lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 20 Dec 2012 22:07:57 +0000
From: Philip Whitehouse <philip@...uk.com>
To: Nick FitzGerald <nick@...us-l.demon.co.uk>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Question regarding script vulnerabilities

Personally I wouldn't equate a trustworthy host to mean they had 'bulletproof' servers. Even if it were possible its not the normal definition of trust.

In any case it's irrelevant - it's what you run that typically exposes your site to the most risk

Philip Whitehouse

On 20 Dec 2012, at 21:16, "Nick FitzGerald" <nick@...us-l.demon.co.uk> wrote:

> Rand wrote:
> 
>> I was curious, if you have a virtual dedicated server or a dedicated
>> server, and a reasonably trustworthy hosting service, are malicious scripts
>> planted by external people a big concern? If so why?
> 
> If you have a web server, malicious scripts should be a big concern to 
> you, yes.
> 
> Why would you NOT be concerned that the integrity of your site and the 
> server running it may be compromised?
> 
> Answering your "why" question is focussing on the wrong issue, as 
> you've rather glibly skipped over a much more important issue -- what 
> is the basis of your assessment that a hosting service is "reasonably 
> trustworthy"?
> 
> Every site owner/admin on every one of the hundreds of compromised 
> sites I've had dealings with this year alone was (at least before they 
> finally recognized they were hosed) of the opinion that their hosting 
> provider was (at least) "reasonably trustworthy".
> 
> They were all -- clearly -- wrong _if_ by that assessment they (and 
> presumably you) were of the opinion that a "reasonably trustworthy" 
> hosting provider will not have site/server compromise issues.
> 
> I have to assume that they are representative of the many, many, many 
> hundreds more site owners/operators who never engaged further with my 
> response to their request for information about why their site was 
> "blacklisted".
> 
> So, what critical baggage are you hiding inside your assessment that a 
> hosting provider is "reasonably trustworthy"?
> 
> 
> 
> Regards,
> 
> Nick FitzGerald
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