Date: Tue, 21 Mar 2000 11:20:44 -0800 (PST)
From: Kris Kennaway <kris@FreeBSD.org>
To: Olaf Hoyer
Cc: freebsd-chat@FreeBSD.ORG
Subject: Re: E-Commerce and security
In-Reply-To: <4.1.20000321184816.009fb320@mail.rz.fh-wilhelmshaven.de>

On Tue, 21 Mar 2000, Olaf Hoyer wrote:

> So, basically I am interested in detailed material/sources about the recent
> Yahoo/Amazon etc DoS attack, seen from technical side, and general security
> spots and how to address them.

See the bugtraq archives or the www.securityfocus.com library for some analyses of the off-the-shelf DDoS tools out there. There's really nothing interesting or sophisticated about their effects - the design of the tools themselves and how they can and cannot be stopped is more interesting.

I guess the most important point to make about security is to make sure you know what you're doing - don't just leave it at the "well, it's working" stage, or be satisfied if some junior systems guy takes a pass over your webserver. *So many* e-commerce sites out there are insecure, usually because of unaudited systems and poor default settings, or lack of understanding of the technology and how not to use it, and it's putting their business, and their customers' money, at risk.
The crypto-gram newsletters (www.counterpane.com) and the RISKS digests (http://www.CSL.sri.com/risksinfo.html) are good general resources for the kinds of security pitfalls people make (the former is more focussed on cryptography, as the name suggests).

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe