Domain: netcraft.com
Stories and comments across the archive that link to netcraft.com.
Comments · 4,560
-
SCAMP : Dogfood or Dogshit?
Darl can't even eat his own dogfood
...
http://www.sco.com was running Apache on Linux when last queried at 9-Mar-2006 20:57:45 GMT
Worse still ...
http://www.edgeclickpark.com was running Apache on Windows 2000 when last queried at 14-Mar-2006 14:43:14 GMT
Microsoft Windows 2000 Server with all vendor patches installed and all vendor workarounds applied, is currently affected by 21 Secunia advisories some of which are rated Highly critical.
-
Already there
With Netcraft toolbar http://toolbar.netcraft.com/
-
Since When...
...is reporting stats immature or "fanboy" behavior? There are plenty of sites that report stats ad nauseam for things that other people care little about. Would you call those sorts of sites immature or "fanboy" sites? I personally think the submitter has an axe to grind... Too bad you can't mod the people who get their articles submitted when it's something as stupid as the main story here.
-
Stock Mac OS has never once had remote exploit!
This "30 min" contest was for people with an actual SSH account given to them for a LOCAL exploit, so it's not a remote exploit, it also is not the most secure version of the Mac OS, but for SERVERS, nothing is as secure as MacOS.
Despite many high profile web sites and servers using OS9 for many years, not one database entry in the large BugTraq database documents a remote exploit for standard Mac OS in the history of the internet, even with a common web server running on it.
Even the US Army used macs exclusively (mostly MacOS 9 until recently) after being rooted routinely using unix and MS Windows NT. For many many years www.army.mil has been run on macintoshes exclusively.
The same is true of many colleges that were rooted and defaced too often on Linux. They installed WebStar and OS 9 and never had to worry again.
http://uptime.netcraft.com/up/graph/?host=www.army.mil
http://www.google.com/search?q=army+webstar+"os-9"
Check it out yourself. This entire post is full of factual citations and 100% facts.
No mac in the history of the internet hosting a web server has ever been rooted or defaced remotely.
Why?
Because not one version of Mac OS has ever had a single exploitable hole ever discovered. (classic mac os now up to version 9.2.2 on currently sold g4 towers). OpenBSD has had no less than 5 holes (not one) in the default install in the last two years. Mac OS has had ZERO in over 8 years, even when paired up with its preferred web server app.
In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac exploited over the internet remotely. Scan it yourself.
That is why the US Army gave up on MS IIS and got a Mac for a web server. Currently it is a honeypot for OSX testing, and US Army use regular Mac OS on other internal servers
This post is not talking about FreeBSD derived MacOS X (which already had more than 50 exploits and potential exploits in BugTraq database, and in the news yesterday with Symantec claiming in March 2005 of OSX having remote exploits) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.
Why is it hack proof? These reasons :
1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"
2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.
3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator. Additionally certain types of compilers can check range on assignments to prevent out of bounds. Furthermore many good programmers ensure that the bounds are not overwritten.
4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward -
Check out what OS is hosting their site
-
Re:not that it matters...
check netcraft.com (Here, I'll do it for you.)
windowsdevices.com is in the netblock owned by linuxdevices.com. -
Re:Slashdotted while still red
They're not running Mac OS X. Check it out for yourself.
Free iPod? -
Re:Future product : Google Webhosting Package
A lot of small to medium-sized web hosting companies are worried about this (see Netcraft's story). But based on the Page Creator beta, they have nothing to worry about. It's inferior to dozens of web-based page builders already in use at hosting companies. Even Blogger is way easier and has better designs.
-
Overall idea is to make more money
Yup make more money from Free Web Hosting. According to netcraft "The free hosting ramp-ups by Microsoft and Go Daddy are a response to surging revenue from contextual ads on web sites. In its most recent quarter, Google reported $1.1 billion in advertising revenue from its own sites, and another $799 million from third-party sites using its AdSense program. The rapid growth of domain parking services has also illustrated the earning potential of large portfolios of web pages bearing contextual ads."
I am damn sure; they are going to introduce paid web hosting (Ghosting). -
Actually, it's not.
