Re: ASPNET User Problem in Shared Hosting Environment

From: al (news@thispartisfake-13c.com)
Date: 08/01/02 

From: "al" <news@thispartisfake-13c.com>
Date: Thu, 1 Aug 2002 12:29:31 -0700

I meant mad props to MR Snorkel! 

--
al.NET
It's not my website it's me dammit!
"al" <news@thispartisfake-13c.com> wrote in message
news:OxLa12YOCHA.1736@tkmsftngp13...
> Well, Well, Well,
> This is so damn frustrating. I have been screaming at Microsoft and
> Newsgroups about a similar issue with the FrontPage 2002 Extensions use of
> the Network and Interactive groups. For over a year. Apparently the
> trustworthy computing thing is Pure BS because they are completely aware
of
> these problems. They are completely aware that it is IIS exploits (second
> only to mail client vulnerabilities)  has got them this bad reputation.
But
> they continue down the same path of features over security.
>
> First a bunch of toadies on the newsgroups will say:
> "no that can't be the case...", then you call MS and they try to convince
> you it is not the case with a low level flunkey. Then finally if you feel
> like wasting your time because for some fool reason you have staked your
> career on providing shared hosting with Microsoft technology, you may get
to
> someone at MS who says, "we admit it is a problem and it will be addressed
> in a future release.".
>
> Meanwhile your paranoia grows...
>
> But it is clear that secure shared hosting is not a priority, in fact it
has
> got to be last on the list. Except in the Marketing department.
>
> And full mad props to you Arild for keeping your socks up! The rest of you
> toadies better make some noise or MS will keep ignoring this issue.
Remember
> they do respond to customer pressure and public humiliation.
>
> --
> al.NET
> It's not my website it's me dammit!
> "Chip C" <chip@chipcom.net> wrote in message
> news:MPG.17aefd687cbbfca4989937@news-server.neo.rr.com...
> > On 29 Jul 2002 04:17:29 -0700,  Mr Snorkel allegedly wrote...
> >
> > > Sounds good - I think it would be possible to lock things down enough
> > > to bring risks within acceptable limits under the kind of controlled
> > > conditions you're talking about. I'd be interested to hear exactly
> > > what you've done with the ASPNET user's privileges & permissions.
> > >
> > > I'm more concerned about the generic hosting companies. I've seen some
> > > pretty serious business sites beginning to bubble up on shared hosting
> > > services, and I don't imagine most of their owners understand how
> > > vulnerable their content is. Some of the big hosting companies
> > > *certainly* don't (poke around a bit, and you'll find their laxity
> > > hair-raising). What bothers me is that if no-one tackles this very
> > > soon, a big scandal will hit, and damage the image of ASP.NET as a
> > > secure web application platform in the eyes of business. As a .NET
> > > developer, that's the last thing I want to see.
> > >
> >
> > It already has had an effect. Two projects that we were originally
> > going to do with .Net are now going to be done with either classic
> > ASP or PHP because the client is using a shared environment
> > (webhost4Life). Did MS' newfound commitment to security not apply to
> > the release of .Net?
> >
> > --
> > Chip Ciammaichella
> > Manager of Technology
> > Q4-2, Inc.
> >
> > Personal Sites:
> > http://www.chipcom.net/
> > http://www.christmas-stories.com/
>
>