Domain: port80software.com
Stories and comments across the archive that link to port80software.com.
Comments · 38
-
Re:U can answer my question now (I gave U info.)
NOT ACCORDING TO 90++ links of security issues occurring on it I posted
Entirely subjective.
you see 90 odd links demonstrating insecurities. Anyone who can afford decent consumer electronics and so owns an Android device sees 90 odd links that don't and won't affect them.
would be exposed as hiding behind security by obscurity for years now (because a 1.19% marketshare @ BEST/MOST on PC desktops where the "easy meat users" are the exploit them, it had none - wasn't worth attacking)
Exploiting a webserver is a much higher value target than a normal user, what market share does linux have in the webserver market:
http://www.thegeeksclub.com/windows-linux-os-secure-easy
Here, Linux is far ahead of Windows Operating System: Web Server market share of Linux is more than 71% and Microsoft Windows share is only around 16%.
Even in the more accurate studies of the "ultra high value" fortune1000 companies Nix holds a very strong market share:
http://www.port80software.com/surveys/top1000webservers/
Therefore your argument that Linux is somehow some "obscure" OS that no one uses doesn't hold water.
The only place it seems to have any relevance is in terms of the applications used by users on these operating systems. But here Android is lightyears ahead of both windows and linux, simply because its application model is secure by design, but nix and windows only offer userspace, and your "90 odd links" show nothing more than some reversion back to the level of security offered by userspace.
In short, you posted 90 odd links showing Android is at least as secure as the most secure windows and linux installations.
-
Re:1, 2, 3 ... SHUN!
Did you fail reading comprehension?
No.
Are you capable of reading and understanding at least the title of the page that I linked to?
Yes.
It's really hard to discuss things with someone that's either mentally impaired or intentionally acting dumb.
I agree that conversing with you is difficult. Acknowledging your problem is the first step to fixing it.
:) Shit joke, but how did you expect me to react (rhetorical question).
About the Netcraft vs. SecuritySpace stats: Netcraft base their server survey on what server software runs a domain, subdomain or any other thing arbitrarily defined as a 'site': This includes live.com profiles, myspace.com profiles and blogger.com sites. I have searched for the document on netcraft.com that confirms this, but it has disappeared. This is reasonably common knowledge though: see this Slashdot post and this Web Server Survey from last year.
SecuritySpace, on the other hand, counts physical servers. There are problems with this approach, but physical servers were what we were discussing.
Additionally, I wouldn't describe Netcraft's figures as accurate. They have been gamed by Microsoft: Firstly by the deal with GoDaddy, which caused the first jump in favour of IIS and GoDaddy's subsequent purchase of RegisterFly, which caused the second.
Also note the absence of Facebook profiles as sites, it's a closed community so cannot be counted, skewing the results in favour of Microsoft again.
-
MS servers
Not 10 years ago people were proclaiming the death knell for Microsoft because it missed the internet... then they bought "Internet Explorer" and... well you know how that turned out.
It turned out not that great for them, the part where they actually make money, the server market has played out miserably for them because of that mistake.
MS is second in webservers. According to Netcraft as of this month, January 2008, MS's market share for webservers is more than 35%. Port80 reports MS IIS Server is on 55% of the Fortune 1000's servers. Doing a search of webservers iis marketshare shows IIS is gaining market share and Apache is losing it.
Falcon
-
IIS Already Leads Where Microsoft Cares
IIS already has a pretty dramatic marketshare lead when it comes to the Fortune 1000.
-
Interesting
Interesting. This isn't 100% new idea about AJAX but pretty darn close. I have only seen squeaks and squawks from a few people who are in the Web server business but not much else:
http://www.devx.com/asp/Article/29617
http://www.port80software.com/200ok/archive/2005/04/29/393.aspx
My opinion I would think folks haven't done enough apps to know what is what and the only people saying much are going to be the Web2.0 folks themselves (unlikely to own up to it quite yet) or the few folks like these sitting at an interesting vantage point to see lots of application and site efforts in conjunction with acceleration, caching, compression, etc. knowledge. Anybody else seen similar postings, thoughts, papers? It does concern me a bit given how I have seen polling abused in JS.
-M.J.F.
-
Re:What would be really interesting...
I agree, hostnames alone is pretty worthless. Personally I would like to see statistics based on IP address and not host names.
It's pretty easy for any person to colo a LAMP setup and host the webpage of everyone they know who doesn't want to be on geocities anymore... far easier than plunking down the cash for a Windows 2003 install with IIS6.
