in reply to Re^2: What do people think of the YaBB forum script?
in thread What do people think of the YaBB forum script?

In merlyn's words, it's better to have a non-functional, secure site than a functional, insecure site.

I have to agree with gryphon on this issue. That depends on your requirements. An intranet server is the perfect example of a case where security may be a low priority, but there are others. Many personal sites which aren't meant for a lot more than communicating with family or friends don't have to be too concerned about security.

I'm paranoid about the sites that make sense for me to be paranoid about. Basically, that means the ones that might cause me or my employer a loss if they were hacked. I keep in mind that a loss could include intangibles such as reputation.

-sauoq
"My two cents aren't worth a dime.";

Re^4: What do people think of the YaBB forum script?
by Aristotle (Chancellor) on Sep 22, 2002 at 11:40 UTC

    I will concede the point about intranet servers, though not without pointing out that many intruders are employees or generally supposedly trustworthy subjects.

    In the case of a publicly accessible server though, I disagree, even if it's just a personal site for family communication. I remember someone's story whose home machine, hooked up on a cable connection, was hacked. When the box was examined, an SQL server with an email address database that wasn't there before was found - spammers had probably abused the machine as a relay. The rules have changed: a box on a static IP is not a crackworthy target if you have critical data on it - it's a crackworthy target in and of itself. The various honeynet projects offer impressive proof of the fact. Do not make yourself guilty of negligence.

    Makeshifts last the longest.