[REBOL] Re: OT: SSH and secure servers, WAS: XML / dialects
From: jason:cunliffe:verizon at: 7-Jan-2002 15:55
Brian Wilson <[bwilson--ihpva--org]> wrote:
> There are numerous totally free ssh and ssl cross platform solutions.
> See http://www.clickshift.com/ssh/ for some info + links on ssh.
> BUT they only keep data from being sniffed as it passes over the 'net.
Hi Brian
Thanks.
> I bet your compromise came by exploiting a buffer overflow or some
> stupid scripting configuration problem. Would this not include badly
> written REBOL scripts?
It could indeed, especially as people are tempted to adjust permissions to
get REBOL or other cgi working. Once it is, they tend to forget and move on.
As it turns out the compromise came via some skilled people exploiting SSH1
weakness. You can read about it here:
http://www.incidents.org
http://www.incidents.org/diary/diary.php?id=138
> IMHO you have much more to worry about from security holes
> unintentionally installed by yourself (NEVER happens to ME of course!
> HA HA) and by the providers of your various server tools such as BIND,
> Apache, MS Exchange and so on.
Yes. As someone said/wrote "security is not a product, it's a process." My
main security argument has been that we need very careful use of
permissions. People want to believe in a golden tool/bullet. I inherited
the sysadmin role for a very messy undocumented system. Decided to take it right
down and rebuild from scratch.
The major part of the learning curve, no matter what OS, and/or whatever
versions of each element, still all comes down to the user/group/other
permission structure. How that is planned and maintained. I welcome any
advice, good reading especially to help the strategic planning stages.
I am hoping that REBOL will become a valuable tool in this process. A big
question is how to use it well for secure custom remote sysadmin. Working
between REBOL/Command on the server and REBOL/ViewPro and/or REBOL/Command
on clients.
Does anyone have any experience with this?
./Jason