I heard that the web was slow today.

George Toft plug-discuss@lists.plug.phoenix.az.us
Tue, 28 Jan 2003 00:04:00 -0500


Ed Skinner wrote:
> 
>      When an auto manufacturer builds an Edsel do we blame the mechanic at
> the corner gas station? I might be tempted to switch mechanics to keep the
> thing running but if Ford keeps sending out recall notices, at some point I'm
> gonna start looking at a new car, maybe from Finland.
> 
> --
> Ed Skinner, ed@flat5.net, http://www.flat5.net/
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


When you drive that car in the sand, and it gets stuck, maybe it's not
Ford's fault?  Why, oh why, does anyone put a database server with any
interface exposed to the Internet?  WTF are these people thinking?  The
spread of the worm is not Microsoft's fault (directly) - it is the fault
of whoever put together the architecture that puts a database on the
Internet without a couple of firewalls and an app server in front of it.
That is probably caused by the Cracker Jack box MCSEs that are
clueless about security, which *is* Microsoft's fault as their
curriculum doesn't (or didn't anyway) discuss basic security.

I have a database server and an LDAP server.  There are two firewalls
between the Internet and the databases.  And this is my home network!


And that Finnish car?  Hmmm... let's see, I discovered and reported two
security exposures/vulnerabilities two weekends ago in SSH and MySQL.
One allows you to remotely discover the root password on a system
configured to block root logins, and the other allows you to recall
administrator commands (which may contain passwords) as a regular user.
I also discovered you can ftp into an account using Midnight Commander
without presenting the credentials if you logged in once before.  Some
may call it a convenience - I call it a gaping hole.  This is corrected
in the current release.


As I see it, each manufacturer has their own set of problems - it's up
to us as intelligent architects to not do stupid things with our cars.


George Toft
Sr. Computer Security Tech
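The tiered layout George describes (Internet, then a firewall, then an app server, then a second firewall, then the database) can be checked before anything is deployed. The following is an added example and not code from the original post or from any product mentioned in it; the subnets, the two rule tables and the port numbers 1433/1434 (the usual MS SQL Server TCP and resolution-service ports) are constructed assumptions. It models each firewall as a default-deny allow-list, works out which firewalls sit between a source and a destination, and reports whether a connection attempt gets through. The useful output is the audit at the end: it enumerates every path from the Internet zone to a database port and confirms none of them is reachable, which is exactly the property the post says was missing.

```python
"""Check that a database tier is never directly reachable from the Internet.

Added example (not from the original mailing-list post). All addresses,
rules and ports below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed network zones, outermost first.
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ_APP = ipaddress.ip_network("10.1.0.0/24")   # app servers behind firewall 1
DB_NET = ipaddress.ip_network("10.2.0.0/24")    # database servers behind firewall 2
ZONES = ["internet", "dmz", "db"]

# Assumed MS SQL Server listeners: TCP 1433 (data) and UDP 1434 (resolution service).
DB_PORTS = (1433, 1434)


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int
    action: str  # "allow" or "deny"


# Firewall 1 (Internet -> DMZ): only HTTPS to the app servers is permitted.
OUTER_FW = [Rule(INTERNET, DMZ_APP, 443, "allow")]
# Firewall 2 (DMZ -> DB): only the app servers may open the SQL data port.
INNER_FW = [Rule(DMZ_APP, DB_NET, 1433, "allow")]
FIREWALLS = {("internet", "dmz"): OUTER_FW, ("dmz", "db"): INNER_FW}


def zone(ip: str) -> str:
    """Map an address to the zone it lives in; anything unknown is 'internet'."""
    addr = ipaddress.ip_address(ip)
    if addr in DB_NET:
        return "db"
    if addr in DMZ_APP:
        return "dmz"
    return "internet"


def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """First-match evaluation of one firewall's rule table; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and dport == r.dport:
            return r.action
    return "deny"


def firewalls_on_path(src: str, dst: str):
    """Every firewall between the zones of src and dst, in either direction."""
    lo, hi = sorted((ZONES.index(zone(src)), ZONES.index(zone(dst))))
    return [FIREWALLS[(ZONES[i], ZONES[i + 1])] for i in range(lo, hi)]


def connection_allowed(src: str, dst: str, dport: int) -> bool:
    """A connection succeeds only if every firewall on the path allows it."""
    return all(evaluate(fw, src, dst, dport) == "allow"
               for fw in firewalls_on_path(src, dst))


def internet_exposed_db_ports(db_host: str, probe_src: str = "203.0.113.5"):
    """Audit: which database ports can an arbitrary Internet host reach?"""
    return [p for p in DB_PORTS if connection_allowed(probe_src, db_host, p)]


if __name__ == "__main__":
    # Constructed connection attempts.
    print("Internet -> app :443 ", connection_allowed("203.0.113.5", "10.1.0.10", 443))
    print("Internet -> db  :1434", connection_allowed("203.0.113.5", "10.2.0.10", 1434))
    print("app -> db       :1433", connection_allowed("10.1.0.10", "10.2.0.10", 1433))
    print("app -> db       :1434", connection_allowed("10.1.0.10", "10.2.0.10", 1434))
    print("db ports exposed to Internet:", internet_exposed_db_ports("10.2.0.10"))
```

Because every table is default-deny, dropping a firewall from the path, or adding a single permissive rule such as `Rule(INTERNET, DB_NET, 1434, "allow")` to `OUTER_FW`, makes `internet_exposed_db_ports` non-empty immediately, which is the condition a deployment review should treat as a blocker.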