[2116] in WWW Security List Archive
Re:Macintosh Web Server Issues
daemon@ATHENA.MIT.EDU (Tim Dierks)
Mon May 20 03:12:10 1996
Date: Sun, 19 May 1996 21:49:03 -0700
To: Enrico Cantu <ecantu@uh.edu>
From: Tim Dierks <tim@dierks.org>
Cc: www-security@ns2.rutgers.edu, kgmlists@3rdmill.com
Errors-To: owner-www-security@ns2.rutgers.edu
At 2:02 PM 5/19/96, Enrico Cantu wrote:
>There is one more item of concern that I have not seen brought up on this
>issue. Everyone has been talking about attacks via TCP over a network. A
>WebStar-based server (or even more interestingly, Apache running on MachTen
>or something :-) ) can be configured to be as secure as one wants given
>appropriate diligence, but even wearing my Mac evangelist hat (when not
>wearing my UNIX one), I have to say that the greatest threat to a Mac-based
>server would be a person who sits at the machine. You see, unless you are
>using FolderBolt or some other login utility, anyone can come by and drag
>your http server straight to the trash--end of web service. At least with
>a UNIX box you have a login, or if a session is in use at console, you can
>xlock the screen.
If you don't have physical control of your hardware, you have nothing; I
don't care how secure you believe your software is. I'm willing to wager a
bundle of dough that if you give me five minutes with your server, I can
interrupt your web service. I don't need passwords or operating systems,
keyboards or displays; all I need is a hammer and a pair of wire cutters.
While someone doesn't have to be quite as determined to interrupt service
via software, that's a fine and possibly meaningless distinction.
- Tim
PS - There are a number of adequate console security tools for the Mac;
maybe nothing of C2 class security, but strong enough that using a hammer
is easier than getting by them.
Tim Dierks - Software Haruspex - tim@dierks.org
"That's the trouble with technology. It attracts people who have nothing
to say." - Muffey Kibbey, mother [Wall Street Journal, May 10 1996]