 ____________________________________________________________
 \ /   Scott Fosseen - Systems Engineer - Arrowhead AEA 5
  \    www.aea5.k12.ia.us/aeaphone.nsf/Web/FosseenScott
  /____________________________________________________________

----- Original Message -----
From: "Internet Security Focus at Builder.com" <Online#[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 01, 2002 2:30 AM
Subject: [Builder.com] Why Apache doesn't get an A+ for security
> Surprise! Apache isn't perfectly secure either
> Visit Builder.com | July 1, 2002
>
> Copyright Information
> This e-newsletter may contain links to sites on the Internet that are owned and operated by third parties. CNET Networks, Inc. is not responsible for the content of any such third-party site.
> Copyright 2002 CNET Networks, Inc. All rights reserved. Builder.com is a trademark of CNET Networks, Inc.
>
> Surprise! Apache isn't perfectly secure either
>
> Longtime subscribers of this e-newsletter are well aware of my soft spot for open source software. There are a number of reasons why I use open source software when possible, including the fact that I don't have to pay for it and the software's source code is readily accessible.
>
> Since the source code is available, open source software bugs are fair game for anyone smart enough to find and report them. This isn't to imply that open source software undergoes more scrutiny than commercial software.
>
> In a perfect world, we could expect commercial software to be bug-free and more secure and reliable than open source software. If a software product delivers on its promises (open source or commercial), people will use it. If it doesn't, people will find a substitute.
>
> Sometimes I'm critical of commercial software companies because they're in the business of producing software for a profit. I have the (perhaps unrealistic) expectation that a commercial software product should be more secure than open source software. Although open source software bugs aren't as newsworthy as commercial software bugs, they still exist. Case in point is the latest Apache vulnerability.
>
> Since Internet Security Systems (ISS) recently reported a somewhat major bug in the open source Apache Web server, there's been some bad blood between Apache and ISS because of how and when the public was informed.
> While it didn't shock me to learn about the Apache bug, the way ISS handled the situation did surprise me.
>
> I agree with Apache that ISS jumped the gun on announcing this exploit. When a software product with a large-scale deployment has a vulnerability or exploit, people need to know how to fix it. Usually the people responsible for the software product are the first to learn about a vulnerability, which allows them time to devise an acceptable solution for the problem.
>
> For instance, in the past, ISS did a remarkable job finding and reporting software bugs in Microsoft's Web server software--while still allowing Microsoft to come up with a fix before informing the public. I'm not sure what went wrong with the Apache situation.
>
> I believe that discovering bugs in widely distributed software is a noble task, but one that requires some responsibility to the public. Since Apache is the leading Web server platform, releasing details about the bug before an acceptable solution was found was irresponsible of ISS.
>
> Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.
>
> We want your feedback
> Tell us what you think about the latest Apache vulnerability. Share your comments in our discussion forum.
>
> Notice to Subscribers
> Due to the upcoming U.S. holiday, we will not be delivering newsletters on July 4 and 5. Internet Security Focus will be back to its normal schedule the following work week.
> In addition, our systems will be down that weekend, as we switch to a new server-hosting facility. You may notice irregularities when viewing newsletter content during that time. We thank you for your patience.
>
> Serious vulnerability discovered in Apache chunk handling
> Apache admins need to be aware of a dangerous flaw in the Windows and 64-bit UNIX versions of Apache.
> The vulnerability has led to some friction between Apache and the security company ISS, which released a patch that Apache says is incomplete.
>
> Five tips for configuring Apache
> Apache server coughing up smoke? Give it a tune-up with these five tips, and tweak the number of requests the box can handle.
>
> Use JCE to share Java cryptography keys
> The Java Cryptography Extension (JCE) simplifies the process of using encryption and digital signatures and allows the necessary keys to be shared with non-Java systems. Here's one way to use this powerful feature.
>
> Accessing flat files with Oracle SQL
> A major Oracle9i enhancement is the ability to access non-Oracle data from flat files via Oracle SQL. Don Burleson shows you how to utilize this new feature in your applications.
>
> Easily retrieve drive and system information in VB
> Working with the Windows API can be cumbersome when you're trying to access system or drive information. Visual Basic simplifies the process with built-in objects.

---
[This E-mail scanned for viruses by Declude Virus]
---------------------------------------------------------
Archived messages from this list can be found at:
http://www.mail-archive.com/tech-cord@aea5.k12.ia.us/
---------------------------------------------------------
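The chunk-handling item in the forwarded newsletter names the flaw but gives no detail. As an added example, not Apache's code and not a reconstruction of the specific bug the newsletter refers to, the following C shows the bounds discipline a chunked-body decoder needs: chunk sizes are parsed into an unsigned size_t and rejected before they can exceed the output buffer, so an oversized, negative-looking or malformed size token can never become a memcpy past the end of the buffer. The sample bodies, the 64-byte scratch buffer and the helper names (decode_status, decode_len, decode_matches) are constructed for this demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes for decode_chunked(). */
enum chunk_status {
    CHUNK_OK = 0,     /* last-chunk reached, body fully decoded */
    CHUNK_BAD_SIZE,   /* size token empty, non-hex, or larger than the output buffer */
    CHUNK_TOO_BIG,    /* chunk would not fit in the remaining output space */
    CHUNK_TRUNCATED   /* input ended before the chunk data or its CRLF framing */
};

/* Parse a hexadecimal chunk-size token starting at p. The value accumulates in an
 * unsigned size_t and is rejected before it can exceed cap, so a 20-digit token or a
 * "-5" can never become a negative or wrapped length. Returns a pointer just past the
 * digits, or NULL on error. */
static const char *parse_chunk_size(const char *p, const char *end, size_t cap, size_t *size)
{
    size_t v = 0;
    int ndigits = 0;

    while (p < end && isxdigit((unsigned char)*p)) {
        unsigned c = (unsigned char)*p;
        unsigned d = isdigit(c) ? c - '0' : (unsigned)(tolower(c) - 'a') + 10;
        if (v > cap >> 4)      /* v * 16 would already exceed cap: stop before multiplying */
            return NULL;
        v = (v << 4) | d;
        if (v > cap)
            return NULL;
        p++;
        ndigits++;
    }
    if (ndigits == 0)
        return NULL;
    *size = v;
    return p;
}

/* Decode a chunked body in[0..in_len) into out[0..out_cap); *out_len receives the
 * decoded length. Every copy is checked against the unsigned remaining capacity. */
int decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap, size_t *out_len)
{
    const char *p = in, *end = in + in_len;
    size_t used = 0;

    for (;;) {
        size_t sz;
        const char *q = parse_chunk_size(p, end, out_cap, &sz);
        if (q == NULL)
            return CHUNK_BAD_SIZE;
        if (q < end && *q == ';')               /* skip a chunk extension up to CRLF */
            while (q < end && *q != '\r')
                q++;
        if ((size_t)(end - q) < 2 || q[0] != '\r' || q[1] != '\n')
            return CHUNK_TRUNCATED;
        q += 2;
        if (sz == 0) {                           /* last-chunk; trailers are ignored here */
            *out_len = used;
            return CHUNK_OK;
        }
        if (sz > out_cap - used)                 /* unsigned compare; used <= out_cap always */
            return CHUNK_TOO_BIG;
        if ((size_t)(end - q) < sz + 2)          /* data plus its trailing CRLF must be present */
            return CHUNK_TRUNCATED;
        memcpy(out + used, q, sz);
        used += sz;
        q += sz;
        if (q[0] != '\r' || q[1] != '\n')
            return CHUNK_TRUNCATED;
        p = q + 2;
    }
}

/* Constructed scratch buffer and convenience wrappers for the demonstration. */
static char scratch[64];

int decode_status(const char *body, size_t cap)
{
    size_t n = 0;
    if (cap > sizeof scratch) cap = sizeof scratch;
    return decode_chunked(body, strlen(body), scratch, cap, &n);
}

size_t decode_len(const char *body, size_t cap)
{
    size_t n = 0;
    if (cap > sizeof scratch) cap = sizeof scratch;
    if (decode_chunked(body, strlen(body), scratch, cap, &n) != CHUNK_OK) return 0;
    return n;
}

int decode_matches(const char *body, size_t cap, const char *expected)
{
    size_t n = decode_len(body, cap);
    return n == strlen(expected) && memcmp(scratch, expected, n) == 0;
}

int main(void)
{
    const char *good = "4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\n\r\n";  /* constructed body */
    const char *huge = "FFFFFFFFFFFFFFFFFFFF\r\nxxxx\r\n0\r\n\r\n";   /* size token overflows */
    const char *neg  = "-5\r\nhello\r\n0\r\n\r\n";                   /* negative-looking size */
    printf("good: status %d len %zu\n", decode_status(good, 64), decode_len(good, 64));
    printf("huge: status %d\n", decode_status(huge, 64));
    printf("neg:  status %d\n", decode_status(neg, 64));
    return 0;
}
```

The two checks that matter are in parse_chunk_size (the value can never grow past the buffer capacity, so it cannot wrap) and the `sz > out_cap - used` comparison, which is done on unsigned values against the space actually left rather than on a signed size compared with the whole buffer.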