A quick look at netcraft will clearly show that Apache (ie, mainly Unix-likes) are more popular than IIS (ie, Windows) for internet servers by a factor of 3 to 1.
-
Netcraft shows a different picture
If you check out Netcraft's site and their web-server survey, which puts Apache use at ~68% and Microsoft IIS use at ~20.5%, you see a much different picture. I think this contributes positively to the argument many are stating here that quite a number of people no longer purchase a Unix server solution, but rather build something themselves or purchase a server without an OS...and then they put Linux or Solaris or any of the other free OS's on it. Also I don't know that IDC considers a MacOS X solution as 'Unix'.
Netcraft's Web Server Survey:
http://news.netcraft.com/archives/web_server_survey.html -
Netcraft Toolbar
This is why everyone should install the Netcraft Anti-Phishing Toolbar...unless they really know what they are doing (read IT professional)...
All of your users/customers should have this installed...besides rating the risk of the site based on previous reports, it would also have shown how long the site was registered...which even on this phishing site was probably a matter of days...as a matter of fact, I can see this as a good feature to include within Firefox...whenever you view the SSL certificate, show the domain registration info...
Looking at some of the domain registration info, it's obvious that including the DNS Admin, Organization, and Nameserver Organization, you would have easily identified a fake...
Even better yet, why not have a certification process for banks and such that could opt to have their ISP verify their identity...then when you visit their SSL site, your browser could display the verification info beside the "security lock"...
Of course, if you want to change the way the "Security Lock" works in browsers, in the US you could set something up with the FDIC that would use a DNS lookup similar to the way DNS Block Lists operate...only this one would tell you if the site was a valid banking site...I guess the "Lock" could change to a "$" or something if it was verified as a banking site...web sites could simply request the check in some way (HTTP header or something)...the header value could represent the type of site (US Banking Site...check with FDIC...) -
Phishers have been using SSL since 2004
Phishing scams have been using SSL in attacks since 2004. Last year Netcraft identified more than 450 phishing attacks that used SSL certificates in one form or another. However, the tactics seen in the Mountain America attack are more sophisticated than previous attempts. In many previous attacks the phishing crews have used an https URL with an SSL cert they know will trigger a browser alert, banking on the likelihood that many users will trust the padlock and ignore the certificate. This one is designed to fool more sophisticated users who actually check the certificate.
-
Recognition well deserved.
I was reading through your post and until I got to the "12 minute half life" thing I thought it was actually interesting - then I realized I recognized you.
You don't know anything.
The 12 minute half life. It's a clear descent from 20 minutes the previous year and 40 the year before it and the minimum noted was four minutes.
Idiots like you Ack-Bartender, are easy to recognize too. John Marriot, if you are the loser responsible for anti-slash.org, I'm happy your plans to become a high school teacher failed. There would be less failure in your life if you quit wasting so much of your time hating slashdot (http://cowboyneal.org/). I second this thought (http://cowboyneal.org/).
-
Re:Firefox more successful than Linux?
As far as desktop penetration, I'd have to concur. But Apache has eaten IIS for breakfast in the server market.
-
Use examples that hit close to home
Upper management will eventually state that no one uses Linux. When they say that give them a couple thousand examples of major entities that publicly use open-source software. For example:
The US Library of Congress
http://uptime.netcraft.com/up/graph/?host=www.loc.gov
Google
http://uptime.netcraft.com/up/graph/?host=www.goggle.com
Forbes
http://uptime.netcraft.com/up/graph/?host=www.forbes.com
Wall Street Journal
http://uptime.netcraft.com/up/graph/?host=www.wsj.com
New York Stock Exchange
http://uptime.netcraft.com/up/graph/?host=www.nyse.com
Ford Motor Company
http://uptime.netcraft.com/up/graph/?host=www.ford.com
Better yet, go through the Forbes 500 list and see just how many of those companies use Linux, Solaris, or any other *nix that is open-source or has had open-source underpinnings. Check the web servers, the MXs, etc. I see a couple that use Windows web servers but I'd be willing to bet that they have an open-source item somewhere that's publicly accessible.
