FilePro Happy faces
Fairlight
fairlite at fairlite.com
Tue Aug 10 16:00:13 PDT 2004
With neither thought nor caution, Bob Rasmussen blurted:
>
> If you study the list of things fixed in Windows updates, you will find
> that well over half of them are security fixes. That is, Microsoft finds
> or hears about holes, and fixes them. Often when a hole is reported, an
> exploit appears in VERY short order.
WinNuke: 1 month for NT, 3 months for Win9x. That's just the first
example that comes to mind.
In later attacks, even this year alone, you'll see a report on SANS, and while
another 11 holes have been found, confirmed, and patched by the vendors by
the time SANS advertises the exploits, M$ has yet to even -confirm- the
existence of a single hole out of 5+ reported ones in the same bulletin.
No offense, but I don't call that very short order.
> By not installing security updates, you leave yourself vulnerable to
> hacks, virii, worms, etc., that might a) damage your own systems, and/or
> b) co-opt your system into an attack on other sites.
Then again, you maintain the ability to use features that are parts of
standards that MS signed off on as part of the W3C but has since
unilaterally decided they needed to abandon because doing so would fix
entirely different problems. Witness the \001 with user:pass at host URI
syntax. It was a -display- issue that caused a security vulnerability.
Instead of fixing the display issue, they simply disabled the entire use of
that (useful, valid, approved) part of the standards draft. How quaint.
Let's not get into the patches that they need to release to fix their own
patches. They're not alone in this lately, but they're by far the biggest
offender.
But yes, you're (in general) better off installing security patches than
not doing so.
> If your machine is isolated from the world, I could condone an attitude
> such as you express, but if it's connected, I don't think it's wise or
> helpful.
If your machine is connected to the world enough to use Anzio to connect
to another box, I'd think that it's unwise to ship with remote command
execution enabled, given how easy it would be to slide a little something
into /etc/issue or /etc/motd. What's your point? Nothing personal, but
that's a bit of a double standard, and you've already flat-out said that
you never intended to change that, despite the fact that I drew attention
to it and recommended that should not be the default setting for security
reasons. I don't think I could condone -either- attitude, but I'm sure you
don't think that makes me right based on your response last time.
mark->
--
Bring the web-enabling power of OneGate to -your- filePro applications today!
Try the live filePro-based, OneGate-enabled demo at the following URL:
http://www2.onnik.com/~fairlite/flfssindex.html
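The post above objects to a terminal emulator shipping with remote command execution enabled because a login banner such as /etc/issue or /etc/motd is an easy place to plant terminal escape sequences. The following is an added example, not code from the original post, from Anzio, or from the filePro project: a small scanner that flags escape sequences and other control bytes in a banner file. It assumes nothing about any specific emulator's command set; it only looks for the standard ESC-introduced sequence forms (CSI, OSC, DCS and bare ESC sequences) and for stray C0/C1 control bytes. The sample banner contents are constructed for the demonstration.

```python
"""Scan login banner files (/etc/issue, /etc/motd) for terminal escape
sequences that a terminal emulator with remote command execution enabled
might act on.

Added example, not part of the original mailing-list post or of Anzio.
The sample banners below are constructed, not taken from any real host.
"""
import re
import sys

# Control bytes a banner legitimately contains: TAB, LF, CR.
ALLOWED_C0 = {0x09, 0x0A, 0x0D}

# Standard 7-bit ESC-introduced sequence forms. Order matters: the
# specific CSI/OSC/DCS forms are tried before the generic ESC branch.
SUSPECT_RE = re.compile(
    rb"\x1b\[[0-9;?]*[ -/]*[@-~]"           # CSI  params/intermediates/final
    rb"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"  # OSC  ... terminated by BEL or ST
    rb"|\x1bP[^\x1b]*\x1b\\"                # DCS  ... terminated by ST
    rb"|\x1b[ -/]*[0-~]"                    # other ESC sequences (e.g. ESC c)
)


def scan_banner(data: bytes):
    """Return a sorted list of (offset, kind, raw_bytes) findings.

    kind is one of "CSI", "OSC", "DCS", "ESC" for recognised sequence
    forms, or "CTRL" for any other control byte outside ALLOWED_C0
    (C0 0x00-0x1f, DEL 0x7f, and the 8-bit C1 range 0x80-0x9f).
    """
    findings = []
    covered = set()
    for m in SUSPECT_RE.finditer(data):
        seq = m.group(0)
        if seq.startswith(b"\x1b]"):
            kind = "OSC"
        elif seq.startswith(b"\x1bP"):
            kind = "DCS"
        elif seq.startswith(b"\x1b["):
            kind = "CSI"
        else:
            kind = "ESC"
        findings.append((m.start(), kind, seq))
        covered.update(range(m.start(), m.end()))

    # Stray control bytes not already part of a recognised sequence,
    # including a dangling ESC at end of file.
    for i, b in enumerate(data):
        if i in covered:
            continue
        if (b < 0x20 and b not in ALLOWED_C0) or 0x7F <= b <= 0x9F:
            findings.append((i, "CTRL", bytes([b])))
    return sorted(findings)


def is_clean(data: bytes) -> bool:
    """True when the banner contains nothing a terminal would interpret."""
    return not scan_banner(data)


# Constructed sample banners for the demonstration.
SAMPLE_MOTD = (
    b"Welcome to host example\n"
    b"Please read the usage policy before proceeding.\r\n"
)
SAMPLE_TAMPERED = (
    b"Welcome to host example\n"
    b"\x1b]0;owned\x07"      # OSC 0: set the window/icon title
    b"\x1b[2J"               # CSI 2J: clear the screen
    b"Have a nice day\n"
)


def scan_files(paths):
    """Scan each path; return {path: findings}. Unreadable files are skipped."""
    report = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                report[path] = scan_banner(fh.read())
        except OSError as exc:
            print(f"{path}: {exc}", file=sys.stderr)
    return report


if __name__ == "__main__":
    targets = sys.argv[1:] or ["/etc/issue", "/etc/motd"]
    for path, found in scan_files(targets).items():
        status = "clean" if not found else f"{len(found)} suspect byte sequence(s)"
        print(f"{path}: {status}")
        for offset, kind, raw in found:
            print(f"  offset {offset}: {kind} {raw!r}")
```

Run it with no arguments to check /etc/issue and /etc/motd on the local box, or pass explicit paths. A finding is not proof of malice (some sites do put colour codes in their banners), but any ESC-introduced sequence in a file that is displayed verbatim to every terminal that logs in deserves a look, and on an emulator that executes commands sent by the host it deserves a very close one.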