RE: DB2UDB hack

From: John Earl

I'm not interested in taking your $1000 bet because I guess that you
have stacked the odds in your favor by securing your machine very well
(and to Patrick's point, you probably did that for very little cost and
time). You took proactive steps to secure your machine, and I would
probably be out the $1000 if I took the bet. I am quite sure that I
could find a windows admin who had secured his system such that it would
take an equal pounding and still not be compromised.

Uh. Here's what I did: I installed i5/OS, created an HTTP instance and
opened port 80 on my firewall.

Okay, I'm done.

You can't get into my machine.

Do the same thing with Windows. Install Windows, fire up IIS and open up a
hole in your firewall. See how fast you become a mail daemon or a file
zombie.

Can you lock it down? Sure. But it ain't easy, and it's a moving target.
Whereas, I DO NOT HAVE TO WORRY.

Yes, there are lots of things I have to do especially if I allow remote
access to my machine. The more crap I open up via FTP and ODBC and PASE the
more fragile I make my machine. Heck, just having a Windows machine on the
network is like having HIV. You won't necessarily get AIDS, but you need to
fight it every day for the rest of your life.

It's not a matter of degree, it's a completely different universe.

But that's JMHO.

I love ya, John, you know that. I recommend you to everyone, just as I do
every person who I consider an expert in their field. But to equate i5/OS
HTTP server to IIS is just a teeny bit of a stretch, even if you do sell
security consulting <grin>.

Joe