Slashdot Mirror


Slashback: Snapshots, Amends, Bazaarity

Slashback brings you some follow-ups tonight about Gartner's recommendation to dump IIS, Charles Connell vs. Eric S. Raymond on Open Source project management, xStore and the GPL, and (yes) the results of Deep Space 1's latest Final Mission.

Microsoft is just as secure as the competition, says Microsoft. Jon_E writes: "According to this article Microsoft is responding to the Gartner Report which recommends that enterprises drop IIS by claiming unfair targeting due to their popularity."

Whether because of better-trained or more vigilant administrators, or some other factors, the Apache servers running many web sites certainly haven't seen the devastating outages in the past month (Code Red, Nimda) as certain large IIS installations have.

If animated, this might make a really good Saturday cartoon. cconnell writes "Last September, slashdot published my critique of Eric Raymond's essay The Cathedral and the Bazaar. There was a lively (and sometimes scorching) discussion that followed. Here is Eric's reply to my critique, which Slashdot readers might enjoy. And here is my reply to Eric."

This was not faked in the same studio as the "lunar landings." mrsmalkav writes "Deep Space 1 has passed by Comet Borrelly within 1400 miles and took some very pretty pictures of the comet's core, all while collecting lots of data about said comet. NASA's press release discusses some of the details and findings of the flyby.

This is actually really impressive given that there was very little hope for this mission. From the Mission Logs on DS1's site, '[T]o be honest, DS1's visit with the comet simply is unlikely to work as well as we hope. Many mission logs have described the difficulty of keeping this aged and wounded bird aloft, and the encounter with Borrelly will present Deep Space 1 with the greatest challenge yet in its historic trek through the solar system.'"

Saint Aardvark writes "Space.com has an article about the images taken by DS-1, and they're stunning." And eldurbarn points to the NASA Images of comet Borrelly online at JPL.

How to satisfy customers with license objections, Part II. brtb writes: "Soon after Slashdot posted my DiscZerver-GPL writeup last week, xStore added a link in their Download section for information about the use of GPL software in their products. Below is the e-mail I received in response (address changed to protect the spamless). Congratulations to xStore for supporting Free Software and bringing the DiscZervers into compliance with the GPL.

From: "Support" [support@xstoreonline.com]
To: "brtb" [slashdot@brtb.org]
Subject: "RE: GPL SOURCE CODE"

xStore is committed to complying with the full letter and spirit of the GPL. We are currently investigating the allegations of non-GPL compliance and communicating with the GNU.ORG and Free Software Foundation on this issue. We will produce a response to your request that is mutually acceptable to the copyright holders of the programs we have used that fall under the GPL and xStore itself. Due to the recent acquisition of this product, we are still in the process of preparing the required source code for distribution. xStore is committed to bringing the DiscZerver product into GPL compliance, if it is indeed found to be not in compliance.

In the meantime, please provide xStore with information so that we can send you, the user of this product, the package that you are entitled to. Please provide the serial number of your DiscZerver product and the 'system page' with your response. The 'system page' is located at [http://your_Zerver_name_or_IP_address/admin-cgi/system]. In addition, please send us a self-addressed, stamped envelope suitable for mailing a CD-ROM along with $14.95 to:

xStore, Inc.
Federal Highway Center
1200 North Federal Highway
Suite 200
Boca Raton, FL 33432

After we receive your written request along with the above items, we will process it and promptly send you the disc when it becomes available.

This thanks to the mostly behind-the-scenes work of people at the FSF. Congratulations to xStore for respecting the intent of the programmers whose work they're consolidating and packaging.

21 of 388 comments

  1. Security through Obscurity by Ghoser777 · · Score: 4, Insightful

    Not the best solution, but as the article says, there aren't a lot of viruses for the Mac for this reason. So one thing that can make your servers more secure is to use a more obscure OS and know it really well.

    One other note: I thought a majority of web servers run a variant of Linux. So because they have the market share, wouldn't hackers attack them more? I just think it's harder to attack something that is open source because so many bugs can be found by the community and fixed by the community, while bugs for IIS can rarely be fixed by the community.

    Plus a lot of people just hate microsoft in general.

    F-bacher

    --
    James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
    1. Re:Security through Obscurity by jiheison · · Score: 4, Insightful

      Plus a lot of people just hate microsoft in general.

      I think that you have hit the nail on the head here. Microsoft is simply a high profile target, but it is also despised for its arrogant, "our software is superior and everyone else sucks" attitude. Basically, their arrogance inspires people to try to take them down.

      Unfortunately, I see more and more people in this forum with a similar attitude about the superiority of Linux and Open Source in general. I see a day very soon when people will get tired of kicking the M$ security dead horse. The real challenge will be in targeting Open Source alternatives. What hacker wouldn't want to be the first to bring Apache?

      Then again, maybe Apache really is invulnerable to significant exploits.

    2. Re:Security through Obscurity by Anonymous Coward · · Score: 1, Insightful
      Plus a lot of people just hate microsoft in general.

      I think that you have hit the nail on the head here. Microsoft is simply a high profile target, but it is also despised for its arrogant, "our software is superior and everyone else sucks" attitude. Basically, their arrogance inspires people to try to take them down.

      s/microsoft/America/
      s/software/way of life/

      This reminds me of a recent tragic event.

    3. Re:Security through Obscurity by weinerdog · · Score: 2, Insightful

      I think that you have hit the nail on the head here. Microsoft is simply a high profile target, but it is also despised for its arrogant, "our software is superior and everyone else sucks" attitude. Basically, their arrogance inspires people to try to take them down.

      According to all security reports I have seen, you are far more vulnerable to being cracked or exploited if you run IIS than if you run another random Web server. I believe that the Netcraft numbers imply that your chances of being hit are about double. Whatever the case, the clear implication is this: run IIS and you are significantly more at risk than if you run Apache or any other HTTPD server.

      Spin doctors will try to explain why this is the case, but the bottom line is that it doesn't really matter; under typical conditions, you are more at risk running IIS than any other HTTPD server. Microsoft can offer all the explanations they want as to why it's not their fault that running their software puts you at greater risk, but it doesn't change the fact that running their software does just that.

      If your case is not typical, IIS may not be the riskiest choice. Maybe IIS really is less secure because, on average, IIS admins are less well-trained than Apache admins or because IIS is harder to configure than is commonly supposed. If this is the case, Microsoft should be upfront about the fact that running IIS on NT is just as hard and requires just as much skill as running Apache on Unix; they can't eat their cake and have it by claiming their software is better because it is easy to administer and then blaming every problem on the lack of properly trained admins.

      At any rate, the implication for the average business operation is clear: for whatever reason, non-IIS systems tend to be more secure than IIS systems. That is a significant factor to consider in choosing your kit, regardless of why.

      --
      There's no such thing as Scotchtoberfest!
  2. IIS Popularity? Exsqueeze me? by phliar · · Score: 4, Insightful
    It's not like IIS has the same usage numbers among web servers as MS-Windows has on the desktop...

    They're targeted because they're the most vulnerable target. That's all.

    --
    Unlimited growth == Cancer.
  3. Cluley clueless by sllort · · Score: 5, Insightful

    Sorry, couldn't resist. But seriously:

    The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targeted as it is so popular, rather than the system being the least secure," said Cluley.

    You have to love how they pull the "everyone is jealous so they pick on us" stuff every time they screw up. Surprise, shitstreak, Microsoft does not make the world's most popular Web server. That's Apache. "Hackers", as you call these jerks, do not target Microsoft because they're the most popular. They target Microsoft because Microsoft has made itself an easy target by making it really easy to hack their products. If popularity made you a target, we'd see scores of Apache worms.

    1. Re:Cluley clueless by decaying · · Score: 2, Insightful

      I believe Apache runs on the same platform as IIS.

      This issue has nothing to do with the platform; it is about the service, i.e. the web server. IIS and Apache both run on Windows boxes; how many malicious worms have we seen that attack Apache on Windows?

      --
      ----- One piece short of Legoland
    2. Re:Cluley clueless by DrSkwid · · Score: 3, Insightful

      From the Plan 9 mailing list:

      I think you misrepresent the purpose of security. Its role is to prevent us getting work done. If someone constructs a security solution that is usable, experts will focus on it like a cat watching a mouse hole until a fatal flaw is found. This results in three things: 1) The technology is disabled, making it impossible to work again. 2) A solution is worked on, distracting people from getting regular work done. 3) Finally, a new solution is deployed, requiring people to spend time updating their systems and networks rather than getting work done. At this point, security has failed because people are working, so the cat goes back to the hole and in a few days the mouse emerges and is caught and life returns to normal.

      So the rule of security is the following: if you are able to work on something other than security, your system is insecure.

      -rob [Pike]

      --
      There are places where the networks are not touching, and there are places where they are. - Boeing's Lori Gunter
  4. NASA Funding by jensend · · Score: 3, Insightful

    Here are NASA engineers, squeezing every last drop of science and knowledge out of projects which had justified themselves and their cost before the end of the Cold War - the possibilities presented by a modern project would now be so exponentially greater, due to increased technology, that it's ludicrous Congress doesn't invest in such more heavily. Perhaps one could add this to the list of things /. could become a million-strong lobby for.

  5. Re:Microsoft's Response by Anonymous Coward · · Score: 2, Insightful

    Apache is the most popular server, by numbers - but many tiny sites are hosted with Apache. Sites that get half a hit per year, and even then it's accidental. Not just tiny sites, of course, just enough to substantially skew the numbers when you consider that not all sites are worth bothering to try and hack.
    IIS is the most popular, by far, with commercial sites. According to NetCraft anyway.

    So kiddies, whatcha gonna hack? Commercial site or photos of mangy dogs.

    It's a reasonable argument, but not an acceptable excuse by itself.

  6. Some thoughts on IIS exploits by os2fan · · Score: 3, Insightful
    Something that passes through my mind is that companies that make trucks are not really good at making cars, and vice versa.

    MS had its roots in BASIC on small hobby computers. Much of what they have done since is summed up by their home-grown product: GeeWhizz Basic.

    The network that they have now is based on IBM OS/2 Lan Server, which they got in code sharing arrangements with IBM. I mean, the OS/2 1.3 help file still serves me well under NT4.

    Their main contribution has been to lay all sorts of flash in fanciful languages, purpose designed to ensure upgrades. Excel, for example, has had three entirely different languages in five years. Most people could not be bothered to learn the new language. A lot less macro writing happens now than in the days of Lotus 123 for DOS. Mind you, it does not stop the script kiddies, who are learning the latest exploits.

    Most MS products ship badly configured. Like, who would put a spell checker on a function key (F7), if spell checking is done live anyway. I mean, you either do it live because you have the juice, or you do it from the tools menu because you don't have the resources to run it all the time. Putting it on a function key is silly. Except to bring it up on sales promotions. "Yes, we have spell checker [press F7]".

    So their network stuff is full of flashing chrome designed to sell the thing to executives, and the scripts that run this chrome are, by this setup, already in a form ready for remote exploits. Yes, you can configure it, if you want to stuff around in the registry and hidden settings. But most people don't have the knowledge or time to do something that should be a default or available choice.

    MS is a small system maker that is attempting to do big time: all they do is big time damage.

    --
    OS/2 - because choice is a terrible thing to waste.
  7. Relative abundance of server variants... by throx · · Score: 5, Insightful

    I thought a majority of web servers run a variant of Linux

    Here's the key to it. The majority of servers run some variant of Linux. Most buffer overflow bugs require a specific offset and known layouts in memory. If you look at the specific versions out there IIS is probably the most common single version of any product out there (can you get this info from Netcraft?)

    On the other hand, it could just be stupid admins - check out http://www.netcraft.com/Survey/vuln.gif. I'm sorry, but those numbers make me puke when I think any of those people seriously call themselves admins...

    --
    Fear: When you see B8 00 4C CD 21 and know what it means

    1. Re:Relative abundance of server variants... by almeida · · Score: 2, Insightful

      I'm sorry, but those numbers make me puke when I think any of those people seriously call themselves admins...

      You miss the point that most of these people don't consider themselves admins due to the simple fact that they don't know IIS is running. The majority of people who hit me with Code Red and Nimda attacks had the default "Under Construction" page. Yes, some people are ridiculously stupid, but some others just trusted that Microsoft would set their computer up for the standard user, not for the standard admin.
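An added example (not part of the original thread) of the Code Red and Nimda hits that almeida describes, as an Apache admin sees them in the access log: a Python scanner over constructed log lines that tags each probe's worm family and lists the source addresses, which are the already-infected hosts whose owners usually did not know IIS was running. The log lines, addresses and timestamps are constructed; the probe paths are the published Code Red and Nimda request signatures.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format log lines (not from the page); the request
# paths copy the well-known Code Red (/default.ida?...) and Nimda (root.exe,
# cmd.exe) probe patterns, and Apache answers every one of them with a 404.
SAMPLE_LOG = """\
192.0.2.10 - - [20/Sep/2001:03:12:45 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 276 "-" "-"
198.51.100.7 - - [20/Sep/2001:03:13:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [20/Sep/2001:03:13:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [20/Sep/2001:03:13:03 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [20/Sep/2001:03:13:03 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
203.0.113.5 - - [20/Sep/2001:03:14:10 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [20/Sep/2001:03:15:00 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276 "-" "-"
"""

# Common/combined log format: client ident user [timestamp] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Worm family -> predicate over the lower-cased request path.
SIGNATURES = {
    "code_red": lambda p: p.startswith("/default.ida"),
    "nimda": lambda p: "root.exe" in p or "cmd.exe" in p,
}


def parse_line(line):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the worm family whose probe this request path matches, or None."""
    p = path.lower()
    for family, matches in SIGNATURES.items():
        if matches(p):
            return family
    return None


def scan(log_text):
    """Count probes per worm family and collect the source IPs that sent them.

    Each matching request came from an infected host scanning for IIS, so the
    source list is what an Apache admin would use to notify owners or filter,
    not evidence of anything wrong with the admin's own server.
    """
    hits = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in common/combined log format
        family = classify(rec["path"])
        if family:
            hits[family] += 1
            sources[family].add(rec["ip"])
    return {f: {"hits": hits[f], "sources": sorted(sources[f])} for f in SIGNATURES}


if __name__ == "__main__":
    for family, info in scan(SAMPLE_LOG).items():
        print(f"{family}: {info['hits']} probes from {', '.join(info['sources'])}")
```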

  8. Sad analogy, but... by sheldon · · Score: 3, Insightful

    In quite a number of the responses I've seen there has been discussion about whether IIS is simply more targeted, or really insecure.

    Some have discounted the more targeted point of view because Apache is reportedly far more popular. Ok, granted. But now for my sad analogy... Single family homes are far more popular in the United States than skyscrapers, but when terrorists want to make a point, what types of buildings do they attack?

    People who write viruses may not be "terrorists" as they aren't trying to kill people. Sometimes they don't even have a point to make, but they most certainly want to cause financial damage, so who better to target?

  9. Re:$14.95 by Wanker · · Score: 3, Insightful

    I'm sure one person who gets the CD will immediately make it available on a website someplace. Then everyone else can get it for free.

    After all, that's what "freely redistributable" is all about. Only one poor chum has to eat the media costs. ;-)

  10. Re:$14.95 by muffel · · Score: 2, Insightful
    Actually, they switched everything over to .99 and .95 with the invention of the cash register, the idea being to force the cashier to open up the cash box to retrieve change, which makes it much harder for them to pocket the cash for themselves without anyone noticing.
    Just in case you were being serious -- that is utter bullshit. (The reason is of course psychology: No matter how smart you are and if you know about it or not -- if you casually see 14.95 you think 14, not 15. That's an extra buck for every item sold)
    --
    bla
  11. Read the Gartner article again... by un4given · · Score: 5, Insightful

    Thus, using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out - almost weekly.

    This is the biggest problem with maintaining Microsoft networks. Exploits in IIS or Windows are far too frequent, and almost all patches require reboots. You can imagine the response I get when I call management every other week and say "I need emergency downtime to patch 65 of our servers...".

    Microsoft loves to talk about how their software has a lower TCO than other operating systems. Perhaps they don't count the cost of man-hours spent applying patches, or the downtime involved?

  12. Re:IIS on NT Workstation by Anonymous Coward · · Score: 1, Insightful

    You know what, everyone talks about IIS installing by default on Win2k Pro... I've installed many boxes with various versions of Pro, and never have I installed IIS on them, never seen the option for IIS, and I know for a fact that Pro does not come with a web server, indeed, it does not come with _any_ servers. It's just a /. myth, there is no IIS in Windows 2000 Professional. It's a _workstation_ you numbnuts, only Linux workstations come with servers.

  13. Well, I do it with one box. by Colin+Smith · · Score: 3, Insightful

    One mail server - Unix scales.
    One web server - Unix scales.
    One print server - Unix scales.
    One file server - Unix scales.
    One Oracle database server - Unix scales.
    One middleware hub - Unix scales.

    Three DNS servers - On different networks.

    And one system to manage them all.

    I have no second level admins. For a similar number of users - about 800.

    It's just me and "It all just works". You feel free to go on running yourself ragged with crap systems. Eventually you'll get fired or burnt out and someone who knows what they're doing will fix it.

    --
    Deleted
  14. Crossing Platforms by _Sprocket_ · · Score: 3, Insightful
    IIS is attacked because it runs on a platform that is more popular in general.
    I think you're taking an easy route by trying to link the two. Let's split the server from the platform.

    The windows platform is very popular. Most common desktop by far; sheer numbers makes it a target. Add in that the average user has little IT experience and (either because of design or end user maintenance... or both) that a lot of these machines will be full of holes... great target.

    Let's say it's not IIS that's under scrutiny but Apache. Very popular. Lots of holes. And a large percentage of the user base tends not to patch holes as they're announced. Great target.

    Just because Apache tends to be run on non-Windows hosts does not mean we can't put them together. sadmind did just that. It spread on Solaris systems to attack and deface IIS servers. No reason we can't launch a new Nimda-a-like that propagates among Windows machines and attacks Apache (on whatever OS it's sitting on) hosts.

    But, of course, that's not what is going on. IIS is being attacked because of the virtues of IIS, not because it's usually sitting on Windows hosts.

  15. Microsoft IIS by GreyPoopon · · Score: 3, Insightful
    I can't believe some of the hogwash in Microsoft's response to the Gartner report. Here's my favorite:

    The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targeted as it is so popular, rather than the system being the least secure," said Cluley.

    So, I guess use of Apache must not be too widespread, eh? Now I'm not going to try to make the uneducated claim that Apache is really more secure than IIS, but for some reason there are far fewer security breaches on Apache. Maybe it's because virus writers are more supportive of Apache. Who knows? Unless something has changed in the last year, Apache still has the largest install base out there, and based on Microsoft's reasoning it should have the largest number of exploits.

    I read the entire Gartner release, and I thought it was very insightful. They didn't say, "Take down your IIS servers." Instead, they carefully qualified it, suggesting that "...enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache." Note the key word investigate. Also note that they only suggest this for people hit by both viruses.

    Microsoft's rebuttal also fails to properly address a serious issue: "cost of ownership." They make the wondrous claim about how fast they release patches to fix these security holes. What they missed entirely was the fact that a company can't be paying for the resources and downtime to apply a patch WEEKLY, not to mention the need for somebody to constantly watch for a security update so that it can be installed before somebody exploits it.

    What Microsoft *should* have done (IMHO) is kept their mouths shut, swung some resources into either rewriting IIS or truly removing security holes, and then had a surprise release to counter Gartner's arguments.

    --
    GreyPoopon
    --
    Why is it I can write insightful comments but can't come up with a clever signature?