
[cobalt-security] more security questions - was 'purchasing a secure certificate from Thawte'



Thanks for the words of wisdom.  I definitely appreciate your thoughtful
advice.  I'm starting to wish I had purchased the managed solution already.
:-)

I have a few related security type questions.

If my RaQ3 is remotely hosted and only has one drive, how can I securely
back up files without FTP'ing them unencrypted across the net?  Can you
connect via ssh and then do an FTP inside of that connection?  Are there any
easy to use secure FTP clients?  Also, how do you recommend storing
customer's credit card information on the box?  And how do I retrieve it
without transferring it across the net unencrypted?  I currently use a form
on an SSL page that drives a perl program that writes the information to a
flat file in an .htaccess protected directory.  Then I can retrieve the data
by https'ing to that directory and logging in with my name and password.  Is
this safe?  Is there a better way of doing this without giving up too much
of the convenience of my current solution? 

Thanks,
Brian

-----Original Message-----
From: Rodolfo Paiz [mailto:rpaiz@xxxxxxxxxxxxxx]
Sent: Monday, June 05, 2000 11:28 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] purchasing a secure certificate from Thawte


> Should I just press on with the instructions from the RaQ's
> user manual or should I be more concerned about finding and
> backing up my private key?  Is it secure enough in the
> default location?

[soapbox on]

Hmm... this is your private half of the security mechanism
that will protect most, if not all, your valuable and con-
fidential communications with the outside world. If you lose
this or mishandle it, you will have to go to some amount of
work to recover it. If someone steals it, you may lose a
substantial amount of money or data, or both.

You're not sure where it is stored. You don't actually have
a copy in that you don't have a copy *where you know you can
get at it*. You have no way of finding and/or recovering that
little bit of data if your hard disk goes south. And you'll
have Hell's own time decrypting your own data if you don't
have that private key.

As Brent said, the prospect is not to instill fear... Never-
theless, anytime your security is concerned (yours, your
data's, your customers', your customers' data, any or all of
the above), always be paranoid. Always be concerned. And
never have blind faith in anything, especially anything of
whose internal workings you aren't 100% cognizant. I recall
a thread recently of some Cobalt equipment storing the root
password in a clear-text (world-readable) file in an open
(world-readable) directory. Mmm... is that the sound of
security frying I hear? (Check the archives; I'm *not*
kidding.)

Find the key. Back it up. Secure it as best you can. Under-
stand how it is stored, where, and how. Figure out what
someone would have to do to hack it or get at it, then try
to protect against that eventuality. *Then* press on with
the instructions.

[soapbox off]

I mean you no offense, Brian; I hope you realize that. I
am only trying to EMPHATICALLY make the point that your
server's security is of paramount importance, and that
the one cardinal sin in security of any type is to show
unwarranted trust. Matter of fact, some would say that
the only mistake is to show *any* trust, period. But
we're only paranoid around here, not psychotic. :)

Hope I convinced you to take that key very seriously...

------
Rodolfo J. Paiz
rpaiz@xxxxxxxxxxxxxx <mailto:rpaiz@xxxxxxxxxxxxxx>  
 

