Cris Bailiff <c.bailiff+bugtraq@devsecure.com> writes:

> Because apache is so great, and has had a history of very few serious
> security bugs, older versions are embedded in a wide variety of
> products and systems,

(Not in any way criticizing your "blowchunks" work -- just using this as a jumping-off point...)

This has always been a mistake. Apache is a nice program designed by good people, but it was never designed with security in mind. Indeed, most systems are not designed with security in mind. A few systems have been -- postfix and qmail, for example -- but for the most part, raging paranoia is the only way to treat software. Just because it doesn't have a bad record doesn't mean someday someone isn't going to crack it like an egg.

Design for security, folks. Just because the ostrich can't see the predator doesn't mean it isn't there.

Don't trust your servers. Someday they'll be cracked.

If you're a vendor, assume your software can be attacked and make sure it won't cause much harm when it is. If you don't know how to do that, study programs done by people who do. That also means: don't design systems so they can't be upgraded.

If you're a user, design your networks and your business processes on the assumption that portions of a system can and will be compromised someday.

By the way, hats off to Niels Provos for his recent work on systrace in OpenBSD (recently ported to NetBSD) -- it is a subsystem that lets you go beyond just chrooting a vulnerable server and actually say "this program isn't allowed to run fork or exec or open a file for write" and such, thus preventing exploits from being able to do very much once they've taken over a vulnerable server process. Not foolproof, but certainly an excellent tool in a world where product vendors so rarely design for security.

Perry
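To make the systrace point concrete, here is an added example of what such a policy looks like; it is not from Perry's message or from the systrace distribution. It is a hypothetical policy for an httpd worker process, with made-up paths (/usr/local/sbin/httpd, /etc/httpd, /var/www/htdocs, /var/log/httpd) that would have to be replaced with the real ones for a given installation. It expresses exactly the restriction described above: the process may read its configuration and document root and append to its logs, but it may not fork, exec, or open anything else for writing.

```text
# Hypothetical systrace policy for a confined httpd worker (constructed example).
# Header names the binary and the syscall emulation; each rule is
#   <emulation>-<syscall>: [<condition> then] <action>
# fsread/fswrite are systrace aliases covering the file-opening syscalls.
Policy: /usr/local/sbin/httpd, Emulation: native
	native-fsread: filename match "/etc/httpd/*" then permit
	native-fsread: filename match "/var/www/htdocs/*" then permit
	native-fsread: filename match "/usr/lib/*" then permit
	native-fsread: filename eq "/etc/malloc.conf" then permit
	native-fsread: deny[enoent]
	native-fswrite: filename match "/var/log/httpd/*" then permit
	native-fswrite: deny[eperm]
	native-fork: deny[eperm]
	native-execve: deny[eperm]
	native-socket: permit
	native-bind: permit
	native-listen: permit
	native-accept: permit
	native-read: permit
	native-write: permit
	native-close: permit
	native-mmap: permit
	native-munmap: permit
	native-exit: permit
```

Rules are matched top to bottom, so the catch-all deny for each alias comes after the specific permits; the bracketed errno controls what the confined process sees, which matters because a server that gets EPERM on a log write may behave differently from one that gets ENOENT. Anything not listed is, in systrace's non-interactive mode, denied rather than prompted for, so the permit list is built by running the server under the policy generator and pruning, not by guessing. The caveat a practitioner needs: conditions like "filename match" are evaluated on arguments copied from the traced process's memory, and wrappers of this design were later shown to be susceptible to argument races between the check and the kernel's own use of the argument, so a policy like this confines a compromised worker but is not a substitute for dropping privileges and chrooting as well.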