Slashdot Mirror


Slashback: Snapshots, Amends, Bazaarity

Slashback brings you some follow-ups tonight about Gartner's recommendation to dump IIS, Charles Connell vs. Eric S. Raymond on Open Source project management, xStore and the GPL, and (yes) the results of Deep Space 1's latest Final Mission.

Microsoft is just as secure as the competition, says Microsoft. Jon_E writes: "According to this article Microsoft is responding to the Gartner Report which recommends that enterprises drop IIS by claiming unfair targeting due to their popularity."

Whether because of better-trained or more vigilant administrators, or some other factors, the Apache servers running many web sites certainly haven't seen the devastating outages in the past month (Code Red, Nimda) as certain large IIS installations have.

If animated, this might make a really good Saturday cartoon. cconnell writes "Last September, slashdot published my critique of Eric Raymond's essay The Cathedral and the Bazaar. There was a lively (and sometimes scorching) discussion that followed. Here is Eric's reply to my critique, which Slashdot readers might enjoy. And here is my reply to Eric."

This was not faked in the same studio as the "lunar landings." mrsmalkav writes "Deep Space 1 has passed by Comet Borrelly within 1400 miles and took some very pretty pictures of the comet's core, all while collecting lots of data about said comet. NASA's press release discusses some of the details and findings of the flyby.

This is actually really impressive given that there was very little hope for this mission. From the Mission Logs on DS1's site, '[T]o be honest, DS1's visit with the comet simply is unlikely to work as well as we hope. Many mission logs have described the difficulty of keeping this aged and wounded bird aloft, and the encounter with Borrelly will present Deep Space 1 with the greatest challenge yet in its historic trek through the solar system.'"

Saint Aardvark writes "Space.com has an article about the images taken by DS-1, and they're stunning." And eldurbarn points to the NASA Images of comet Borrelly online at JPL.

How to satisfy customers with license objections, Part II brtb writes: "Soon after Slashdot posted my DiscZerver-GPL writeup last week, xStore added a link in their Download section for information about the use of GPL software in their products. Below is the e-mail I received in response (address changed to protect the spamless). Congratulations to xStore for supporting Free Software and bringing the DiscZervers into compliance with the GPL.

From: "Support" [support@xstoreonline.com]
To: "brtb" [slashdot@brtb.org]
Subject: "RE: GPL SOURCE CODE"

xStore is committed to complying with the full letter and spirit of the GPL. We are currently investigating the allegations of non-GPL compliance and communicating with GNU.ORG and the Free Software Foundation on this issue. We will produce a response to your request that is mutually acceptable to the copyright holders of the programs we have used that fall under the GPL and xStore itself. Due to the recent acquisition of this product, we are still in the process of preparing the required source code for distribution. xStore is committed to bringing the DiscZerver product into GPL compliance, if it is indeed found to be not in compliance.

In the meantime, please provide xStore with information so that we can send you, the user of this product, the package that you are entitled to. Please provide the serial number of your DiscZerver product and the 'system page' with your response. The 'system page' is located at [http://your_Zerver_name_or_IP_address/admin-cgi/system]. In addition, please send us a self addressed stamped envelope suitable for mailing a CD-ROM along with $14.95 to:

xStore, Inc.
Federal Highway Center
1200 North Federal Highway
Suite 200
Boca Raton, FL 33432

After we receive your written request along with the above items, we will process it and promptly send you the disc when it becomes available.

This is thanks to the mostly behind-the-scenes work of people at the FSF. Congratulations to xStore for respecting the intent of the programmers whose work they're consolidating and packaging.


  1. what does an ion engine do? by ruebarb · · Score: 4, Interesting

    Just out of curiosity...how does this engine work...what principles of physics does this satellite use and what would its benefits be?..first time I heard of one is when I found that's what powers TIE fighters

    : ) - It's true...TIE = Twin Ion Engine

    --

    ----------
    ah honey, we're all resplendent - Bill Mallonee
    1. Re:what does an ion engine do? by Coniine · · Score: 4, Informative

      An ion engine ionizes neural atoms then accelerates the charged particles and emits them as a high energy stream. The ship accelerates in the opposite direction of course. One potential source of atoms ( rather than carrying them along as a payload ) is to use a magnetic field to gather material that is just out there in "space".

    2. Re:what does an ion engine do? by elmegil · · Score: 4, Funny
      An ion engine ionizes neural atoms

      So you have to get stupider to go faster?

      --
      7 November 2006: The day Americans realized corruption and incompetence weren't addressing 11 September 2001
    3. Re:what does an ion engine do? by Danny+Rathjens · · Score: 5, Informative

      DS1 How the Ion Engine Works

      Has a great description. It even has pretty pictures.

  2. Zimmermann Article by fizban · · Score: 5, Informative

    There's another article in the NYT about the encryption restrictions being brought up for debate and it includes a nice jab at the Washington Post for misquoting Zimmermann on his PGP interview. Check it out here:

    http://www.nytimes.com/2001/09/25/technology/25CODE.html

    --

    +1 Insightful, -1 Troll. What can I say, I'm an Insightful Troll.

  3. ObMSBash by ENOENT · · Score: 5, Funny

    From the IIS article:

    ...what differentiates Microsoft is our industry-leading response process."

    I couldn't agree more. Apache just can't compete with the speed of Microsoft's PR department in spinning every horrendous hole as "innovation".

    --
    That's "Mr. Soulless Automaton" to you, Bub.
  4. Security through Obscurity by Ghoser777 · · Score: 4, Insightful

    Not the best solution, but as the article says, there aren't a lot of viruses for the mac for this reason. So one thing that can make your servers more secure is to use a more obscure OS and know it really well.

    One other note: I thought a majority of web servers run a variant of linux. So because they have the market share, wouldn't hackers attack them more? I just think it's harder to attack something that is open source because so many bugs can be found by the community and fixed by the community, while bugs for IIS can rarely be fixed by the community.

    Plus a lot of people just hate microsoft in general.

    F-bacher

    --
    James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
    1. Re:Security through Obscurity by jiheison · · Score: 4, Insightful

      Plus a lot of people just hate microsoft in general.

      I think that you have hit the nail on the head here. Microsoft is simply a high profile target, but it is also despised for its arrogant, "our software is superior and everyone else sucks" attitude. Basically, their arrogance inspires people to try to take them down.

      Unfortunately, I see more and more people in this forum with a similar attitude about the superiority of Linux and Open Source in general. I see a day very soon when people will get tired of kicking the M$ security dead horse. The real challenge will be in targeting Open Source alternatives. What hacker wouldn't want to be the first to bring down Apache?

      Then again, maybe Apache really is invulnerable to significant exploits.

  5. That conspiracy theory should really die by Theodore+Logan · · Score: 4, Informative
    This was not faked in the same studio as the "lunar landings."

    Before you flame: yes, I know that was meant as a joke, and yes, this post is more than slightly off topic (but Slashback threads often are), but this is probably going to be discussed here sooner or later anyhow so I might as well take some preventative measures.

    The lunar landings were not fake. The "evidence" is poor at best, and just blatantly stupid otherwise. I won't reiterate all arguments against this silly conspiracy theory's validity, as you can read all about it, for example, here or here.

    There are lots of nice conspiracy theories that really have some nice arguments that actually speak for them, but this is not one of those. This one should really die. Seriously, I'd go for Illuminati or Elvis any day of the week if this was my only alternative.

    --

    "If you think education is expensive, try ignorance" - Derek Bok

  6. IIS Popularity? Exsqueeze me? by phliar · · Score: 4, Insightful
    It's not like IIS has the same usage numbers among web servers as MS-Windows has on the desktop...

    They're targeted because they're the most vulnerable target. That's all.

    --
    Unlimited growth == Cancer.
  7. How the Ion Engine Works by d.valued · · Score: 5, Interesting

    This is simple physics, boys and girls.

    First things first, you need a spacecraft as light as possible. Anything not needed goes away. Basically, you're left with the instrumentation, the navigation, the cameras, solar panels, batteries, and a couple of sizeable tanks of xenon.

    Yes. Xenon. The heaviest non-radioactive noble gas.

    Now, xenon is normally inert like other noble gases. I mean, there are no natural compounds containing any noble gas because they have no natural need to enhance their electron shell configuration.

    However, xenon is pretty large (as atoms go) and, given enough juice (courtesy our light and ability to live, the sun, hence the solar panels), you can ionize xenon. You can strip off an electron or two and it's useful (For example, the compound XeF6, xenon hexafluoride. What it's good for? Dunno. Still doesn't change the fact it exists.) More importantly, it's charged and can be directed.

    Then, it's a simple matter of a small aperture (which can be directed), a positively-charged grid, and the xenon leaves in the direction opposite the spacecraft goes.

    Don't expect this to power any spacefighters, however. At full power, the force this produces will barely move a piece of paper in front of it. The beauty of ion engine, though, is that because in space, inertia isn't hampered except by collision or a gravity field, this little bit gets larger as time increases. It's not much force, but given time it gets zooming.

    --
    I used to be someone else. Now I'm someone better.
    Real life is underrated.
    1. Re:How the Ion Engine Works by Captain+Nitpick · · Score: 5, Funny
      For example, the compound XeF6, xenon hexafluoride. What it's good for? Dunno. Still doesn't change the fact it exists.)

      Well, from what google can find, xenon hexafluoride is useful for two things. Serving as something for chemists to talk about, and making quartz detonate.

      --
      But then again, I could be wrong.
  8. Cluley clueless by sllort · · Score: 5, Insightful

    Sorry, couldn't resist. But seriously:

    The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targeted as it is so popular, rather than the system being the least secure," said Cluley.

    You have to love how they pull the "everyone is jealous so they pick on us" stuff every time they screw up. Surprise, shitstreak, Microsoft does not make the world's most popular Web server. That's Apache. "Hackers", as you call these jerks, do not target Microsoft because they're the most popular. They target Microsoft because Microsoft has made itself an easy target by making it really easy to hack their products. If popularity made you a target, we'd see scores of Apache worms.

  9. answer: an ion engine wooshes in space by ghostlibrary · · Score: 5, Funny

    Since an Ion engine ionizes its supply of onboard gas (so it gets an electrical charge), then electrically accelerates it out the back, that's why TIE fighters make that wooshing noise. All the gas they expel makes for enough of an atmosphere for sound to carry to the nearby cameras :)

    --
    A.
  10. IIS Rewrite? by hysterion · · Score: 4, Interesting
    "According to this article Microsoft is responding to the Gartner Report which recommends that enterprises drop IIS by claiming unfair targeting due to their popularity."

    According to The Register, their reaction also includes the following:

    Microsoft has been stung into action by Gartner security analyst John Pescatore's conclusion that businesses should ditch IIS - the Beast's own web server - for safer alternatives.

    Redmond is telling its sales channel that a rewrite of IIS is underway for version 6.0, and will introduce interim security measures along the lines of the lock-down utility, because, it says, "we also realize customers cannot wait that long." (...)

    The comments are in a bulletin sent to its sales staff and resellers, and seen by The Register. (...)
  11. Interesting article on ION drive. by bIOHZRd · · Score: 5, Informative

    subject says it all.

    http://www.msnbc.com/news/206711.asp

  12. Poor Apache users! by Sloppy · · Score: 4, Redundant

    The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targeted as it is so popular, rather than the system being the least secure," said Cluley.

    Then I must conclude that there are twice as many worms developed for Apache, than IIS. I feel sorry for all you poor Apache users. Your worm problems haven't received nearly as much publicity and sympathy. It must be a conspiracy.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  13. Target, yes... insecure, definitely! by Wee · · Score: 4, Redundant
    Microsoft may be secure, but when everyone is trying to crack YOUR software, it don't matter if your competition is half as secure as you...

    Microsoft products are rarely considered to be secure. Outlook is a laughing stock, and IIS is a running joke in the industry I'm in (managed services). So much so that we've been wondering whether or not to charge customers who insist on using IIS an extra fee for all the time we spend monitoring and patching their boxes. History has shown that if we get a new customer who demands to use IIS, then we can be reasonably assured that we'll have multiple headaches dealing with it so we might as well charge them. We (thankfully) never even considered supporting Exchange. We're going to ban IE from all NOC machines as well. Weaning people off Outlook may be harder, though. (Mirapoints help us mitigate that threat.)

    The "competition"? That would be Apache, Opera, Eudora (or Pine for some of us), qmail, etc. The "competition" is not half as secure. It is far more secure, everything else being equal (i.e., everything is installed properly, configured correctly, etc). That's my opinion, to be sure, but a colo full of servers running about everything you can think of formed it for me and I stand by it.

    You are the target, and you will be breached...

    That statement is specious at best. The only way to be completely secure is to have a standalone box. Which isn't an option, and therefore silly to say.

    MS software will never be completely secure. Yes, things like wu-ftp and such can be insecure as well. Anything can be. But at least most free/OS packages try to be secure. MS software isn't even trying to be secure. Hell, they apparently aren't even trying to be half-assed.

    When will they get that through their thick skulls???

    I'm wondering when people will stop drinking the MS koolaid and realize that there are many better, cheaper, more stable and more secure options available to them.

    -B

    --

    Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.

  14. While We're At It... by Greyfox · · Score: 5, Interesting
    My Discordian sense of curiosity has kicked in again and I was wondering if we could use CSS in a clever way to encrypt Evil messages. From what I understand of how it works, a DVD is encrypted on several keys and the DVDs are loaded up with a key that should be able to decrypt the DVD. Can we create a DVD image such that most DVD players will play a burned image but one EXTRA SPECIAL DVD player mounted on the back of a camel will get extra subtitles? IE: One Extra Special key gets a bit more of the DVD than everyone else? It should be fairly easy to burn a firmware with an extra key and chuck it on to pretty much any commercial player, right?

    Could we, in fact, turn a Disney DVD into a terrorist tool? Has it already been done? Should we be encouraging Congress to ban the CSS encryption scheme because it could have been used in such a way? Interesting questions, no?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
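The key-hierarchy trick asked about in the comment above, as an added example (not code from the original post, and not the CSS cipher): one disc key is wrapped under every licensed player key, the main title key is wrapped under the disc key, and one extra stream's key is wrapped only under a single "special" key that just one player holds. CSS's own 40-bit stream cipher is replaced here by a toy HMAC-SHA256 keystream with an encrypt-then-MAC tag, so that a wrong key is detected instead of producing garbage; the player keys, the special key and the stream contents are constructed for the demonstration.

```python
"""Selective disclosure on a CSS-style disc: one disc key wrapped under many
player keys, plus one extra stream whose key is wrapped under a single
'special' player key.

Added example for the question in the comment above; not code from the
original post and not the CSS cipher. The cipher is a toy HMAC-SHA256
keystream so the key-hierarchy logic runs stand-alone; all keys and
stream contents are constructed.
"""
import hashlib
import hmac
import os


def _subkey(key, label):
    """Derive separate encryption / MAC keys from one wrapping key."""
    return hashlib.sha256(label + key).digest()


def _keystream(key, nonce, n):
    """Toy PRF keystream: concatenated HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key, plaintext, nonce=None):
    """Encrypt-then-MAC. Layout: nonce(12) || ciphertext || tag(16)."""
    nonce = os.urandom(12) if nonce is None else nonce
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key, blob):
    """Return the plaintext, or None if the key is wrong or the blob was altered."""
    if key is None or len(blob) < 28:
        return None
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    want = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, want):
        return None
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def author_disc(player_keys, special_key, main_title, extra_subtitles):
    """Build the disc image: the normal hierarchy plus one slot only special_key opens."""
    disc_key, main_key, extra_key = os.urandom(16), os.urandom(16), os.urandom(16)
    return {
        # as on a real disc: the disc key wrapped under every licensed player key
        "disc_key_slots": [seal(pk, disc_key) for pk in player_keys],
        "main_title_key": seal(disc_key, main_key),
        "main_title": seal(main_key, main_title),
        # the extra stream's key is NOT under the disc key, only under the one extra key
        "extra_title_key": seal(special_key, extra_key),
        "extra_title": seal(extra_key, extra_subtitles),
    }


def play(disc, player_key, extra_key=None):
    """What one player gets back: (main title, extra subtitles or None)."""
    disc_key = None
    for slot in disc["disc_key_slots"]:
        disc_key = unseal(player_key, slot)
        if disc_key is not None:
            break
    if disc_key is None:
        return None, None                       # unlicensed player: nothing plays
    main = unseal(unseal(disc_key, disc["main_title_key"]), disc["main_title"])
    extra = unseal(unseal(extra_key, disc["extra_title_key"]), disc["extra_title"])
    return main, extra


# Constructed keys: three licensed players; one of them also holds the extra key.
PLAYER_KEYS = [bytes([i]) * 16 for i in (1, 2, 3)]
SPECIAL_KEY = b"camel-mounted-player-key"      # hypothetical extra key
REVOKED_KEY = bytes([9]) * 16                   # never licensed

DISC = author_disc(PLAYER_KEYS, SPECIAL_KEY, b"feature film", b"the real message")

if __name__ == "__main__":
    print(play(DISC, PLAYER_KEYS[0]))               # ordinary player: main title only
    print(play(DISC, PLAYER_KEYS[2], SPECIAL_KEY))  # special player: main title plus extra stream
    print(play(DISC, REVOKED_KEY))                  # unlicensed player: nothing
```

The point the example makes is that nothing in a "disc key under many player keys" layout stops an author from adding one more wrapped slot, and an ordinary player has no way to tell an extra slot it cannot open from a slot for a player key it simply does not hold. Whether a burned disc of that shape plays in a given consumer player is a separate question the page does not settle; the key-hierarchy logic itself does not stand in the way.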

  15. Relative abundance of server variants... by throx · · Score: 5, Insightful

    I thought a majority of web servers run a variant of linux

    Here's the key to it. The majority of servers run some variant of Linux. Most buffer overflow bugs require a specific offset and known layouts in memory. If you look at the specific versions out there IIS is probably the most common single version of any product out there (can you get this info from Netcraft?)

    On the other hand, it could just be stupid admins - check out http://www.netcraft.com/Survey/vuln.gif. I'm sorry, but those numbers make me puke when I think any of those people seriously call themselves admins...

    --

    Fear: When you see B8 00 4C CD 21 and know what it means

    1. Re:Relative abundance of server variants... by scooterbooter · · Score: 5, Interesting

      Okay, it's time to debunk the M$ admins are lazy myth a bit..

      Here's my work environment -- the products that I'm supposed to install, after I've chosen the hardware for 700+ desktops, and maintain, after writing policies and ops documentation.

      Exchange (10) Servers, IIS (7) Servers, MS-SQL 6.5 and 7 (5) servers, Metaframe/NFuse (4) servers, RAS, VPN, 45 NT servers for general ops of all this stuff, a couple of Debian boxes for internal DNS, FreeBSD running MRTG, Nessus, etc, perform 2nd level support for 8 clueless admins and 6 semi-knowledgeable ones. Additionally, let's not forget the "uhh, how do I do a word merge", boss ranting about multicasting (for which I am going to modify configs on 12 cisco Routers and godonlyknows how many switches), write policy and operational documentation for all of this. Manage the "network consultants" that run DNS, e-Trust and FW-1, provide support and knowledgeable comment towards a $2mil software app development process in terms of "net and O/S", deploy 2000 server *sigh* next month and ensure that everyone makes a backup occasionally. (play nice with audit, 20 managers and two other organizations [1 that owns us, 1 that we own]).

      If *ANY* of you suckers handle all that daily, and still have time to mess with patches on a regular basis, I'd love to see you in action. This seems to be quite a common scenario for a lot of mid/small size companies, in my experience.

      I'd love to live in your dream world. People wonder why I'm an alcoholic. :-P Perhaps if I had a nice farm of 600 identical boxes, I'd be a perfect admin. This is life, folks. Get on with it without making the comments -- without understanding the other side of the fence.

      I did realize about three months before codered that we were a screaming hole for IIS exploits. Do I have time to cull through 30+ patches and tinker with which are appropriate to apply? Nope. Result: Nimda runs rampant still this week because I've been stuck in inane meetings all day.

      Now: Suppose your boss is used to having a mini-vax, and asked for CPU usage reports by dep't and individual last week. Do you see the uphill battle? We're young. Management in a small/midsize company isn't likely to even understand what they have running, less what should be paid attention to technically. Politics, Politics, Politics all day long. Yay! Well, I guess if the rest of the world got messed, it's okay that we did too.

      Have fun admin'n your two Apache boxes. Good Night.

      No troll intended, it's just a rant.

      S.

  16. Sneak Peek at the Docs by Greyfox · · Score: 5, Funny

    Here is a sneak peek at the documentation for the new IIS rewrite. Of course there are a lot of bugs in this version of the document and it'll have to be edited quite heavily before the final release...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  17. Re:$14.95 by andrewb · · Score: 5, Informative
    Ah, yes. That would be a kibblesworth of 5c.

    KIBBLESWORTH (n.):
    The footling amount of money by which the price of a given article in a shop is less than a sensible number, in a vain hope that at least one idiot will think it cheap. For instance, the kibblesworth on a pair of shoes priced at £19.99 is 1p.
    -- The Meaning of Liff, by Douglas Adams & John Lloyd
    --
    We apologise for the inconvenience.

  18. "Please provide the serial number"? NOT! by StenD · · Score: 4, Informative
    In the meantime, please provide xStore with information so that we can send you, the user of this product, the package that you are entitled to. Please provide the serial number of your DiscZerver product and the 'system page' with your response. The 'system page' is located at [http://your_Zerver_name_or_IP_address/admin-cgi/system].
    I hope you told them that they cannot limit their obligation to provide copies of the source code to those with DiscZervers. From the GNU GPL FAQ:
    What does this "written offer valid for any third party" mean? Does that mean everyone in the world can get the source to any GPL'ed program no matter what?
    "Valid for any third party" means that anyone who has the offer is entitled to take you up on it.
    If you commercially distribute binaries not accompanied with source code, the GPL says you must provide a written offer to distribute the source code later. When users non-commercially redistribute the binaries they received from you, they must pass along a copy of this written offer. This means that people who did not get the binaries directly from you can still receive copies of the source code, along with the written offer.

    The reason we require the offer to be valid for any third party is so that people who receive the binaries indirectly in that way can order the source code from you.
  19. Graham Clueless strikes back... by Chagrin · · Score: 5, Informative
    • Graham Cluley, senior technology consultant at security firm Sophos, is concerned that a mass move to alternative Web server software would cause more disruption than sticking with Microsoft IIS and patching it. "Code Red was less about the vulnerability of IIS, as all software has bugs, but more about system administrators ignoring the warnings that came well in advance of Code Red," said Cluley.

    Hmm... where do I remember him from?
    • "The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.

    Always nice to have a few staunch supporters ready to jump to your defense :)
    --

    I/O Error G-17: Aborting Installation

    1. Re:Graham Clueless strikes back... by akh · · Score: 4, Interesting

      This is taken out of context - the quote refers specifically to the Hotmail hole that allowed the reading of a specific user's mail. The quote has nothing to do with IIS as the hole is due to the poor design of the CGI backend. In other words, the Hotmail hole would have existed irrespective of the underlying web server.

      --
      Accept Eris as your Fnord and personally sate her
  20. Re:$14.95 by Wraithlyn · · Score: 4, Interesting

    Actually, they switched everything over to .99 and .95 with the invention of the cash register, the idea being to force the cashier to open up the cash box to retrieve change, which makes it much harder for them to pocket the cash for themselves without anyone noticing.

    --
    "Mind, as manifested by the capacity to make choices, is to some extent present in every electron." -Freeman Dyson
  21. Read the Gartner article again... by un4given · · Score: 5, Insightful

    Thus, using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out - almost weekly.

    This is the biggest problem with maintaining Microsoft networks. Exploits in IIS or Windows are far too frequent, and almost all patches require reboots. You can imagine the response I get when I call management every other week and say "I need emergency downtime to patch 65 of our servers...".

    Microsoft loves to talk about how their software has a lower TCO than other operating systems. Perhaps they don't count the cost of man-hours spent applying patches, or the downtime involved?

  22. How bout a different approach? by Phrogman · · Score: 5, Interesting

    I have been thinking about this as well as one of the places I do contract work for is getting pounded daily with Nimda and Code Red I/II attacks as well. Since the box is running Linux, the attacks don't matter but I have been wondering if there is some way that a sysadmin could take advantage of these requests to stop the attacking system.

    Various people have mentioned writing a white hat virus that would shut down the attacker and all that - but in reality that just puts you in the same boat as someone attacking their system - and it's therefore illegal. But if someone's computer makes an http request for a file from my server, am I responsible if what they get is not what they might expect to get?

    What if I was to create a file consisting of nothing but the letter X that was, say, 1Gb in size, and leave it on my linux webserver with a name like "root.exe"? It wouldn't take all that many requests for the attacking system to run out of HD space. Granted service on my server might suck for a bit, but eventually if enough linux admins did this the target systems would simply shutdown for lack of swap space or HD space or what have you.

    Or perhaps I tell Apache to treat .exe files as PHP files and process them accordingly. Then I create a PHP script that prints nothing but Xs or random numbers in a long string back to the requesting server (with the execution time limit for PHP turned off). It would be like 5 lines of code total.

    After all, it's my server, so presumably I put the file there for my own purposes, indicated in robots.txt that I don't want it indexed etc. If some other system makes a request for that file which I have in no way indicated is present on my system, isn't it their fault/problem if the file is too big, or causes problems at their end?

    I am sure the clever folks at /. could think of other things that could be done in this manner.

    Just food for thought, and I would love to see some suggestions...

    --
    "The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
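Before doing anything to the requests the comment above describes, a sysadmin first has to pick them out of the access log and decide which hosts are worth acting on. The following is an added example (not code from the original post or from any project named on the page): it parses Apache common-log-format lines, labels each request as a Code Red or Nimda probe from the published probe URLs (Code Red's /default.ida overflow request; Nimda's root.exe and cmd.exe requests and its Unicode / double-decode traversal), and lists the source hosts that sent more than a threshold of probes. The log lines are constructed.

```python
"""Spot Code Red / Nimda probes in Apache access logs and list the hosts
worth blocking.

Added example for the discussion above; not code from the original post or
from any project named on the page. The log lines are constructed. The URL
patterns are the published Code Red (/default.ida) and Nimda
(root.exe / cmd.exe, Unicode and double-decode traversal) probe requests.
"""
import re
from collections import Counter, defaultdict

# Apache common log format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# (label, pattern) pairs checked in order; the first match wins.
SIGNATURES = [
    # Code Red I/II: the overflow payload rides in the query string of default.ida
    ("code-red", re.compile(r"^/default\.ida\?", re.I)),
    # Nimda: looks for a Code Red II backdoor (root.exe) or reaches cmd.exe
    # directly through a Unicode / double-decode traversal
    ("nimda", re.compile(r"/(root|cmd)\.exe(\?|$)", re.I)),
    ("nimda", re.compile(r"\.\.%(c0%af|c1%1c|c1%9c|255c|5c)", re.I)),
]

# Constructed sample log: one worm-infected host, one ordinary browser, one more probe.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Sep/2001:10:12:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 218
10.0.0.5 - - [25/Sep/2001:10:12:02 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
10.0.0.5 - - [25/Sep/2001:10:12:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
10.0.0.5 - - [25/Sep/2001:10:12:03 -0400] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 230
192.0.2.44 - - [25/Sep/2001:10:13:10 -0400] "GET /index.html HTTP/1.1" 200 1543
192.0.2.44 - - [25/Sep/2001:10:13:12 -0400] "GET /images/logo.png HTTP/1.1" 200 4031
198.51.100.9 - - [25/Sep/2001:10:14:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 404 218
"""


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Label a request path 'code-red', 'nimda', or None for ordinary traffic."""
    for label, pattern in SIGNATURES:
        if pattern.search(path):
            return label
    return None


def scan(log_text):
    """Count probes per worm and per source host across a whole log."""
    by_worm = Counter()
    by_host = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # skip lines that are not in common log format
        label = classify(rec["path"])
        if label:
            by_worm[label] += 1
            by_host[rec["host"]][label] += 1
    return by_worm, dict(by_host)


def probing_hosts(log_text, threshold=2):
    """Hosts that sent at least `threshold` probes: candidates for a firewall drop rule."""
    _, by_host = scan(log_text)
    return sorted(h for h, c in by_host.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    worms, hosts = scan(SAMPLE_LOG)
    print("probes by worm:", dict(worms))
    for host in probing_hosts(SAMPLE_LOG):
        print("block", host, dict(hosts[host]))
```

Two practitioner notes on the "1 GB root.exe" idea. As far as the published analyses of both worms go, neither Code Red nor Nimda saves the reply to its probe on disk; the scanner reads at most a small buffer and moves on, so a huge response costs the responding server's bandwidth rather than the attacker's disk. A response that is dripped out slowly, holding the scanner's connection open for minutes, ties up one of its threads and is the version of this trick that actually hurts; the host list from the scan above is the more dependable output either way, whether it feeds a firewall rule or the abuse contact for the netblock.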