I heard that the web was slow today.

George Toft plug-discuss@lists.plug.phoenix.az.us
Tue, 28 Jan 2003 08:37:31 -0500


"der.hans" wrote:
>
> On 28 Jan 2003, George Toft wrote:
>
> > When you drive that car in the sand, and it gets stuck, maybe it's not
> > Ford's fault?  Why, oh why, does anyone put a database server with any
> > interface exposed to the Internet?  WTF are these people thinking?  The
> > spread of the worm is not Microsoft's fault (directly) - it is the fault
>
> It is directly m$'s fault. m$ quietly installs m$sql for several software
> packages. It's part of their m$de that's reportedly installed for certain
> releases of packages like visio, m$ project, and m$ office. So not only does
> it default to a bad setup, but people don't even know it's installed. They
> should know, but that's discouraged in the m$ce world...


Doooh!!!

I stand corrected.



> > of whoever put together the architecture that puts a database on the
> > Internet without a couple firewalls and an App server in front of it.
> > That is probably caused by the Cracker Jacks Box MCSE's that are
> > clueless about security, which *is* Microsoft's fault as their
> > curriculum doesn't (or didn't anyway) discuss basic security.
>
> That and they have traditionally made it difficult to find out what's
> running on the box.
>
> > I have a database server and an LDAP server.  There are two firewalls
> > between the Internet and the databases.  And this is my home network!
> >
> >
> > And that Finnish car?  Hmmm... let's see, I discovered and reported two
> > security exposures/vulnerabilities two weekends ago in SSH and MySQL.
> > One allows you to remotely discover the root password on a system
> > configured to block root logins, and the other allows you to recall
> > administrator commands (which may contain passwords) as a regular user.
> > I also discovered you can ftp into an account using Midnight Commander
> > without presenting the credentials if you logged in once before.  Some
> > may call it a convenience - I call it a gaping hole.  This is corrected
> > in the current release.
>
> I won't claim Free Software is free of bugs or security holes. The
> databases ( PostgreSQL and MySQL at least ), however, no longer listen for
> network connections by default.
>
> Also, for the last SSH update, did it require me to get the MySQL patch as
> well?  Did it require me to allow the SSH developers to break into my box
> anytime they feel like it?
>
> As for all the worms against m$, build it ( shoddy security infrastructure )
> and they ( script kiddies and worms ) will come.
>
> > As I see it, each manufacturer has their own set of problems - it's up
> > to us as intelligent architects to not do stupid things with our cars.
>
> I agree it's up to us to know what we're doing with our boxen. That's
> generally encouraged in the *NIX world, but not for the m$ or mac.
>
> ciao,
>
> der.hans
> --
> #  https://www.LuftHans.com/    http://www.TOLISGroup.com/
> #  "Science is like sex: sometimes something useful comes out, but
> #  that is not the reason we are doing it." -- Richard Feynman
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss



I love this list!

George
--
This e-mail message certified virus-free
as it was generated on a Linux system.

http://www.georgetoft.com/linux/index.html