Yes, a can of worms... But general direction would be nice...

Sasha Pachev sasha at asksasha.com
Thu Jul 16 13:53:33 MDT 2009


>Amen.  It's great to be able to say something bad "probably" didn't
>happen, but that's a big ole fat "probably" (proportionate to the cost
>of having it happen).  My motto has always been to be as paranoid as I
>can afford to be.

I agree that we need to not be sloppy with backups or security. If it
takes you only 5 minutes to secure against the improbable, do so by
all means. As long as it does not become 5 minutes x 1000.  What I am
saying is that sometimes we lose touch with reality and go overboard.

Let's consider a real-life example. Somebody with a budget of about
$300 who runs a relatively small site that makes maybe $500 a month
from online ads comes to you and asks you why there is some weird
Javascript code on the main page that was not there before. Somebody
wrote the web application for him a long time ago. He does not have a
full-time sysadmin to do backups or anything close to that. When bad
things happen he hires a consultant. Yes, he does value his data, it
brings him $500 a month. No he does not value his data by more than
$500 a month, he cannot spend most or all of it on a sysadmin "doing
it right".  So what do you do?

A) Tell him he's got it all wrong, he needs a sysadmin to run his
system. Since he does not have a backup and who knows what his
application does now after being hacked, he needs to re-install the OS
on his dedicated server that is 1000 miles a way, and the application
needs to be re-written from scratch to be sure.

B) Find the offending code, remove it. Investigate the break-in, close
the holes. Instruct him on how to make a backup and encourage him to
do it regularly. Spend the rest of the time permitted by the client's
budget securing the most vulnerable parts of the system.

A real-life analogy to illustrate what I am talking about. Hwy 6 is
dangerous, many people have lost their lives driving on it. When you
go to Moab from Provo do you take I-15/I-70 route instead to avoid Hwy
6 just to be sure?

-- 
Sasha Pachev
AskSasha Linux Consulting
http://asksasha.com

Fast Running Blog.
http://fastrunningblog.com
Run. Blog. Improve. Repeat.



More information about the PLUG mailing list