[penguicon-general] anyone out there know....??
STeve Andre'
andres at msu.edu
Mon Sep 8 13:38:09 EDT 2008
One comment about all this, and I don't think I have all the data
on this, but: If you have a limit of items returnable per search,
you must also make a system to limit the number of queries that
an entity can make, else they can get all of the data by successive
requests. Several years ago I helped a friend obtain about 16,000
student names from his school's ldap machine. There was a rule
about how much you could get at a time, with no limit on how
often it could be asked for.
Once data is out there on the net, it really isn't possible to restrict
it. If this is sensitive, it shouldn't be available via a web interface at
all until a really secure system has been made, and independently
tested. A recent survey of bank online systems suggests that 75%
of them had problems, for example. If you provide FTP access, people
can sniff the wire and get passwords to the FTP account, so only SFTP
should be used.
The entire concept of "limiting" access to things on the web is very
tricky.
--STeve Andre'
On Monday 08 September 2008 13:18:06 Lady Sarah wrote:
> Oh, the other company is getting an FTP feed from us. However, they are
> required to take all possible steps to prevent others from scraping our
> data off their site. This is why our board decided there should be a limit
> on the number of listings returned per search; their theory was if you had
> to return to a search page and enter new criteria to get more listings the
> data would not be anywhere near as likely to be scraped.
>
> If we are completely off base with this, please let me know because it
> could change everything!
> Sarah
>
> *~*~*~*~*~*~*~*
> Lady Sarah, que_sara_sara
> "It only takes 20 years for a liberal to become a conservative without
> changing a single idea." ~~Robert Anton Wilson
> Music Programming, Penguicon 7.0
> The Chocolate Goddess, coming soon to a con near you
> Warrior Princess of the Clan of the Lonely Goatherd
> IWG Wench #539 MCL, Local 69
> Scarlet B. Harlot, Figure Head for the Scarlet Harlot -- Privateer #36
> W3NCH, the HAM Radio Wench
> "...because you can't spell Wench with an 8!"
>
> On Mon, Sep 8, 2008 at 12:56 PM, Clay Dowling <clay at lazarusid.com> wrote:
> > On Mon, 8 Sep 2008, Lady Sarah wrote:
> > > You have found my opinion exactly; though I'm not 100% sure about the
> >
> > "use
> >
> > > it elsewhere" part, personally I'm voting on the whiny "we don't want
> > > to rewrite all of our code to conform to your rules" variant right now.
> > > I would LOVE to tell him that, "hey, we'll just save your broker the
> >
> > $10/month
> >
> > > and turn this off now, ok?" but the powers above me are insisting to
> > > researching this programming language and another point we're sticking
> > > on before going that route. I'm afraid I'm just not that patient.
> >
> > Scraping data is always the wrong solution to any problem. If your
> > company wants to share this data with another company, it is a lot more
> > sensible to work out a proper data exchange format. Since this is using
> > Ajax, XML is probably the right format.
> >
> > If you would like contact me off list and I can be of some assistance.
> > Or call me.
> >
> > Clay Dowling
> > 810-869-4390
> > _______________________________________________
> > penguicon-general mailing list
> > penguicon-general at penguicon.org
> > http://penguicon.org/mailman/listinfo/penguicon-general