Not really interested in starting the "Apache vs. IIS" war but making the
secured IIS vs. unsecured Apache comparison (no OS remember?) is not "a
weird argument to make", especially concerning this thread.  I find it quite
relevant in that the only true difference between a secure program and an
insecure one is proper configuration /*my opinion*/.  Even with proper
configuration, no program is void of bugs/vulnerabilities, some just have
not been discovered yet.  Now what I do find to be a weird argument is the
amount of configuration an OS (damn forgot about the no OS thing) allows one
to do.  Not trying to start the "Open Source vs. Closed Source" war either,
but just because you can hack the kernel in Linux doesn't make it any more
secure.  That's left in the hands of the sys admin and yes you can do plenty
to MS NT based OSs to make them just as secure as any Linux box.  And you
can do plenty to make them insecure as well.

Now if this list is about "insecure programs, nothing more, nothing less"
then why are items like telnet listed?  Whose telnet, Sun's, Linux's, MS's?
Telnet is a lot more than a program and so is nfs, rlogin, rsh, etc.  I
think that this list does have some merit but it should definitely not be
taken at face value.

But anyways I can feel Chris Berry thinking this is not what he is
interested in so then I will go ahead and post my own question to the list:

  What are your top ten criteria for evaluating a tool (program, service,
protocol, etc.) in terms of security?

Is the amount of coverage on SF your only one?  What about product support?
Vendor history? Open source vs. closed source? Corporate policy? Cost?
Vendor reputation? ???  Do you even have a formal set of criteria that a
tool must meet in terms of security or do the bean counters make the
decisions for you?

//I have my anti-flame suit on too so fire away


Vic Parat, Sr. Security Architect
Network Systems Security, LLC
www.nssecurity.com


----- Original Message ----- 
From: "Tim Greer" <[EMAIL PROTECTED]>
To: "Vic Parat (NSS)" <[EMAIL PROTECTED]>; "Chris Berry"
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, July 02, 2003 10:31 AM
Subject: Re: Ten least secure programs


>
>
> ----- Original Message -----
> From: "Vic Parat (NSS)" <[EMAIL PROTECTED]>
> To: "Chris Berry" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
> <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, July 01, 2003 12:28 AM
> Subject: Re: Ten least secure programs
>
>
> > I would definitely question some of your choices (is Apache more secure
> > than IIS?)
>
> Yes, very much. :-)
>
> > but I think top honors for "the ten least secure computer items" is an
> > under qualified system administrator.
>
> I agree 100%.  This is also why all the programs mentioned as insecure
> too, those pesky humans!
>
> Anyway, while I agree with you, the fact remains that the programs
> themselves differ from problems, one more so than the others.  Surely a
> secured Windows server is more secure than a non-secured Linux server, but
> that's sort of a strange argument to make.
>
> This thread is about insecure programs, nothing more, nothing less.
> Sometimes they are more insecure than others due to a common configuration
> error or default setting and that comes down to a lame sys admin.  Really
> though, how many people are really even qualified sys admins?
>
> Anyway, the point being, some programs are far more exploitable, in their
> default or highly configured state, than others... when comparing them as
> default to each other, as well as configured well, to each other.  Then,
> comparing them.  Also, mind the fact that depending on what you're talking
> about, some of them don't allow you to have the control to configure them
> and are thus insecure.
>
> For example, Windows only allows so much.  There's a lot you can do, but
> mostly a lot you can not.  Whereas a Linux or FreeBSD system, you have
> much more you can do, right down into hacking the kernel however you want,
> and even if far more involved of a process and much more skills needed,
> it's up to the person and their skills to configure, hack and use their
> skills to make the server/system far more secure than say a Windows system
> doesn't allow.
>
> Personally, I find that a default Windows set up is about as insecure as a
> default Linux set up.  Both need to have a lot done, but you can do a lot
> more with a Linux system.  Do most people have the time, let alone the
> comprehension?  Surely not, so we go back to your comment about
> unqualified sys admins.  I couldn't agree more.  However, two qualified
> sys admins skilled in their respective areas, the Linux sys admin can do
> more, unless that Windows sys admin is privileged enough to be offered the
> Windows source code to review and modify to locate and close any potential
> holes.
> --
> Regards,
> Tim Greer  [EMAIL PROTECTED]
> Server administration, security, programming, consulting.

