Warp wrote:
> Didn't seem to be such a problem in the unix world.
Thinking on it, there are a whole bunch of "patches" made in the UNIX world
to account for bad security. The whole thing with "xhost" and the magic
cookies. Taking "." out of the default path. Sticky bits on directories.
Shadow password files. The vipw command. The -print0 option on find.
Poisoned DNS caches (which affected everyone, really). All *kinds* of stuff
in UUCP. All kinds of race conditions for files in /tmp/. Why people
switched from rcp to scp. Why people switched from http to https. Why FTP
runs in a chroot cell, and still failed that on occasion if one
misconfigured it. Why it used to be easy to find thousands of /etc/passwd
files on the web when search engines first came out. Why Kerberos used to
let you download the whole list of encrypted passwords for off-line cracking
before you identified yourself.
It's just that most of the breaks these changes fixed happened before
networking was really ubiquitous, and before taking advantage of them was
worth huge amounts of money.
Yes, MS was somewhat late to the party, but it's not like UNIX escaped being
broken into over, and over, and over again, simply because it has always
been multi-user. It's only relatively recently that people in general
started worrying about these things on a systematic basis, because it has
only been relatively recently that it was more valuable to break into it
than getting your college class grades changed. ;-)
Oh, and by the way:
http://en.wikipedia.org/wiki/Christmas_Tree_EXEC
So, yeah. Would never happen on a *real* system.
--
Darren New, San Diego CA, USA (PST)
Serving Suggestion:
"Don't serve this any more. It's awful."