Netcraft Web Server Stats Challenged
kolchak writes "An article in The Age has an interesting analysis of the Netcraft Web Server Usage Reports. According to Port80 Software, Netcraft's surveys are biased towards domain name parkers and very small web sites, not taking into account how popular a site may be - there's some interesting results in the competing Port80 survey." However, it should be pointed out that Port80 "develops software products to enhance the security, performance and user experience of Microsoft's Internet Information Services (IIS) Web server."
Do we even need to think about this? How is this news?
NetCraft is dying!
Perhaps microsoft.com is running apache on linux after all! ;)
This is wrong on soooooo many levels. I could understand trying to twist the truth by redefining what a webserver is... but their sampling method is straight out wrong.
Want proof? Here it is. Go to the linked article, (or click here) and where they have the box to check your server header (about half way down the page) type in www.microsoft.com - you will see it's running IIS/6. A nice happy IIS server.
Now, type in my web server - http://www.isthatdamngood.com - it's a nice Linux/Apache server. My server will CRASH their app! Actually, a lot of Linux servers will crash it...
Kinda hard to claim your results are more indicative of the market when your scanning technology is flat out broken.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
Does "hostname" include websites of individuals who are off of another web site?
Like, if you use a free provider, and it's www.whatever.com/yourname?
If so, the numbers are definitely skewed. Are those even considered independent websites?
Should I trust Netcraft, or a small ass company doing IIS softs... hum... tough choice. NOT.
From their Partners page:
"Port80 Software's Strategic Partners:
Microsoft, Inc."
Strategic in what way? FUD?
Reminds me of the recent 'independent' research that was, by coincidence, financed by Microsoft itself.
Makes you wonder
and this was their response:
We detect that homepage.mac.com is running Apache/1.3.27 (Darwin).
but with this caveat
Note:
No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask.
Nope, no bias there.
The dogcow says "Moof!"
It's true that Netcraft counts by site, not popularity. They also count operating systems the same way, though they haven't published that for a while.
Two years ago, counting operating systems by site, Netcraft found 50% Windows, and 30% Linux.
But if they had been counting by traffic instead, Windows and Linux would have totalled less than 10%, while Unix and OS390 would have been shown to be serving most of the Internet.
But it doesn't seem to be very important data, regardless of whether it is skewed towards Apache or IIS.
I have been pwned because my
Thus spake the article:
...snip snip...
...snip snip..
Port80 Software, a San Diego-based company that develops software to enhance the security, performance and user experience of Microsoft's Internet Information Services Web server, said it had conducted a survey of Fortune1000 companies recently and found that Microsoft IIS had ongoing dominance in the enterprise with a 53.8 percent market share.
"What do Netcraft's findings prove about Web server market share? It all depends on how you choose to define 'market share'," Lima said. "Netcraft attempts to review every detectable site on the Internet to generate their web server statistics, and this gives their survey a natural bias in favour of web servers that host relatively low-traffic or even parked domains.
Considering that Port80 has a serious bias towards IIS, any conclusions they draw should be taken with a mountain-sized grain of salt. I guess it boils down to what you think "market share" is: what is everyone running, or what servers are the Fortune 1000 companies running? The answer seems pretty obvious to me.
I Am My Own Worst Enemy
Netcraft seems pretty open about the effect domain parkers have. They've noted numerous times when things have shifted a couple points due to various companies changing the software they use for hosting. And what does an individual site's popularity have anything to do with how many sites are running a certain software? No one claimed the sites served more traffic, simply that they exist.
Ok, so the Microsoft connection makes it easy to write the whole thing off as astroturfing, but they have a point.
Parked domain names usually aren't separate websites; they're usually hundreds, or thousands of domains pointing to the same server/service that's trying to sell them for profit. In addition, Netcraft counts www.yahooo.com and www.yahoo.com as separate sites-- Even though they both go to Yahoo.
In this manner, Netcraft's method *is* unfair, because there's no weight as to the location to which the domains point.
