Subject | Re: [Firebird-general] MySQL warning users, contemplating changes after worm |
---|---|
Author | Fabricio Araujo |
Post date | 2005-01-30T04:04:47Z |
On Sun, 30 Jan 2005 10:46:42 +1100, Helen Borrie wrote:
>This is music for my ears...
>At 03:08 PM 29/01/2005 -0200, you wrote:
>
>
>>It's time to rethink some things, alas the ability of new
>>authenticated users (with no rights) to create database objects. And
>>the size of our really working password (which is 8 chars)
>>to something wider (such as 20 or + chars).
>
>These problems are, of course, addressed in the new security structures for
>Firebird 2.
>
>>But someone who let sysdba pass unchanged on
>>a production site deserves such an attack.
Then the s* flies to us also... ;-/
>
>Certainly. But the MySQL worm manifests itself by infecting UDF code. The
>same exploit is available to a badly protected site running a Firebird
>database that uses UDFs or, indeed, international languages.
>
>The problem - for both MySQL and Firebird - affects badly protected
>sites. In both cases, the protection for external libraries is already
>there. But some developers are too stupid or too lazy to implement it---it
>is they who allow the exploits to happen.
>Both MySQL and Firebird suffer from the same disadvantage: we try to make
>it easy for really stupid people. No matter how much security you build
>into the system, you won't stop idiot developers from distributing
>vulnerable applications. Those are the systems that get targeted by the
>virus writers. And, when the exploit happens, the mud sticks to all of us.