"der.hans" wrote:
>
> On 28 Jan 2003, George Toft chattered thus:
>
> > When you drive that car in the sand, and it gets stuck, maybe it's not
> > Ford's fault? Why, oh why, does anyone put a database server with any
> > interface exposed to the Internet? WTF are these people thinking? The
> > spread of the worm is not Microsoft's fault (directly) - it is the fault
>
> It is directly m$'s fault. m$ quietly installs m$sql for several software
> packages. It's part of their m$de that's reportedly installed for certain
> releases of packages like visio, m$ project, and m$ office. So not only does
> it default to a bad setup, but people don't even know it's installed. They
> should know, but that's discouraged in the m$ce world...
Doooh!!!
I stand corrected.
> > of whoever put together the architecture that puts a database on the
> > Internet without a couple firewalls and an App server in front of it.
> > That is probably caused by the Cracker Jacks Box MCSE's that are
> > clueless about security, which *is* Microsoft's fault as their
> > curriculum doesn't (or didn't anyway) discuss basic security.
>
> That and they have traditionally made it difficult to find out what's
> running on the box.
>
> > I have a database server and an LDAP server. There are two firewalls
> > between the Internet and the databases. And this is my home network!
> >
> >
> > And that Finnish car? Hmmm... let's see, I discovered and reported two
> > security exposures/vulnerabilities two weekends ago in SSH and MySQL.
> > One allows you to remotely discover the root password on a system
> > configured to block root logins, and the other allows you to recall
> > administrator commands (which may contain passwords) as a regular user.
> > I also discovered you can ftp into an account using Midnight Commander
> > without presenting the credentials if you logged in once before. Some
> > may call it a convenience - I call it a gaping hole. This is corrected
> > in the current release.
>
> I won't claim Free Software is free of bugs or security holes. The
> databases ( PostgreSQL and MySQL at least ), however, no longer listen for
> network connections by default.
>
> Also, for the last SSH update, did it require me to get the MySQL patch as
> well? Did it require me to allow the SSH developers to break into my box
> anytime they feel like it?
>
> As for all the worms against m$, build it ( shoddy security infrastructure )
> and they ( script kiddies and worms ) will come.
>
> > As I see it, each manufacturer has their own set of problems - it's up
> > to us as intelligent architects to not do stupid things with our cars.
>
> I agree it's up to us to know what we're doing with our boxen. That's
> generally encouraged in the *NIX world, but not for the m$ or mac.
>
> ciao,
>
> der.hans
> --
> # https://www.LuftHans.com/ http://www.TOLISGroup.com/
> # "Science is like sex: sometimes something useful comes out, but
> # that is not the reason we are doing it." -- Richard Feynman
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
I love this list!
George
--
This e-mail message certified virus-free
as it was generated on a Linux system.
http://www.georgetoft.com/linux/index.html
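The thread above turns on two points: a database engine (MSDE) that gets installed without the owner noticing, and databases that should never accept connections from the network in the first place. As an added example that is not part of the original mailing-list exchange, here is a small Python audit that parses netstat-style listener rows and flags database and LDAP services bound to anything other than loopback; the port-to-service table, the `Listener` record and the sample rows are all constructed for this example, not taken from any real host.

```python
from dataclasses import dataclass
# Default ports of the services the thread talks about. UDP 1434 is the
# SQL Server resolution service the January 2003 worm spread through.
DB_PORTS = {
    ("tcp", 1433): "MSDE / SQL Server",
    ("udp", 1434): "SQL Server resolution service",
    ("tcp", 3306): "MySQL",
    ("tcp", 5432): "PostgreSQL",
    ("tcp", 389): "LDAP",
}
LOOPBACK = {"127.0.0.1", "::1"}
@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    service: str
    exposed: bool  # True when bound to anything other than loopback
def parse_listeners(lines):
    """Parse 'netstat -ln' style rows; keep only services from DB_PORTS."""
    found = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header row or not a socket row
        proto = parts[0].rstrip("6")
        addr, _, port = parts[3].rpartition(":")  # '::' survives for IPv6
        service = DB_PORTS.get((proto, int(port))) if port.isdigit() else None
        if service is None:
            continue  # sshd and friends are not what we are auditing
        found.append(Listener(proto, addr, int(port), service, addr not in LOOPBACK))
    return found

def exposed_databases(lines):
    """Return only the database listeners reachable from the network."""
    return [l for l in parse_listeners(lines) if l.exposed]

# Constructed sample rows, not captured from a real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:1433            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::5432                 :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1434            0.0.0.0:*
"""

if __name__ == "__main__":
    for l in exposed_databases(SAMPLE_NETSTAT.splitlines()):
        print(f"{l.service} on {l.proto}/{l.port} bound to {l.addr}: network-reachable")
```

On a real box, feed it the output of `netstat -ln` (or the equivalent listing) instead of the sample; a loopback-only MySQL passes, while a wildcard-bound MSDE or PostgreSQL is reported.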