The theory of relativity doesn't work right in Arkansas.
If you do a header check on a site you get this notice at the bottom:
"No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask."
ServerMask must be the paperbag for ugly IIS servers or corporations who don't want to admit they run IIS
there's a graph showing the orthogonal discrepancy data points here and one for tautology here
It is not only funny that according to their "survey" IIS has more market share than Apache, but *gasp* Netscape has a larger market share than Apache too!
That is as big of a red flag as I have ever seen.
Of course the fact that they indeed produce softs for IIS is in no way shape or form any sort of indication to a possible, slight, minimal... bias.
LOL, a nice laugh... and they may even get slashdotted, which will bring joy to their sorry operation since they will now be able to claim that they are now one of the net's most popular companies/sites. I am sure this is some sort of ploy to get traffic, it will be funny to see if indeed their beloved IIS can stand the slashdot effect. LOL
What is this port80 fucking site? I get "invalid parameter" when I try querying other sites (with or without the http:// prefix and with or without the trailing / suffix), and I can't look at any of the results because they use client-side shit (Javascript), which is USELESS to lynx, w3m, or links users.
Typical fucking Microsoft apologist CRAP.
Sorry, I just had to!
Now, if you'll excuse me, I have backups to corrupt.
http://www.port80software.com/surveys/top1000webservers/
Did someone say biased?
A blog like any other.
is it me or did I just see an ad for free MS stuff on the front page of /.
Even if these Port80 guys are on Microsoft's payroll, the point they make is still quite correct - it makes no sense to measure market share by simply counting web hosts. If all the high-traffic web sites on the Internet are running IIS while the numerically greater but less popular remainder are running Apache, can you meaningfully say that Apache has a higher 'market share'?
Unfortunately, short of tracking people's surfing habits or getting access to web server logs, there is no easy way of working out the popularity of a site. Netcraft's method of polling every known webserver is really the only practical method available, if it is not truly accurate.
"A developer of tools for Microsoft's web server software..."
Come on. I expect them to pull for their team but let's get real. They are not a neutral party and it is in their interest for people to believe that IIS is more common, whether or not that is actually the case. I don't exactly blame them for trying to spin the "facts" in their favor but following the money does hurt their credibility in this matter.
I wonder if they make some money with their useless software...
Netcraft confirms: Netcraft is dying.
Who discovered that (and why?)
I know Slashdot hates a conflicting opinion but... They are claiming that Netcraft does not accurately measure physical machines, instead that it counts domain names. So a machine that may be running Apache or IIS and hosting several sites might be evaluated incorrectly. I don't know how Netcraft checks, but if it is based on domain name then it is a representation of internet sites running a particular webserver/OS, not machines as a whole. Not that it matters much, but it's nice to know the whole truth.
I notice their top-1000 doesn't include Yahoo! (a well-known Apache shop)
Other PHB sites like the Nielsen-NetRatings list Yahoo as the #1 online destination so I guess they have a pretty narrow view of which companies are the top-1000.
Not that I can be bothered of course. And I'd use free software.. etc etc etc.
Hmmm, didn't slashdot start that way?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
They charge fifty bucks for ServerMask(TM). What does it do? It removes the "server" line in IIS to make it a bit harder to determine that the website is using IIS.
Of course, you can do the same thing in Apache for free.
And nmap will still identify IIS correctly.
I guess it all depends what kind of data you are looking for depending on which platform you want to sell, but both of these methods seem to produce equally worthless information to me. I would like to see a break down of webservers used/million hits or something to that effect. I suppose to be perfectly fair connection data and processing power would have to be normalized before hand as well.
Until then I'll happily ignore these poorly done statistical analyses and choose a platform based on my own criteria.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
One box running multiple sites should not be less valued than multiple boxes running one site each for this simple reason:
Linux can do it better than Windows and therefore more Linux boxes are going to run multiple sites!
