On Tue, 1 Mar 2005 16:24:58 -0000, Robertson-Ravo, Neil (RX)
<[EMAIL PROTECTED]> wrote:
> Agreed, that original statement reeks of idiocy itself.

How many of your servers have open, externally accessible MS-SQL
ports? Maybe you should go open your MS-SQL box to the world because
you certainly wouldn't be an idiot to keep it open, right?

Ignoring *fundamental* security issues is at best negligent. Ignoring
known, common, dangerous, documented, publicized security issues seems
to me to count as "idiotic" but you can call it "poor practice",
"negligent", "a mistake" or some other less offensive word if you need
to.

> From: Dave Watts [mailto:[EMAIL PROTECTED]
> > As an aside, there are *plenty* of ways to scan for open SQL
> > Server ports on your network to find those MSDE installs, so
> > I'll maintain that anyone with an unsecured SQL Server of any
> > type is, in fact, and idiot.
> 
> That's all well and good, but many people using products which include MSDE
> aren't network administrators, and don't know about port scanning or any
> other things that network administrators might know about, and they
> shouldn't have to know those things. Not knowing things like this doesn't
> make one "and idiot".

That's true, not "and idiot", but "an idiot" :)

If they are putting a server on a naked Internet connection with an
external address, they certainly *should* be aware of basic security.
Even "normal" home users are aware of the need for firewall (and av)
software. A $40 dsl/cable/etc router contains a decent enough firewall
to protect a MS-SQL server behind it with no more work than plugging
it in and turning it on.

Seriously, running any externally facing app without basic security
precautions makes you *not* an idiot? A level of even basic
security awareness should be part of every developer's toolbox -- at
least anyone worth hiring. And the excuse that "I didn't know MSDE
was part of the application" or "I'm not a sysadmin" is a pretty poor
one. How hard is the Microsoft Baseline Security Analyzer to use? How
hard is it to read the docs?

Of course securing the port doesn't prevent weak passwords. Or the
possibility of SQL injection attacks. Or any of a myriad other common
security weaknesses.

The assumption that "I didn't know" is an acceptable excuse relating
to security, whether it's configuration (e.g. firewall settings) or
code (e.g. SQL injection vulnerabilities), is a key reason why people
get cracked. And frankly, I care less about someone with poor security
getting hacked (something along the lines of "getting what you
deserve") than what their zombie server can do to my sites or one of
the sites I count on -- or about the consequences of the use/misuse of
my data they're storing.

When a security issue can affect *me*, then I've got a stake in making
sure people do the right thing -- I think security is black and white
(you don't see a "Grey Hat" security conference...). Maybe there are
varying *degrees* of security idiocy, but all things considered, I'll
err on the side of spending the time/money/effort on security instead
of taking the risk of being a victim of the "security is too hard"
syndrome.
-- 
John Paul Ashenfelter
CTO/Transitionpoint
(blog) http://www.ashenfelter.com
(email) [EMAIL PROTECTED]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
Find out how CFTicket can increase your company's customer support 
efficiency by 100%
http://www.houseoffusion.com/banners/view.cfm?bannerid=49

Message: http://www.houseoffusion.com/lists.cfm/link=i:4:196975
Archives: http://www.houseoffusion.com/cf_lists/threads.cfm/4