Here's the bottom line. Microsoft product rules. But Microsoft sucks. Not
the other way around.






>From: "Rey Bango" <[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: CF-Talk <[EMAIL PROTECTED]>
>Subject: Re: Check out what Gartner is recommending. Drop IIS!
>Date: Tue, 25 Sep 2001 17:46:53 -0400
>
> > You sound like you know more about this than I, but do you really believe
> > that IIS is as secure as apache etc?
>
>Hmmm. That's really hard to say. You'd have to be able to really look under
>the hood to make a firm judgement. I think that if you stay on top of IIS
>and manage it the way it should be, it can be very secure. These worms have
>simply exploited holes that were previously reported. Had these holes been
>patched, then the worm's capability to propagate would've been greatly
>diminished.
>
>I need to restate this because I think it's very important. The biggest issue
>with IIS is administration. You have too many people deploying IIS that are
>underqualified or overworked. If you don't know squat about IIS or
>webservers, you're asking for trouble. If you're overworked because your
>boss is too cheap to get ya some help, you're bound to overlook something or
>just not be able to get to it in time.
>
>If you have the time, though, to actually stay on top of the patches, you
>can make any product secure.
>
>Rey...
>
>
> >
> > Benjamin
> >
> > PS For me this isn't an issue of cash/cost of ownership etc, just security
> > (Which is grave indeed - obviously).
>
>
>
>
>----- Original Message -----
>From: "Benjamin Falloon" <[EMAIL PROTECTED]>
>To: "CF-Talk" <[EMAIL PROTECTED]>
>Sent: Tuesday, September 25, 2001 4:59 PM
>Subject: Re: Check out what Gartner is recommending. Drop IIS!
>
>
> > Lots of good points Rey,
> >
> > I agree with you. I think my comments were perhaps aimed a little more at MS
> > than at the article itself, but it's interesting to take note of other
> > articles that report the 'report' as it were.
> >
> > Take this for example:
> > http://it.mycareer.com.au/breaking/2001/09/25/FFXI5T3L0SC.html?NDailyH
> >
> > This report lacks the 'urgency' of the original cnet post so I think that
> > perhaps part of the issue is the news reporting. Having read the above link
> > prior to your original post the first word I noticed was 'immediately' (in
> > bold and at the beginning of the article). This lowers the credibility of
> > the report itself IMO.
> >
> > You sound like you know more about this than I, but do you really believe
> > that IIS is as secure as apache etc?
> >
> > Benjamin
> >
> > PS For me this isn't an issue of cash/cost of ownership etc, just security
> > (Which is grave indeed - obviously).
> >
> >
> > ----- Original Message -----
> > From: "Rey Bango" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 26, 2001 6:22 AM
> > Subject: Re: Check out what Gartner is recommending. Drop IIS!
> >
> >
> > > Thanks for the feedback bud but I still disagree. IIS and Microsoft are just
> > > the flavor of choice now for the cracker community. If you go to
> > > SecurityFocus.com, you'll see that both Linux and Apache have a long history
> > > of security issues. Look up Sun and you'll find the same thing. If we were
> > > to call IIS "shaky" simply because of the current security issues, then I'm
> > > not exactly sure what to call the other operating systems that at one time
> > > had many security breaches and to this day, still have to constantly patch
> > > their implementations.
> > >
> > > I truly hope MS is sincere in their statement of rewriting IIS but
> > > inevitably, there are still going to be hacks. The strongest OS that I've
> > > seen publicly available is OpenBSD and that's because they audit *every*
> > > line of code in their BSD offering and many of the accompanying packages.
> > > Those that can't be audited are put into a "ports" tree and an advisory is
> > > specified accordingly. Anyone that would come out and say that SunOS, Linux
> > > or FreeBSD (very good webserving alternatives) are without security issues
> > > would be a liar.
> > >
> > > I certainly acknowledge that IIS & WinNT/2K have some security issues but I
> > > have seen and experienced the same thing on other OSes.
> > >
> > > As for Gartner, like I mentioned originally, they sway with the wind. I find
> > > them to be very good sometimes and VERY crappy on other occasions. I've seen
> > > their reports for the last eight years, through the client/server days and
> > > now with ecommerce and, frankly, have seen a steady decline in their
> > > analysis of anything. It's almost as if they just hire any schmoe to do a
> > > review of some business practice, regardless of that person's skills or past
> > > experiences. I remember when they smacked Sybase around because they didn't
> > > have row-level locking when in reality, 90% of DBMS users, at that point,
> > > had no need for that feature because they weren't in a high-OLTP
> > > environment. It was stupid and this latest report is right in line w/ the
> > > deteriorating level of their reports. It makes very poor fiscal sense for a
> > > large corporation to drop critical web servers and start a huge migration to
> > > a new platform of which they probably have no knowledge. You want to see a
> > > real security mess? Get a bunch of MS-focused companies to switch to Linux
> > > and watch the crackers have fun. Then let's see what Gartner would have to
> > > say.
> > >
> > > A better argument would've been to recommend that companies start taking
> > > security seriously and invest in training their existing staff as well as
> > > supplementing those overburdened admins.
> > >
> > > Rey...
> > >
> > > ----- Original Message -----
> > > From: "Benjamin Falloon" <[EMAIL PROTECTED]>
> > > To: "CF-Talk" <[EMAIL PROTECTED]>
> > > Sent: Tuesday, September 25, 2001 3:42 PM
> > > Subject: Re: Check out what Gartner is recommending. Drop IIS!
> > >
> > >
> > > > Maybe a little OT, but my 2c.
> > > >
> > > > I wouldn't call that stupid at all.
> > > > Consider all of the attacks aimed squarely at IIS in the past few months.
> > > > It's only going to increase. I've had personal experience with being hacked.
> > > > I run 2 internal IIS development boxes for CF and an internal hack replaced
> > > > *ALL* index.htm, default.htm files in all folders in the web serving
> > > > directory. Lucky more files were cfm.
> > > >
> > > > I'm not a 'server' admin (by title) but I can thank MS for this. If they
> > > > released a tighter web server with less vulnerabilities maybe there would be
> > > > fewer viruses/hacks that could penetrate. People shouldn't need to have to
> > > > patch every week.
> > > >
> > > > Doesn't that fact indicate that just *maybe* the software itself is pretty
> > > > shaky?
> > > >
> > > > Consider this quote from the article,
> > > >
> > > > "Gartner remains concerned that viruses and worms will continue to attack
> > > > IIS until Microsoft has released a completely rewritten, thoroughly and
> > > > publicly tested, new release of IIS,"
> > > >
> > > > Rewritten. That would be a good idea. Try to imagine a pair of pants with as
> > > > many 'security' patches as is and will continue to be required for IIS. I'd
> > > > say the pants would be more patches than pants.
> > > >
> > > > Just a thought,
> > > >
> > > > Benjamin
> > > >
> > > > PS maybe apache would be a good alternative.
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Rey Bango" <[EMAIL PROTECTED]>
> > > > To: "CF-Talk" <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, September 26, 2001 3:03 AM
> > > > Subject: OT: Check out what Gartner is recommending. Drop IIS!
> > > >
> > > >
> > > > > Now, I've always found Gartner to sway in a particular direction based in
> > > > > the wind changes and the phases of the moon but this recommendation is just
> > > > > plain stupid. Check it out:
> > > > >
> > > > > http://news.cnet.com/news/0-1003-200-7294516.html
> > > > >
> > > > > Rey Bango
> > > > >
> > > > >
> > > > >
> > > >
> > >
> >
>