Full Disclosure mailing list archives

Re: Gates: 'You don't need perfect code' for good security


From: George Capehart <capegeo () opengroup org>
Date: Tue, 4 Nov 2003 11:21:16 -0500

On Tuesday 04 November 2003 06:03 am, Geoincidents wrote:
> > But IMHO, that *is* the point.  If it's on the Internet, it's
> > exposed . . . And if a stored procedure is exposed, then the whole
> > system is exposed . . .

> Nonsense, you read too many MS papers <g>. Lots of ISPs run SQL
> servers on the internet for RADIUS authentication, where the database
> and stored procedures are not exposed. Just because MS describes
> something you don't consider safe, you are assuming there isn't a
> safe way to do it?

Heh.  We're in violent agreement on this issue.  My thrust wasn't that 
it is not *possible* to run a database where the database and stored 
procedures are not exposed . . . it was that the corporate vice 
president of the SQL Server team is saying that Yukon is designed to 
support stored procedures being exposed as Web services.  Put another 
way, they're purposely designing a system so that it can be easily used 
in a *very* insecure way, and touting it as a design coup.  I have a 
hard time reconciling that with the notion that Microsoft has the 
slightest clue about system security and secure system design.  This is 
a shining example of "innovation and enhanced feature/function" 
trumping secure system design.
 

> If what you say is true, then all the MS databases where they store
> registration information, windows update information, activation
> information, they must all be exposed, so how about posting exploits
> for them so we can get MS to secure our data? Or are those on the net
> yet not exposed?

Don't know.  I have never been in a situation where anybody had *any* 
database exposed to the Internet.  There have always been several 
layers of software and firewalls between the Internet and a production 
database . . . and there has always been a distinction between "DMZ" 
databases and production databases.  DMZ databases may keep some state 
information, cache, and maybe even some "local" authentication 
information in them.  But databases that held production data, and which 
would have stored procedures that provide business function (or 
service), are on the internal network, 'way far away from the Internet.

/g

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
