.NET in General

[Joe]

Hi all,

I'm not a web programmer (currently an app programmer) but studying to be.
However, I need to vent and want feedback. I have no problem with the .NET
concept under certain circumstances and am currently using it for a stock
application - nothing else could be better for such. It sounds like the greatest
idea on earth for learning experiences, etc. but for OPERATING SYSTEMS?!!!
Be real! Microsoft can't even protect itself from hackers why on earth is
he demanding all businesses to make themselves entirely vulnerable?!! Until
security is spotless, I don't see how Microsoft can ask businesses to put
their entire business on the web? Am I severely misunderstanding .NET or
do you all agree?!!

Thanks for listening.

[Jason Bock]

Joe <maui664@capital.net> wrote in message news:3a7a1fdf$1@news.devx.com...
>
> Hi all,
>
> I'm not a web programmer (currently an app programmer) but studying to be.
> However, I need to vent and want feedback. I have no problem with the .NET
> concept under certain circumstances and am currently using it for a stock
> application - nothing else could be better for such.

It can also be used for a lot of other programming tasks. Keep playing with
it - it's fun.

> It sounds like the greatest
> idea on earth for learning experiences, etc. but for OPERATING SYSTEMS?!!!
> Be real! Microsoft can't even protect itself from hackers why on earth is
> he demanding all businesses to make themselves entirely vulnerable?!!

"He" being who?

> Until
> security is spotless, I don't see how Microsoft can ask businesses to put
> their entire business on the web?

Which web site is completely secure from any form of an attack?

Every site is vulnerable.

> Am I severely misunderstanding .NET or
> do you all agree?!!

I think you misunderstand how security works in general.

Jason

[Mike Mitchell]

On Thu, 1 Feb 2001 21:49:01 -0600, "Jason Bock" <jrbock@execpc.com>
wrote:

>> Until
>> security is spotless, I don't see how Microsoft can ask businesses to put
>> their entire business on the web?
>
>Which web site is completely secure from any form of an attack?
>
>Every site is vulnerable.
>

Ah, but it's not every web site that is asking to host our data. Those
web sites that do, really do need to be secure. If they can't provide
data mirroring they're not worth considering as a viable storage
medium. Imagine your finance department is about to forward the
monthly salaries to the banks, and all of a sudden a key web site over
which you have absolutely no control goes down? How do you think your
employees are going to react on hearing the news "...Every site is
vulnerable." ?

>> Am I severely misunderstanding .NET or
>> do you all agree?!!
>
>I think you misunderstand how security works in general.

What? That "every site is vulnerable", that's it?

MM

[Sjoerd Verweij]

> Until security is spotless

Security is never spotless. Ever. On any platform. Besides, if you have a
foolproof way to prevent DoS attacks, I think there are a few companies that
might want to talk to you.

HTH,
Sjoerd

[Mike Mitchell]

On Fri, 2 Feb 2001 10:12:11 -0800, "Sjoerd Verweij"
<nospam.sjoerd@sjoerd.org> wrote:

>> Until security is spotless
>
>Security is never spotless. Ever. On any platform. Besides, if you have a
>foolproof way to prevent DoS attacks, I think there are a few companies that
>might want to talk to you.
>

Like the banks, credit card companies, building societies, Western
Union, etc? You don't hear too much about *their* security being
compromised. My bank, for example. I've been with it for twenty years,
and never a mention of any outage. And yet Microsoft, the most
significant software company on planet earth (we are led to believe),
suffers not one, but two outages in the space of a few days.

For example, where I work we have to change passwords regularly. Does
Hotmail ever prompt me to change my password? No, it never did.

MM

[Sjoerd Verweij]

> Like the banks, credit card companies, building societies, Western
> Union, etc? You don't hear too much about *their* security being
> compromised.

Correct me if I'm wrong, but the incidents have been human error (password
security and router misconfiguration) and a DoS attack. If I had your bank
manager's passwords, I could go to town. And if someone did a good DoS
attack on your bank's website...

> For example, where I work we have to change passwords regularly. Does
> Hotmail ever prompt me to change my password? No, it never did.