The flipside to your point is that they are putting all duplicate domains down to a single machine... how many servers does google run on? according to this slashdot.org would be a single item - its actually 2 IP addresses (1 for the main area, 1 for sections).
Basically they have a point regarding dormant and multiple domains, but they miss as there is no weighting by usage and importance of the server's content. How many people do you think actually go to www.GreedyCorp.com compared to www.HotTeenSluts.com ?
An infinite number of monkeys will eventually come up with the complete works of
Let's assume apache hosts twice the domains on half the servers as IIS (as their survey would suggest).
What does that say about the quality of the respective servers?
With another month of positive gain by apache (+2.8%) and another negative month for IIS (-2.44) I guess someone has to pay someone else to shout otherwise, after all, that's the trend ;)
--
"we live in a post-ideological world..." - Billy Bragg.
Isn't it funny how a methodology that mechanically counts every server heavily favors Apache, while a selective, manual, easily manipulated survey favors Windows?
There is another source, SecuritySpace, that mechanically counts sites, and its numbers tend to agree with Netcraft.
Though they haven't done it for a while, SecuritySpace also used to show server stats for the top 100, 500, and 1000 websites, as determined by popularity/traffic.
What I used to find interesting was that, for the top sites by popularity, SecuritySpace's numbers showed an even _greater_ dominance by Apache (around 80%).
Therefore, I call bullsh** on Port80's survey.
So why should a criterion of "large companies" be better than "all websites"? Large companies aren't going to select a better web server just because they're large, and the corporate culture of large companies can be its own sort. If you're going to limit yourself to certain types of companies, shouldn't they limit themselves to, say, the 1000 largest dot-coms? Look at companies that couldn't exist without their website. I rather doubt there'll be much IIS among them...
Give a man a fire, and he'll be warm for a day, but set him on fire, and he'll be warm for the rest of his life.
...this story is a plant to sell their ServerMask software.
Very accurate.. And I have found that apache causes kernel panics if you try and visit http://site/panicme.now
You know, I wouldn't mind reading this "research" if only the companies involved were forced by some law to declare where their funding's coming from.
"Yep, we've just proven that Linux is the number one desktop in the world today. This statement brought to you by Novell/SuSE" would sit just fine with me; I could file the statement accordingly.
As things currently stand,
- I get to treat all such "research" as crap, regardless of whether it is or not.
- I get to continually challenge corporate decisions that are made on the basis of such research. "XYZ Research Inc says XYZ is the best product, and they also say they're in no way related to XYZ Inc. It must be true because it's in this magazine"
I know exactly where it all started, and I'm gonna whack those guys from the "Ponds Institute" if I ever find out who they are...
I put in my apache/linux server and it said it was running IIS 5.0
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
You have to look at their survey. It's talking about the CORPORATE web servers. I work for a major corporate America company. We have close to 4000 servers handling our "web" environment. That consists of web, app, and database servers. There's more IIS than anything else out there for sure in corporate America. Especially on the WEB front end. In a corporate environment there are about 20 Windows to 1 Unix boxes. Mostly due to Windows servers being so cheap and can't handle as much load per server. But on the DATABASE backend there is much more UNIX to Windows.
Another thing is Corporate America is barely getting their feet wet with Linux/Apache. The UNIX boxes that are installed are not running Apache, they're running something from a major vendor (ie. Netscape, etc). Up until this year there was NO linux in the corporate company I work for. If a MAJOR vendor will not support a product, corporate america will not install it. They love to point the finger at the vendors. If there's nobody to point a finger at when something goes wrong, it will not get installed.
Until Redhat started selling Linux for $5k corporate america wouldn't even bat an eye at it. Now they're eating it up like hot cakes cause it's EXPENSIVE! Linux is no longer a free thing. Now powerful execs can point fingers and plus be able to throw around the "L" buzz word and feel like they're pushing the envelope.
Like maybe because they know how to set up their machines properly?
If your machine takes 20 minutes to copy a file, there's a serious configuration problem which is deeper than Apache.
