Am 28. Jan, 2003 schw=E4tzte George Toft so: > When you drive that car in the sand, and it gets stuck, maybe it's not > Ford's fault? Why, oh why, does anyone put a database server with any > interface exposed to the Internet? WTF are these people thinking? The > spread of the worm is not Microsoft's fault (directly) - it is the fault It is directly m$'s fault. m$ quietly installs m$sql for several software packages. It's part of their m$de that's reportedly installed for certain releases of packages like visio, m$ project, and m$ office. So not only doe= s it default to a bad setup, but people don't even know it's installed. They should know, but that's discouraged in the m$ce world... > of whoever put together the architecture that puts a database on the > Internet without a couple firewalls and an App server in front of it. > That is probably caused by the Cracker Jacks Box MCSE's that are > clueless about security, which *is* Microsoft's fault as their > curriculum doesn't (or didn't anyway) discuss basic security. That and they have traditionally made it difficult to find out what's running on the box. > I have a database server and an LDAP server. There are two firewalls > between the Internet and the databases. And this is my home network! > > > And that Finnish car? Hmmm... let's see, I discovered and reported two > security exposures/vulnerabilities two weekends ago in SSH and MySQL. > One allows you to remotely discover the root password on a system > configured to block root logins, and the other allows you to recall > administrator commands (which may contain passwords) as a regular user. > I also discovered you can ftp into an account using Midnight Commander > without presenting the credentials if you logged in once before. Some > may call it a convenience - I call it a gaping hole. This is corrected > in the current release. I won't claim Free Software is free of bugs or security holes. The databases ( PostgreSQL and MySQL at least ), however, no longer listen for network connections by default. Also, for the last SSH update, did it require me to get the MySQL patch as well? Did it require me to allow the SSH developers to break into my box anytime they feel like it? As for all the worms against m$, build it ( shoddy security infrastructure = ) and they ( script kiddies and worms ) will come. > As I see it, each manufacturer has their own set of problems - it's up > to us as intelligent architects to not do stupid things with our cars. I agree it's up to us to know what we're doing with our boxen. That's generally encouraged in the *NIX world, but not for the m$ or mac. ciao, der.hans --=20 # https://www.LuftHans.com/ http://www.TOLISGroup.com/ # "Science is like sex: sometimes something useful comes out, but # that is not the reason we are doing it." -- Richard Feynman