  Re: I am convinced...  
From: Darren New
Date: 20 Dec 2010 18:16:33
Message: <4d0fe3d1$1@news.povray.org>
Warp wrote:
>   Didn't seem to be such a problem in the unix world.

Thinking on it, there are a whole bunch of "patches" made in the UNIX world 
to account for bad security. The whole thing with "xhost" and the magic 
cookies. Taking "." out of the default path. Sticky bits on directories. 
Shadow password files. The vipw command. The -print0 option on find. 
Poisoned DNS caches (which affected everyone, really). All *kinds* of stuff 
in UUCP. All kinds of race conditions for files in /tmp/. Why people 
switched from rcp to scp. Why people switched from http to https. Why FTP 
runs in a chroot cell, and still failed that on occasion if one 
misconfigured it. Why it used to be easy to find thousands of /etc/passwd 
files on the web when search engines first came out. Why Kerberos used to 
let you download the whole list of encrypted passwords for off-line cracking 
before you identified yourself.

It's just that most of the breaks these changes fixed happened before 
networking was really ubiquitous, and before taking advantage of them was 
worth huge amounts of money.

Yes, MS was somewhat late to the party, but it's not like UNIX escaped being 
broken into over, and over, and over again, simply because it has always 
been multi-user. It's only relatively recently that people in general 
started worrying about these things on a systematic basis, because it has 
only been relatively recently that it was more valuable to break into it 
than getting your college class grades changed. ;-)

Oh, and by the way:

http://en.wikipedia.org/wiki/Christmas_Tree_EXEC

So, yeah. Would never happen on a *real* system.

-- 
Darren New, San Diego CA, USA (PST)
   Serving Suggestion:
     "Don't serve this any more. It's awful."

