----- Original Message -----
From: "Ansgar Wiechers" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 01, 2003 1:52 AM
Subject: Re: Ten least secure programs


> I'm not sure if this discussion will be productive in any way, since you
> seem to concentrate too much on the software and ignore layer 8, which
> is (IMHO) the major problem. But anyway, here you go:
>
> On 2003-06-28 Chris Berry wrote:
> > I'm putting together a list of what seem to be the ten least secure
> > computer items in use today with the idea of having a set of things to
> > recommend AGAINST people using, probably to be posted on the IT room
> > door with a note like "NO, you cannot use the following!!".  Here is
> > what I have so far, I'm looking for additions and comments.  The list
> > is in order, with the worst offender being number one.  These
> > should be products whose inherent design is flawed, not that are just
> > difficult to secure.  I expect vigorous discussion. *putting on flame
> > retardant garments*  Oh, and leave Operating systems out of this one.
>
> I'm not sure if this discussion will be productive in any way, since you
> seem to concentrate too much on the software and ignore layer 8, which
> is (IMHO) the major problem. But anyway, here we go:
>
> > 1) Microsoft Outlook
>
> I beg to differ on this one. Outlook is a groupware client and is
> therefore *designed* to be insecure.

It's not designed to be insecure.  The difference is that it's accepting
content it should not and processing that content in a manner it should not.
It, like most MS products, does not comply with RFCs, and that alone opens big
holes.  That is not always the issue and it's not the only problem, but this
is not built to run in an insecure manner as you suggest, as if people are
using the wrong tool and it's their fault.  I can agree in some ways it's
the wrong tool, but it's not supposed to be.

>
> > 2) Telnet
> > 3) Sendmail
> > 4) IIS Server
> > 5) Wireless networking
> > 6) PHP
> > 7) ?
> > 8) ?
> > 9) ?
> > 10) ?
>
> You might want to add FTP in general and BIND (at least earlier than
> version 9) here.

Are insecure programs and the protocols to connect to them now resulting in
the program itself being insecure?  So, if I tunnel to an FTP server or use
sftp on the same FTP service, that means the FTP service isn't a less secure
program now?
--
Regards,
Tim Greer  [EMAIL PROTECTED]
Server administration, security, programming, consulting.

