Vulnerability Development mailing list archives
Re: Notes Domino Server Platform for e-commerce?
From: derek () INFINET COM (Derek Reynolds)
Date: Wed, 9 Feb 2000 22:50:44 -0500
Hello Blue,

Again, it all comes down to the person securing the Domino server.

--
Best regards,
Derek mailto:derek () infinet com

Wednesday, February 09, 2000, 10:34:35 PM, you wrote:

BB> Derek Reynolds wrote:
Hello Marc, Notes has been out much longer than Apache. It's got at least 10 years on it. There have been 0 password issues to date. I can list at least 20 issues with Apache in the last year but can't think of 2 for Domino. As my statement stands, I would deem Domino/Notes as secure.
BB> To paraphrase Darth Vader:
BB> I find your faith ... disturbing.
BB> To answer a few specifics: Notes/Domino has had a web component for like
BB> 2 or 3 years, not 10. Don't know exactly how long Apache has been around,
BB> but I believe it's a little longer. I agree that code review is one of
BB> the bigger factors for how secure something should be considered. We don't
BB> know how much Notes has had, it's not published.
BB> In any case, I don't think the original poster indicated whether or not
BB> he wanted to use the web publishing piece.
BB> Another indicator for how secure something might be is past bugs:
BB> http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-01-8&msg=7735C09B3FF.AAA5E91 () smtp03 wxs nl
BB> http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-08-22&msg=Pine.LNX.4.10.9908240957250.8661-100000 () omg clipper net
BB> http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-08-1&msg=Pine.SUN.4.01.9808051035120.8118-100000 () dfw nationwide net
BB> http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-12-22&msg=000a01bf4c57$fec98a70$6d49cfc3 () ewareness be
BB> Well, you get the idea.. securityfocus.com lists about 500 matches in
BB> Bugtraq for Lotus Notes, though it looks like 3 copies of each message
BB> show up in the search, so divide by 3 I guess.
BB> The vulnerability database there shows 4 items. I think it only goes back
BB> so far. Note that they're somewhat serious bugs, and recent.
BB> These things would *seem* to indicate that IBM/Lotus is still stuck in
BB> the wait-for-bugs-then-fix-them mode, and isn't doing a lot of proactive
BB> auditing.
BB>
BB> In addition, Notes (the whole collection of things called Notes) is
BB> pretty large and complex, and includes its own databases and access-lists.
BB> This does not 100% guarantee bugs, but IMNSHO, it makes them pretty likely.
BB> In addition, there's lots of room for misconfiguration.
BB> For example, at a previous employer, the Notes admins had published
BB> the .id files for users. By their thinking, since no one had the
BB> passwords, they were no good. I pointed out that they only had
BB> 6 character (upper and lower alpha) passwords, or about 35 bits
BB> worth of difficulty. Once you have an .id file that you have the password
BB> for, it can't be revoked. You have to kill that account entirely. They
BB> quit publishing the .id files.
BB> Ever wonder how Notes got 64-bit encryption allowed out of the US way
BB> back when? They took 24 of the bits, and encrypted them with an
BB> NSA public key. That meant the NSA could recover 24 bits any time
BB> they liked, and would only have to brute 40. So, the NSA arranged
BB> for Notes export permission. I have no idea what other kind of caving
BB> in the Notes developers did for the NSA.
BB> In short, I think calling Notes "secure" as a blanket statement is
BB> at best generous.
BB>
BB> BB
Current thread:
- Notes Domino Server Platform for e-commerce? Baasner, Frank (Feb 07)
- Re: Notes Domino Server Platform for e-commerce? Derek Reynolds (Feb 08)
- Re: Notes Domino Server Platform for e-commerce? Marc Esipovich (Feb 08)
- Re: Notes Domino Server Platform for e-commerce? Derek Reynolds (Feb 08)
- Re: Notes Domino Server Platform for e-commerce? Marc Esipovich (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Derek Reynolds (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Blue Boar (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Derek Reynolds (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Mark L. Jackson (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Allan Jacobsen (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Wozz (Feb 10)
- Re: Notes Domino Server Platform for e-commerce? Ryan R Permeh (Feb 09)
- Re: Notes Domino Server Platform for e-commerce? Crispin Cowan (Feb 10)
- Re: Notes Domino Server Platform for e-commerce? Ryan PErmeh (Feb 10)
- Re: Notes Domino Server Platform for e-commerce? Blue Boar (Feb 10)