Of course, there are always studies like that of Port 80 software who found that 53.7% of corporate web servers were running IIS, vs the 22.7% of Apache.
See http://www.port80software.com/surveys/top1000webservers/ for more details.
-
Re:specs available?
Web Server: http://www.port80software.com/surveys/top1000webservers/
Application Server: http://www.port80software.com/surveys/top1000appservers/
-
Re:More rebuttals to apologists
3x the # of web sites hosted perhaps, but not in terms of actual web servers.
Remember the Port 80 survey for example?
We must not also forget the # of vulnerabilities for Apache vs IIS6 where in such a battle, IIS6 is winning.
-
Re:Morally?
Because in EVERY business, the final price of a product comes from PERCEIVED VALUE not the real cost of goods. So, by giving stuff away for the past few years, the perceived value of software has been going down.
This may be true for very small companies and individuals, but the big companies still drop the big dollars for professional software. Look at the Web server usage of Fortune 1000 companies. Over 80% use either IIS, Netscape's Web server, or some other Web server (WebLogic, Websphere, SunOne, etc.). Less than 20% use Apache. As a general rule of thumb, for-profit companies use for-profit software.
Now, if you are in the shareware market or the market geared toward home users, yes - this free source mantra has pretty much screwed you out of many potential sales.
-
What about IIS servers using Servermask?
I've used this NetMask utility to mask my IIS server before now (I tried the trial, and it's run out), and in the past Netcraft has properly identified the server as running Apache on Redhat 9. This ain't true, as it's running Win2K with IIS5. So I'm wondering, how many of the new servers are what they say they are? And just HOW skewed are the Netcraft results?
-
I beg to differ, Mr. rip-off
What about a cracker who performs detailed reconnaissance... only to fail in the attack when subterfuge holds?
Misdirection is an advantage if it foils a major exploit from the outset.
ServerMask is one choice in a comprehensive IIS security strategy, and Web server anonymization is practical, after you have all the bases covered -- for Apache, Netscape, Zeus... systems in general.
Why surrender any advantage in a battle?
Chris @ Port80
-
Re:Obviously incorrect graphs in report
Thanks for the image mistake catch. Will be fixed ASAP.
OK, enough fun for today, folks. It really is turkey time.
Best,
Chris @ Port80
-
Re:but whois port80software?
We are an MS partner but not owned by MS.
Port80's survey is our own work, not an M$ "secret project".
Hey, I like the X-Files as well, but let's not get carried away here.
Happy Turkey Day,
Chris @ Port80
-
Re:i love this quote from the article
Chris from Port80 here.
I was misquoted or rather never asked directly about the subject in the theage.com.au article, so here's what I have to say about IIS security:
http://www.owasp.org/columns/jlima/joelima1
There is work to be done, but IIS is moving in the right direction.
Enjoy the tryptophan effects,
Chris @ Port80
-
Re:Greetings from Port80 Software
ServerMask in its current form removes the most obvious signs that you are running IIS. This is no substitute for a good firewall, IDS, IPS and a really locked down box. But, as all programmers would I am sure agree, and as good ol Kevin Mitnick has pointed out, "any information a cracker can obtain about your system is too much information."
Here is an article that will walk you through what ServerMask does and does not do:
http://www.port80software.com/support/articles/maskyourwebserver
Companies are going to anonymize their systems in future. ServerMask 2.1 is a step towards IIS anonymization, but by no means the last word. Check out ServerMask 3.0 in development for next year...
Off to talk turkey,
Chris @ Port80
-
Re:A bit more than the average MS bias
Forgot this one:
Everything is debatable. Here is Port80's more detailed article on Netcraft and both of our Web server surveys:
Which Web Server Is Winning?
Gooble gooble (or is it Google, google these daze?),
Chris @ Port80
-
Re:A bit more than the average MS bias
From our point of view, the list and the focus is vital to any good Web server survey. Netcraft's list is wide, and their highlighted conclusions are not qualified by their own methodology. Netcraft highlights the Apache/IIS divide and usually their uncorrected figures because that will help them sell more Web site data -- to corporate customers.
Port80 is in the business of making tools for IIS. True. And Port80's survey does highlight an area that MS is winning in: corporate Web servers of the Fortune 1000. I would hazard to guess that MS and IIS are also winning in another area of interest: the corporate extranet and intranet market. But there are many surveys out there:
http://www.securityspace.com/s_survey/data/200310/index.html
http://www.alexa.com/site/ds/top_500
Each one makes different assumptions and has a different slant. The perfect Web server survey has yet to be attained, and the important point I think is that we are here, having this debate. Port80 plans to expand its surveys to different lists: more international lists, lists of qualified high traffic sites, and more. We will keep putting up the data and insighting debate.
