So I'm hoping this is not too discursive a question - but I am looking at encryption and the CodeIgniter encryption library. Great. But I'm just wondering in the following circumstance if there is actually any point encrypting my data?
No open port access to MySQL (all done via key based SSH)
Key stored in CI config file (which resides on the same box)
Server is a Ubuntu Linode (Cloud server)
I am the only person with access to the box
Why should I store my data at rest? Wikipedia mentions "unauthorised access or theft" but that would require physically stealing the box which is unlikely. I guess access to my machine if I'm logged into a database and the data is unreadable but again - unless someone breaks into my house and unlocks my machine its highly unlikely.
Related
I connect to a remote sqlserver database using the jdbc service. My apps script has my password and userid. Is there a security risk involved. I ask because javascript is open to inspection; are app-scripts open to users?
What is the best way to get that secure information into an app?
Even hard coded values don't show up in the javascript when rendered by the browser. That is because all the code that you write runs on the server side (except client handlers).
However, if you share a script or spreadsheet with the script with another user, the code is visible to the other user.
You can store your username and password in a spreadsheet that only you have access to and read from there during runtime. However, ensure that the script runs under your id (i.e only published as a web app).
Use the UserProperties service. It's values are only available to you and if you decide to make the application multi-user, you could even direct users to store their unique sql username/password in their own UserProperties.
I am testing Windows 7 file encryption. A test file was encrypted ( I see green colored file name). that file was shared across the network and it still can opened from other station. That green color file name is also viewable from other computer as well. What am I doing wrong? I admit that I don't know the encryption concept yet.
If I moved that file to shared folder of other computers, message appeared asking "Confirm encryption loss". How can I copy that file with encryption?
I know Truecrypt software but I am testing with Windows Encryption.
The NTFS file encryption is using your password hash to encrypt the file.
If you connect to the file from another computer you need to supply the user's password, which means the remote computer has the key to decrypt the file.
If you copy the file from the share to the local computer windows will save the key in the remote computer.
The whole idea in the filesystem encryption is that another user cannot use your encrypted files, or someone that get a hold on your hard-drive. But, if you're logged in, all the running applications that has been executed by you or have access to your token (for example, SYSTEM user) can access the file without ever knowing it is encrypted on the disk.
Be careful of encryption! Some encryption systems for Windows will automatically encrypt your files/folders for you. This is common in gov't/corporate computers. If you do NOT have this set, and then another user on your computer who DOES have this set accesses your file/folder, the file/folder can get encrypted with that other user's token, and then you won't be able to access your own file/folder!
This actually happened to me last week. Took a whole day to figure it out, because Windows won't tell you WHO encrypted the file, just that it wasn't done with your current token. Aaargh!
(This won't happen if permissions are set to ReadOnly, but in a collaborative environment sometimes permissions aren't set that way.)
I want to share a single authentificaition method for to Symfony websites sharing the same top-domain.
I use a cookie valid on all subdomains and sfPDOSessionStorage for keeping session data.
factories.yml is set up like this on both projects:
all:
storage:
class: sfPDOSessionStorage
param:
database: doctrine
db_table: sessions
session_name: myauth
db_id_col: id
db_data_col: sess_data
db_time_col: time
session_cookie_domain: ".mydomain.net"
session_cookie_lifetime: 86400
session_cookie_path: /
On my development machine and on my co-workers's machine this mechanism is working fine but on the server it does not (I'm asked for credentials when I switch sub-domains). The only difference I see between the two environments is the format in which the data is stored, the data seems to be encrypted on the prod server but appears in clear text on my machine. There's no sensitive data here so I can post an example :
Dev environment sess_data:
symfony/user/sfUser/lastRequest|i:1295349567;symfony/user/sfUser/authenticated|b:0;symfony/user/sfUser/credentials|a:0:{}symfony/user/sfUser/attributes|a:1:{s:30:"symfony/user/sfUser/attributes";a:1:{s:7:"referer";s:0:"";}}symfony/user/sfUser/culture|s:2:"fr";
Production server sess_data:
BB7HBTsQg75NNGvb9Z8sexldqbS79YzDgrztQzSFhsUpEk2EeCOtKw8FQbm31vLIRyr3ZP_klwZFXywnkdem27naIWjIVBP_WwpwNRg4IMj1J0fIfxJN_UOw2RbCWh91L5ryCD_7_ynN2UtxfuJwUWnxoGuUvqD8YQxNdczQipmktPVFk1mVfKE1-BsrdHHLIXH_gi44-Bos3f-EshE5skuQpachnY1FkgvvvOuXEj7zxPflgA3xtGoqJxkDijT-uKnQCH4TrimhvkIRGCt0oVuOdsAJzuWW6ijgPCD3X767mSIzm_lQmJoSGxDB7fAgFihB7Ljoq0tsysC62BqTYFB6dTnuZoj3KON8lXlyNJZVyLgTWZ3EYoObtc8jCKYNDonSjEqzTvwg4NJRVoB5ePx61iTqbDd9qFlkryzj9J8.
