The issue about security is that whoever creates this web server-based application will be storing information about *minor children* (am I the only one with this concern?) in a semi-public manner. Most websites that store information have some clause that says something like no one under 18 without a parent's permission may use this website. Even Disney is constantly saying "make sure you have your parent's permission...". That's a lame phrase, but it does show this issue is real. Congress is, right now, considering legislation to punish those websites that don't take 'sufficient measures' to secure their website. What are the ramifications of that? Since that thought is extremely subjective, the risk one would be taking is completely unknown.

The other issue is what value would a centralized database really offer? For day-to-day usage, it would offer zero value. If a scout moved wards, it would allow his records to be transferred. However, much of that is maintained by BSA, anyway. If local databases were used, then 'transferable data objects' could be used to transfer information between databases from the old ward to the new.

The reason that I proposed the non-centralized storage option is not that security is more or less, but because attacks on very small databases yield very small rewards. In contrast, attacks on highly-centralized databases offer greater rewards for the attacker. Given all of this, if the rewards for a centralized database are minor, are they really worth the potential risk?

I know it's 'cool' to build a web app, but we need to consider non-technological issues, too. The biggest problem with any tracking process is that the Scoutmasters are usually quite lax about record keeping, in the first place. If one or several parents abstained from allowing their children's information to be stored on a website, then it would create *2 processes* for the Scoutmaster to use for record keeping -- if they were to use the online system. Do you think that they will use both? Having been a Scoutmaster, I would say no. That will cause the online system to suffer in favor of good ol' pencil and paper.

IOW, in order to make an online database about kids, it must be really, really secure. My point is that you can't guarantee anything and is it worth the risk...

Steve

> -----Original Message-----
> From: Stacey [mailto:[EMAIL PROTECTED]
> ... So why would someone take the time and effort it would take to
> hack a well secured web site?

Take a look at some of the BlackHat/DefCon proceedings... There are a myriad of reasons... the challenge, illegal activities, notoriety, 'helping' to 'increase' security, ...

> However, it doesn't matter how strong the encryption is, people still use very poor passwords. ... Many of the passwords on Church systems are favorite scripture references and such.

An examination of password 'recovery' stats shows that passwords in general are a poor method of security, anyway.

> At least on a web based system who, and who tried to, access the data can be logged and audited. Ok, maybe not necessarily "who" but the last IP address they came from and filtering can be done.

I don't mean to be rude, but .... are you kidding me??? Not likely.

_______________________________________________
Ldsoss mailing list
[email protected]
http://lists.ldsoss.org/mailman/listinfo/ldsoss