As for Port80 Software and the Microsoft connection, remember that we are old open source advocates from way back. Port80's best ideas for improving the IIS Web server evolve from what has been accomplished with Apache and the mods culture of continuous tinkering, improvement and exploration.
Happy Turkey Day,
Chris @ Port80
-
Re:A bit more than the average MS bias
You're right, Fry.
Try going to Iraq in an orange jumpsuit, and you will quickly discover the benefits of camo.
All the same, ServerMask is not the ultimate solution for server anonymization on IIS. The application needs some work to mask TCP/IP settings and also arbitrary HTTP responses. This article covers the important elements of a server anonymization strategy -- some addressed in ServerMask for IIS, some by tips for Apache/mods tuning, but all important if you want to mask your Web server:
http://www.port80software.com/support/articles/maskyourwebserver
Happy Turkey Day,
Chris @ Port80
-
Re:A bit more than the average MS bias
Thanks for catching a bug in Port80's real-time header check tool. We will look into the tool's SQL error on the URL www.isthatdamngood.com.
That's not too damn good...
Our online tools are not perfect, but they do work for most Apache sites. For instance, here is another version of the tool and a report for apache.org:
http://www.port80software.com/products/httpzip/compresscheck?url=www.apache.org
The actual Web server survey (www.port80software.com/surveys/top1000webservers) is conducted by another offline tool developed in Python by Port80's folks. Our published results have been verified independently on this thread today for the Fortune 1000 sites -- in terms of the current and ongoing Web server market share among the main corporate sites of Fortune 1000 companies.
Here's the methodology we followed (http://www.port80software.com/surveys/top1000webservers/methodology), and the results from our November survey can be accessed online in our archive reports:
http://www.port80software.com/surveys/top1000webservers/#checkacompanyout
Happy Turkey Day,
Chris @ Port80
-
Something doesn't add up...
... or maybe it's just me. I'm looking at their big, honkin' graphic that shows "Percentage of market" and the November winner seems to be clearly IIS 6.0 on W2K+3 (relative to all other IIS servers). But the gigantic pie chart, which also shows a breakdown of what IIS is the particular favorite seems to be IIS 5.0 with ~44% of the market. I understand that these are different measures, but shouldn't the relative weightings of IIS-IIS be about the same here?
-
Re:A bit more than the average MS bias
I think the bias is clearly stated on this page.
Reading that page I felt that they were being objective and clearly not trying to favor one webserver over the other until out of the blue (about two thirds down) popped this classic quote that could easily have come from an MS marketing campaign:
The fact that a bulk hoster chose to revert to Apache to run 1.4 million domains may have more to do with its lower up-front cost than with its performance, security, or features.
Eh? Where's the objectivity there? The implication is that Apache is only being used because it's cheaper than IIS, "after all folks you pay for quality."
After that quote it went downhill with them frequently implying that Netcraft is inflating their statistics to suggest Apache is king. They were a little petty over inconsistencies in Netcraft's statistical methods documentation and generally claimed their analysis is oodles better than Netcraft's "industry standard".
Their statistics appear ludicrous and they appear to be chanting MS slogans. I trust them not one bit.
Netcraft! Forgive me for glancing at the competition! I'm coming home now.
-
Yes they are... check this out
I tried their header check for www.apache.org [link is here]
Port80 returned this result:
"We detect that www.apache.org is running Apache/2.0.48-dev (Unix)."
But further down the page is this gem:
"No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask."
WTF?!
-
Of COURSE this is not real
Enough of your silly debating. If any of you still think this is a real survey, and not propaganda, then take a look at the message given if you scan a server header that reports Apache:
"Note:
No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask.
Try ServerMask FREE for 30 days. Download Now!
Buy ServerMask for only $49.95 today!"
Case in Point
And here's what it says if you go scan an IIS based site:
"Protect your Web server identity with ServerMask!
Why let anyone find out you're running a Microsoft IIS server? Don't tempt potential hackers!
Try ServerMask FREE for 30 days. Download Now!
Buy ServerMask for only $49.95 today!"
Case in Point
Hmmmmmmm, two different results. Strange....
LS
-
Free Software Wins again.
and what would that one line be?
I want my $50 worth on my apache server
- Unpack the Apache distro file (apache_1.x.xx.tar.gz) and run the configure script.