What does Hotmail have to do with it?

[Jonathan Allen]

> > For example, where I work we have to change passwords regularly.

That has the greatest potential for security leaks in many companies. By
forcing the user to change their password on a regular basis, many employees
start to have trouble remembering their latest password. This causes them to
do dangerous things like writing it on a post-it note and placing it under
the keyboard or on top of a drawer.

--
Jonathan Allen


"Sjoerd Verweij" <nospam.sjoerd@sjoerd.org> wrote in message
news:3a7b1244$1@news.devx.com...
> > Like the banks, credit card companies, building societies, Western
> > Union, etc? You don't hear too much about *their* security being
> > compromised.
>
> Correct me if I'm wrong, but the incidents have been human error (password
> security and router misconfiguration) and a DoS attack. If I had your bank
> manager's passwords, I could go to town. And if someone did a good DoS
> attack on your bank's website...
>
> > For example, where I work we have to change passwords regularly. Does
> > Hotmail ever prompt me to change my password? No, it never did.
>
> What does Hotmail have to do with it?
>
>
>

[Jeff Peil]

"Mike Mitchell" <kylix_is@hotmail.com> wrote in message
news:3a7b0dd4.3495944@news.devx.com...
> Like the banks, credit card companies, building societies, Western
> Union, etc? You don't hear too much about *their* security being
> compromised. My bank, for example. I've been with it for twenty years,
> and never a mention of any outage. And yet Microsoft, the most
> significant software company on planet earth (we are led to believe),
> suffers not one, but two outages in the space of a few days.
>

Mike,

Banks have historically had all kinds of problems with crackers breaking in
and stealing from them. However banks have always taken extreme steps to
keep consumers from hearing about it. Even then, if you take the time to do
a little research, I think you'll find that they have all sorts of headaches
and that it was particularly bad for them in the 80s.

[Karl E. Peterson]

ForumMonster --

> Like the banks, credit card companies, building societies, Western
> Union, etc? You don't hear too much about *their* security being
> compromised. My bank, for example. I've been with it for twenty years,
> and never a mention of any outage. And yet Microsoft, the most
> significant software company on planet earth (we are led to believe),
> suffers not one, but two outages in the space of a few days.

Two salient points:

* They probably wouldn't be _your_ bank if you heard their security was
compromised.

* Microsoft is the most hacked domain on the planet.

Later... Karl
--
http://www.mvps.org/vb

[Alessandro Coppo]

Jonathan Allen wrote in message <3a7b17db@news.devx.com>...
>That has the greatest potential for security leaks in many companies. By
>forcing the user to change their password on a regular basis, many
employees
>start to have trouble remembering their latest password. This causes them
to
>do dangerous things like writing it on a post-it note and placing it under
>the keyboard or on top of a drawer.


<sarcasm mode="on">
You are right. Password scheduling is useless. By the way, why don't give
every user a default, unchangeable password using e.g. (in US) is IRS
number? easy to remember and they won't write it down because Uncle Sam has
already done it...
</sarcasm>

Alessandro Coppo
a.coppo@iol.it

P.S.: visit http://www.counterpane.com/labs.html

[Mike Mitchell]

On Fri, 2 Feb 2001 12:00:37 -0800, "Sjoerd Verweij"
<nospam.sjoerd@sjoerd.org> wrote:

>Correct me if I'm wrong, but the incidents have been human error (password
>security and router misconfiguration) and a DoS attack. If I had your bank
>manager's passwords, I could go to town. And if someone did a good DoS
>attack on your bank's website...

No, you're not wrong, they were human error. And in an organisation
that is hoping to assume responsibility for looking after billions of
our dollars, there isn't room for human error. Dos attack? How do we
know if that was really the case? Maybe there was too much egg flying
around...

Yes, if you had the bank's passwords...but the point is, really
effective security will try very hard to stop you from getting them.
Banks sometimes have DoS attacks, too, in the form of physical
hold-ups and robberies. But those isolated cases affect but one branch
at a time, not the entire world, like the MS outages did.

