|P is for Practical|
Re: Quest: a bulletproof-secure, automated scraperby polettix (Vicar)
|on Mar 19, 2005 at 08:13 UTC||Need Help??|
Apart from any technical consideration, this seems more a philosophical one. All modern crypto systems, however strong they may be, make the basic assumption that you only know the secret information that lets the sesame open. Even without knowing them, a powerful and lengthy attack could eventually lead to the desired secret.
So, the issue is that you have to assess the risk and play with it. It's like you wrote the PIN inside your agenda to be sure not to forget it: how secure is your agenda? Maybe you write all your passwords inside it, and keep it inside the most secure bank - do you really do this?
If you really want to keep your secret inside the computer more than in your head, you should ask yourself how secure your computer is and how a potential attacker could gain access to it; so, it seems more a "contour problem" to me, that is: how much is your computer exposed?
Moreover, you should really assess whether a potential attacker could be really interested in losing time to find the secret: if you keep $1000 average dollars in your bank account, is a $1000 (add zeroes at will) attack worth the trouble for h(er|im)? The level of security should be such that an attack would be too expensive with respect the reward; unluckly, this has little to do with Perl, I fear, even if it might help :P
As a side note, you could afford some kind of compromise keeping the secret (a GPG secret key, for example) always with you with an USB disk, and feed it to a daemon when it's needed. If you spend some time near your server, you could plug the disk when you arrive and unplug it when you go away, keeping it with you all the time or at least keeping it separate from the server. This would make it necessary to set up a physical attack to your premises to have access to the USB disk. Then, you could have some script in the cron table that regularly checks for the presence of the key and does its scraping work; just be sure that the secret remains in memory as little time as possible and does not get swapped on disk!
-- Don't fool yourself.