Peter Beckman wrote:
> On Tue, 10 Mar 2009, SIP wrote:
>
>> Responsibility? That's a difficult word. Is it irresponsible to build a
>> program without additional security if building in that security is
>> possible?
>
> No. Network and software security is the responsibility of the admin. If
> to get the Asterisk Install to work they open the box to the world, then
> they will likely get a costly lesson in network and system security due to
> insecure logins to Asterisk.
>
> Asterisk/Digium is NOT responsible for securing your server -- YOU are.
> Just like Microsoft is not responsible for keeping spyware and viruses off
> your computer.
>
> Beckman
>
> PS -- YOU being the server admin, not anyone specifically, in case you were
> feeling singled out, YOU.

I was not feeling singled out, but I would like to add that I disagree with your opinion (but that I respect your right to have a different one from mine).

Any software developer either knows or SHOULD know about software security. If he doesn't, he's deluding himself into thinking he's an actual software developer and not a second-rate code monkey. Software security is everything from verifying (and cleaning) user inputs to ensure nothing snaps to, in the case of a networked piece of software, ensuring that the networked code is not abused.

In something complex like Asterisk, I imagine they take reasonable care to ensure that it can't write to locations it's not supposed to write to, that it doesn't get easily tricked into reading from locations it's not supposed to read from, and that the data it sends either to local files or via the network is handled with a certain level of integrity. After all, there are incredibly rudimentary ACL controls built into Asterisk already, so clearly SOMEone thought that a certain level of security was the purvey of the developers and not to be left to system admins or crazy, random chance. Why not build in something stronger if it CAN be done?

As for Microsoft not keeping spyware off your machine... try telling that to the press that loves to lambast them whenever there's a virus or bit of spyware that makes it past their rudimentary security. There's a REASON MS has been beefing up their security in their software. People don't run software that's commonly accepted to be insecure and full of possible holes. It's a bit like driving without brakes and no seatbelt. It works just fine in only extremely limited situations.

If that's the reputation you want for Asterisk, to be lumped in there with the software people love to joke about because it's both dangerous and senseless to use, then by all means ignore the idea that any level of security needs to be included. However, I will continue to think it's a bad idea.

N.
_______________________________________________
asterisk-biz mailing list
http://lists.digium.com/mailman/listinfo/asterisk-biz
