Maybe that's what you use it for, but generally speaking portmappers are for discovering how to connect to specific RPC services. Windows includes a number of RPC services that are useful on a LAN, the same as many Unix-type systems do.
Re:I have plenty of reasons to dislike Microsoft..
on
The BBC's Honeypot PC
·
· Score: 1
This is a pretty bogus test. Obviously they didn't install security updates before going about their business, made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago.
You know what: most people don't install the updates. Unless they're prompted to during installation, which was added with SP2.
Do you have a linux box on the public net with SSH open?
Yes.
I gaurantee you are getting more than 1000 attempted logins per day.
Uh, no. On the occasional day I get a sustained attempt to guess a username/password combo, and such an attempt may well get up to 1,000 attempts, but in the last 4 days' log (all I keep), I don't see any such attempt. There were a couple of attempts on my FTP server, but it looks like the attacker closed the connection as soon as they saw the welcome banner; scanning for a particular server/version in the connection report, I guess.
Well, first of all, of course you can switch the firewall off. You have to be able to switch it off, because there is a reason why these exploitable services are network services, and that's because in some situations you might want another machine to connect to them.
Secondly, the design fault of not activating the firewall by default was fixed with SP2. To have it disabled by default on a new install now, you'd have to be installing from an old disc.
Did I say that? It just happened that that particular search was for a common error in many PHP scripts.
Finding errors in C would likely be much harder, because typically you would need to analyse multiple lines of code to find them. A good start might be searching for strcpy(), but that'll give a lot of results with only a very small minority being exploitable. Whereas a use in PHP of $_POST without some kind of escaping function is highly likely to be an error.
Also, for a while now PHP's default configuration has been to add slashes to $_POST/etc input, so most of these scripts would be safe even if they are poorly written.
Yeah. This works right until somebody asks "how do I get rid of all those \'s that turn up in stuff?" and the answer is "oh, disable magic_quotes_gpc." I've seen it happen before, and I'm sure it'll happen again. Relying on particular settings being enabled for security reasons in a disaster waiting to happen.
Oh, yeah. My current day-job is as a PHP+javascript programmer. I know the messes of code you see from a variety of sources. I've read the textbooks and see how they instruct beginners down the path to security failure at every turn. You're preaching to the choir.
But it is that easy. Back in the original slashdot article concerning the search tool, somebody posted a link to a result page that included a rather large number of php scripts that were vulnerable to SQL injections. Other common flaws should also be easy to search for.
The problem is, not all developers perform this kind of search over their code. They may not even be aware that it's helpful.
Do you know how many gun massacres we've had since the gun laws came in vs 'the land of the free'.
And do you know how many we would have had, had the gun laws been more liberal?
Look at it this way: gun crime has not dropped in frequency or seriousness since posession of handguns was criminalised in 1997; in fact, until this year, gun crime figures have risen for every year since that criminalisation:
It is a legitimate business practice to buy cheap & shoddy hardware and spend the necessary time replacing it. If you have the staff to handle it (perhaps because you need to have that staff anyway for other reasons), it can save you quite a bit of cash.
If MS refuse to activate my copy of XP when it comes time for me to replace my motherboard, they'll be on the receiving end of a breach-of-contract lawsuit pretty quickly.
And if the printer is capable of causing a security issue, you need to change your OS.
If you're printing untrusted documents, any printer bug could be a security issue, whatever the situation. Even if the printer driver runs in a completely isolated, unpriveleged environment, it'll be undesirable. I don't know of any OS that does that.
No matter how wide your demographic is, it'll be self selecting to some degree.
Here's the stats for a site my company runs; again, no IT-related content, primarily UK visitors, etc., in fact bias is probably towards people who have little interest in IT. Figures are aggregate for last 3 months, because I can't be bothered to run a direct comparison with yours.
Internet Explorer 6.x 80.91% Firefox 6.05%
Yes, I think 15% is an exaggeration. I suspect the real value (for UK users) might be as high as 7%. It is still increasing.
It is the weirdest thing. There's nothing remotely unusual about the systems this happens on. A friend of mine has the problems on his machine, whereas I don't on mine. I've looked very carefully trying to figure out the difference between the two machines. We both have long-running Firefox processes that are hibernated on a regular basis. We both actively use tabs, opening a tab to read an article and closing it immediately afterwards. We're running the same version of firefox, with the same versions of the same extensions. Yet for some reason the memory usage on his machine seems to grow fairly consistently and quickly (taking ~2-3 days to reach the point of unusability), whereas mine takes much longer to become a problem (uptimes of 2 weeks aren't rare for me).
many web developers seem to be unaware that you even can leak memory in JavaScript
If you can leak memory in JavaScript and it isn't reclaimed when you navigate to a new page, it's a bug in the JavaScript implementation, not the web dev's code. Of course, it is the developer's responsibility to *work around* bugs in browsers (where possible), but you can't expect them to be aware of them all. A polite e-mail to webmaster@... would be useful in many cases.
But anyway, web developers should not be using SQL any more, except in some very rare cases. We now have things like EJB3 and Hibernate which remove 99% of the need for any SQL within an application.
There are good reasons for using SQL over and above an object persistence layer (which is what I believe both of these are, although I've never used either). SQL is easier to search, easier to analyze in arbitrary ways, and easier to edit by hand if something goes wrong and the system needs fixing.
Portmappers are for network file systems
Maybe that's what you use it for, but generally speaking portmappers are for discovering how to connect to specific RPC services. Windows includes a number of RPC services that are useful on a LAN, the same as many Unix-type systems do.
This is a pretty bogus test. Obviously they didn't install security updates before going about their business, made apparent by the fact that the system was vulnerable to viruses that came out over 3 years ago.