Now do the following commands:
- cd src/os/unix
  (With Apache 2.x, cd os/unix)
- vi os.h
- Search for:
  #define PLATFORM "Unix"
- Replace "Unix" with whatever you want your OS identification to be. (Some of the more creative ones I've done are 'NachOS,' 'PathOS,' 'StratOS,' 'ZerOS,' and 'WinDos'...anything.)
- Save the file.
- cd ../../include
- vi httpd.h
  (With Apache 2.x, vi ap_release.h)
- Search for:
  #define SERVER_BASEVENDOR "Apache Group"
  #define SERVER_BASEPRODUCT "Apache"
  #define SERVER_BASEREVISION "1.x.xx"
- Replace "Apache" and "1.x.xx" with whatever you want your Server and version number to be. (I recommend "Port80Software-Is-A-Fucking-Ripoff" and "Holy-Jumping-Jesus-This-Was-Easy", respectively.)
- Save the file.
- cd ../..
  (With Apache 2.x, cd ..)
- make
You're done. Congratulations. You just saved yourself $49 dollars!!!
-
Cheap and flashy graphics
I'll ignore for the moment the question of the quality of their data. I'm sure others will endlessly debate it (and I'll probably join in). Let's look at something else: The quality of their presentation.
First, let's take a look at the most recent Netcraft server survey. Let's see, clean display. The scale grid is subtle and doesn't draw attention to itself, but makes it easy to see exactly where a line falls. There is little wasted pixel data. It's easy to see trends and make comparisons. For the curious the exact numbers for the last two samples are listed (regrettably only two samples are listed). The graph labels the data it shows ("Market Share for Top Servers Across All Domains August 1995 - November 2003") leaving the reader to form his own opinions. On the down side, the scale confusingly marks 7% increments and the yellow line for Netscape/SunOne almost disappears into the background. Still, well above average for a graph. Definitely room to improve, but better than most people expect to see.
Now let's examine the Port80 server survey. Wow, what a difference. The grid is a much more dominant element. The 3d effect means that bars further in the back appear taller (by up to 15 pixels, or about 7%) and makes it hard to compare a specific data point against the scale. The complexity of the 3d bars complicates things, the "top" of the bar is actually larger than the month to month shift in the numbers. The "area" of the bars implies size (intellectually you know it isn't, but your gut says otherwise), this means that the largely obscured middle bars (Netscape and Apache) seem smaller. Ultimately bars are the wrong choice, we're examining points over time (suggesting a line chart), not clusters of data. The chart is labeled with a conclusion ("Microsoft IIS Maintains Dominance Of the Corporate Web Server Market"), suggesting interpretations to the reader. On the up side, they provide heavily broken up information for the most recent sample point (regrettably it's a graphic). They include a worthless pie chart. If you want to show market share a line chart showing historical data would be much more enlightening.
Conclusion? Port80's graphs suck. Hard. It's a stunning example of how not to create high quality graphs. The creators need to be beaten with copies of Tufte's information display books until they get it. This is the sort of amateur crap I expect on PowerPoint slides from people more interested in being cool than being useful, or perhaps from the graphics department at USA Today. As an engineer I'm disappointed.
-
Check out Port 80's high quality software
They charge fifty bucks for ServerMask(TM). What does it do? It removes the "server" line in IIS to make it a bit harder to determine that the website is using IIS.
Of course, you can do the same thing in Apache for free.
And nmap will still identify IIS correctly.
-
So surprising
From their Partners page:
"Port80 Software's Strategic Partners:
Microsoft, Inc."
Strategic in what way? FUD?
-
A bit more than the average MS bias
This is wrong on soooooo many levels. I could understand trying to twist the truth by redefining what a webserver is... but their sampling method is straight out wrong.
Want proof? Here it is. Go to the linked article, (or click here) and where they have the box to check your server header (about half way down the page) type in www.microsoft.com - you will see it's running IIS/6. A nice happy IIS server.
Now, type in my web server - http://www.isthatdamngood.com - it's a nice Linux/Apache server. My server will CRASH their app! Actually, a lot of linux servers will crash it...
Kinda hard to claim your results are more indicative of the market when your scanning technology is flat out broken.
-
Re:Stick a fork in 'em!
Corporate USA still love IIS ! Top 1000 Corporations' Web Server Why this survey never was posted on Slashdot ?
-
Re:Another survey - lots of IIS in .gov
And even more where there's money... Top 1000 Corporations' Web Server Top 1000 Corporations' Web Server: 53% for IIS and Apache is third!