Worm resistance

19 Replies - 989 Views - Last Post: 13 January 2012 - 02:05 AM

#16 Sinned

Re: Worm resistance

Posted 12 January 2012 - 08:38 AM

Nice explanation.

You say:
It depends all on the software (with holes) installed by the users.
GunnerInc said:
Hardware is the first point of worrying.

conflicting???

But to get back to your explanation:
All holes in a server are caused by the weakness of the software. (And the mis-connecting between them)

So, technically everything should work as I said, when I build my own OS? (And all libraries on it)
(This is almost impossible, but technically this should be the safest, right?)

----------------------------------------------------

modi123_1, on 12 January 2012 - 08:09 AM, said:

Quote

So this is how I think about computers.
I don't understand how it can get harmed if everything should work fairly.

Then you should take off the rose colored glasses and get out of the idealized world. The only certain way to not get attacked via your connection is to unplug the system from the net or any network attached to the net.


And in my opinion it's always better to have a positive view on the world. :P

#17 modi123_1

Re: Worm resistance

Posted 12 January 2012 - 08:51 AM

Quote

You say:
It depends all on the software (with holes) installed by the users.
GunnerInc said:
Hardware is the first point of worrying.

conflicting???


Are we the same person? No. Are either of us the end-all-be-all holders of supreme infosec knowledge? No. We are two people that approach the same problem differently.


Quote

So, technically everything should work as I said, when I build my own OS? (And all libraries on it)
(This is almost impossible, but technically this should be the safest, right?)

No. If anything this will be worse. Sure, it's off the normal reservation for people, but I bet there will be more holes in there than Swiss cheese. Seriously - people who write server OSes are exceedingly good at what they do and balance security, ease of use, and functionality damn well. I could only imagine how skewed one of those corners would be in a hobbyist's server.


Quote

And in my opinion it's always better to have a positive view on the world.

Then information security is not a field for you.

#18 wordswords

Re: Worm resistance

Posted 12 January 2012 - 01:22 PM

So.. unless your software is going to be deployed to thousands of computers, or run on a network that is likely to be targeted by hackers (i.e. financial networks, government networks), it is unlikely that anyone will bother developing a custom exploit for your software. If you publish the source code of your software on a site, then in theory someone could download it and try to find a problem with it, and then exploit it.

In practice, it is far more likely to get exploits targeting the operating system or webserver or other server setup that your program will run on. Most hackers are creatures of opportunity - they will scan hundreds of thousands of hosts for a particular problem, and then break into a percentage of those hosts.

That said, you have to be aware of standard security measures when developing a client/server application, such as not passing sensitive data in cleartext, preventing SQL injections, not giving direct access to operating system commands, and so on.

#19 GunnerInc

Re: Worm resistance

Posted 12 January 2012 - 04:35 PM

Actually, I never mentioned hardware. You said:

Quote

I'm working on a server, running on a linux OS.
I'm developing it in C/C++.


A server is a computer, that is all; it does nothing and knows nothing without software. Your software is what interacts with the internet.

@wordswords, so if I develop server software (or any software) that is only for my use, I should not worry about exploits and just program away without worrying? Never, you should ALWAYS check array bounds, and length of your strings you are putting into buffers... that is just plain ole basic programming.
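
Added example, not part of any post in this thread: the array-bounds and string-length checks mentioned in post #19, applied to a C server copying a name field out of a received packet. The wire format, `parse_name` and `NAME_MAX_LEN` are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 32  /* destination capacity, excluding the NUL */

enum parse_status {
    PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_BAD_BYTE = -3
};

/*
 * Constructed wire format (assumption for this example):
 *   bytes 0..1  big-endian length N of the name
 *   bytes 2..   N bytes of name, not NUL-terminated
 * pkt/pkt_len describe exactly what recv() returned. The length field
 * is attacker-controlled, so it is checked against both the bytes
 * actually received and the size of the destination buffer.
 */
int parse_name(const uint8_t *pkt, size_t pkt_len, char out[NAME_MAX_LEN + 1])
{
    if (pkt_len < 2)
        return PARSE_TRUNCATED;          /* header itself is incomplete */

    size_t n = ((size_t)pkt[0] << 8) | pkt[1];

    if (n > NAME_MAX_LEN)
        return PARSE_TOO_LONG;           /* would write past out[] */
    if (n > pkt_len - 2)                 /* safe: pkt_len >= 2 here */
        return PARSE_TRUNCATED;          /* would read past the packet */

    for (size_t i = 0; i < n; i++)
        if (pkt[2 + i] == '\0')
            return PARSE_BAD_BYTE;       /* embedded NUL would truncate the string */

    memcpy(out, pkt + 2, n);
    out[n] = '\0';                       /* always terminate explicitly */
    return PARSE_OK;
}

int main(void)
{
    /* Constructed packet: claims 16 bytes of name but carries only 2. */
    const uint8_t lying[] = { 0x00, 0x10, 'a', 'b' };
    char name[NAME_MAX_LEN + 1];
    printf("status = %d\n", parse_name(lying, sizeof lying, name));
    return 0;
}
```

Both comparisons are needed: the first protects the write into `out`, the second protects the read from `pkt`.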

#20 wordswords

Re: Worm resistance

Posted 13 January 2012 - 02:05 AM

GunnerInc, on 12 January 2012 - 04:35 PM, said:

@wordswords, so if I develop server software (or any software) that is only for my use, I should not worry about exploits and just program away without worrying? Never, you should ALWAYS check array bounds, and length of your strings you are putting into buffers... that is just plain ole basic programming.


That wasn't really my point. You should be aware of those things, as I said. I suppose they are obvious to me; most of the security programming rules are just common sense.