From: GeorgeOsvald <geo...@ya...> - 2006-09-10 02:34:09

On Sunday 10 September 2006 11:32, David Tangye wrote:
> On Fri, 2006-09-08 at 09:13 -0400, David J Patrick wrote:
> > You, Dr E, are the most belligerent, obnoxious "contributor" to a mailing list that I have read in quite some time.
>
> I cannot agree with that statement, as Dr E is actually the most belligerent and obnoxious person I have EVER seen on any list anywhere. My, what a distinction he has earned himself. Keep up the attitude, E, it's only your own hole that you are digging. :-)

Actually it isn't. He is a gynaecologist.
(Sorry I just couldn't resist this one)
From: david <da...@ke...> - 2006-09-10 03:06:06

On Sun, 2006-09-10 at 12:34 +1000, GeorgeOsvald wrote:
> On Sunday 10 September 2006 11:32, David Tangye wrote:
> > On Fri, 2006-09-08 at 09:13 -0400, David J Patrick wrote:
> > > You, Dr E, are the most belligerent, obnoxious "contributor" to a mailing list that I have read in quite some time.
> >
> > I cannot agree with that statement, as Dr E is actually the most belligerent and obnoxious person I have EVER seen on any list anywhere. My, what a distinction he has earned himself. Keep up the attitude, E, it's only your own hole that you are digging. :-)
>
> Actually it isn't. He is a gynaecologist.
> (Sorry I just couldn't resist this one)

You really have to be kidding... poor women :(

If he behaves with his patients as he does here, he'd make them want a sex change.

Mind you he has added a whole new dimension to the concept of "thick-skinned" (or should I say "insensitive"?)

Wait there! It was me that posted about not being personal! I'm really sorry Doctor.
From: Dr E. L. <el...@li...> - 2006-09-10 04:57:26

The problem with mailing lists and Usenet News is that they allow children to post. And forgers, plagiarists, Open Source Zealots. And me.

el

on 9/10/06 5:07 AM david said the following:
> On Sun, 2006-09-10 at 12:34 +1000, GeorgeOsvald wrote:
> > On Sunday 10 September 2006 11:32, David Tangye wrote:
> > > On Fri, 2006-09-08 at 09:13 -0400, David J Patrick wrote:
> > > > You, Dr E, are the most belligerent, obnoxious "contributor" to a mailing list that I have read in quite some time.
> > > I cannot agree with that statement, as Dr E is actually the most belligerent and obnoxious person I have EVER seen on any list anywhere. My, what a distinction he has earned himself. Keep up the attitude, E, it's only your own hole that you are digging. :-)
> > Actually it isn't. He is a gynaecologist.
> > (Sorry I just couldn't resist this one)
>
> You really have to be kidding... poor women :(
>
> If he behaves with his patients as he does here, he'd make them want a sex change.
>
> Mind you he has added a whole new dimension to the concept of "thick-skinned" (or should I say "insensitive"?)
>
> Wait there! It was me that posted about not being personal! I'm really sorry Doctor.
From: Trevor H. <tre...@th...> - 2006-09-07 22:06:39

Christopher Murtagh wrote:
> On 9/7/06, Trevor Hennion <tre...@th...> wrote:
> > So using SSL WILL protect MOST of the users of SQL-Ledger -
>
> No, it will not. If the user can forge the credentials trivially (in the case of the current SQL-Ledger), adding encryption will not buy you ANYTHING. Adding SSL will only be a benefit once some sort of proper authentication mechanism is in place.
>
> > Undoubtedly the problem should be fixed - but it does NOT affect all SQL-Ledger users, so I think some proper reporting of the vulnerability is required - currently it sounds like scare mongering - or does it just happen to coincide with this fork?
>
> That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'. They have a right to know that their application is severely flawed. Numerous attempts to get Dieter to fix this problem have been ignored, only by going public with this did he start to make noises about fixing it. While we were talking to him off list about it, he kept on insisting that it wasn't a security problem. If this is so, why is he fixing it now that it is public? It's either a problem or it's not.
>
> Cheers,
>
> Chris

How do they get past the username and login required by the Secure server? If people use the same username and password for ALL access then they deserve to be shafted but using a separate username and password for the secure server login to that required by SQL-Ledger WILL protect them!

Seems like I've touched a raw nerve!

Good night

Trevor Hennion
http://www.infocentrality.co.uk
From: Josh B. <jo...@ag...> - 2006-09-07 22:21:32

Trevor,

> How do they get past the username and login required by the Secure server? If people use the same username and password for ALL access then they deserve to be shafted but using a separate username and password for the secure server login to that required by SQL-Ledger WILL protect them!

Let me see if I can explain it clearly.

The current identity cookie used by SQL-Ledger is very simple and easy to reverse engineer (guess) if you just know someone's user name. Thus, if you have any access to the web server at all ... you don't need even a valid login ... you can forge the cookie and assume that user's identity if they've been logged in recently. That's called "session hijacking". It can be used either for an outside attacker to get into SQL-Ledger, or (more likely) for an internal user to escalate their permissions.

Chris's patch makes the cookie harder to guess/forge, making session hijacking by cookie forging much more difficult. It does *not* protect against the other likely source of session hijacking, which is browser compromises which let a remote attacker read the cookies on your machine. Combined with SSL, Chris's patch should make session hijacking difficult enough that attackers will look for other means of access.

Does that help any?

--
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco
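The property Josh describes (a session cookie that cannot be derived from a user name) is illustrated by this added example; it is not SQL-Ledger's or LedgerSMB's code, nor Chris's patch. It assumes an in-memory dict as a stand-in for the server's session store and a 30-minute idle timeout; tokens are pure CSPRNG output and only their SHA-256 is kept server-side.

```python
"""Server-side session tokens that give no head start to someone who knows a user name.

Added example, not SQL-Ledger's own cookie handling. The session store is a
constructed in-memory dict; a real deployment would persist it in the database.
"""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 32          # 256 bits of CSPRNG output per session
SESSION_TTL = 30 * 60     # idle timeout in seconds (assumed value)

# sha256(token) -> (user, expiry timestamp). Keying by the hash means a dump
# of the store does not hand out live cookies, and lookups need no
# constant-time compare: finding a stored key requires a preimage, not a match.
_sessions: Dict[str, Tuple[str, float]] = {}


def _key(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_session(user: str, now: Optional[float] = None) -> str:
    """Create a session for an already-authenticated user; return the cookie value.

    Nothing about the user, the clock or the server configuration is encoded
    in the token, so it cannot be reconstructed from public information.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _sessions[_key(token)] = (user, now + SESSION_TTL)
    return token


def validate_session(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to a presented cookie, or None if it is unknown or expired.

    A valid presentation slides the expiry forward; an expired one is purged.
    """
    now = time.time() if now is None else now
    k = _key(cookie)
    entry = _sessions.get(k)
    if entry is None:
        return None
    user, expiry = entry
    if now > expiry:
        del _sessions[k]
        return None
    _sessions[k] = (user, now + SESSION_TTL)
    return user


def logout(cookie: str) -> bool:
    """Invalidate a session server-side; returns True if one was removed."""
    return _sessions.pop(_key(cookie), None) is not None


if __name__ == "__main__":
    c = issue_session("alice", now=1000.0)
    print("issued:", c)
    print("valid:", validate_session(c, now=1001.0))
    print("guessed:", validate_session("alice", now=1001.0))
```

Two logins by the same user yield unrelated tokens, and a value built from the user name alone never validates, which is the whole difference between the guessable cookie and the patched one.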
From: GeorgeOsvald <geo...@ya...> - 2006-09-07 22:56:40

On Friday 08 September 2006 08:06, Trevor Hennion wrote:
> How do they get past the username and login required by the Secure server? If people use the same username and password for ALL access then they deserve to be shafted but using a separate username and password for the secure server login to that required by SQL-Ledger WILL protect them!
>
> Seems like I've touched a raw nerve!
>
> Good night

Not to mention that you can use many other means to protect your server like anything else that is live on line 24/7. You can not rely only on what you download of the net. My server is safe no matter what happens in the background. When it comes to asshole employees - I can deal with that some other way.
From: Gavin C. <ga...@op...> - 2006-09-08 00:19:06

On Thu, Sep 07, 2006 at 11:06:30PM +0100, Trevor Hennion wrote:
> Christopher Murtagh wrote:
> > On 9/7/06, Trevor Hennion <tre...@th...> wrote:
> > > So using SSL WILL protect MOST of the users of SQL-Ledger -
> >
> > No, it will not. If the user can forge the credentials trivially (in the case of the current SQL-Ledger), adding encryption will not buy you ANYTHING. Adding SSL will only be a benefit once some sort of proper authentication mechanism is in place.
> >
> > > Undoubtedly the problem should be fixed - but it does NOT affect all SQL-Ledger users, so I think some proper reporting of the vulnerability is required - currently it sounds like scare mongering - or does it just happen to coincide with this fork?
> >
> > That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'. They have a right to know that their application is severely flawed. Numerous attempts to get Dieter to fix this problem have been ignored, only by going public with this did he start to make noises about fixing it. While we were talking to him off list about it, he kept on insisting that it wasn't a security problem. If this is so, why is he fixing it now that it is public? It's either a problem or it's not.
>
> How do they get past the username and login required by the Secure server? If people use the same username and password for ALL access then they deserve to be shafted but using a separate username and password for the secure server login to that required by SQL-Ledger WILL protect them!
>
> Seems like I've touched a raw nerve!

You have touched a raw nerve because you are spreading FUD rather than contributing to people understanding the problem. Adding SSL to the mix does nothing to protect you against an authentication problem like this. SSL secures the transport, not the authentication mechanism. They're different things.

If you are saying that you have added an additional *authentication* layer on top of the standard SL one, then you have two-layer authentication and you probably *are* cushioned from the impact of this SL vulnerability. But the SL vulnerability stands, and it is your additional authentication layer that is protecting you. Most SL installations (particularly those of less technical users) won't have this extra layer, and the vulnerability should be reported and treated seriously.

Cheers,
Gavin

--
Gavin Carr
Open Fusion - Open Source Business Solutions [ Linux - Perl - Apache ]
http://www.openfusion.com.au
- Fashion is a variable, but style is a constant - Programming Perl
From: David T. <ta...@ex...> - 2006-09-07 22:20:34

Well from watching this on the sidelines, and based on a couple of emails to Chris and others ...

On Thu, 2006-09-07 at 17:41 -0400, Christopher Murtagh wrote:
> On 9/7/06, Trevor Hennion <tre...@th...> wrote:
> > So using SSL WILL protect MOST of the users of SQL-Ledger -
>
> No, it will not. If the user can forge the credentials trivially (in
> ....

Many thanks to Chris T and Chris M for raising this issue, especially for going to such lengths to fully explain to us exactly what the problem is and how it happens and how and why their fix works, oh and actually providing a fix. I feel a lot more confident knowing other people with clear insight into this aspect of web applications are making the effort to contribute something positive. (Plus now I have a much better idea about exactly what cookies are and how they can work, or not.)

> > is required - currently it sounds like scare mongering - or does it just happen to coincide with this fork?
>
> That is total BS.

From what I have seen, I have to agree. It is apparent to me that the fork was caused partly as a result of there not looking like any fix being provided by Dieter, not the other way around. To suggest scare mongering is inappropriately offensive.

More importantly though: It also appears that the fork was caused by a perception that requests for fixes/patches/enhancements were going nowhere, and even sensible discussion on an issue was simply not happening. This is certainly not the first time I have seen this happen here, and I guess one day, inevitably it will lead to a successful open source accounting system project springing up somewhere. Whether LedgerSMB will be that project is to be seen. In the meantime, today, I still find nothing (yet) to match sql-ledger... and believe me, due to the way this project is run, I for one, and I am sure many others, do keep looking.
From: Josh B. <jo...@ag...> - 2006-09-07 22:37:28

David,

> More importantly though: It also appears that the fork was caused by a perception that requests for fixes/patches/enhancements were going nowhere, and even sensible discussion on an issue was simply not happening.

True, as far as I'm concerned. I don't exactly have a lot of spare time to work on non-core projects. But, Dieter recommended the current course of action: if we don't like the way SQL-Ledger is run, go to another project. So I'm just following his advice.

> This is certainly not the first time I have seen this happen here, and I guess one day, inevitably it will lead to a successful open source accounting system project springing up somewhere. Whether LedgerSMB will be that project is to be seen.

Well, this is partly up to you. We're doing all we can to ensure that LedgerSMB will not have the same issues. But success in OSS is really dependent on people joining.

Frankly, my fantasy is that LedgerSMB is so successful that Dieter realizes that he could do more, and make more money, with a popular OSS project than with a tiny non-public niche project supported only by him, and that the two projects re-merge as the #1 OSS accounting application they were meant to be.

--
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco
From: GeorgeOsvald <geo...@ya...> - 2006-09-07 23:02:03

On Friday 08 September 2006 07:41, Christopher Murtagh wrote:
> That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'.

This is a total pile of crap. There is no way you could find my SQL-Ledger installation on the net. If anyone is so naive and is letting this happen then it is their fault but you should not say that every installation of SL is under threat. That is bullshit.
From: Dr E. L. <el...@li...> - 2006-09-08 04:46:32

on 9/8/06 1:01 AM GeorgeOsvald said the following:
> On Friday 08 September 2006 07:41, Christopher Murtagh wrote:
> > That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'.
>
> This is a total pile of crap. There is no way you could find my SQL-Ledger installation on the net. If anyone is so naive and is letting this happen then it is their fault but you should not say that every installation of SL is under threat. That is bullshit.

It's not crap, it's FUD. And I think this is intentional. Call it a power struggle, the same people having tried to get control for a while now...

--
Dr. Eberhard W. Lisse   \        / Obstetrician & Gynaecologist (Saar)
el...@li... el108-ARIN   /   *   | Telephone: +264 81 124 6733 (cell)
PO Box 8421              \      / Please send DNS/NA-NiC related e-mail
Bachbrecht, Namibia       ;____/  to dns...@na...
From: Ian H. <li...@ho...> - 2006-09-07 23:23:47

George.
While you might be technically savvy and understand the dangers of having an open installation on a public site, others may not be.

This publicly disclosed vulnerability is a major problem for them.

Why.. well imagine this pseudo code

get list of sites showing SQL-ledger from google
for each on the list
   try creating a cookie with a basic guess-able name.. (eg guest/demo/admin/<list of 100,000 common names>)
   for each one that works flag it for later exploitation by a human

This would probably take about a minute (or less) for each exposed site.. I could get quite a couple vulnerable systems in a couple of hours.

Unfortunately the people with open installations are probably not subscribed to this list, and are probably not even aware that there is a vulnerability.

This is why I hate full disclosure so much. He is doing a disservice to everyone by detailing the exploit on a public list.

On 08/09/2006, at 9:01 AM, GeorgeOsvald wrote:
> On Friday 08 September 2006 07:41, Christopher Murtagh wrote:
> > That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'.
>
> This is a total pile of crap. There is no way you could find my SQL-Ledger installation on the net. If anyone is so naive and is letting this happen then it is their fault but you should not say that every installation of SL is under threat. That is bullshit.

--
Ian Holsman
Ia...@Ho...
join http://gypsyjobs.com the marketplace for django developers
From: GeorgeOsvald <geo...@ya...> - 2006-09-08 05:45:08

On Friday 08 September 2006 09:15, Ian Holsman wrote:
> George.
> While you might be technically savvy and understand the dangers of having an open installation on a public site, others may not be.
>
> This publicly disclosed vulnerability is a major problem for them.
>
> Why.. well imagine this pseudo code
>
> get list of sites showing SQL-ledger from google

And that was exactly my point. That is what you have to avoid. There is no reason why your SQL-LEDGER server should be visible to robots. Unless you know exactly where to go or try to piggyback my connection you will simply not find my server. I can connect to it from home or anywhere but it is not visible at all.

> for each on the list
>    try creating a cookie with a basic guess-able name.. (eg guest/demo/admin/<list of 100,000 common names>)
>    for each one that works flag it for later exploitation by a human
>
> This would probably take about a minute (or less) for each exposed site.. I could get quite a couple vulnerable systems in a couple of hours.
>
> Unfortunately the people with open installations are probably not subscribed to this list, and are probably not even aware that there is a vulnerability.
>
> This is why I hate full disclosure so much. He is doing a disservice to everyone by detailing the exploit on a public list.
>
> On 08/09/2006, at 9:01 AM, GeorgeOsvald wrote:
> > On Friday 08 September 2006 07:41, Christopher Murtagh wrote:
> > > That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'.
> >
> > This is a total pile of crap. There is no way you could find my SQL-Ledger installation on the net. If anyone is so naive and is letting this happen then it is their fault but you should not say that every installation of SL is under threat. That is bullshit.
>
> --
> Ian Holsman
> Ia...@Ho...
> join http://gypsyjobs.com the marketplace for django developers
From: <psc...@mi...> - 2006-09-08 11:12:57

> > get list of sites showing SQL-ledger from google
>
> And that was exactly my point. That is what you have to avoid. There is no reason why your SQL-LEDGER server should be visible to robots. Unless you know exactly where to go or try to piggyback my connection you will simply not find my server. I can connect to it from home or anywhere but it is not visible at all.

And it would be much more helpful if you explain how to achieve this (robots.txt ?)

Regards
Philippe
From: GeorgeOsvald <geo...@ya...> - 2006-09-08 12:36:15

On Friday 08 September 2006 21:12, Philippe Schelté wrote:
> > > get list of sites showing SQL-ledger from google
> >
> > And that was exactly my point. That is what you have to avoid. There is no reason why your SQL-LEDGER server should be visible to robots. Unless you know exactly where to go or try to piggyback my connection you will simply not find my server. I can connect to it from home or anywhere but it is not visible at all.
>
> And it would be much more helpful if you explain how to achieve this (robots.txt ?)

The safest way is to have your SL server on a dedicated web server. That way you can have nothing (not even robots.txt) in your web root directory and you can hide your SL installations in directories not normally accessible. There is a lot of things you can do and I could go through different setups for hours but generally it could look something like this:

I am assuming you have an internet connection with static IP. You do not have to do everything I am listing here. I am simply listing stuff that I can think of off the top of my head. It all depends how much hassle you are willing to go through.

Going from the top to bottom:

Internet
-------------------
1. Your DSL modem
- running standard firewall open 80 and 443 (all DSL modems do)
- running NAT - this will switch network class and redirect from port 80 to port 443 (or whatever SSL port you want)
- If you are really paranoid you can also redirect port 80 to a honey-pot system and catch the bastards there.
-------------------
2. You could stick a proxy server here restricting access to internal network. (and vice versa)
Again anyone who manages to get through the first firewall and NAT and tries to access port 80 or wrong directory gets redirected to honey-pot.
You can also create a DMZ between the proxy and the modem. Firewall has only open 443 at this point (unless you also need 22 - SSH in which case proxy is a waste of time)
Switch the network class again.
-------------------
3. Your SQL-SERVER.
Here you could have another firewall with open 443 (and 22 if you want)
Depending on your needs you can run Apache at runtime or fire it up from xinetd (or inetd). Ideally only run Apache in SSL mode. Do not allow access to user directories. Disable browsing. By using xinetd you can also again limit access to your apache server.
Install SQL-LEDGER into a unique directory on the server not the standard name that everybody uses. Also the alias in Apache httpd.conf should be unique. Place nothing (other than icon) in the server root directory and run SSL only in the directory that is used by SQL-LEDGER. You can further restrict access with .htaccess file but I think at this stage it would be a complete overkill and you might get timeout errors.

I am also running crontab on firewall log files and apache error files....and so on. In case of error or a new entry it gets printed out on my printer sitting on my desk.

If anyone tries to connect to your server unless they know the port number of your SSL, directory that it is running from and are authorised to access the network they get nothing. Robots will bounce off the first firewall or they get stuck in the honey-pot.

Anyway. That is just what I could think of.
There is other stuff that can be done if you are extremely paranoid but it would require much more detailed explanation. As I said before it is not necessary to do all the steps mentioned. If anyone finds any crap in what I have just written feel free to correct me.

George
From: Dr E. L. <el...@li...> - 2006-09-08 17:38:56

su
cat > /srw/www/htdocs/robots.txt
User-Agent: *
Disallow: /
^D

on 9/8/06 1:12 PM Philippe Schelté said the following:
> And it would be much more helpful if you explain how to achieve this (robots.txt ?)
From: Toni M. <sup...@oe...> - 2006-09-16 16:31:03

Hello Ian,

On Fri, 08.09.2006 at 09:15:50 +1000, Ian Holsman <li...@ho...> wrote:
> This is why I hate full disclosure so much. He is doing a disservice to everyone by detailing the exploit on a public list.

this might be very inconvenient for many, but the sad experience has shown that only full disclosure creates enough heat for manufacturers to actually do something about such problems. Otherwise, such holes keep lingering for months (as in this case) and years, and the damage will probably continuously be below the threshold where real publicity starts. With full disclosure, you get a warning and a fix, so the problem will only keep affecting ignorants. You also can't force people to fasten their seatbelts, only advise them to do so, and punish if they don't...

Best,
--Toni++
From: GeorgeOsvald <geo...@ya...> - 2006-09-07 23:09:21

On Friday 08 September 2006 05:59, Ed W wrote:
> Dr Eberhard Lisse wrote:
> > Where the f***k is the evidence about censoring, not that looking at the headers it is even remotely possible, and not that sourceforge would stand for it. Other than you forging the headers, perhaps, again.
> >
> > There has never anyone been banned, in particular not for content, yours truly is an example of what they have put up with, and subscription to this list is an automated process.
>
> I don't know if it's deliberate or not, but I have posted a fair number of questions to this list which have simply not shown up?
>
> I don't have this problem with other Yahoo lists. I had assumed that this list was somewhat moderated and perhaps my posts were being disregarded... Not sure what moderator controls there are with Yahoo? Didn't think that anything I had previously posted was controversial, but perhaps...?

My current user name is the third one that I am using for this list. I was banned on this list once and had to use a different username to gain access again. You want proof? I could give you my other two user names off the list if I could be bothered. It is still possible to search for those in the archives.
From: Chris C. <cc...@sp...> - 2006-09-07 23:30:18

I have also had Email not show up on this list.

The best of all worlds would be for the developers to work together. There is more to this than meets the eye. I don't necessarily fully believe that the SL developer is all bad, but I do feel that this product is a very closed OS product. As others have said, join or fork. It's all good as far as I'm concerned. If the fork improves the product, then all the better.

From my own perspective, I sent in money for support and the manual. I got the manual, but I have not been satisfied with the support I have received, so I just stopped requesting it. I have been happy (in the past) with paid support I have received from Chris Travers. If I was to criticize Chris, it's that he is not available for me as much as I wished. At the same time, Dieter's product has served me well and I thank him for that. I will continue to use the SL product, and I will also watch the fork closely, and possibly switch if that is in my best interest.

In the big picture, debate is something that is good. In the US, open public debate has been all but squashed for the last few years, and many have paid with their lives for the lack of it. Like forking in OS, we have elections to correct the complete loss of accountability, honesty, credibility, and integrity many of us have had to live through these last few years. Let the debate continue. It's healthy, but sometimes uncomfortable!

Chris Curtis
Non racist, non sexist, pro-choice, and like my favorite person (jesus), a liberal!

On Sep 7, 2006, at 4:09 PM, GeorgeOsvald wrote:
> On Friday 08 September 2006 05:59, Ed W wrote:
> > Dr Eberhard Lisse wrote:
> > > Where the f***k is the evidence about censoring, not that looking at the headers it is even remotely possible, and not that sourceforge would stand for it. Other than you forging the headers, perhaps, again.
> > >
> > > There has never anyone been banned, in particular not for content, yours truly is an example of what they have put up with, and subscription to this list is an automated process.
> >
> > I don't know if it's deliberate or not, but I have posted a fair number of questions to this list which have simply not shown up?
> >
> > I don't have this problem with other Yahoo lists. I had assumed that this list was somewhat moderated and perhaps my posts were being disregarded... Not sure what moderator controls there are with Yahoo? Didn't think that anything I had previously posted was controversial, but perhaps...?
>
> My current user name is the third one that I am using for this list. I was banned on this list once and had to use a different username to gain access again. You want proof? I could give you my other two user names off the list if I could be bothered. It is still possible to search for those in the archives.
From: Christopher M. <chr...@gm...> - 2006-09-07 23:12:28

On 9/7/06, GeorgeOsvald <geo...@ya...> wrote:
> On Friday 08 September 2006 07:41, Christopher Murtagh wrote:
> > That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'.
>
> This is a total pile of crap. There is no way you could find my SQL-Ledger installation on the net. If anyone is so naive and is letting this happen then it is their fault but you should not say that every installation of SL is under threat. That is bullshit.

And where exactly did I say this? I said that the application is critically flawed and that there are users who have internet facing installations. Claiming that these people were naive in trusting Dieter's work is unfair, most of them have never met him and, thanks to his censoring haven't seen the security complaints. That makes about as much sense as saying that Dell laptop users who got burned were too naive and should have never used the batteries.

Cheers,

Chris
From: Dr E. L. <el...@li...> - 2006-09-08 04:49:18

on 9/8/06 1:12 AM Christopher Murtagh said the following:
> And where exactly did I say this? I said that the application is critically flawed and that there are users who have internet facing installations. Claiming that these people were naive in trusting Dieter's work is unfair, most of them have never met him and, thanks to his censoring haven't seen the security complaints. That makes about as much sense as saying that Dell laptop users who got burned were too naive and should have never used the batteries.

There are idiots on the Internet, this can be demonstrated by reading your posts.

FUD, FUD and more FUD. And of course ulterior motives.

el

--
Dr. Eberhard W. Lisse   \        / Obstetrician & Gynaecologist (Saar)
el...@li... el108-ARIN   /   *   | Telephone: +264 81 124 6733 (cell)
PO Box 8421              \      / Please send DNS/NA-NiC related e-mail
Bachbrecht, Namibia       ;____/  to dns...@na...
From: GeorgeOsvald <geo...@ya...> - 2006-09-07 23:31:38

On Friday 08 September 2006 09:12, Christopher Murtagh wrote:
> On 9/7/06, GeorgeOsvald <geo...@ya...> wrote:
> > On Friday 08 September 2006 07:41, Christopher Murtagh wrote:
> > > That is total BS. There are people who are using internet facing installations of SL, this can be demonstrated by a google search for 'SQL-Ledger version'.
> >
> > This is a total pile of crap. There is no way you could find my SQL-Ledger installation on the net. If anyone is so naive and is letting this happen then it is their fault but you should not say that every installation of SL is under threat. That is bullshit.
>
> And where exactly did I say this? I said that the application is critically flawed and that there are users who have internet facing installations. Claiming that these people were naive in trusting Dieter's work is unfair,

I am not saying they are naive if they trusted Dieter. What I say is that there is a lot more to security than just the application itself. Anyone who just slaps anything on a web server without any additional precautions is naive. Dieter does behave strangely sometimes I admit but he can not be held responsible for every one who just blindly installs SL and then hopes for the best. I understand that there is a problem, my point is though that if your server is safe there is no way anyone from outside (not an employee) can do anything if your setup is half sane.

> most of them have never met him and, thanks to his censoring haven't seen the security complaints. That makes about as much sense as saying that Dell laptop users who got burned were too naive and should have never used the batteries.
>
> Cheers,
>
> Chris
From: David T. <ta...@ex...> - 2006-09-07 23:44:48
|
On Fri, 2006-09-08 at 09:31 +1000, GeorgeOsvald wrote:
> What I say is that
> there is a lot more to security than just the application itself. Anyone who
> just slaps anything on a web server without any additional precautions is
> naive. Dieter does behave strangely sometimes I admit but he cannot be held
> responsible for everyone who just blindly installs SL and then hopes for
> the best.

I think I probably disagree here. I SHOULD be able to just slap SL onto my machine and be safe. You see, my machine is behind a firewall, but if I open the web ports, the web server is still safe due to it being installed as recommended, except for the SL part, i.e. all my account data! Why? Because the SL security is not as per how LedgerSMB does it, or equivalent.

> I understand that there is a problem, my point is though that if
> your server is safe there is no way anyone from outside (not an employee) can
> do anything if your setup is half sane.

Hmm. Sorry, this is too simplistic to be of any help to me. Hopefully, if you read what I write above it should be apparent why. In a nutshell the contention is that the server is safe except for the SL part, because its setup is not half sane. |
From: Josh B. <jo...@ag...> - 2006-09-07 23:54:47
|
George,

> I am not saying they are naive if they trusted Dieter. What I say is
> that there is a lot more to security than just the application itself.
> Anyone who just slaps anything on a web server without any additional
> precautions is naive. Dieter does behave strangely sometimes I admit but
> he cannot be held responsible for everyone who just blindly installs
> SL and then hopes for the best. I understand that there is a problem, my
> point is though that if your server is safe there is no way anyone from
> outside (not an employee) can do anything if your setup is half sane.

Well, security is something you implement at every level, not just at the gateway. So: SSL: yes, domain limits: yes, server lockdown: yes, strong passwords: yes, secure session tracking: yes, database security: yes, database auditing: yes. What you *don't* do is implement security in one area (like SSL or VPN) and expect that you don't need to worry about security anywhere else. That's a fast way to get hacked.

Also, I'll tell you as someone who occasionally used to do database forensics professionally, 90% of hacks against a financial application happen from *inside* your organization. The most likely reason for someone to hack SL is to commit malfeasance, which is almost always going to be an employee. So the fact that SL (or whatever) "isn't on the web" isn't a security policy.

--
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco |
From: GeorgeOsvald <geo...@ya...> - 2006-09-08 05:57:26
|
On Friday 08 September 2006 09:55, Josh Berkus wrote:
> George,
>
> > I am not saying they are naive if they trusted Dieter. What I say is
> > that there is a lot more to security than just the application itself.
> > Anyone who just slaps anything on a web server without any additional
> > precautions is naive. Dieter does behave strangely sometimes I admit but
> > he cannot be held responsible for everyone who just blindly installs
> > SL and then hopes for the best. I understand that there is a problem, my
> > point is though that if your server is safe there is no way anyone from
> > outside (not an employee) can do anything if your setup is half sane.
>
> Well, security is something you implement at every level, not just at the
> gateway. So: SSL: yes, domain limits: yes, server lockdown: yes, strong
> passwords: yes, secure session tracking: yes, database security: yes,
> database auditing: yes. What you *don't* do is implement security in one
> area (like SSL or VPN) and expect that you don't need to worry about
> security anywhere else. That's a fast way to get hacked.

You can do a bit more than that depending on your level of paranoia. I am extremely paranoid. When it comes to security, redundancy is a good thing.

> Also, I'll tell you as someone who occasionally used to do database
> forensics professionally, 90% of hacks against a financial application
> happen from *inside* your organization. The most likely reason for
> someone to hack SL is to commit malfeasance which is almost always going
> to be an employee. So the fact that SL (or whatever) "isn't on the web"
> isn't a security policy.

When it comes to employee honesty there is nothing you can do. I know people who keep their passwords in their wallets just to remember them. A dishonest person could take that password and access SL normally. Frankly, if I had an employee who would be able to hack SL, he/she would not be working as an accountant.

You can still search the logs to find out who was logged in and did what. |
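One concrete form of the "database auditing" Josh lists and of the log search George falls back on, added here as an example that is not part of the thread and not SQL-Ledger's own code: a PostgreSQL trigger that records every row change to a ledger table together with the login role and client address that made it. The table, function and role names (audit_log, audit_row_change, invoice, sl_app) are constructed for the example, not SQL-Ledger's schema.

```sql
-- Constructed example, not SQL-Ledger code: table, column and role names
-- are hypothetical. Each INSERT/UPDATE/DELETE on the ledger table is
-- recorded with the login role and client address that issued it.
CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    changed_at  timestamptz NOT NULL DEFAULT now(),
    -- session_user, not current_user: in a SECURITY DEFINER trigger the latter is the owner
    login_role  text        NOT NULL DEFAULT session_user,
    client_addr inet        DEFAULT inet_client_addr(),
    table_name  text        NOT NULL,
    operation   text        NOT NULL,
    old_row     text,
    new_row     text
);
CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger AS $$
BEGIN
    IF TG_OP = 'DELETE' THEN
        INSERT INTO audit_log (table_name, operation, old_row)
        VALUES (TG_TABLE_NAME, TG_OP, OLD::text);
        RETURN OLD;
    ELSIF TG_OP = 'UPDATE' THEN
        INSERT INTO audit_log (table_name, operation, old_row, new_row)
        VALUES (TG_TABLE_NAME, TG_OP, OLD::text, NEW::text);
    ELSE
        INSERT INTO audit_log (table_name, operation, new_row)
        VALUES (TG_TABLE_NAME, TG_OP, NEW::text);
    END IF;
    RETURN NEW;
END;
$$ LANGUAGE plpgsql SECURITY DEFINER SET search_path = pg_catalog, public;
-- Hypothetical ledger table standing in for the application's data.
CREATE TABLE invoice (
    id       serial        PRIMARY KEY,
    customer text          NOT NULL,
    amount   numeric(12,2) NOT NULL
);
CREATE TRIGGER invoice_audit
    AFTER INSERT OR UPDATE OR DELETE ON invoice
    FOR EACH ROW EXECUTE PROCEDURE audit_row_change();
-- The application role (sl_app, hypothetical) may change invoices but can
-- neither read nor alter the trail: the trigger writes it as the function
-- owner, so sl_app needs no privilege on audit_log at all.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoice TO sl_app;
GRANT USAGE, SELECT ON SEQUENCE invoice_id_seq TO sl_app;
-- "Who was logged in and did what" to invoices during the last week:
SELECT changed_at, login_role, client_addr, operation, old_row, new_row
  FROM audit_log
 WHERE table_name = 'invoice' AND changed_at > now() - interval '7 days'
 ORDER BY changed_at;
```

A web application that connects to the database under one shared role will show only that role in login_role, so the application's own session log is still needed to tie a change to a person.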