Message-ID: <200311041121.16181.capegeo@opengroup.org>
From: capegeo at opengroup.org (George Capehart)
Subject: Gates: 'You don't need perfect code' for good security

On Tuesday 04 November 2003 06:03 am, Geoincidents wrote:
> > But IMHO, that *is* the point.  If it's on the Internet, it's
> > exposed . . . And if a stored procedure is exposed, then the whole
> > system is exposed . . .
>
> Nonsense, you read too many MS papers <g>. Lots of ISPs run SQL
> servers on the internet for radius authentication, where the database
> and stored procedures are not exposed. Just because MS describes
> something you don't consider safe, you are assuming there isn't a
> safe way to do it?

Heh.  We're in violent agreement on this issue.  My thrust wasn't that 
it is not *possible* to run a database where the database and stored 
procedures are not exposed . . . it was that the corporate vice 
president, SQL Server Team is saying that Yukon is designed to support 
stored procedures being exposed as Web services.  Put another way, 
they're purposely designing a system so that it can be easily used 
in a *very* insecure way, and touting it as a design coup.  I have a 
hard time reconciling that with the notion that Microsoft has the 
slightest clue about system security and secure system design.  This is 
a shining example of "innovation and enhanced feature/function" 
trumping secure system design.
 
>
> If what you say is true, then all the MS databases where they store
> registration information, windows update information, activation
> information, they must all be exposed so how about posting exploits
> for them so we can get MS to secure our data? Or are those on the net
> yet not exposed?

Don't know.  I have never been in a situation where anybody had *any* 
database exposed to the Internet.  There have always been several 
layers of software and firewalls between the Internet and a production 
database . . . and there has always been a distinction between "DMZ" 
databases and production databases.  DMZ databases may keep some state 
information, cache, and, maybe even some "local" authentication 
information in them.  But databases that held production data and which 
would have stored procedures that provide business function (or 
service), are on the internal network 'way far away from the Internet.

/g

