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
    Coming mid-2004
HTTP Developer's Handbook
    http://httphandbook.org/
RAMP Training Courses
    http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php