Hi,

> Apache has been around longer and resides on systems that
> are geek friendly. Considering the number of installations,
> the time it has been around, and that Apache is on systems
> that geeks love, does it not disturb you that there are
> still bugs? Especially considering how the open source folks
> hold themselves in such high esteem.

Apache, like any other software, will always contain some bugs. But compare them to those concerning IIS! For years, the most powerful bug found against Apache has been read-only access as user Nobody or a directory listing. For IIS? 3 new remote executions as Administrator in 6 weeks. Just install an Apache server and do not patch it for a year. It will still be up and running its original Web site. Now, install an IIS server and do not patch it... First, the OS running it will not stay up for a year, and second, so many major flaws will be discovered that the probability of ending up with a compromised IIS is very high.

> "There are three types of lies: lies, damned lies, and statistics"
> Mark Twain

If you do not trust statistics, trust your own experience: just do the test I suggested to you. Install 2 honeypot Web servers, an Apache and an IIS, and you will discover for yourself which one will be compromised first.

> > c) it is easier to harden an open system than a proprietary one.
> why?

Because you can easily access the bug, understand what is wrong and correct it. Also, there are many more people around the world maintaining Apache than IIS. When someone finds a bug in Apache, most of the time he will publish the solution with the bug. You cannot do so for IIS.

> > c-1) And I do not know any other way to harden an IIS than obscure
> > patches.. which close a lot of holes just opening new ones.
> so because you can not do it, means it is not possible? Have you
> been to the moon? Is that not possible either?

Not only him: no one can harden an IIS in any other way than patches or not using IIS itself. One solution is a filtering proxy (most I know are built using Apache...) for blocking HTTP requests. In this way, the IIS is still weak and contains a lot of flaws, but you will be protected by the filtering proxy. No product can be used to protect itself against its own flaws. This includes IIS. It is also true for Apache, but Apache does not need protection; it is already strong enough.

> Any new product will have bugs. That is a fact of life. Does MS
> software have more, maybe.

Not MAYbe: surely. And not because I do not like them personally. A product always contains a lot of bugs. The number reduces over time (when you patch them), but increases again when, as Microsoft does frequently, you include a new ""feature"" in your patches. The second problem is Microsoft's philosophy: a new product in less than 5 years. Do you remember NT without a service pack? Or service pack 2? Now with SP6a, NT 4 is much stronger and more serious than its first version was. But now that it is a more usable product, Microsoft removes it and replaces it with a brand new bug source: XP. And when XP becomes usable too, it will be replaced by a brand new shit too.

Finally, Microsoft has proved many times that they are not so smart... Just think about the LanMan hash or TCP sequence numbers... Both of them were replaced for security reasons because they were too weak. LanMan was replaced by a 100% incompatible tool, the NT hash. Not being compatible, both hashes were saved in the SAM. But what Microsoft did was terribly... STUPID! They produced a totally incompatible tool for security reasons, but they kept the most major flaws of the previous one! (unchained blocks of 7 characters). MD5 and SHA had been used for years. Why did they not use one of them? Same thing about the generator of TCP sequence numbers: they were time-based, so predictable. They replaced that with a so great algorithm: the new one could produce only even numbers of 4 bits. The entire space contains only 8 possibilities! Even much easier to predict than the time-based dependency was (which could require from 20 to 50 packets). They replaced something too easy to predict with something that is even easier to predict! No one other than Microsoft can make such stupid decisions. Apache and Unix do not do so. They re-use and keep the corrected source code. They add features, so they sometimes add bugs, but the basis is the evolution of more than 10 years for many of them. That is why they contain fewer bugs and, most important, bugs with lower impact. It is also why they have greater compatibility with their previous versions.

> The early versions of Apache, Netscape,
> AOL, TCP/IP, SSH etc... had their share of problems also. Sadly most
> people only see what makes their arguments look good. Since you
> sign with a comment about your O/S, it is obvious what side you
> are on.

Yes, I'm on the Unix side. But before, I was on NT. What does Unix offer that NT doesn't? A lot of things (powerful scripting, uptime, faster performance, lower hardware requirements and a lot more). What does NT offer that Unix doesn't? Problems! A lot of problems! Once you learn Unix, you learn what computers really are. And once you have learned that, you understand how poor IIS, NT and other Microsoft tools are.

Jacques Bourdeau