----- Original Message -----
From: "Nick Warr" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 9:08 AM
Subject: Re: Ten least secure programs


>
> ----- Original Message -----
> From: "Chris Berry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 01, 2003 1:00 AM
> Subject: Re: Ten least secure programs
>
>
> > >From: Patrick Boucher <[EMAIL PROTECTED]>
> > >Greetings,
> > >
> > >The first one I would use would be "Internet Explorer". There are so many
> > >bugs and workaround holes. I think it is worse than Outlook, or Outlook
> > >Express.
> > >
> > >That's my No. 1.
> >
> > Well, I wasn't concerned with feature or usability bugs, only security
> > ones, so I don't agree.  If your IE is fully patched and configured it's
> > not that bad.  (though I personally use Mozilla instead because of the
> > nice features).
> >
>
> Why then are you putting sendmail on the list?
> Sendmail can be quite secure if kept up to date patch-wise and configured
> properly (although I'd use qmail or postfix personally).

Most programs can be secure, provided you keep them (some of them,
constantly) patched.  The point being, you have to keep patching it and it
has a lot of problems, beyond how it's configured.  By comparison, other
mail programs/services don't have that history, and even compared to other
programs that provide different services, it's high on the list for good
reason.

> Same thing with IIS and PHP, if they're patched and well configured,
> they're definitely no worse than IE...

Right, so should we just list programs that the vendor (or community)
doesn't offer patches for?

> I really don't see where you're coming from with this list, you need to
> decide on your criteria, and stick to them.

Agreed.

> For example,
>
> 1. Inherently Flawed (kind of hard to quantify, but I guess Outlook's
> executing code without user input is probably a good example, or telnet's
> complete lack of encryption).

While Outlook executes things it is not supposed to, it's a program that is
exploitable; telnet is a service, and although some telnet programs have been
exploited in the past (such as telnetd), it serves its purpose, and as long
as the program itself isn't exploitable, it shouldn't make the list of
exploitable programs.  The rm command isn't vulnerable, but it sure could be
used for the wrong thing, yet it serves its purpose.  In other words, this
is how I saw the list and questions.  What is this list about exactly,
anyway?  Does anyone know?

> 2. Too difficult for beginning user to configure securely (any product
> badly configured is a risk)

That plays a role, but someone not having the knowledge to secure,
configure or tune a program properly isn't the program's fault.

> 3. Under a lot of scrutiny for security holes (as many MS products are,
> like IE and Outlook, IIS, etc).

I think any program with security holes, whether they release patches or
not, eventually adds up to a poorly secured program.

> Each of these has to be considered/balanced when you try and make a "least
> secure list", which of these is the most important to you?

Those are valid points.  They all do play a role anyway, but we should
change the subject of this thread if that's the case and it's no longer
about programs alone... which sucks if someone builds a completely secure
program and no one ever uses it because people don't have the skills to set
it up properly or don't run it the way it's supposed to be run (just an
example).
--
Regards,
Tim Greer  [EMAIL PROTECTED]
Server administration, security, programming, consulting.
