[squeak-dev] Re: smalltalk and Web stuff

Janko Mivšek janko.mivsek at eranova.si
Sun Nov 23 14:45:31 UTC 2008


Klaus D. Witzel wrote:

>> Surely I'm not the only one who like to hear more concretely about 
>> those vulnerabilities
> 
> You mean by listing things like "hacker can smuggle in code" you arrive 
> at the whole list of possible vulnerabilities? If so, why are so many 
> new attack forms and their variants still appearing?
> 
> There's only one law related to attacks, and it is an instantiation of 
> Murphy's law.
> 
>> and how you can exploit them through the web.
> 
> That's never going to be stopped, that is for sure. And it is more 
> fun to get rid of running services as root than being thrown out by a 
> customer.
> 
> I do not want to see a headline like "Smalltalk system responsible for 
> vulnerabilities", and how about you?

Too much care is as bad as too little care here. Your door in your house 
is also locked with a lock which a determined "hacker" can break in 
seconds (believe me, I saw that with my own eyes). But you don't care 
much, because the probability for this to happen is so low that it is not 
worth additional security measures. A home door is a good metaphor for 
"just appropriate" computer security as well. Don't exaggerate with 
security, but also don't neglect it; this is my motto and so far it has 
worked. For 12 years already.

Smalltalk systems are inherently more secure by design, but ok, everyone 
can always run behind Apache as non-root if he wishes.

Janko

-- 
Janko Mivšek
AIDA/Web
Smalltalk Web Application Server
http://www.aidaweb.si
