Protecting the application from theft from the server

Started by Adam Greer, Jul 11, 2022, 03:46 AM

Previous topic - Next topic

Adam GreerTopic starter


Just to be clear: I'm a zero in this area. After reading a couple of topics, I learned that Apache is not only a helicopter)). Google helped me, the main thing is to understand only the possibility of implementing the necessary software or the reasons for its impossibility.

There is a program that does some analysis and calculation. It has certain input data. There are consistent formats for incoming and outgoing data: the program takes an A.txt file with incoming information and produces a B.txt file.
During the final tests, a trusted person (me) was sitting and doing a stupid job - receiving files like A.txt by e-mail and sending answers like B.txt. Further requests will be many and automation is needed.

Debugging and tests have already been completed and now we need to automate the process described above. The problem is that software costs money - it will make a profit, but if it is stolen, they will refuse me and I will be left with nothing.
I would hate to be thrown out, especially given the amount of my efforts, money and time invested, such an outcome would be just a disaster. Therefore, they abandoned the local program.

Essence:

It is necessary to make a server with which several computers can communicate.
The method of communication is the reception and transmission of .txt files. There is no site where you can look for a hole, only the reception and transmission of .txt files.
The .txt file itself is a set of parameters for running the necessary functions, so the presence of any left commands inside the .txt file is not scary for us.
As I understand it, some tricky file name should not cause problems either. And it seems that no SQL injection can be used.

I do not need protection against DDoS attacks - no one will do them, no one is interested in this.

The main thing is that it is impossible to steal the main program even with a large investment of effort / money.
My guess is that this is either real and done quite often, or there are never any guarantees.
If yes, I will be glad of your paid assistance in resolving this issue. If not, I'm curious to know why.

Thanks in advance for your attention and advices.
  •  

AliceFowell89

The program itself cannot be remotely stolen, unless its sources are in a shared folder.
Although, as my teacher said, you can steal everything, but this is another question - a question of goals and finances.

The only thing you need to decide when automating is that your server does not do its job to everyone. otherwise some Tom will send the input data, and the result will automatically come back to him, and he does not need to pay for your services - he will receive everything for free.

There are several options here, some are easier (make registration for clients, then you will either need a site that you don't want, or your own client, which theoretically can be downloaded, although this can be solved),
Others are more complex.
Send the results in encrypted in the form of everyone in a row, and give clients personal keys that will decrypt the data, change the keys every N days\weeks\months\years.
This option is not convenient if the calculations are very large and time-consuming, then they can deliberately put your server down, filling it with meaningless requests.
  •  

Optimitron

The admin from the hosting provider needs to:
1. View your image for the hashes of the pairs and keys. - this is the junior level.
If the root is encrypted, then he will have to insert a hole in the hypervisor or organize the MiTM during installation. - an admin with a slightly above average level will cope with that.
2. In any case, if critical data is encrypted, you will have to use MiTM when you log in via ssh to gain access to encrypted data (stolen hashes and keys will be useful for this),
Even with password hashes and ssh keys (the user's public key + the entire set of server keys), it is still problematic to get full access to the web system. Especially if the entrance is only by key, the password for a certain time can be selected by hash.
Again, the level is slightly above average.

As a result, we can conclude that such nonsense will be dealt with if initially the theft and sale of data is one of the types of business of web hosting provider. They say there are such, but I haven't heard of anyone in particular.

PS. I have considered only the idin of the variants. Others are possible, up to the embedding of "bugs" in the iron.
With such an assumed value of data and fear of theft, it is still better to have your own server (at home or at least in the datacenter). Not because the data will actually be hunted, but to avoid nightmares with detective stories.
  •