stacks interacting over LAN? (newbie)
Richard Gaskin
ambassador at fourthworld.com
Wed Dec 1 12:27:30 EST 2004
Björnke von Gierke wrote:
> On Dec 01 2004, at 11:02, sims wrote:
>> I'm curious about what security concerns that a chat (or sockets in
>> general) might open up for the user and what (if any) precautions
>> need to be taken.
>
> This of course varies with the implementation, but talking about
> chatrev, I can assure you that there is no security risk whatsoever
> for the client. This is mainly due to the fact that the client never
> opens a port.

How does it create a socket connection without opening a port?

> However this is about to change, as we are incorporating file
> transfer (Which needs an accept connection at one end). Still,
> the opened port is occupied by rev and closed swiftly after
> finishing transfer, and because of that you won't get any
> malicious attempt through.

I'm no security expert, and this may be just a case of my own ignorance
getting the best of me, but for my own wares I would be very careful
about offering such broad assurances for anything involving network
software. Maybe "unlikely to" is more accurate than "won't".

Anytime one computer talks to another there are at least two risks:

- One of the computers may be in the hands of someone with malicious intent
- While in transit the data may be intercepted by a malicious third party

The beauty of TCP is that it's a ubiquitous standard that's been around
for a long, long time, so everyone uses it and all tools can be
interoperable with it.

The downside of its ubiquity and maturity is that there are people out
there who devote a sad majority of their lives to mastering TCP specifically
to destroy other people's constructive activity. Most of those
misanthropes are far smarter than me, and have a deeper knowledge of TCP
and its implementations across operating systems than I'll ever have.

I believe that absolute security is not achievable, and that the best we
can aim for is to slow down exploits. That's not so bad, and is good
enough for businesses and even governments to go about their business
more productively than without software.

But I would be wary of giving people the impression that a software
provides absolute security. Instead, communicating what it does to
protect itself may be all that's needed for the user to make their own
risk assessment.
--
Richard Gaskin
Fourth World Media Corporation
___________________________________________________________
Ambassador at FourthWorld.com http://www.FourthWorld.com