Message-ID: <20000116151753.16092.qmail@web805.mail.yahoo.com>
Date: Sun, 16 Jan 2000 07:17:53 -0800 (PST)
From: "John van V."
Reply-To: john AT thinman DOT com
Subject: Security Documentation, SSH
To: Chris Faylor
Cc: cygwin AT sourceware DOT cygnus DOT com

> This is not going to happen. We understand the security vulnerabilities
> of Cygwin very well. The security model is basically security through
> obscurity which, I'm sure you are aware, is no security at all.

I personally appreciate candor in this area having experienced break-in
attempts aimed at such insider plums as the Moody's Ratings DB, or the
Barings Securities Position tables.

But from what I read, it is an issue of using an NT box as a multiuser
system. Now my post suggesting using the regular UNIX login system for SSH
and limiting the box to a single user makes even more sense. Telnet could
also be ported in this way.

> Although, now that I think of it, if you're running any CGI scripts on
> this theoretical web site then you are at risk since Cygwin's security
> model is wide open to a craftily written perl script.

Perl is equipped to solve these problems, if you know the language. You
simply encapsulate the input to prevent it from being evaluated. The input
structure, for instance, keeps scalars as elements of an array. Side effect
or clever feature, I'm not sure...

> We would certainly consider changing this if a customer wanted to pay
> for this work. It would be a very interesting project.

I, for one, am getting a little tired of hearing this from your
organization.

I am founding a perl group which will not only preach to educators the cost
effectiveness of our swiss-army-chain-saw, but teach business types as
well, for free. And this w/o the support of our employers.

You guys, on the other hand are rolling in dough, spending millions on NY
apartments, etc, etc...

Linux and the whole public s/w venue is a gift, but only if the given to
keep on giving.

Consider this in the light that it is meant.

=====
John van Vlaanderen

#########################################
# CXN, Inc. Contact:
# john AT thinman DOT com, www.thinman.com
# 1 917 309 7379 (cell, voice mail)
#########################################