[CT] Attachments....

Daniel Moran dkm at QueenOfAngels.com
Tue Jul 16 14:25:19 PDT 2002


At 04:29 PM 7/15/2002 -0600, Daniel Dvorkin wrote:
>... and yet the vast majority of "Internet worms" that have done real 
>damage are actually "IIS worms."  The conclusion is inescapable:  Apache 
>is simply more secure than IIS (as well as being a better Web server in 
>just about every way.)  And since the same company which gave us IIS also 
>gave us VBScript and Outlook Express and Internet Explorer and SQL Server 
>-- basically all the "security holes disguised as applications" which have 
>been responsible for just about every major virus and worm in the last few 
>years -- it is not unreasonable to believe that it is that company's lousy 
>coding, and not simply its inexplicable popularity, which is responsible.

I have to back Daniel up on this. While there's sure a huge difference 
between a well-configured install copy of SQL Server and a badly configured 
install, over the years that I've been responsible for making sure SQL 
Server databases were secure, I must have seen a dozen exploits that would 
completely subvert even a well-designed SQL Server installation -- about 
half of them buffer overruns of one sort or another. I've never had a 
server subverted that I know of, but I've sure had a couple attacks using 
exploits that would have worked if I hadn't religiously been applying 
patches as they were issued. I'm _really good_ at this ... and under 
real-world conditions I'm skeptical that I could secure one of my own 
servers against myself.

____________________________
continuing-time mailing list
continuing-time at ralf.org
http://www.ralf.org/mailman/listinfo/continuing-time