I tried several sites myself with my own javascript and guess what?
My results were different than theirs more than half the time! I figured they had multiple servers running, etc., so I rechecked at least 5 times on all sites (all sites checked, that is ~50)...NO CHANGE!
Take disney.com, for example. Their site says IIS 5.0. I got netscape...so did netcraft.
One word... BULL#%&*!
-Pride
Let's slashdot Netcraft to destroy any evidence!
Those script kiddies are dumber than I thought. And you'd pay for the ability to rewrite a header?
That's just sad.
Fuck Beta. Fuck Dice
I tried a couple of servers I am almost certain they don't use MSoft IIS and a lot of them are said to have their "identity protected"...
Don't seem to happen on IIS servers...
Montreal - Best city to live in!
Hotteensluts.com is run on IIS
HotGrits.com however, is on Apache, and is for sale
So, they surveyed the "Top 1000" companies
to see what web server they ran. Let's
have a look at some of these companies.
Take for example the AOSmith company, at
www.aosmith.com. They make electrical
motors, and water heaters. Now, I'm not
certain, but I'd have a *hard* time believing
their web site has substantial traffic.
I'm sure they have customers, and I'm sure
those customers visit their web site. But
I'm fairly confident the numbers are not
great. No doubt IIS can handle the load.
Since AOSmith is not an IT/computer-related
company, it's not surprising their website
is small, handled by IIS, and looks a little
bit like it was designed by the boss' nephew.
(And that's OK, they sell water heaters,
not "information" or computers.)
By comparison, let's take yahoo.com, a site
that likely gets ORDERS OF MAGNITUDE
more traffic than a hot water heater company.
According to the survey software, yahoo.com
isn't telling anyone what they run. That's
because they run a custom httpd daemon in
custom freebsd kernels.
Now, you'd never see that in the survey,
since they did not even include yahoo.com
in their TOP 1000 business survey. Instead,
their criteria for Top1000 appears to be
revenues, regardless of whether or not the
company's business is substantially related
to the web.
I don't dispute that many of the top1000
businesses run IIS. Like many companies
that don't have a large internet business,
they have ass clowns for sysadmins. For
many of the non-IT related businesses,
their idea of an IT department is a few
DeVry graduates who can keep the Windows
network up, and apply the patches once
in a while.
But, if you wanted to do a real survey of
what people run for webservers, it strikes
me that a relevant criteria (if not THE
dominant criteria) is the amount of traffic
the site experiences. This is HARD to
measure of course, since it requires self-
reporting.
It's strange that Port80 didn't complain when Microsoft was making deals with the domain name parkers, in order to increase IIS's numbers.
:-)
What's especially funny is that those domain name parkers switched back to Linux and Apache. Apparently Windows and IIS weren't up to the challenge of hosting empty websites.
....any publicity is good, and good publicity is even better.
MS spends more on lawyers and PR than it does on anything else. The big lie lives.
Port80 Survey header check /surveys/top1000webservers/headercheck.asp, line 121
Microsoft OLE DB Provider for ODBC Drivers error '80040e57'
[Microsoft][ODBC SQL Server Driver][SQL Server]String or binary data would be truncated.
A suggestion for their ServerMask product: COVER UP ERRORS THAT GIVE AWAY INFORMATION. Seriously, if they think that headers are going to give away a lot of info, then forced errors will, too. But there is a boatload of other techniques (including passive techniques) that get around their security-through-obscurity program.
HIV Crosses Species Barrier... into Muppets
Microsoft OLE DB Provider for ODBC Drivers error '80040e31'
[Microsoft][ODBC SQL Server Driver]Timeout expired
/includes/Referer.asp, line 7
It doesn't matter if the domain is parked or serving thousands of pages...domains are just as easily parked on IIS as on Apache.
slashdot, news for crazed liberal socialist zealots
I could not help but notice that Google, Yahoo, and Slashdot are omitted from their "top 1000" list. Yet rumors persist that these three web sites get a fair amount of traffic.