-
Re:First maybe?
Why guess?
Facts are right there. -
Re:Ugh, that's annoying.
That's OK, we know who you are. The other AC...
I doubt there are more than two or three of you assholes. It would be nice to know who you are.
I have some ideas that are easy enough to follow up on.
-
Re:They don't run their servers on Linux, eh?
Hate responding to myself, but I wanted to point to the fact that JPL's main server runs Linux:
http://uptime.netcraft.com/up/graph/?host=www.jpl.nasa.gov
Linux Apache/1.3.29 (Unix) PHP/4.3.4 28-Sep-2005 137.78.99.23 National Aeronautics and Space Administration -
Re:My top 10
The Apache web server (STILL the most popular web server in the world today and consistently more secure than Microsoft IIS)
"Still"? It's been steadily increasing its lead over IIS for years. -
Try something a little different
Bytemark - UK based, £15 a month - you get your own User Mode Linux machine, choice of distro, root access, and it's fast and reliable.
Have a look at my uptime - http://toolbar.netcraft.com/site_report?url=http://cnuk.org -
Re:Anyone else notice...
They seem to be using the Netscape web server ( http://uptime.netcraft.com/up/graph?site=http%3A%2F%2Fwww.urge.com ) at their root, with Akamai providing various load balancing (I could be completely wrong here, though), so that would make sense. -
Re:Must Have A Pretty Bad Webserver
-
Re:I get sun logo too
http://uptime.netcraft.com/up/graph/?host=www.urge.com
Linux Netscape-Enterprise/4.1 5-Jan-2006 84.45.224.8 ADSL endpoints NAT conections only
Linux Netscape-Enterprise/4.1 5-Jan-2006 213.160.98.168 Akamai Technology -
Re:I get sun logo too
Same here. One possible reason may be that they're running Solaris 8.
http://toolbar.netcraft.com/site_report?url=http://urge.com -
MacworldExpo.com is hosted on several Windows 2003
Just wanted to throw that into the mix. Useless info, with humor
http://toolbar.netcraft.com/site_report?url=http://macworldexpo.com -
Re:Macintouch Slashdotted
dude, it's not a troll. It is running WebSTAR on MacOS 9. The last time I checked, the latest hardware to boot OS 9 were G4s which haven't been around new in at least a year and a half.
http://toolbar.netcraft.com/site_report?url=http://www.macintouch.com -
Re:Netcraft confirms it...er...
You can get much more interesting stats from Netcraft, check out the title and number 7!
Haydn. -
Netcraft confirms it...er...
http://searchdns.netcraft.com/?host=nothing&position=limited
Educated guess anyway.
-
must be on your end.
Here is what I get from their home page. Microsoft OLE DB Provider for SQL Server error '80040e31' ½Ã£ Á¦ÇÑÀÌ áǾú½ÀÏÙ.
//global.asa, line 72
Netcraft says they don't touch that M$ stuff, and it looks fine from here. Talk to your network administrator or ISP about what you see.
-
Re:a nugget of wisdom
So why don't web servers count when 'entire operating systems' do? Web servers are always connected to some sort of network, if not the Internet. They wouldn't be much use otherwise. They often have all sorts of modules/plugins loaded, some third-party. They often have to run all sorts of interpreted languages (Perl, Python, PHP, ASP, etc) with scripts written by all sorts of people. They can also run other executables on the host system. They often have to access a database, either on the same machine or over the network. They often send email and even receive it (e.g confirmation emails).
Most importantly, they're often very public machines (not including intranets). And they can be holding (or have access to) very valuable data e.g banking details, email addresses, passwords. Web servers may be out-numbered by desktop machines, but they're still very attractive targets.
So, would you like to have another try at explaining why Apache HTTP server has been the most used web server for almost ten years now, but is not the most attacked?
-
Re:NSA's reject pool...actually through the DHS I believe they're all tied together now with little oversight and enough problems to sink a battleship
Now with the NSA's IIS
.NET bungle - perhaps they got persistent cookies when they went to rather insecure Passport authentication scheme -
Re:Misnomer.
Reality has no precedent around this place, or in much of the OSS community.