I haven't got a clue which encryption type is used to store information in the database, nor am I sure that this is the root of my problems but as this is the only difference I can spot, I don't see any other explanation. (PHP and MySQL versions are identical, with Ubuntu 10.10 on my side and Debian Squeeze server-side).
I think there's some module installed on your production server responsible for encrypting the session's data.
For example, suhosin patch adds such a feature to PHP: http://www.hardened-php.net/suhosin/configuration.html
It's activated by suhosin.session.encrypt configuration option in php.ini.
I guess this is kind of a programming question, because I'm going to write a program if this doesn't exist.
So I found a very cheap web-host (I don't really care about the actual web hosting). They will give me a domain name and ftp server with a ton of storage space. Anyway, I want to backup a few hundred gigs of data (mostly family photos and scans of important documents). I also want to backup any future family photos / documents. I don't care if everything on my local NAS dies in a fire, I just want to have the photos and important documents backed up off-site.
So I want some program that lets me select folders locally and schedules them to be backed up to the ftp server. I'm a bit of a security nut, so i'd like the files to be encrypted locally before being transferred up onto the server.
I know I can do this with truecrypt volumes, but I don't want to transfer an entire encrypted volume blob up to the server ever time I change a file in it. So I could do multiple true crypt volumes but that will be a pain to manage
Also this must be mac/linux compatible although I'll primarily be on linux.
I basically need rsync + truecrypt + cron + sftp all rolled into a cryptographically secure program.
I've been searching for days with no luck. Any ideas?
mozyBackup does this - it doesn't use FTP, it has a custom uploader.
ps. Remember a typical home ADSL connection only does about 1Gb/day upstream
Linux option.
Out of the box option probably duplicity ( for example see http://www.howtoforge.com/creating-encrypted-ftp-backups-with-duplicity-and-ftplicity-on-debian-lenny )
Otherwise if these are basically rarely changed archive copies of files - I would roll my own gnupg (or dpad) individual file encryption, a file changed script, and ftp or rsync.
Typically file servers are used to store images for a web application. For more security and control you'd go for storing images in database. But this proves to be complex and slow.
Are there other mainstream options available other than db/file server, to store images securely with user permissions, etc.
Edit: I'm deployed on amazon cloud and use postgresql as db.
SQL Server 2008 offers the Filestream storage wich allows you to store data in the filesystem, yet accessing it thorugh the database. It can be useful if your only concern with using a database is performance.
If images are stored in a folder that has no direct web access permissions you can then do
<img src="getimage.aspx?id=1234">
and have your GetImage "page" do any appropraite permissions test (e.g. using session ID) and then "deliver" the image from the secure folder.
Downside is that the image is not cached I think? but I expect that is true of the database route too.
Storing images in the phyiscal database bloats the database, increasing backup & restore times; but it provides a single container which is great if you want to move everything to a new / multiple servers, or if ensuring referential integrity between Image and other data in the DB is important
Are you are concerned about people guessing a URL and directly accessing an image?
If so, you can still place the images on the filesystem, just outside your www directory. You create a page called ImageServer.php/.aspx/.jsp, grabs the image off of the filesystem and then serves it in response to a URL like:
ImageServer.php?image=BlueWhale.png
If you do this, be careful to correctly set the MIME type and expiry headers because Apache/IIS won't do it for you.