They have no point. Netcraft is counting domains served. End of story.
Port80 are flat out lying and you are probably an M$ funded astroturfer also.
If I were running Apache (hey wait a minute, I am!)
Okay, okay. If I were up to a prank, I would set up something like ServerMask which claims my Apache server is IIS, and count how many lamers try to hack in.
Sort of like the standard BitchX practise of pretending you are mIRC.
Karma: It's all a bunch of tree-huggin' hippy crap!
They sure know how to run a high availability web site!
/includes/Referer.asp, line 7
Microsoft OLE DB Provider for ODBC Drivers error '80040e31'
[Microsoft][ODBC SQL Server Driver]Timeout expired
run FUD run
Microsoft OLE DB Provider for ODBC Drivers error '80040e31'
/includes/Referer.asp, line 7
[Microsoft][ODBC SQL Server Driver]Timeout expired
Trying to access http://port80software.com/:
/includes/Referer.asp, line 7
Microsoft OLE DB Provider for ODBC Drivers error '80040e31'
[Microsoft][ODBC SQL Server Driver]Timeout expired
Hahahah! Yeah, I'll trust ANYTHING those MS lackies have to say.
Slashdot effect seems to be bringing Port80 Software's server to its knees. On a holiday night. At 1:30 AM Eastern US Time. Words cannot express the level of amusement I am feeling.
Stop-Prism.org: Opt Out of Surveillance
a product .... to confuse script kiddies
I am running Apache on Linux, and I still get 1000 hits a day trying to crack MSADC with buffer overflows, and FrontPage exploit attempts. It's not like the script kiddies check the server ID or pay any attention to it even if they do.
They are accurately measuring what they set out to measure. The top 1000 corporate websites. And most top 1000 corporations are Microsserfs these days. No surprise here.
But then Martin Marietta Materials and Warnaco running IIS6 doesn't mean squat. They ain't exactly prime destinations on the Internet so IIS can probably carry the load well enough, and if it is down a few minutes each Sunday morning for the weekly reboot who really notices.
As for the Windows e-commerce sites, they pretty much speak for themselves if you have ever used them. They generally work fairly well but never great. Blame it on IIS or on the sort of second rate techs who either choose inferior tech or hang around somewhere where decisions in their own area of expertise are overruled by ignorant suits like a bad scene from the Dilbert Zone.
Look at the sites that carry the weight, the ones that laugh at the slashdot effect, they know what works and what doesn't. Hell, if Microsoft didn't feel they had to eat the dogfood, microsoft.com would probably be running apache. Especially if the web services division had to actually take the licensing cost for that buttload of servers out of their departmental budget.
Democrat delenda est
This is a case where a useful critique of Netcraft's methodology could be made, and the survey (and the statements from Port80) instead is flatly ludicrous.
What's frustrating is that this is not a partisan issue. It's a question of what tools people are using to do what jobs in the world of web serving, and, by extension, what that means for the web as a whole.
In addition to all the other complaints about Port80's crappy methodology, it seems relevant to point out that in the world of the web, sites with relatively little traffic can have a powerful impact individually in the "real world", and have a powerful effect in combination with each other (witness the blogging phenomenon). Ignoring low-traffic sites assumes that low traffic is tantamount to irrelevance. But if lots of low traffic sites with some sort of significant impact on whatever level are using Apache, then we might want to ask why that would be. Port80's method stinks.
Online citizen journalism from the inner city: The View From The Ground
The surveys at securityspace.com attempt to weight webserver popularity by site popularity.
If you are conducting a survey to find out what is the "best of the best" in server software, why survey Family Dollar Store? Or Land 'O Lakes? You should be choosing technically savvy, solution neutral companies that are likely to choose the best. These are the actual companies that have a big web presence and you would not expect them to choose a platform which would affect their bottom line badly... As opposed to Sears Roebuck, whose online presence can be compared to Amazon's retail presence. Would we ask Amazon how to organize endcaps? Let's pick a few technically adept companies at random here...
