lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 21 Dec 2012 10:16:58 +1300
From: "Nick FitzGerald" <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Question regarding script vulnerabilities

Rand wrote:

> I was curious, if you have a virtual dedicated server or a dedicated
> server, and a reasonably trustworthy hosting service, are malicious scripts
> planted by external people a big concern? If so why?

If you have a web server, malicious scripts should be a big concern to 
you, yes.

Why would you NOT be concerned that the integrity of your site and the 
server running it may be compromised?

Answering your "why" question is focussing on the wrong issue, as 
you've rather glibly skipped over a much more important issue -- what 
is the basis of your assessment that a hosting service is "reasonably 
trustworthy"?

Every site owner/admin on every one of the hundreds of compromised 
sites I've had dealings with this year alone was (at least before they 
finally recognized they were hosed) of the opinion that their hosting 
provider was (at least) "reasonably trustworthy".

They were all -- clearly -- wrong _if_ by that assessment they (and 
presumably you) were of the opinion that a "reasonably trustworthy" 
hosting provider will not have site/server compromise issues.

I have to assume that they are representative of the many, many, many 
hundreds more site owners/operators who never engaged further with my 
response to their request for information about why their site was 
"blacklisted".

So, what critical baggage are you hiding inside your assessment that a 
hosting provider is "reasonably trustworthy"?



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