I heard that the web was slow today.
George Toft
plug-discuss@lists.plug.phoenix.az.us
Tue, 28 Jan 2003 00:04:00 -0500
Ed Skinner wrote:
>
> When an auto manufacturer builds an Edsel do we blame the mechanic at
> the corner gas station? I might be tempted to switch mechanics to keep the
> thing running but if Ford keeps sending out recall notices, at some point I'm
> gonna start looking at a new car, maybe from Finland.
>
> --
> Ed Skinner, ed@flat5.net, http://www.flat5.net/
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

When you drive that car in the sand, and it gets stuck, maybe it's not
Ford's fault? Why, oh why, does anyone put a database server with any
interface exposed to the Internet? WTF are these people thinking? The
spread of the worm is not Microsoft's fault (directly) - it is the fault
of whoever put together the architecture that puts a database on the
Internet without a couple of firewalls and an app server in front of it.
That is probably caused by the Cracker Jack box MCSEs that are
clueless about security, which *is* Microsoft's fault as their
curriculum doesn't (or didn't anyway) discuss basic security.

I have a database server and an LDAP server. There are two firewalls
between the Internet and the databases. And this is my home network!

And that Finnish car? Hmmm... let's see, I discovered and reported two
security exposures/vulnerabilities two weekends ago in SSH and MySQL.
One allows you to remotely discover the root password on a system
configured to block root logins, and the other allows you to recall
administrator commands (which may contain passwords) as a regular user.
I also discovered you can ftp into an account using Midnight Commander
without presenting the credentials if you logged in once before. Some
may call it a convenience - I call it a gaping hole. This is corrected
in the current release.

As I see it, each manufacturer has their own set of problems - it's up
to us as intelligent architects to not do stupid things with our cars.

George Toft
Sr. Computer Security Tech
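A defender-side check for the architectural point made in the post above (a database or directory listener answering on a non-loopback interface), written as an added example for this thread and not code from George Toft or anyone on the list; the listener table is constructed sample text in the style of `ss -Hltn`, and the port-to-service map is an assumption.

```python
"""Flag database/LDAP listeners that are not confined to loopback.

Added example. Input is constructed text in the style of `ss -Hltn`
(assumed columns: State Recv-Q Send-Q Local:Port Peer:Port), not
captured from any real host.
"""
import ipaddress

# Assumed map of ports a reviewer would expect to sit behind a firewall
# and an app tier, never on an Internet-facing address.
DB_PORTS = {1433: "mssql", 3306: "mysql", 5432: "postgresql",
            389: "ldap", 636: "ldaps"}

# Constructed sample: two listeners are exposed, two are loopback-only,
# and sshd on 22 is outside the scope of this check.
SAMPLE = """\
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:389 [::]:*
LISTEN 0 128 [::1]:636 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""


def split_local(local):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    if host == "*":            # some ss versions print '*' for any-address
        host = "0.0.0.0"
    return ipaddress.ip_address(host), int(port)


def exposed_listeners(text):
    """Return (service, address, port) for DB/LDAP sockets bound off-loopback."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = split_local(fields[3])
        if port not in DB_PORTS or addr.is_loopback:
            continue
        findings.append((DB_PORTS[port], str(addr), port))
    return findings


if __name__ == "__main__":
    for service, addr, port in exposed_listeners(SAMPLE):
        print(f"exposed: {service} on {addr}:{port}")
```

On a real host, feed it the output of `ss -Hltn` and review each finding against the firewall rules in front of that machine.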