--- Wagner Garcia Campagner <[EMAIL PROTECTED]> wrote:

> This site doesn't need so much security so I'm not worried if someone is
> using a sniffer...
Wagner,

That is begging for trouble. My apologies in advance for the rather serious tone here.

Here's a quote from a friend's email:

-------------------------------
[A friend] found I had been running the server for a few months, and asked what kind of security I was running. I chuckled and told him there was no need, since the computer had no valuable information on it. He gave me a funny look, and he started port-scanning my machine. As you would expect, just about everything was open. As we looked further and further into it, things started looking bad. There was evidence that someone else had been in my system. The clincher came when we found a SQL server database of news groups on my server. Chances are I was used to spam these news groups.
--------------------------------

Here's a quote from me (I just made this up for this email :):

--------------------------------
"What are you going to do when your lax security allows someone else to crack your box and use it to launch a denial of service attack on the FBI's Web site?"
--------------------------------

Right now, the Web is this wild, wild West with credit card numbers, social security numbers, and other bits of sensitive information just lying around in the dirt. Sooner or later, someone is going to pass legislation to ensure that programmers and sys admins can be held accountable for data or resource theft that is due, in part, to their negligence. I can't wait for that day for two reasons:

1. It will force people to be more conscientious lest they face the consequences.
2. My rates will go up.

Until such time that this legislation passes (mark my words, it will, sooner or later), it's still unethical to knowingly fail to provide the best security that meets the client's needs (note the qualifier on that sentence -- no need to provide Fort Knox to protect a simple bulletin board script).
Now, let's imagine that you're not worried about people with sniffers grabbing your user names and passwords because you're *positive* that no long-term damage could occur. Here's the rub: people reuse usernames and passwords all the time. Even if this information doesn't allow someone to cause you problems, they still might be able to access other accounts that your users have because *you* didn't protect their sensitive data.

Again, sorry for the rather serious tone, but it's a rather serious subject.

Cheers,
Curtis "Ovid" Poe

=====
Senior Programmer
Onsite! Technology (http://www.onsitetech.com/)
"Ovid" on http://www.perlmonks.org/
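To make the point about sniffers concrete, here is an added example that is not part of the original thread or of any poster's code. It takes two constructed plain-HTTP login requests (a form POST to a hypothetical /cgi-bin/login.pl and an HTTP Basic auth request; the host, paths, user name and password are all made up) and pulls the credentials straight out of them, which is exactly what anyone with a sniffer on the same network segment can do when a site sends logins in the clear. Nothing here needs a network; the "captured" requests are inline strings.

```python
import base64
from urllib.parse import parse_qs

# Constructed sample traffic: what a sniffer on the wire sees for two
# plain-HTTP logins.  Host, paths and the wagner/s3cret credentials are made up.
CAPTURED_REQUESTS = [
    (
        "POST /cgi-bin/login.pl HTTP/1.0\r\n"
        "Host: example.invalid\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Content-Length: 31\r\n"
        "\r\n"
        "username=wagner&password=s3cret"
    ),
    (
        "GET /admin/ HTTP/1.0\r\n"
        "Host: example.invalid\r\n"
        "Authorization: Basic d2FnbmVyOnMzY3JldA==\r\n"
        "\r\n"
    ),
]

# Common form field names for the two halves of a login; extend as needed.
USER_FIELDS = ("username", "user", "login", "email")
PASS_FIELDS = ("password", "pass", "passwd", "pwd")


def split_request(raw):
    """Split one raw HTTP request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def extract_credentials(raw):
    """Return a list of (source, username, password) tuples found in one request.

    source is 'basic' for an HTTP Basic Authorization header (base64 of
    user:password, not encryption) or 'form' for a URL-encoded login POST.
    """
    found = []
    _, headers, body = split_request(raw)

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip()).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            decoded = ""  # malformed header: nothing to recover
        if ":" in decoded:
            user, _, pwd = decoded.partition(":")
            found.append(("basic", user, pwd))

    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = parse_qs(body, keep_blank_values=True)
        user = next((fields[k][0] for k in USER_FIELDS if k in fields), None)
        pwd = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
        if user is not None and pwd is not None:
            found.append(("form", user, pwd))

    return found


def harvest(requests):
    """Run the extractor over every captured request and collect what falls out."""
    creds = []
    for raw in requests:
        creds.extend(extract_credentials(raw))
    return creds


if __name__ == "__main__":
    for source, user, pwd in harvest(CAPTURED_REQUESTS):
        print(f"{source:5} {user!r} -> {pwd!r}")
```

Both requests give up the same user name and password with a dozen lines of parsing; a Basic header only base64-encodes the pair, it does not hide it. Over TLS the same bytes are not readable on the wire, which is the cheap fix for the reuse problem described above: the credentials your users also use elsewhere never cross the network in the clear.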