Re: ASPNET User Problem in Shared Hosting Environment

From: al (news@thispartisfake-13c.com)
Date: 08/01/02 

From: "al" <news@thispartisfake-13c.com>
Date: Thu, 1 Aug 2002 12:01:53 -0700

Well, Well, Well,
This is so damn frustrating. I have been screaming at Microsoft and
Newsgroups about a similar issue with the FrontPage 2002 Extensions use of
the Network and Interactive groups. For over a year. Apparently the
trustworthy computing thing is Pure BS because they are completely aware of
these problems. They are completely aware that it is IIS exploits (second
only to mail client vulnerabilities) has got them this bad reputation. But
they continue down the same path of features over security.

First a bunch of toadies on the newsgroups will say:
"no that can't be the case...", then you call MS and they try to convince
you it is not the case with a low level flunkey. Then finally if you feel
like wasting your time because for some fool reason you have staked your
career on providing shared hosting with Microsoft technology, you may get to
someone at MS who says, "we admit it is a problem and it will be addressed
in a future release.".

Meanwhile your paranoia grows...

But it is clear that secure shared hosting is not a priority, in fact it has
got to be last on the list. Except in the Marketing department.

And full mad props to you Arild for keeping your socks up! The rest of you
toadies better make some noise or MS will keep ignoring this issue. Remember
they do respond to customer pressure and public humiliation. 

--
al.NET
It's not my website it's me dammit!
"Chip C" <chip@chipcom.net> wrote in message
news:MPG.17aefd687cbbfca4989937@news-server.neo.rr.com...
> On 29 Jul 2002 04:17:29 -0700,  Mr Snorkel allegedly wrote...
>
> > Sounds good - I think it would be possible to lock things down enough
> > to bring risks within acceptable limits under the kind of controlled
> > conditions you're talking about. I'd be interested to hear exactly
> > what you've done with the ASPNET user's privileges & permissions.
> >
> > I'm more concerned about the generic hosting companies. I've seen some
> > pretty serious business sites beginning to bubble up on shared hosting
> > services, and I don't imagine most of their owners understand how
> > vulnerable their content is. Some of the big hosting companies
> > *certainly* don't (poke around a bit, and you'll find their laxity
> > hair-raising). What bothers me is that if no-one tackles this very
> > soon, a big scandal will hit, and damage the image of ASP.NET as a
> > secure web application platform in the eyes of business. As a .NET
> > developer, that's the last thing I want to see.
> >
>
> It already has had an effect. Two projects that we were originally
> going to do with .Net are now going to be done with either classic
> ASP or PHP because the client is using a shared environment
> (webhost4Life). Did MS' newfound commitment to security not apply to
> the release of .Net?
>
> --
> Chip Ciammaichella
> Manager of Technology
> Q4-2, Inc.
>
> Personal Sites:
> http://www.chipcom.net/
> http://www.christmas-stories.com/