Gossamer Forum

Do you want Password Protection in the next Links version?

(Page 2 of 2)
Re: Do you want Password Protection in the next Links version?
No matter how hard I click on the "To close this thread, click here (moderator or admin only).", I just can't seem to do it - just kidding :)

Off topic but as a sidenote, a properly administered .htaccess/.htpasswd (non-NT of course) setup is virtually impossible to crack. I have not had a single successful crack in over 2 years. And my sites are hit using cracking software 1-3 times per day with some attacks lasting 1-2 hours. Fortunately they occur in the wee hours.

My strategy is to ensure Usernames and Passwords are dissimilar, are 8 characters long and contain both letters and numbers. Works like a charm. I also screen out common strings frequently used by pirates - like letmein. I also track IPs and date/time (since both are required in the case of dynamic IP addresses) of crackers to trace them to their ISP. I've had a number of ISPs aggressively pursue these people - particularly when I present them with a legal email fully detailing the event.

Dan :)
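Dan's policy above (8-character usernames and passwords with letters and digits, dissimilar from each other, common strings screened out, failed attempts tracked by IP and date/time) as a small Python check. This is an added example, not code from the thread or from Links; the denylist beyond "letmein" and the Apache log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed denylist: Dan names "letmein", the rest are assumed examples.
COMMON_STRINGS = ("letmein", "password", "qwerty", "123456")


def credential_ok(value: str) -> bool:
    """Dan's rule for a username or password: exactly 8 characters,
    at least one letter and one digit, and no common string inside it."""
    if len(value) != 8:
        return False
    if not (re.search(r"[A-Za-z]", value) and re.search(r"[0-9]", value)):
        return False
    lowered = value.lower()
    return not any(s in lowered for s in COMMON_STRINGS)


def pair_ok(username: str, password: str) -> bool:
    """Both values pass the format rule and are dissimilar
    (neither equals the other nor is contained in the other)."""
    if not (credential_ok(username) and credential_ok(password)):
        return False
    u, p = username.lower(), password.lower()
    return u not in p and p not in u


# Constructed Apache common-log lines (documentation-range IPs, 401 = auth failed).
LOG_LINES = """\
203.0.113.7 - - [06/Apr/1999:03:12:01 -0500] "GET /members/ HTTP/1.0" 401 401
203.0.113.7 - - [06/Apr/1999:03:12:02 -0500] "GET /members/ HTTP/1.0" 401 401
203.0.113.7 - - [06/Apr/1999:03:12:03 -0500] "GET /members/ HTTP/1.0" 401 401
198.51.100.9 - - [06/Apr/1999:03:15:44 -0500] "GET /members/ HTTP/1.0" 401 401
198.51.100.9 - dan [06/Apr/1999:03:15:50 -0500] "GET /members/ HTTP/1.0" 200 1532
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')


def failed_logins(log_text: str, threshold: int = 3) -> dict:
    """Map IP -> (count, first timestamp, last timestamp) for every IP with
    at least `threshold` 401 responses: the IP plus date/time that Dan says
    an ISP needs to trace an abuse report back to a dynamic-IP customer."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "401":
            attempts[m.group(1)].append(m.group(2))
    return {ip: (len(ts), ts[0], ts[-1])
            for ip, ts in attempts.items() if len(ts) >= threshold}
```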
Re: Do you want Password Protection in the next Links version?
  
Quote:
First off, we are comparing server based authentication and script based authentication. I don't think you mean client-side (i.e. using Javascript).

Well, yes and yes.

Yes, we are comparing server based authentication and script based authentication. Or rather, a lack of script based authentication in Links, relying solely on server based authentication for protection. But, I don't think I'm drifting too far from the core argument.

I understand the stance GTI has taken. And, I agree with it from a programmer's point-of-view. If I'm reading the situation correctly, you've shifted the responsibility of password protection, and hence liability, from GTI to the end-user, using the assumed technological superiority of server based authentication as the rationale.

However, if you'll remember, I framed my original question and comments in a "Windows cry baby" context :) and that's where I was headed with the client-side comment. So....

Yes, I did mean client-side password protection or "client request containing credentials" as Microsoft puts it. I don't think we should get hung-up on precise terminology and definitions, but I'll try to be more accurate so as not to confuse.

Quote:
Secondly, your demonstration merely showed how script-protection and the lack of picking good passwords pose a security risk. I fail to see why it demonstrates that script-based is superior to server-based.

I don't pride myself as being a hacker, but let's just say I easily went around both the server based authentication and script based authentication on two sites in less than a half-hour. Neither site or type of authentication was any harder to circumvent than the other. So, let's just leave it at that. The point was supposed to be, one is NOT superior to the other from a security point-of-view. Although, from certain other stand-points, such as product liability, I can understand the preferability of one over the other.

Quote:
If you are concerned that much about it, make your admin only accessible via secure server (https).

Well, this was a little patronizing on your part, but I suppose I deserve it at this point :) I know I'm belaboring this discussion. I'll give up soon... :)

First of all, you can't Telnet into a WinNT/IIS server. At least, not to my knowledge. However, you can FTP into one. Actually, there are three ways to get into a WinNT/IIS server via the net:

1) An FTP client logs on with a valid Windows NT username and password.

2) A WWW (HTTP) request's headers contain a username and password.

3) A WWW browser supports NTLM (Windows NT native) authentication, and an anonymous client request is denied access to a resource.

In the first two instances, you're sending your name/password across the Net in clear text. In the last instance, you're sending your name/password encrypted via the NTLM protocol, which you can only do with I.E.

Yes, I could setup Links administration in a secure link, but then I still have to add the password protection code to YOUR program, which takes us back to the original argument.

What I was trying to point out in the previous message was that nobody is going to use NTLM authentication on a WinNT/IIS web server because it's browser dependent. So that leaves us with HTTP basic authentication which is easy to "sniff". And once someone intercepts this information, they'll be able to log onto your WinNT/IIS server at an administrator level.

If there was at least SOME script based authentication in Links, it would make running it on a WinNT/IIS server much easier and safer, albeit less secure than if we took the huge risk of running in a basic authentication mode.

Since we seem to be getting into a circular argument here, let me ask you this. Can you explain to me how NO password protection in Links is superior to ANY password protection? That is, how can no password protection be better than some?


[This message has been edited by Snap Head (edited September 23, 1999).]
Re: Do you want Password Protection in the next Links version?
I just can't stand it anymore:

Alex - I'm not really sure why you are so against having a password feature. I use the Discus discussion board on my site. It has a password feature, but also came with explicit instructions that this is only partial security, advises you to pick an obscure name for the admin directory and place it totally outside the rest of the forum scripts, then makes it quite clear you need to use htaccess if it is available. I do all three. Could it be hacked? How should I know? Probably...but I feel better doing all three! Someone without htaccess (for instance, I did not have this ability with my ISP's UNIX server, but could run all the scripts I wanted) or those on NT would, in fact, benefit from SOME protection provided by the script itself. Just because server side security is best shouldn't have to mean "so too bad for you". Based on what you have been able to do with this script, I'm sure you are more than capable of adding some password scheme to the next version. Would doing it be such a bad thing?

Snap Head: Pounding on this subject relentlessly is NOT going to do anything for you. This feature is simply not available in Links. Period. With all due respect, if that ain't good enough for you, pick one of the competitor's scripts that has what you want or find a third party script you can incorporate yourself. That's the way of the world. You had it right in your first post--What about you windows cry babies? You picked the server you wanted to use...if its protection scheme sucks this bad and you need security, why the *&#$ are you using NT? Blaming Alex because you chose a server that doesn't meet your needs is totally pointless. And BTW: I don't know what you did to XanthisHP's files and I know he took it well and all, but if you think that kind of crap scores you any points you are dead wrong.

OK...I feel better now.
Re: Do you want Password Protection in the next Links version?
Brad:

Quote:
Pounding on this subject relentlessly is NOT going to do anything for you. This feature is simply not available in Links. Period.

I agree with your first point, however, I wasn't trying to get anything done FOR MYSELF by starting this discussion. So, I have no expectations in this regard.

Secondly, Alex does listen to Links users and make changes accordingly. I know, for instance, that Alex put the rating system in Links version 2, even though he doesn't particularly like the idea. But it was a big thing that lots of users wanted, and I personally love the rating feature. Maybe he'll rethink password protecting Links if enough people ask for it, eh what?

Quote:
You picked the server you wanted to use...if its protection scheme sucks this bad and you need security, why the *&#$ are you using NT?

I stated this above, but maybe you missed it.

Quote:
We have sites on a UNIX server, FreeBSD server, and our own Slackware server. We also run a Wildcat! BBS on a dedicated Win95 server, locally. It just so happens that we are using a WinNT server for our own domain.

It appears that the most popular OS/Web Server combination is Apache HTTP server running on Linux. And, I might add that real web sites use FreeBSD. But, to answer your question, I'm using WinNT/IIS for Lenon.com because I wanted to get some experience in its use.

While there will always be some helpful person that will tell you that Unix is clearly better for your situation because of reason Q, there will also be some other person who will tell you that WinNT/IIS is clearly better for your situation, because of reason X. It is particularly amusing when these reasons are the same reason.

One notable example of this is the GUI debate. Unix is better because you don't waste time with a GUI, and NT is better because it has this nice GUI. Both sides of this particular argument are meaningless without considering what is behind these comments - an existing skill-base that you have to consider in your decision. So, I decided to use WinNT/IIS to try to cut through all the hype - you know?

Quote:
I don't know what you did to XanthisHP's files and I know he took it well and all, but if you think that kind of crap scores you any points you are dead wrong.

Well, I deserve that comment and I totally agree with you. I know I was shamed by that, but his comment that "Ignorant people will post over and over for password protection..." and his smug resolve about being protected on his site solicited an irrational response on my part. I've apologized to him and he's accepted it, so let's let sleeping dogs lie, okay?

There, "I feel better now" too :)

Dan:

Quote:
...a properly administered .htaccess/.htpasswd (non-NT of course) setup is virtually impossible to crack.

All I can say, Dan, is I strongly suggest you visit Attrition's web site and spend a few minutes looking around:

www.attrition.org/mirror/attrition/

You'll find Lenon.com listed on this page as having been the victim of a mass "web page defacement" on 4/6/99 by some clown named "tekneek":

http://www.attrition.org/.../com/www.tentex.com/

When you're done, come on back and we'll continue the conversation :)

If you think this merry band of hooligans can't hack into your .htaccess/.htpasswd protected site, you'll find the information on their "Tempe-of-hate server" very enlightening and rewarding! I guarantee these guys can burst this myth :)

------------------
Lenon.com Homepage
www.lenon.com
------------------
Lenon.com Links Page
See our "Snap Interfaced"
Gossamer Threads Links v.2.0
www.lenon.com/links/pages
------------------


[This message has been edited by Snap Head (edited July 16, 1999).]
Re: Do you want Password Protection in the next Links version?
Be great if it could also protect folks under the transparent cgiwrap which leaves directories exposed. Don't find that Alex's fault, he didn't tell me to go to that hosting company.

Anyone know of a password protect to protect under cgiwrap?


thanks Gerardo
Re: Do you want Password Protection in the next Links version?
Well, what do you think about this thread, my friend? Has everything been said that can be said? :)

Re: Do you want Password Protection in the next Links version?
Let's put this puppy back into rotation. Maybe attitudes have changed in the past six months...

Re: Do you want Password Protection in the next Links version?
Hello Snap Head,

I don't see the point of this Topic anymore since Gossamer Threads has stopped developing the flat file system of LINKS. They are concentrating on the SQL version.

Regards,

------------------
Eliot Lee....
Former Handle: Eliot
Anthro TECH, L.L.C
anthrotech.com
* Check Resource Center
* Search Forums
* Thinking out of the box (codes) is not only fun, but effective.