Amazon - Apache
AT&T - Netscape
Bell South - Apache
Cisco - Unix
Dell - IIS5
Earthlink - Netscape
E-Bay - IIS4
HP - Apache
Intel - IIS6
Lucent - Netscape
Motorola - Apache
National Semiconductor - Netscape
Nextel - Netscape
Qualcomm - Netscape
PC Connection - IIS5
I can't survey any more companies, because Port80's IIS6 server is slashdotted. However, it is apparent from this data that nearly 1/3rd of all websites that count are hosted on Netscape platforms. Apache and IIS share 1/4th each, and Cisco's odd Unix variant wraps up the rest.
Personally I'm amazed that Netscape is holding on to a lead... I would have expected them to be out of the running long ago. I'll have to check them out.
The ______ Agenda
Everyone is crying foul... "IIS biased". But how does making a larger % of the web look like it's running IIS make them $1 more money? Maybe IIS is 20% of the web, maybe it's 70%, but unless *I* am running IIS, I'm not going to pay them money.
Can someone explain the bias?
Read reviews of shopping cart software
I'll ignore for the moment the question of the quality of their data. I'm sure others will endlessly debate it (and I'll probably join in). Let's look at something else: The quality of their presentation.
First, let's take a look at the most recent Netcraft server survey. Let's see, clean display. The scale grid is subtle and doesn't draw attention to itself, but makes it easy to see exactly where a line falls. There is little wasted pixel data. It's easy to see trends and make comparisons. For the curious the exact numbers for the last two samples are listed (regrettably only two samples are listed). The graph labels the data it shows ("Market Share for Top Servers Across All Domains August 1995 - November 2003") leaving the reader to form his own opinions. On the down side, the scale confusingly marks 7% increments and the yellow line for Netscape/SunOne almost disappears into the background. Still, well above average for a graph. Definitely room to improve, but better than most people expect to see.
Now let's examine the Port80 server survey. Wow, what a difference. The grid is a much more dominant element. The 3d effect means that bars further in the back appear taller (by up to 15 pixels, or about 7%) and makes it hard to compare a specific data point against the scale. The complexity of the 3d bars complicates things, the "top" of the bar is actually larger than the month to month shift in the numbers. The "area" of the bars implies size (intellectually you know it isn't, but your gut says otherwise), this means that the largely obscured middle bars (Netscape and Apache) seem smaller. Ultimately bars are the wrong choice, we're examining points over time (suggesting a line chart), not clusters of data. The chart is labeled with a conclusion ("Microsoft IIS Maintains Dominance Of the Corporate Web Server Market"), suggesting interpretations to the reader. On the up side, they provide heavily broken up information for the most recent sample point (regrettably it's a graphic). They include a worthless pie chart. If you want to show market share a line chart showing historical data would be much more enlightening.
Conclusion? Port80's graphs suck. Hard. It's a stunning example of how not to create high quality graphs. The creators need to be beaten with copies of Tufte's information display books until they get it. This is the sort of amateur crap I expect on PowerPoint slides from people more interested in being cool than being useful, or perhaps from the graphics department at USA Today. As an engineer I'm disappointed.
Search 2010 Gen Con events
Anyone else notice that the spokesman for Port80 claims that they have been running the survey all year "except for a period between February and June"? That means they've been running for about eleven months, except for the five months when they weren't running...
I don't think they have much in the way of credibility, even without their transparent bias. They seem to have a creative way with arithmetic.
It is a woman's prerogative to change other people's minds.
Microsoft OLE DB Provider for ODBC Drivers error '80040e31'
[Microsoft][ODBC SQL Server Driver]Timeout expired
/includes/Referer.asp, line 7
we live in an era where you can market shades to a blind man, and thats what these folks are doing. leave them alone to make innovative products like ServerMask.
