I'm not exactly sure what patch you're talking about, I would have to look and see why the patch was issued.

As far as not announcing the username, and not putting your name on the mailbox, that's all security by obscurity. It will work for a little while, but the problem is that most people use security by obscurity as the only form of security. For example: if you don't put your name on your mailbox, you will think that you're more secure from thieves, and therefore won't be as careful to lock your back door. You'll think "But the thief won't know if I'm home or not, so he'll be too afraid to come through my back door." This, of course, is ridiculous. Instead of relying on security by obscurity, you should make sure your doors are locked, that you have good locks, good doors and windows, and a good security system.

In the computer world it's the same. Instead of hiding your username and server IP, make sure you have a strong password. Make sure you don't have any unnecessary services running. Make sure that you have proper permissions on your files and databases.

So take it from me. Security by obscurity only works if it's used in combination with other, more powerful forms of security, and most of the time it just gets in the way of usability. Don't let your guard down just because you've 'hidden' something. The thieves and hackers have ways of finding that stuff out, ways that you might have never thought of.

Russ

-----Original Message-----
From: Munson, Jacob [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 11, 2006 2:11 PM
To: CF-Talk
Subject: RE: Professional Opinions on HostMySite.com

I was watching a show about house security once, and they said you should never put your name on your mailbox (nor anywhere visible). Why not? Because a thief can have a phone book in his car, and look up your phone number from the name and address, then give a call to see if you're not home.

Would you announce to the world what your username is? Sure nobody has your password, but giving out your username (or your DB name) gives a hacker one less thing to figure out.

What about paths in your web server? Could a hacker wipe out all of your custom tags if he knew what folder they were in? Probably not, but if he didn't have to discover that much information, his job is that much easier. Again, I think if it weren't a security risk, MS would not have put out a patch.

> -----Original Message-----
> From: Russ
>
> Well maybe you shouldn't be storing your username and pw in your datasource
> in the first place. Security by obscurity is never a good idea, and the
> name of your datasource shouldn't be equivalent to a password.
>
> You should be using username and pw in all your queries if you're on a
> shared host. You should store them somewhere like application.cfm. Now, if
> someone can read your files, then they'll get your password anyway, but
> that's a whole different security hole. You shouldn't just let people
> access your datasource just because they know its name.
>
> So, like I said, it's not a security issue per se, more of an annoyance. In
> theory you shouldn't see datasources that you don't have access to if you
> choose not to see them, but you could argue either way. I wouldn't want
> somebody creating a database on my server, and then not giving me access to
> it, and for enterprise manager to not even show that database to me. That's
> an even bigger security hole. (Think Sony with their DRM rootkit
> technology).
>
> Russ
>
> -----Original Message-----
> From: Munson, Jacob [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 11, 2006 1:36 PM
> To: CF-Talk
> Subject: RE: Professional Opinions on HostMySite.com
>
> Would you want your DB to be visible to all other customers on a shared
> host? I know I sure wouldn't...even if they can only look at things,
> it's still scary and if nothing else, a bad idea. If it weren't a
> security issue, I don't think MS would have put out a patch.
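As an added illustration (not code posted by anyone in this thread), this is the arrangement Russ describes for a shared host: the database credentials live in Application.cfm rather than in the ColdFusion datasource definition, and each query supplies them itself. The datasource name, variable names and credential values are placeholders; as Russ notes, anyone who can read the file still gets the password, so file permissions remain the real control.

```cfml
<!--- Application.cfm (constructed example): runs before every request --->
<cfapplication name="shopApp" sessionmanagement="false">

<!--- Set the credentials once per application lifetime. Placeholders only;
      on a real host these would be a dedicated, least-privilege DB account
      with a strong password, not the hosting account's login. --->
<cfif NOT isDefined("application.dbUser")>
  <cflock scope="application" type="exclusive" timeout="10">
    <cfset application.dbUser     = "shop_app_user">
    <cfset application.dbPassword = "REPLACE_WITH_STRONG_PASSWORD">
  </cflock>
</cfif>

<!--- products.cfm (constructed example): the datasource "shopDSN" is defined
      in the CF Administrator with NO stored username/password, so knowing
      its name alone is not enough to query it. --->
<cfparam name="url.cat" type="integer" default="1">

<cfquery name="qProducts"
         datasource="shopDSN"
         username="#application.dbUser#"
         password="#application.dbPassword#">
  SELECT product_id, name, price
  FROM   products
  WHERE  category_id = <cfqueryparam value="#url.cat#" cfsqltype="cf_sql_integer">
</cfquery>

<cfoutput query="qProducts">
  #name# - #price#<br>
</cfoutput>
```

The cfqueryparam is not part of Russ's point but belongs in any query that takes request input; without it the credential discipline above buys little.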

