Slashback: Snapshots, Amends, Bazaarity
Microsoft is just as secure as the competition, says Microsoft. Jon_E writes: "According to this article, Microsoft is responding to the Gartner Report, which recommends that enterprises drop IIS, by claiming unfair targeting due to their popularity."
Whether because of better-trained or more vigilant administrators, or some other factors, the Apache servers running many web sites certainly haven't seen the devastating outages in the past month (Code Red, Nimda) as certain large IIS installations have.
If animated, this might make a really good Saturday cartoon. cconnell writes "Last September, slashdot published my critique of Eric Raymond's essay The Cathedral and the Bazaar. There was a lively (and sometimes scorching) discussion that followed. Here is Eric's reply to my critique, which Slashdot readers might enjoy. And here is my reply to Eric."
This was not faked in the same studio as the "lunar landings." mrsmalkav writes "Deep Space 1 has passed by Comet Borrelly within 1400 miles and took some very pretty pictures of the comet's core, all while collecting lots of data about said comet. NASA's press release discusses some of the details and findings of the flyby.
This is actually really impressive given that there was very little hope for this mission. From the Mission Logs on DS1's site, '[T]o be honest, DS1's visit with the comet simply is unlikely to work as well as we hope. Many mission logs have described the difficulty of keeping this aged and wounded bird aloft, and the encounter with Borrelly will present Deep Space 1 with the greatest challenge yet in its historic trek through the solar system.'"
Saint Aardvark writes "Space.com has an article about the images taken by DS-1, and they're stunning." And eldurbarn points to the NASA Images of comet Borrelly online at JPL.
How to satisfy customers with license objections, Part II brtb writes: "Soon after Slashdot posted my DiscZerver-GPL writeup last week, xStore added a link in their Download section for information about the use of GPL software in their products. Below is the e-mail I received in response (address changed to protect the spamless). Congratulations to xStore for supporting Free Software and bringing the DiscZervers into compliance with the GPL.
From: "Support" [support@xstoreonline.com]
To: "brtb" [slashdot@brtb.org]
Subject: "RE: GPL SOURCE CODE"
xStore is committed to complying with the full letter and spirit of the GPL. We are currently investigating the allegations of non-GPL compliance and communicating with the GNU.ORG and Free Software Foundation on this issue. We will produce a response to your request that is mutually acceptable to the copyright holders of the programs we have used that fall under the GPL and xStore itself. Due to the recent acquisition of this product, we are still in the process of preparing the required source code for distribution. xStore is committed to bringing the DiscZerver product into GPL compliance, if it is indeed found to be not in compliance.
In the meantime, please provide xStore with information so that we can send you, the user of this product, the package that you are entitled to. Please provide the serial number of your DiscZerver product and the 'system page' with your response. The 'system page' is located at [http://your_Zerver_name_or_IP_address/admin-cgi/system]. In addition, please send us a self-addressed stamped envelope suitable for mailing a CD-ROM along with $14.95 to:
xStore, Inc.
Federal Highway Center
1200 North Federal Highway
Suite 200
Boca Raton, FL 33432
After we receive your written request along with the above items, we will process it and promptly send you the disc when it becomes available.
This thanks to the mostly behind-the-scenes work of people at the FSF. Congratulations to xStore for respecting the intent of the programmers whose work they're consolidating and packaging.
Not the best solution, but as the article says, there aren't a lot of viruses for the Mac for this reason. So one thing that can make your servers more secure is to use a more obscure OS and know it really well.
One other note: I thought a majority of web servers run a variant of Linux. So because they have the market share, wouldn't hackers attack them more? I just think it's harder to attack something that is open source because so many bugs can be found by the community and fixed by the community, while bugs for IIS can rarely be fixed by the community.
Plus a lot of people just hate Microsoft in general.
F-bacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
They're targeted because they're the most vulnerable target. That's all.
Unlimited growth == Cancer.
Sorry, couldn't resist. But seriously:
The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targeted as it is so popular, rather than the system being the least secure," said Cluley.
You have to love how they pull the "everyone is jealous so they pick on us" stuff every time they screw up. Surprise, shitstreak, Microsoft does not make the world's most popular Web server. That's Apache. "Hackers", as you call these jerks, do not target Microsoft because they're the most popular. They target Microsoft because Microsoft has made itself an easy target by making it really easy to hack their products. If popularity made you a target, we'd see scores of Apache worms.
I thought a majority of web servers run a variant of Linux
Here's the key to it. The majority of servers run some variant of Linux. Most buffer overflow bugs require a specific offset and known layouts in memory. If you look at the specific versions out there IIS is probably the most common single version of any product out there (can you get this info from Netcraft?)
On the other hand, it could just be stupid admins - check out http://www.netcraft.com/Survey/vuln.gif. I'm sorry, but those numbers make me puke when I think any of those people seriously call themselves admins...
Fear: When you see B8 00 4C CD 21 and know what it means
Thus, using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out, almost weekly.
This is the biggest problem with maintaining Microsoft networks. Exploits in IIS or Windows are far too frequent, and almost all patches require reboots. You can imagine the response I get when I call management every other week and say "I need emergency downtime to patch 65 of our servers...".
Microsoft loves to talk about how their software has a lower TCO than other operating systems. Perhaps they don't count the cost of man-hours spent applying patches, or the downtime involved?