Kitetoa, les pizzaïolos du Ouèb

An interview of r.f.p., from Wiretrip and ADM

"Whenever you implement a production server on the internet, you have to think twice about *everything*"


<Kitetoa> - r.f.p., you've published an advisory called "NT ODBC Remote Compromise". Could you explain within some lines in untechnical words ;) what it is about? I mean what, basically can you do on a remote machine running NT and IIS apart from "everything"?

<r.f.p.> - The problem is with ALL Windows (NT, 95, and maybe 98).  ODBC is a generic way for the system to use a database.  The problem is one type of database from Microsoft, the MS Access database (which uses what is called the Jet engine), has a small secret feature that allows you to run special commands to do anything on the server.  So if someone can use your database, someone can do bad things.  The tricky part is that MS Access/Jet databases are the 'free' ones that come with NT, and are very popular/easy to use.  Even your MS Access that comes with Office 97 has the same problem.

<Kitetoa> - Did Microsoft publish a patch or a security advisory, and where can an admin find it?

<r.f.p.> - I have not seen *anything* from Microsoft on this topic.  I think this is because of 2 reasons: 

1. It was a 'feature'--it was there *on purpose*.  It was not a bug.  It was just undocumented, except for *one* place I found 2 sentences describing it.

2. MDAC 2.1.1 was released, which fixed this problem silently.  They just removed this feature.  Well, so it seems.  I haven't finished my testing yet.


<Kitetoa> - Do you think that the fact that there is the eEye bug, your advisory, BO2K, and, I guess, many other exploits out there for NT and/or IIS, should make people think about it twice before making a choice on what OS and server they are going to use for a Web site?

<r.f.p.> - Quite honestly, whenever you implement a production server on the internet, you have to think twice about *everything*.  The problem is that some corporations have standardized on Windows.  That means, even if Linux looks like a good idea, they will not--they only use Windows, and that's policy.  So rather than complain that you want to use Linux, figure out how to make NT secure.

<Kitetoa> - NeonSurge says he can... Are there, in your opinion, ways of really securing an NT box running IIS?

<r.f.p.> - Yes there are.  The problem is that it's usually stuff you have to dig and find out yourself, and only the better experts (like NeonSurge) know how to do it--it's not default.  And Microsoft doesn't help you any.  IIS ships with a few holes open *by default*.  Not many people know where to look and what to close.  And with Microsoft's big push to make NT administration 'easy', that means we are having more and more 'less-technical' admins surface, compared to the unix gurus of the old day.  They just don't know how to do some of the technical stuff.

<Kitetoa> - Do you think the Internet should be used to conduct e-commerce? Mudge and Kitetoa (yes, he is smarter ;) ... ) think that it has not been designed to be secure... Let's put it in another way: companies are linking in a way or another their information systems (which are the heart of their business capabilities) to the net. In many cases they put themselves at risk. Is that wise?

<r.f.p.> - I have to say yes and no.  I don't think the Internet has been designed securely enough for e-commerce.  Well, what I really mean is that *there are secure ways to do e-commerce*.  They do exist.  Unfortunately, a bunch of humans run it, and humans are less than perfect.  They create bugs, holes, and otherwise break that secure model.  To be a hacker, you only have to find one hole.  To be an admin, you have to patch *all* the holes.

Now, when we start making it so that servers are easier to administer, we get sysadmins that aren't exactly as aware of the big picture as they should be.

If I was a company, and I put the heart of my corporation on the Internet, I would want to make sure my admins were 'the best', and not just 'ok'.

<Kitetoa> - What would be your advice for a sysadmin so that he could get all the needed information to keep his/her domain secure? What should he/she read? What mailing list, what Web server?

<r.f.p.> - Best advice is 'don't assume anything'.  Pretend you're a secret government agent--only give people 'what they need to know'.  Keep everything as minimal as you need it.  Go over everything with a fine-tooth comb.   Understand how it works on the lowest level...don't assume it just 'works'.   When you get intimate with the technology and understand it, you'll also know how to protect yourself.