>> For example, where I work we have to change passwords regularly. Does
>> Hotmail ever prompt me to change my password? No, it never did.
>
>What does Hotmail have to do with it?
>

I was merely illustrating how a Microsoft division treats some of its
password protection, i.e. you can keep a Hotmail account active with
the same password for ever, I suppose. No one will ever ask you to
change it for security reasons. You'd think they would at least remind
you every month that changing it would be a good idea.

MM

[Mike Mitchell]

On Fri, 2 Feb 2001 12:20:21 -0800, "Jonathan Allen"
<greywolfcs@bigfoot.com> wrote:

>> > For example, where I work we have to change passwords regularly.
>
>That has the greatest potential for security leaks in many companies. By
>forcing the user to change their password on a regular basis, many employees
>start to have trouble remembering their latest password. This causes them to
>do dangerous things like writing it on a post-it note and placing it under
>the keyboard or on top of a drawer.
>

So what's the alternative? You never have them change their passwords,
and they still share them (we know they do). They say "Tracey, if you
need to access my spreadsheet while I'm out of the office the password
is..." We know this happens. And then Tracey leaves the company for
whatever reason and because that password has been lingua franca for
so long, she won't forget it in a hurry. A new boyfriend perhaps, and
soon that password is winging its way across the city. But if Tracey's
colleague had changed the password regularly, then the knowledge that
Tracey had would have naturally timed out over time. Surely it isn't
too difficult to enter a different password once in a while and
remember it without writing it down?

Just no one THINK of getting one of those retinal scanners looking in
MY eyes, thanks all the same! Only needs one recalibration snafu and
my eyes are toast. Same with the daft fingerprints. How long will it
be before someone gets their finger chopped off for nefarious
purposes? Else if it catches on, people will walk around the whole
time with their hands in their pockets and bump into things.

MM

[Mike Mitchell]

On Fri, 2 Feb 2001 12:31:01 -0800, "Jeff Peil" <jpeil@bigfoot.com>
wrote:

>Banks have historically had all kinds of problems with crackers breaking in
>and stealing from them. However banks have always taken extreme steps to
>keep consumers from hearing about it. Even then, if you take the time to do
>a little research, I think you'll find that they have all sorts of headaches
>and that it was particularly bad for them in the 80s.

Bad in the 80's, and then they learned their lesson and improved their
security. This needs to happen in the online world, and fast. For
example, people have been talking FOR YEARS about microcash for online
payments, and still the only one way that is acceptable all over is
the credit card. Why isn't there a credit card that is valid for only
a single transaction? That's why all the DotComs went bust recently.
No one wants to trust them by buying anything.

MM

[Mike Mitchell]

On Fri, 2 Feb 2001 13:50:41 -0800, "Karl E. Peterson" <karl@mvps.org>
wrote:

>
> * Microsoft is the most hacked domain on the planet.
>

Seems like exactly the wrong place to upload anything of worth to,
then, doesn't it?

MM

(Oh, sorry, almost forgot, you can't say...!)

[Jonathan Allen]

Do you have any real arguments to contradict me, or are you just grasping at
straws?

--
Jonathan Allen


"Alessandro Coppo" <a.coppo@iol.it> wrote in message
news:3a7b2eaa@news.devx.com...
> Jonathan Allen wrote in message <3a7b17db@news.devx.com>...
> >That has the greatest potential for security leaks in many companies. By
> >forcing the user to change their password on a regular basis, many
> employees
> >start to have trouble remembering their latest password. This causes them
> to
> >do dangerous things like writing it on a post-it note and placing it
under
> >the keyboard or on top of a drawer.
>
>
> <sarcasm mode="on">
> You are right. Password scheduling is useless. By the way, why don't give
> every user a default, unchangeable password using e.g. (in US) is IRS
> number? easy to remember and they won't write it down because Uncle Sam
has
> already done it...
> </sarcasm>
>
> Alessandro Coppo
> a.coppo@iol.it
>
> P.S.: visit http://www.counterpane.com/labs.html
>
>
>