On Tue, 9 Oct 2001, Lorin wrote:

> Ok, while i'm not a particularly big fan of M$ or IIS, or any of their
> products, i'm gonna take the chance to poke at your arguments for a sec.
>
> > Remote root exploits in apache since its creation: 1 (1.2.x, remember?)
> > Remote root exploits in IIS in the last year: 3? 4?
>
> Comparing IIS to apache isn't really fair, at least compare it to
> something that does dynamic generation. How many Unix servers have been
> hacked through poorly written perl scripts? Or even not hacked, just
> brought down through their intended use? Once you've got mod_perl running
> in your app, there's all kinds of mess you can code yourself into.

Now we've switched topics again. I can't say for sure, as i'm sure no one
on the planet can, but i'd bet, that there are about as many poorly written,
easily crackable ASP scripts out there (if not more) than there are of
modperl/php/fill-in the blank.

> > that if it's open source system, YOU CAN DO SOMETHING ABOUT IT. If you are
>
> How many people actually fix their own security holes? Most admins wait
> for a patch from the affected software. Bind, Sendmail, etc. Those are
> even the decent admins. I mean the likelihood that the inexpensive M$
> admin that couldn't patch IIS is going to fail to patch the bind exploit
> is pretty high.

This is true, but there is another key point here. The people that work on,
let's say the apache project, work on it, because they like to do it. It's
honorable. The people that work on IIS get PAID to come in 9-5, this
doesn't mean to imply that they hate their jobs or anything, but it doesn't
have nearly the compassion, of say, Apache. It also lacks power and
expertise. But now we are into another closed-source versus open source
software argument.

> > system there is a lot more to it than just the admin. The key point being
> > using M$, the best you can do is pray for a quick patch that won't break
>
> He claimed the patches were available before the virus hit.

Sorry, which one of the n viruses that came out in the last year was patched
before it hit? Oh, that's right, the last one, well that's a nice gesture,
too bad it didn't help.

> > Remember service pack 2, NT 4.0? It was the hotfix for the horrible errors
> > they made in service pack 1, but they broke even more than they fixed.
>
> Oh, you mean like the RedHat 5.0 release?

Okay, true. That was 5.1, actually, and it only broke the image library
system (libpng and libjpeg), if you were using it as a server, you wouldn't
have even noticed.

> In all seriousness, i can't advocate using M$ products, but i think the
> blame can be spread around a little. You should save a little for the
> people that chose to use their products, and the ones that couldn't figure
> out how to set them up.
>
> -Lkb
>
> > What's the quote from "Ghost World"? "It was so bad, that it was funny
> > again, and then it wasn't."
> >
> > Cheers,
> > sach
> >
> > On Tue, 9 Oct 2001, Lorin wrote:
> >
> > > http://www.theregister.co.uk/content/4/22132.html
> > >
> > > Critical to gartner groups advisory to switch away from M$ products. I'm
> > > not sure i agree with most of his points about how it doesn't matter that
> > > much which system you use, but the argument towards the end was
> > > interesting:
> > >
> > > 'One thing is for sure: If you've got an admin that can't secure a
> > > Microsoft Web server, then your chances of having them secure a Solaris
> > > installation will be slim.'
> > >
> > > -Lkb

--
/* Sach Jobb [EMAIL PROTECTED] %s/windows/linux/g */
"As far as i'm concerned the two biggest hassles in the world revolve
around DNS and girlfriends." -- (name undisclosed to protect the innocent)
