One project idea I have is to finally complete and share my mini blog (for my website).
Nothing special about that... the twist I was wondering about is, I want to use it to test and illustrate some possible security attacks (and countermeasures).
The thing is, I am no security expert, just got the bug recently! For some reason I suddenly found security sexy!
So, let me summarize, I want to have part 1: mini blog, part 2: various security attacks.
However I am no security guru and I wanted it to be more interactive, i.e. I have my first version of the article, people comment (with the usual delicacy) "this is crap, you didn't even do security attack XYZ correctly" and then I update the sample with a better security attack (and defense).
Is that a good concept?
On CP there has typically been a reluctance to demonstrate virus code or attack vectors in articles as it can lead to the site being classed as a hacking site. This would then get it blocked by many corporates.
It would completely depend on how [the article] was written. Sometimes it is just easier to stay away from that area.
I have seen several articles removed over the years because of the potentially malicious content.
The best way would be to simply write the article in a way that says "How to protect yourself from XYZ attack", without actually showing how the attack is done.
The other thing I was going to say was the mantra "Leave security to the experts" very much stands. If it is done wrong the consequences can be devastating, as you know.
When you read articles [not necessarily on this site] by individuals who have implemented their own cryptography etc. and see them get torn apart by the experts, it doesn't make pretty reading.
Even the experts get it wrong, there was recently an article on El Reg or somewhere like that, where the experts had written the most secure algorithm to date and it would take 'multiple life of universe' (or whatever extremely long time it was) to break. Another expert group analysed it and subsequently broke it in 2 hours.
1. I am currently working as a web developer, we have no particular "security expert"; it is my (our?) duty to learn about web security when doing web development... leaving it to some "other senior dev" is no excuse if no one steps up!
2. CodeProject could be categorized as hacking site, ... this is problematic!!
How can one better himself if any material is censored!?!
While I see the strength of that argument, in my defense I want to emphasize that, along with the attacks, I want to present countermeasures! So this is more like an anti-hacking article!
Is that a good counter argument?
3. The fact that even security experts get security wrong is no excuse to stay ignorant!
4. Finally, I want to learn and share! If I can't share, can't you at least point me to a place of learning of those things?!
All material I found by Googling or looking at MSDN was quite hard reading! The only nice reading I found was in my Kindle book about ASP.NET MVC4!!!
What, are they going to review your code and make modifications where required?
That's not where I was coming from.
I am referring to the instances where individuals have written their own crypto libraries or some other implementation when recognised industry standard ones exist, thinking they are doing something clever, but in reality have opened massive holes.
Eddy Vluggen wrote:
You can only learn about security if you know how the lock is broken
That is very true, but I personally wouldn't go writing articles on how to break the lock, and would stick to a how-to article on how to survive the lock picking attack.
We (I) don't want this site being blocked at work, or I'll be severely bored!
We (I) don't want this site being blocked at work,
...that did not stop people from explaining how SQL injection works. I think that's a good thing. Even if a company decides to block CP with the argument that CP explains "SQL Injection". Where does one draw the line? How about cross-site scripting?
As for abuse, there's a lot of dangerous code out there. Any VB-script that shows how to execute a DOS-command combined with a DOS-manual is a potential security issue. It does not stand to reason to burn all old MS-DOS manuals.
It is actually WORSE to ban all information on lockpicking than it is to point out how the lock on your door can be bypassed: you assume you're safe while you're not.
Bastard Programmer from Hell
If you can't read my code, try converting it here
When you write an article you have to respect the fact that there are people out-there who know better - real or imaginary...
But! - and this is most important - there are those who know less than you. Learning is like climbing a ladder - you have to go over all the steps. So that part should not be a problem - you have a certain level of knowledge - share it!
About the security attacks/protections - IMHO do not detail the ways of attacks, describe them in a few words (focus on the damage) and move on to the most detailed explanation of the protections...
I'm not questioning your powers of observation; I'm merely remarking upon the paradox of asking a masked man who he is. (V)
Well it is very clear that I will only share attacks for which I can provide a countermeasure!
So that should be .. ok, I guess?!
Apparently there is a security by obscurity culture which has strong censorship power...