Petr,

Since this is the SQLite mailing list, we are moving away from the intentions of the list; however, I think your points need addressing as they may be relevant to other people using this mailing list. I apologise to other people if this is off topic, but I think it's important enough to answer.

> On 11 Sep 2015, at 18:38, Petr L?z?ovsk? <lazna at volny.cz> wrote:
>
>> 1. Security through obscurity is your first mistake. There is no such thing.
>
> Interesting.... It does not exist, but it has an article on Wikipedia. Sounds
> like UFO or Yeti?

Security through obscurity means that you assume that because nobody knows your system or knows your code then you are secure. That is what I was referring to. The article I assume you refer to, https://en.wikipedia.org/wiki/Security_through_obscurity, makes this very point.

>> 2. Assuming that nobody is writing CGI scripts on Windows Servers is your
>> next mistake. A lot of systems still do this, a lot of old systems still use
>> this technique and some new ones. The attack vector is not necessarily
>> through your CGI script itself but through the Windows Web server. Unless
>> you have patched and patched and patched your web server, you will be
>> attacked.
>
> Of course I keep my web server software up-to-date, why do you think I do not
> do it? I am talking here about my scripts, not about the server SW. But the
> server SW is relatively rare too...

I do not know what you do with your server. I would like to think you keep it patched up, but since you did not say, all I can do is assume the worst and be proven wrong. However, have you locked down every port, have you removed everything that is not needed, have you configured your applications that are front facing to be as secure as possible, have you put HTTPS on the web traffic that needs to be transmitted, have you checked that another machine on your local network cannot get access to your machine (a side door approach)? The scripts themselves may be secure, but the mechanism needed to run them needs to be just as secure.

>> 3. You assume that nobody is interested in your machine. Wrong. A lot of
>> people are very interested as they can add your hacked server to their
>> botnet and sell your resources on. Your machine does not have to be
>> publicised at all. As an example, I have a private server which I use. It
>> has no DNS entry (a common way to search for machines), so is only
>> accessible through an IP address which has never been published. It only has
>> a single ssh port open and port 80 for a private web server running some
>> software; the rest of the machine is locked down as best I can. The lock
>> down took me a day to do. It is not trivial. My last weekly report showed
>> over 200,000 attempts to break into the machine via ssh, http, and various
>> CGI exploits. That's 200,000 robot attempts; the most prevalent was an ssh
>> attempt from a single machine which accounted for 72,000 goes. A public web
>> server I have has over 1M hacking attempts per week. This is for a low usage
>> machine.
>
> Script kiddies start code written to attack widely spread systems,
> otherwise it will be not much fun. Some of this code could be specialized to
> intrude minor systems, but I have doubts there are a number of working scripts
> to successfully intrude systems with rare occurrence.
>
> Real hackers, those who are experienced in writing WORKING code targeted to
> intrude one specific rare system, need a REAL reason to do such a job. My
> system does not offer such a reason.

If you are using a Windows OS then your system is widely available. There may be millions of machines running your version of the OS, so you are a target for script kiddies. This comes back to Security through Obscurity. Your system is not unique, and the resources it offers, an internet connection and processing power, make it attractive. The people searching the internet do not know the details of your machine; they are looking for machines to add to botnets. The fact you run a local database on it is of no interest; they want the machines to use to rent out for a DDoS attack or password cracking or spam sending.

>> I give your machine less than 24 hours once it is live on the internet if
>> you put it on without taking security seriously. You need to get the OS
>> patched up, the ports closed down, the web server patched up and correctly
>> configured. Out of the box the security on a Windows server (depending on
>> the version) is poor. You need to learn what you need to do (and there are
>> loads of guides on the internet) otherwise your server will be owned by
>> somebody else very quickly.
>
> As I already wrote, not using IIS. OS is protected by manually configured
> firewall. By concept Security through obscurity, using this one
> http://wipfw.sourceforge.net/ Intruding script performs OS detection first,
> but does not expect BSD firewall on Windows... Simple as it. Do you
> understand STO concept now?

I will repeat: Security through Obscurity is no defense. Perhaps the world's most recognisable expert on security, Bruce Schneier, hammers on and on about this. This is a great blog about security and it's well written, which is a bonus: https://www.schneier.com

WIPFW is a start but it is not the end. Security is an ongoing, dynamic activity and requires careful thought end to end. Every time you change something you need to think hard: what have I done that opens up my system to bad people? This stuff is hard, people make mistakes, governments make mistakes; look at the US government, which lost all their personnel records. Nobody said it's easy.

> L.
>
> BTW: There is a smile next to this "trust me"; this obviously means: Do not take it
> too seriously....
>
>> To be blunt, you have misunderstood computer security. Saying "trust me"
>> doesn't work.

I will not clog up this mailing list anymore. I have stated my views; it's up to you how you handle security.

Rob