[squeak-dev] Re: smalltalk and Web stuff

Klaus D. Witzel klaus.witzel at cobss.com
Sun Nov 23 13:52:59 UTC 2008


Hi Janko,

on Sun, 23 Nov 2008 14:13:16 +0100, you wrote:

> Philippe Marschall wrote:
>
>>>>>>> AIDA/Web apps/websites are running as pure Smalltalk web presence,
>>>>>>> from dynamic to static content, movies included. No Apache needed,
>>>>>>> Swazoo as integral part of Aida is there to serve directly to the web.
>>>>>> How do you bind port 80?
>>>>> Running as root. Danger for hackers to break into? Well, in
>>>>> Smalltalk hardly :)
>>>> Sorry but that's just not serious.
>>> Definition of what is serious is very broad. Following blindly some
>>> "best practices" is not serious for me as well. Having a right feeling for a
>>> balance between many aspects of security, that's what I regard as a
>>> mature seriousness.
>
>> I have seen arbitrary remote code execution vulnerabilities in Squeak
>> and there is no telling how many there are left.
>
> Surely I'm not the only one who likes to hear more concretely about those
> vulnerabilities

You mean by listing things like "hacker can smuggle in code" you arrive at
the whole list of possible vulnerabilities? If so, why are so many new
attack forms and their variants still appearing?

There's only one law related to attacks, and it is an instantiation of
Murphy's law.

> and how you can exploit them through the web.

That's never going to be stopped, that is for sure. And it is more fun
to get rid of running services as root than to be thrown out by a customer.

I do not want to see a headline like "Smalltalk system responsible for
vulnerabilities", and how about you?

/Klaus

> Janko
>


-- 
"If at first, the idea is not absurd, then there is no hope for it".  
Albert Einstein
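The alternative Klaus is arguing for above, as an added example that is not part of this thread and not Swazoo/AIDA code: bind the privileged port while still root, then drop to a service account before the first request is served. The function names, the loopback address and the port-0/own-uid demo setting are my assumptions.

```c
#define _GNU_SOURCE          /* for setgroups() on glibc */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not Swazoo/AIDA code): bind and listen while still
 * privileged, then drop permanently to an unprivileged uid/gid before any
 * request is served. Returns the listening fd, or -1 with errno set.
 * With port 0 and the caller's own uid/gid it also runs without root. */
int listen_then_drop(unsigned short port, uid_t uid, gid_t gid)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in addr = {0};
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* loopback keeps the demo local */
    addr.sin_port = htons(port);                    /* 80 in production, 0 = any free port */
    int ok = bind(fd, (struct sockaddr *)&addr, sizeof addr) == 0 && listen(fd, 16) == 0;

    /* Root was only needed for bind(); the fd stays usable after the drop.
     * Order matters: supplementary groups, then gid, then uid. setuid(2) sets
     * the real uid too, so unlike seteuid() the drop cannot be undone. */
    ok = ok && (geteuid() != 0 || setgroups(0, NULL) == 0);
    ok = ok && setgid(gid) == 0 && setuid(uid) == 0;
    if (ok && uid != 0 && setuid(0) == 0) { /* confirm root is really gone */
        errno = EPERM;
        ok = 0;
    }
    if (!ok) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* 1 once the process runs as `uid` and can no longer regain root. */
int running_unprivileged_as(uid_t uid)
{
    return getuid() == uid && geteuid() == uid && (uid == 0 || setuid(0) != 0);
}
```

In a real deployment the image starts as root, calls this with port 80 and the service account's uid/gid, and keeps accepting on the returned fd as that account.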