You know what: most people don't install the updates. Unless they're prompted to during installation, which was added with SP2.
Do you have a linux box on the public net with SSH open?
Yes.
I gaurantee you are getting more than 1000 attempted logins per day.
Uh, no. On the occasional day I get a sustained attempt to guess a username/password combo, and such an attempt may well get up to 1,000 attempts, but in the last 4 days' log (all I keep), I don't see any such attempt. There were a couple of attempts on my FTP server, but it looks like the attacker closed the connection as soon as they saw the welcome banner; scanning for a particular server/version in the connection report, I guess.
Well, first of all, of course you can switch the firewall off. You have to be able to switch it off, because there is a reason why these exploitable services are network services, and that's because in some situations you might want another machine to connect to them.
Secondly, the design fault of not activating the firewall by default was fixed with SP2. To have it disabled by default on a new install now, you'd have to be installing from an old disc.
Did I say that? It just happened that that particular search was for a common error in many PHP scripts.
Finding errors in C would likely be much harder, because typically you would need to analyse multiple lines of code to find them. A good start might be searching for strcpy(), but that'll give a lot of results with only a very small minority being exploitable. Whereas a use in PHP of $_POST without some kind of escaping function is highly likely to be an error.
Also, for a while now PHP's default configuration has been to add slashes to $_POST/etc input, so most of these scripts would be safe even if they are poorly written.
Yeah. This works right until somebody asks "how do I get rid of all those \'s that turn up in stuff?" and the answer is "oh, disable magic_quotes_gpc." I've seen it happen before, and I'm sure it'll happen again. Relying on particular settings being enabled for security reasons in a disaster waiting to happen.
Oh, yeah. My current day-job is as a PHP+javascript programmer. I know the messes of code you see from a variety of sources. I've read the textbooks and see how they instruct beginners down the path to security failure at every turn. You're preaching to the choir.
But it is that easy. Back in the original slashdot article concerning the search tool, somebody posted a link to a result page that included a rather large number of php scripts that were vulnerable to SQL injections. Other common flaws should also be easy to search for.
The problem is, not all developers perform this kind of search over their code. They may not even be aware that it's helpful.
Lib Dems have only historically been to the right of Labour. These days, I think labour have moved far enough right to have passed them.
And do you know how many we would have had, had the gun laws been more liberal?
Look at it this way: gun crime has not dropped in frequency or seriousness since posession of handguns was criminalised in 1997; in fact, until this year, gun crime figures have risen for every year since that criminalisation:
So why do you think such laws have improved anything?
Established the idea, perhaps. But while you've been talking about, both Windows and Linux have actually done it.
Funny, I never realised that supporting ANSI SQL was a mandatory feature for databases.
Nope, we both have less. I have 384, he has 320.
Please, tell me what practical difference exists, besides the usage of maybe a couple of hundred K of your precious disk space?
It is a legitimate business practice to buy cheap & shoddy hardware and spend the necessary time replacing it. If you have the staff to handle it (perhaps because you need to have that staff anyway for other reasons), it can save you quite a bit of cash.
If MS refuse to activate my copy of XP when it comes time for me to replace my motherboard, they'll be on the receiving end of a breach-of-contract lawsuit pretty quickly.
And if the printer is capable of causing a security issue, you need to change your OS.
If you're printing untrusted documents, any printer bug could be a security issue, whatever the situation. Even if the printer driver runs in a completely isolated, unpriveleged environment, it'll be undesirable. I don't know of any OS that does that.
Heh. That's a good one. Bugs reported for RC1 implemented in RC2.
There are bugs still in there that were first reported in 1999.
No matter how wide your demographic is, it'll be self selecting to some degree.
Here's the stats for a site my company runs; again, no IT-related content, primarily UK visitors, etc., in fact bias is probably towards people who have little interest in IT. Figures are aggregate for last 3 months, because I can't be bothered to run a direct comparison with yours.
Internet Explorer 6.x 80.91%
Firefox 6.05%
Yes, I think 15% is an exaggeration. I suspect the real value (for UK users) might be as high as 7%. It is still increasing.
It is the weirdest thing. There's nothing remotely unusual about the systems this happens on. A friend of mine has the problems on his machine, whereas I don't on mine. I've looked very carefully trying to figure out the difference between the two machines. We both have long-running Firefox processes that are hibernated on a regular basis. We both actively use tabs, opening a tab to read an article and closing it immediately afterwards. We're running the same version of firefox, with the same versions of the same extensions. Yet for some reason the memory usage on his machine seems to grow fairly consistently and quickly (taking ~2-3 days to reach the point of unusability), whereas mine takes much longer to become a problem (uptimes of 2 weeks aren't rare for me).
I know of few programs on the same level of complexity as Firefox that wouldn't have some memory issues after multiple days of active use.
Internet Explorer. Opera. Konqueror. None of these have similar issues, in my experience.
My understanding is that that particular bug is both known and fixed in 2.0.
many web developers seem to be unaware that you even can leak memory in JavaScript
If you can leak memory in JavaScript and it isn't reclaimed when you navigate to a new page, it's a bug in the JavaScript implementation, not the web dev's code. Of course, it is the developer's responsibility to *work around* bugs in browsers (where possible), but you can't expect them to be aware of them all. A polite e-mail to webmaster@... would be useful in many cases.
But anyway, web developers should not be using SQL any more, except in some very rare cases. We now have things like EJB3 and Hibernate which remove 99% of the need for any SQL within an application.
There are good reasons for using SQL over and above an object persistence layer (which is what I believe both of these are, although I've never used either). SQL is easier to search, easier to analyze in arbitrary ways, and easier to edit by hand if something goes wrong and the system needs fixing.