
Re: [Full-Disclosure] Gates: 'You don't need perfect code' for good security



On Tuesday 04 November 2003 06:03 am, Geoincidents wrote:
> > But IMHO, that *is* the point.  If it's on the Internet, it's
> > exposed . . . And if a stored procedure is exposed, then the whole
> > system is exposed . . .
>
> Nonsense, you read too many MS papers <g>. Lots of ISP's run SQL
> servers on the internet for radius authentication, where the database
> and stored procedures are not exposed. Just because MS describes
> something you don't consider safe, you are assuming there isn't a
> safe way to do it?

Heh.  We're in violent agreement on this issue.  My thrust wasn't that 
it is not *possible* to run a database where the database and stored 
procedures are not exposed . . . it was that the corporate vice 
president, SQL Server Team is saying that Yukon is designed to support 
stored procedures being exposed as Web services.  Put another way, 
they're purposely designing a system so that it can be easily used 
in a *very* insecure way, and touting it as a design coup.  I have a 
hard time reconciling that with the notion that Microsoft has the 
slightest clue about system security and secure system design.  This is 
a shining example of "innovation and enhanced feature/function" 
trumping secure system design.
 
>
> If what you say is true, then all the MS databases where they store
> registration information, windows update information, activation
> information, they must all be exposed so how about posting exploits
> for them so we can get MS to secure our data? Or are those on the net
> yet not exposed?

Don't know.  I have never been in a situation where anybody had *any* 
database exposed to the Internet.  There have always been several 
layers of software and firewalls between the Internet and a production 
database . . . and there has always been a distinction between "DMZ" 
databases and production databases.  DMZ databases may keep some state 
information, cache, and, maybe even some "local" authentication 
information in them.  But databases that held production data and which 
would have stored procedures that provide business function (or 
service), are on the internal network 'way far away from the Internet.

/g
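The layered design the reply describes, where a narrow application tier sits between the Internet and the database instead of exposing stored procedures directly, as an added example that is not part of the original thread or of any Microsoft product. It uses an in-memory sqlite3 table as a constructed stand-in for a production database; the table, account data, operation names and the request format are all assumptions made for the illustration.

```python
import sqlite3
from typing import Any, Callable, Dict

# Constructed stand-in for the production database (sqlite3 in memory instead
# of a real SQL Server). The sample table and rows are made up for the example.
def build_sample_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250)],
    )
    conn.commit()
    return conn


# Application tier: each handler is one deliberately narrow business function.
# The caller supplies data only; it never names a procedure, table or column.
def get_balance(conn: sqlite3.Connection, params: Dict[str, Any]) -> Dict[str, Any]:
    owner = params.get("owner")
    # Validate the shape of the input before it gets anywhere near SQL.
    if not isinstance(owner, str) or not owner.isalnum() or len(owner) > 32:
        raise ValueError("owner must be a short alphanumeric string")
    # Parameter binding: the value is never spliced into the statement text.
    row = conn.execute(
        "SELECT balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchone()
    if row is None:
        raise LookupError("no such account")
    return {"owner": owner, "balance": row[0]}


# The only operations reachable from outside. Anything not listed here does
# not exist as far as the web-facing tier is concerned, whatever the database
# itself may contain.
PUBLIC_OPERATIONS: Dict[str, Callable[..., Dict[str, Any]]] = {
    "get_balance": get_balance,
}


def handle_request(conn: sqlite3.Connection, request: Dict[str, Any]) -> Dict[str, Any]:
    """Dispatch one decoded request (e.g. parsed from a JSON body) to a handler.

    The request names an operation from the fixed allowlist, not a database
    object, so an unknown or internal procedure name is simply rejected.
    """
    handler = PUBLIC_OPERATIONS.get(request.get("op"))
    if handler is None:
        return {"ok": False, "error": "unknown operation"}
    try:
        result = handler(conn, request.get("params") or {})
    except (ValueError, LookupError) as exc:
        # Fail closed with a generic message; no database errors leak outward.
        return {"ok": False, "error": str(exc)}
    return {"ok": True, "result": result}


if __name__ == "__main__":
    db = build_sample_db()
    print(handle_request(db, {"op": "get_balance", "params": {"owner": "alice"}}))
    print(handle_request(db, {"op": "sp_drop_accounts", "params": {}}))
    print(handle_request(db, {"op": "get_balance", "params": {"owner": "a' OR '1'='1"}}))
```

The point of the allowlist is that the web-facing tier, not the database, decides what is callable: a request naming some other procedure gets "unknown operation", and a parameter that does not match the expected shape is refused before any SQL runs. In the DMZ/production split from the reply, this tier is what would sit in the DMZ, talking to the production database over a firewalled, internal-only connection.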

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html