"der.hans" wrote:
>
> On 28 Jan 2003, George Toft said:
>
> > When you drive that car in the sand, and it gets stuck, maybe it's not
> > Ford's fault? Why, oh why, does anyone put a database server with any
> > interface exposed to the Internet? WTF are these people thinking? The
> > spread of the worm is not Microsoft's fault (directly) - it is the fault
>
> It is directly m$'s fault. m$ quietly installs m$sql for several software
> packages. It's part of their m$de that's reportedly installed for certain
> releases of packages like visio, m$ project, and m$ office. So not only does
> it default to a bad setup, but people don't even know it's installed. They
> should know, but that's discouraged in the m$ce world...

Doooh!!! I stand corrected.

> > of whoever put together the architecture that puts a database on the
> > Internet without a couple firewalls and an App server in front of it.
> > That is probably caused by the Cracker Jacks Box MCSE's that are
> > clueless about security, which *is* Microsoft's fault as their
> > curriculum doesn't (or didn't anyway) discuss basic security.
>
> That and they have traditionally made it difficult to find out what's
> running on the box.
>
> > I have a database server and an LDAP server. There are two firewalls
> > between the Internet and the databases. And this is my home network!
> >
> >
> > And that Finnish car? Hmmm... let's see, I discovered and reported two
> > security exposures/vulnerabilities two weekends ago in SSH and MySQL.
> > One allows you to remotely discover the root password on a system
> > configured to block root logins, and the other allows you to recall
> > administrator commands (which may contain passwords) as a regular user.
> > I also discovered you can ftp into an account using Midnight Commander
> > without presenting the credentials if you logged in once before. Some
> > may call it a convenience - I call it a gaping hole. This is corrected
> > in the current release.
>
> I won't claim Free Software is free of bugs or security holes. The
> databases ( PostgreSQL and MySQL at least ), however, no longer listen for
> network connections by default.
>
> Also, for the last SSH update, did it require me to get the MySQL patch as
> well? Did it require me to allow the SSH developers to break into my box
> anytime they feel like it?
>
> As for all the worms against m$, build it ( shoddy security infrastructure )
> and they ( script kiddies and worms ) will come.
>
> > As I see it, each manufacturer has their own set of problems - it's up
> > to us as intelligent architects to not do stupid things with our cars.
>
> I agree it's up to us to know what we're doing with our boxen. That's
> generally encouraged in the *NIX world, but not for the m$ or mac.
>
> ciao,
>
> der.hans
> --
> # https://www.LuftHans.com/ http://www.TOLISGroup.com/
> # "Science is like sex: sometimes something useful comes out, but
> # that is not the reason we are doing it." -- Richard Feynman
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

I love this list!

George
--
This e-mail message certified virus-free as it was generated on a Linux system.
http://www.georgetoft.com/linux/index.html