At 02:29 AM 10/12/2001, Curtis Poe wrote:
>--- Wagner Garcia Campagner <[EMAIL PROTECTED]> wrote:
>
> > This site doesn't need so much security so I'm not worried if someone is
> > using a sniffer...
>
>Wagner,
>
>That is begging for trouble. My apologies in advance for the rather
>serious tone here. Here's a quote from a friend's email:
Well, I am not sure I understand this response. I thought Wagner wasn't
referring to the security of the ports and hardening of the OS itself. He was
referring to the security of the login mechanism not making use of SSL. I
think he struck a nerve with you, but I am not sure how you go from talking
about login security to talking about general box security.

I would agree that not all sites require SSL for username/password security.
However, perhaps more relevant to Wagner is to break apart his assumption
that a sniffer is the only problem with not using SSL for username/password
based portals.

Another issue not mentioned is caching. Nearly all browser implementations
disable on-disk caching of data when SSL is in use. This is not true for
normal browsing. Thus, if someone logs on without SSL at a cyber cafe, anyone
else can look at the cache and see potentially sensitive data. Perhaps not so
sensitive as to have thought someone would have to set up a sniffer at the
ISP, but sensitive enough that any Joe can basically see what was being done
on the website.

At minimum, a rule of thumb when not using SSL for sites that need a password
but don't really consider it a strong threat is to disable caching for any
information possibly construed as sensitive.

As an aside, I don't really agree that forced legislation making all
sysadmins and ISPs legally responsible for their boxes' security will be very
productive or enforceable. Nor will it be enforceable all over the world,
which is what you would truly require. Without the rest of the world
participating in unison, I doubt that the US government is going to kick its
own economy in the teeth by forcing more IT expenditure which won't translate
to bringing in more money from other countries. What you will more likely see
happen is that critical industries such as banking, government, and military
may create their own Internets that satisfy their own security requirements
(hence the govnet thing shown recently on slashdot).
So I don't believe in govt control in this aspect. What I do believe in is
that people will become more aware of security issues and problems through
natural learning. Maybe this learning will happen fast enough, maybe it won't.
But what will likely happen is that as awareness grows, more clients who buy
ISP accounts will be discerning about security and will be willing to pay
more money rather than going to an ISP that has no security policy. And of
course, advertising that you are secure without being secure is already
enforceable through other means.

I guess I am not a fan of forcing people to do anything and I am more a fan
of the market economy driving the world. I think this is where you will get
increased security, and it will come out of many factors merging together
rather than through top-down control. But this is a digression where I am
sure people will agree and disagree with me. Mostly these things are best
hashed out over beers. Because really it's all about looking in crystal balls
and such things are better done over alcohol. :)

>-------------------------------
>[A friend] found I had been running the server for a few months, and asked
>what kind of security I was running. I chuckled and told him there was no
>need, since the computer had no valuable information on it.
>
>He gave me a funny look, and he started port-scanning my machine. As you
>would expect, just about everything was open. As we looked further and
>further into it, things started looking bad. There was evidence that
>someone else had been in my system.
>
>The clincher came when we found a SQL server database of news groups on my
>server. Chances are I was used to spam these news groups.
>--------------------------------
>
>Here's a quote from me (I just made this up for this email :):
>--------------------------------
>"What are you going to do when your lax security allows someone else to
>crack your box and uses it to launch a denial of service attack on the
>FBI's Web site?"
>--------------------------------
>
>Right now, the Web is this wild, wild West with credit card numbers,
>social security numbers, and other bits of sensitive information just
>lying around in the dirt. Sooner or later, someone is going to pass
>legislation to ensure that programmers and sys admins can be held
>accountable for data or resource theft that is due, in part, to their
>negligence.
>
>I can't wait for that day for two reasons:
>
>1. It will force people to be more conscientious lest they face the
>consequences.
>2. My rates will go up.
>
>Until such time that this legislation passes (mark my words, it will,
>sooner or later), it's still unethical to knowingly fail to provide the
>best security that meets the client's needs (note the qualifier on that
>sentence -- no need to provide Fort Knox to protect a simple bulletin
>board script).
>
>Now, let's imagine that you're not worried about people with sniffers
>grabbing your user names and passwords because you're *positive* that no
>long-term damage could occur. Here's the rub: people reuse usernames and
>passwords all the time. Even if this information doesn't allow someone to
>cause you problems, they still might be able to access other accounts that
>your users have because *you* didn't protect their sensitive data.
>
>Again, sorry for the rather serious tone, but it's a rather serious subject.
>
>Cheers,
>Curtis "Ovid" Poe
>
>=====
>Senior Programmer
>Onsite! Technology (http://www.onsitetech.com/)
>"Ovid" on http://www.perlmonks.org/
>
>__________________________________________________
>Do You Yahoo!?
>Make a great connection at Yahoo! Personals.
>http://personals.yahoo.com
>
>--
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]

__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
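The caching point Gunther raises above (disable caching of anything sensitive when a password-protected site is served without SSL), as an added example that is not code from this thread: a small Python CGI-style helper, with names of my own choosing, that emits the headers telling browsers and intermediate proxies not to store a login page on disk, plus a checker that reports which of those headers a captured response is missing. The leaky sample response is constructed for the demonstration.

```python
# Added example (not from the thread): emit and audit the HTTP headers that
# keep a non-SSL login page out of the browser's on-disk cache.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple

# Headers a CGI script should emit before the body of any response that
# carries a password form, a session, or other sensitive data.
NO_STORE_HEADERS: List[Tuple[str, str]] = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, max-age=0"),
    ("Pragma", "no-cache"),                       # HTTP/1.0 caches and proxies
    ("Expires", "Thu, 01 Jan 1970 00:00:00 GMT"),  # a date already in the past
]

# Constructed sample: what a typical CGI login response looked like with no
# cache directives at all; a cyber-cafe browser may write this to disk.
LEAKY_RESPONSE = b"Content-Type: text/html\r\n\r\n<html>Welcome back, Wagner</html>"


def render_login_page(body: str) -> bytes:
    """Build a complete CGI response (headers, blank line, body) that is
    marked non-cacheable."""
    lines = [f"{k}: {v}" for k, v in NO_STORE_HEADERS]
    lines.append("Content-Type: text/html; charset=utf-8")
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw response into a lower-cased header name -> value map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode(errors="replace")
    out: Dict[str, str] = {}
    for line in head.split("\r\n"):
        if ":" in line:
            k, v = line.split(":", 1)
            out[k.strip().lower()] = v.strip()
    return out


def cache_findings(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a response may still be written to a disk cache;
    an empty list means every directive we look for is present."""
    findings: List[str] = []
    cc = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store")
    if headers.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    exp = headers.get("expires")
    if exp is None:
        findings.append("Expires header missing")
    elif exp.strip() != "0":
        try:
            if parsedate_to_datetime(exp) > datetime.now(timezone.utc):
                findings.append("Expires is in the future")
        except (TypeError, ValueError):
            findings.append("Expires is unparsable")
    return findings
```

Running `cache_findings(parse_headers(...))` over saved responses from a proxy log is a quick way to spot which pages of a non-SSL site a shared browser could retain.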