Re: [Full-Disclosure] Re: Microsoft Coding / National Security Risk

From: Szilveszter Adam (adam_at_hif.hu)
Date: 03/30/04

    To: LC <full-disclosure@lists.netsys.com>
    Date: Tue, 30 Mar 2004 08:50:10 +0200
    
    

    madsaxon wrote:

    > The US military is considerably more rigorous than the civilian
    > government in this regard, but even then there are systems which
    > have slipped through the cracks. Evidence for this is the fact that
    > Web defacement mirrors still occasionally contain both .gov and
    > .mil entries.

    Not to rain on your parade, but public web site defacements in the gov
    sector certainly show very little of the state of internal network
    security. Nowadays public web servers are often outsourced to a colo
    facility, and are not very much locked down either, since these are
    often not the same systems that provide the intranet services that the
    organisation depends on. While having a breach on your public web
    servers doesn't look nice, it's mostly not critical either, you simply
    take the server off the net and rebuild it when you have time. After
    all, it is more for information of the public than for anything else:
    nice to have, but nothing breaks if it doesn't work. Therefore the costs
    of locking it down may outweigh the possible cost of compromise. It is
    like saying: since there is graffiti on the walls of the police station,
    the police force sucks. I'd rather they went after the more serious
    offenses instead of making sure that nobody can spray their walls.

    Regards:
    Sz.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

