[squeak-dev] Re: smalltalk and Web stuff
Klaus D. Witzel
klaus.witzel at cobss.com
Sun Nov 23 13:52:59 UTC 2008
Hi Janko,
on Sun, 23 Nov 2008 14:13:16 +0100, you wrote:
> Philippe Marschall wrote:
>
>>>>>>> AIDA/Web apps/websites are running as pure Smalltalk web presence,
>>>>>>> from dynamic to static content, movies included. No Apache needed,
>>>>>>> Swazoo as integral part of Aida is there to serve directly to the web.
>>>>>> How do you bind port 80?
>>>>> Running as a root. Danger for hackers to break into? Well, in
>>>>> Smalltalk hardly :)
>>>> Sorry but that's just not serious.
>>> Definition of what is serious is very broad. Following blindly some
>>> "best practices" is not serious for me as well. Having a right feeling
>>> for a balance between many aspects of security, that's what I regard as
>>> a mature seriousness.
>
>> I have seen arbitrary remote code execution vulnerabilities in Squeak
>> and there is no telling of how many there are left.
>
> Surely I'm not the only one who likes to hear more concretely about those
> vulnerabilities
You mean by listing things like "hacker can smuggle in code" you arrive at
the whole list of possible vulnerabilities? If so, why are so many new
attack forms and their variants still appearing?
There's only one law related to attacks, and it is an instantiation of
Murphy's law.
> and how you can exploit them through the web.
That's never going to be stopped, that is for sure. And it is more fun to
get rid of services running as root than to be thrown out by a customer.
I do not want to see a headline like "Smalltalk system responsible for
vulnerabilities", and how about you?
/Klaus
> Janko
>
--
"If at first, the idea is not absurd, then there is no hope for it".
Albert Einstein