Re: WebDNA security

This WebDNA talk-list message is from 2004. It keeps the original formatting.
numero = 58996
interpreted = N
texte = We get that all the time from IT shops at county and state governments.

In an election last winter a group of right wing militant hackers from the Spokane/Idaho area threatened publicly to break into the Spokane County election system (our VoteWashington.Org) to expose the vulnerabilities of elections. We took some routine measures to change passwords, reviewed all possible areas of vulnerability, changed some directory names as a precaution, and alerted our ISP (Digital Forest) who brought in some security folks to take a look.

They did not succeed, if they even attempted to at all. The day before the election they got headlines bragging about what they were going to do. The day after they were nowhere to be seen in the press.

Our main client, the WA Secretary of State, was hacked about 2 months ago - they made havoc of the election department's site, but made no progress trying to follow the thread into our system, which is separate.

We have been running WebCat/WebDNA since 1998 and have never been compromised. Our election sites on election week take 10-12 million hits with data entry from 40 separate sources - Sec State and 39 counties.

Not authoritative analysis, but real time experience nonetheless.

Larry

On Aug 6, 2004, at 8:30 AM, Patrick McCormick wrote:

> I sat through a meeting with an IT department at an insurance company
> yesterday. The head of IT told the group that he had never heard of
> WebDNA and that it was "...a weird, third-party, add-on" and further,
> that he wouldn't even consider it for his web server because of all
> the publicity PHP has received for its security flaws.
>
> Yes, the stench of self-preservation is one of very few constants in
> business.
>
> One particular point that IT dude was trying to make is that simply
> running WebDNA on a machine exposes that machine to hacking. I'm
> wondering if anyone on the list has had a security analysis done on a
> running copy of WebDNA, possibly by an organization specializing in
> security analysis.
>
> I think all of us recognize that the quality of our code has much more
> impact on security than simply running a copy of WebDNA. But,
> separating that code from the discussion, is there any information
> about the security pros and cons of WebDNA versus alternatives?
>
> Thanks,
> Pat McCormick

Larry Hewitt
HCO, LLC
109 No. Tower
P.O. Box 1017
Centralia, WA 98531
360.807.1100 OFFICE
360.807.1103 FAX
360.880.4855 CELL
larryh@hewittco.com
www.votewashington.org
www.hewittco.com

Associated Messages, from the most recent to the oldest:

    
  1. Re: WebDNA security ( Patrick McCormick 2004)
  2. Re: [OT] Security in general [Was] Re: WebDNA security ( Matthew A Perosi 2004)
  3. Re: WebDNA security ( Bob Minor 2004)
  4. Re: WebDNA security ( Larry Hewitt 2004)
  5. Re: WebDNA security ( Patrick McCormick 2004)
  6. Re: WebDNA security ( "Sal D'Anna" 2004)
  7. Re: [OT] Security in general [Was] Re: WebDNA security ( "WebDna @ Inkblot Media" 2004)
  8. Re: WebDNA security ( John Peacock 2004)
  9. Re: WebDNA security ( Donovan Brooke 2004)
  10. [OT] Security in general [Was] Re: WebDNA security ( Alan White 2004)
  11. Re: WebDNA security ( Alan White 2004)
  12. Re: WebDNA security ( John Peacock 2004)
  13. WebDNA security ( Patrick McCormick 2004)