That's right. No reality.
Like Apache is not a reality, with its 75% market share.
Like PHP's popularity as the #1 web scripting language?
Come on, man! -
Look at how much Windows is on verizon.net
ISPs want money, and they're not going to crush their customers for using "insecure platforms" unless they really are insecure.
It's a question of marginal revenue.
Plus, it's not like any mission-critical hardware in any ISP worth its bandwidth runs Windows-- they'll mostly be powered by some *nix-like OS.
www.verizon.net is running IIS 5.0 on Windows 2000, and so are a lot of other web servers on the same domain.
-
Inside Joke
"The group's founders include IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Disney and Warner Bros."
What is funny is what netcraft shows as the server OS; bet MS isn't happy; perhaps clueless. I guess those license fees are just a little too high:
http://uptime.netcraft.com/up/graph?site=www.aacsla.com -
Re:Uhm...
"How is this article generating all this Ruby-anti-Ruby nonsense when it's a question of Rail implementation? More importantly, why isn't there a PHPoR?"
Not that this matters, but according to http://www.netcraft.com/ http://www.rubyforge.org/ is running *GASP* "66.92.150.242 Linux Apache/1.3.33 Unix mod_gzip/1.3.26.1a PHP/4.4.1 13-Dec-2005"?!
Like I said, not that it matters that the site pushing Ruby on Rails is running on PHP. I downloaded RoR anyways. We'll see if it runs on FreeBSD 5.4. -
Two Different Threats, Both Problematic
The two examples feature separate problems that are both serious, but not easy to combine. The IRS phishing scam was enabled by an open redirect on the govbenefits.gov web site that allowed phishers to craft a URL that uses the govbenefits.gov URL but instead sends users to a web server in Italy. Security flaws in trusted sites are found and exploited quite often by phishing crews, who look for applications that are likely to allow redirection or cross-site scripting. The NIST site, which hosts the US cyber-vulnerability database, was recently found to be briefly vulnerable to cross-site scripting.
The eBay issue was simply a case of a tech support staffer who failed to recognize a scam domain, rather than any technical wizardry or social engineering expertise on the part of the scammers. It's a good argument for adopting defense at the browser level (i.e. toolbars and in-browser blocking) rather than counting on banks, registrars or hosting companies to shut sites down.
-
Re:Thanks Slashdot! Good registrar recommendation
Yes.
InetAddresses.net
I have had registered domains since at least the mid 90's and ended up having one problem or another with every registrar I tried until the last couple of years when I changed to inetaddresses.net.
Here is what I always recommend that people look for.
- That the registrar is running on Unix for security and stability. BSD or Linux is the most common, but even commercial Unix will do. If they are running this kind of service on a toy platform, that is usually a sign of more problems to come. You can use netcraft to probe to see what platform they are running on.
- They have toll free phone support that does not leave you on hold for 30 minutes to reach a human. Doing without this to save a couple dollars/year will always end up costing you many times what you saved from my experience.
- The price is competitive but not dirt cheap. Registrars have to pay $6.00/yr to Verisign/Network Solutions for every domain they register. If they are letting you register them for less than they can profit on then you ARE going to pay for it somewhere, such as having to pay extra for domain management capabilities or just plain lack of management capabilities, email/url forwarding, requiring you to buy other services, terrible or no support, etc.
-
Re:Who The Hell Use .NET These Days?
ASP.NET has overtaken JSP and Java Servlets taken together.
Sun had the biggest opportunity on the planet to redefine the future of computing and they completely blew it. They dropped the ball on applets, they dropped the ball on desktop apps, and they are dropping the ball on server-side programming with their bloated APIs and poor language evolution. Amazingly, Sun's engineers manage to do an even worse job than Microsoft's. Best stay away from both of them. -
Re:There is a alternative....
Give me a break. Microsoft uses Akamai to do DNS load balancing.
100% of Microsoft.com runs on Windows. -
Re:There is a alternative....
Actually, they already do quite a bit. http://searchdns.netcraft.com/?host=.microsoft.com&position=limited&lookup=Search. Yes, this does mean that it's been confirmed by Netcraft.