On Thu, May 19, 2011 at 3:31 AM, John Bokma <j...@castleamber.com> wrote: >> Agreed. Things can be secure if you accept caveats. A good server >> might be secure as long as attackers cannot, say: >> * Get physical access to the server, remove the hard disk, and tamper with it >> * Hold a gun to the developer and say "Log me in as root or you die" >> * Trigger a burst of cosmic rays that toggle some bits in memory > > You forgot the most important one: > > * if none of the software running on it has exploitable issues
That's not a caveat. That's a purposeful and deliberate goal. And far from impossible. > Personally, I think it's best to understand that no server is ever > secure and hence one must always be prepared that a breach can happen. You need to balance the risk of a breach against the effort it'd take to prevent. See my comments re DOS attacks; it's not generally worth being preemptive with those, unless you're at a way higher transaction level than this discussion is about (for those who came in late, it's a basic network game, and not Google Docs or the DNS root servers or something). If it's going to impose 500ms latency on all packets just to prevent the one chance in 1E50 that you get some particular attack, then it's really not worthwhile. However, it IS possible to ensure that the server doesn't, for instance, trust the client; those extremely basic protections are well worth the effort (even if it seems like a lot of effort). Chris Angelico -- http://mail.python.org/mailman/listinfo/python-list
