[Lispweb] Araneida

Daniel Barlow dan at telent.net
Fri Apr 22 04:01:56 CDT 2005


John Foderaro <jkf at franz.com> writes:
| I'm not sure how you're applying the million monkey principle.  
| The way I see it there are a million monkeys out there trying to
| crack Apache (again),  some for the challenge and some for the substantial
| payoff from the criminal element.   Exploits travel very fast now
| and when the next one is found your system running Apache likely 
| will be compromised before you can patch it.  Large organizations can 
| afford to run Apache outside the firewall and so are relatively safe
| as long as they treat the machine running apache as likely compromised.

I'm looking at the apacheweek "overview of security vulnerabilities"
page <http://www.apacheweek.com/features/security-13> and not seeing
the gloomy picture that you're painting.  If you configure Apache to
(a) not include any module you're not using (for example, none of
mod_cgi, mod_perl, mod_include, mod_php, or mod_rewrite are needed for
ww.telent.net) and (b) run it on a system which does not provide
shells to untrusted users, you have to go back some considerable
distance before you find a real problem.  Of course, these are only
the problems they're admitting to ...

On the matter of whether using an unusual language constitutes
"security through obscurity" and is therefore a bad thing, I don't
think it does - or if it does then I think there's a legitimate role
for said "security through obscurity" as an _extra_ level of defence.
As a substitute for security we can all agree it's a dumb idea, but
I'm still slightly happier about my (non-root, read-only, chrooted)
anon cvs server because it's on an Alpha, just because the people who
make rootkits for script kiddies usually concentrate their scripts on
x86.  Defence in depth.

This is veering kind of off-topic for a Lisp list (although it's a
pleasant change to get any discussion at all, granted) and I'm off to
Amsterdam now so may not have time to read replies until Monday.
Enjoy your weekend.


-dan
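An added example, not part of Dan's post or the Araneida project, that checks the two hardening points above: (a) none of the modules the post names are loaded, and (b) no non-system account keeps a login shell. It assumes module names as printed by `httpd -M` and the usual /etc/passwd layout; both inputs below are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread): two quick checks for the
# hardening described in the post. Inputs are passed as text so the
# functions can be run against constructed samples without a live server.

# Modules the post names as unnecessary for a static site.
UNNEEDED='cgi perl include php rewrite'

# unneeded_loaded MODULE_LIST_TEXT: print each unneeded module that is loaded.
# Lines from `httpd -M` look like " cgi_module (shared)"; php may appear as
# php7_module or php8_module, hence the optional digits.
unneeded_loaded() {
    for m in $UNNEEDED; do
        printf '%s\n' "$1" | grep -q "^ *${m}[0-9]*_module" && printf '%s\n' "mod_$m"
    done
    return 0
}

# shell_accounts PASSWD_TEXT: print non-system accounts (uid >= 1000) whose
# login shell is not nologin/false, i.e. accounts that can get a shell and
# should be reviewed against the "no shells for untrusted users" rule.
shell_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 >= 1000 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Constructed sample output of `httpd -M` for a server that still loads mod_cgi.
SAMPLE_MODULES=' core_module (static)
 mpm_prefork_module (shared)
 cgi_module (shared)
 dir_module (shared)
 mime_module (shared)'

# Constructed /etc/passwd: one admin with a shell, one untrusted user without.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
guest:x:1001:1001:untrusted:/home/guest:/usr/sbin/nologin'

echo "Unneeded modules loaded:";   unneeded_loaded "$SAMPLE_MODULES"
echo "Accounts with login shells:"; shell_accounts "$SAMPLE_PASSWD"
```

On a live host, feed it `"$(httpd -M 2>/dev/null)"` and `"$(cat /etc/passwd)"` instead of the samples.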