labtastic

21/May/2008

sockin it to the man

Filed under: General — om @ 12:30 pm

Fucking Microsoft, asshats.
Send me a security appraisal, why don’t they…
Anyway, my response ::
Hi Clive,

I have had a quick look at what appears to be a copy-and-paste security assessment below.

While security is obviously important to us, there is much in the assessment which is unrelated to our current configuration. This server is not used as a mail server and there are, as such, no logins or accounts; concerns client may hold concerning this are entirely unfounded. We don’t use PHP session IDs… etc…

Any half-decent security consultant will understand that system security is only as strong as its weakest link. And in this situation, with a large percentage of client machines running Microsoft’s Internet Explorer, I would respectfully suggest that this is our weakest link in content delivery.

A simple web search of “internet explorer exploits” ::
www.google.co.uk/search?hl=en&q=internet+explorer+exploits&btnG=Search&meta=
returns 1,830,000 pages.

An article from leading UK technology portal The Register states that “Internet Explorer exploits posed the fastest growing web security threat to enterprises in the last quarter, according to web security services firm ScanSafe.”

I also understand that many of the machines used by editorial staff to include content run this software, and would be surprised if client were not also utilising their own products.

If we move the focus away from packages and back to the operating system, the situation is no more rosy for our client’s architecture. I am sure we all have seen Windows Update applying “security hotfixes” on a nearly daily basis. Without a guarantee from client that the most recent “hot fix” will be the last, it seems that this is tacit acknowledgment of serious security holes currently pervading their software.

A simple search of “Windows Exploits” ::
www.google.co.uk/search?hl=en&q=windows+exploits&btnG=Search&meta=
returns around 3,880,000 results.

Again, stepping our security analysis up some levels, I would like to leave this with a story imparted to me by a security consultant working for a national government :: “The thing with system security is that it can never be 100% watertight. Imagine a situation in which any of the people trusted with access received a phone call from people holding their family at gunpoint.”

My take on the situation is that any potential attackers are much more likely to use the widespread and easily exploitable security problems in client’s products than attack our Linux box. Quite why they would want to is another matter.

We will work on applying the latest Red Hat updates and trust that this continues to ensure that our infrastructure remains the strongest link in the chain.

Bests,
om
_________________________________________________________________
Change the world with e-mail. Join the i’m Initiative from Microsoft.
im.live.com/Messenger/IM/Join/Default.aspx?source=EML_WL_ChangeWorld

(c)2000-2006 Labtastic and Dalston Massiv's. Powered by WordPress