They have a point, even if they exaggerate its importance. Netcraft may well be about counting domains, but there may well be more useful ways of tallying web server software. Of course, as with everything it depends on your needs, and Netcraft may be just what someone is looking for.
The problem of course is believing anything a company which is obviously in bed with MS says.
You can't make an accurate comparison unless you can remove all the other factors which directly affect how the server will perform.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
"Netcraft's surveys are biased towards domain name parkers and very small web sites, not taking into account how popular a site may be..."
I don't see why popularity matters, if it's simply a census of web platforms. The fact that I have a lot of friends doesn't change the fact that I only represent one individual in the population.
I wonder what they'd do if they found an IIS box serving 100 web sites, sitting next to a box serving 1 website. Would they still say "Oh, it's still considered one web server", or would they say "See how good IIS is ". These guys are so obvious, that it's obvious...
I'm not drunk, I'm just in touch with pi.
Port80Software has been slashdotted. As of 23:41 MTN Standardtime Nov 26th, 2003.. their box is completely down.
...
Wonder what they're running
there is no such thing as an unbuffered pointer, asshat
I worked for him for a few months a couple years ago. From the time I spent with him he seems like a smart guy who knows his stuff. He's well-spoken and has a lot of interesting comments/ideas about the Internet. Who knows how valid his data is, but I think he has an interesting idea - that Netcraft is failed because of its sampling methodology. (That, and his approach might help sell some software of his - I said he was clever, no?)
64% of all statistics are meaningless.
Ohh and in completely unrelated news according to the yourafuckingsucker.com survey the stats are:
100% YourAFuckingSuckerWebServer
-10% Apache
666% IIS
GPLv2: I want my rights, I want my phone call! DRM: What use is a phone call, if you are unable to speak?
A scan that goes by IP address instead of host name would be as valid as it gets, in my opinion--parked domains would all be on the same IP address, and small sites are likely to be hosted on some other company's server. There isn't any need to drag popularity into it, though, IMO.
Their wonderful IIS sure didn't stand up well to a Slashdotting.
Remind me again why I don't switch from Apache?
Oh my. Why the hell should we trust a group whose servers can't even withstand a slashdotting? I think the fact that they can't even set up a web server that can take a few hundred thousand hits in a few hours pushes their credibility a little further down the scale way below Netcraft.
Give me six lines written by the hand of the most honest man, and I will find in them something to have him hanged.
I think that's another way of saying "We made sure the stat we chose beat Apache before we published it". I'm sure the Port80 people could have done better and been even more restrictive on their sample set to improve IIS' result!
If you choose a product because some market stat says it's popular, good luck to you. Choose it for your own criteria (e.g. cost, reliability, features etc.) then good on you.
You all act like it's a conspiracy, or something new...
E-business runs on IIS. End of story. You go out and look at a lot of little sites, including people's boring blogs, and sure - lots of apache. But you look at heavily used sites, business sites, and a lot of them run IIS.
"Netcraft is biased"
"develops software products to enhance the security, performance and user experience of Microsoft's Internet Information Services (IIS) Web server."
Entities who could be accused of having a conflict of interest, ought not bother at all with statements like these. It will only end up making them lose integrity.
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
What about boxes like the ones where I work that run many (dozens, hundreds even) domains on one physical server? That's where the real difference creeps in; it's how 60-whatever % of sites run on Linux while 60-whatever % of boxes running web servers run Windows. Lots of the Linux boxes run multiple sites (and I don't just mean www.foo.com and images.foo.com; I mean they run www.foo.com and www.bar.com and www.baz.com and www.qxt.com on the single box).
So, take one of my boxes at work: it currently hosts 53 second-level domains and about 200 subdomains from them. The one I'm thinking of has its own class C netblock, but we have similar ones that just have a single IP address for their dozens of sites. Do you want that counted as one server, as 53, or as 200? Netcraft says it's 200. Port80 says it's 1. I'd like to count it as 53. Netcraft's way tells you what people who make web hosting decisions like. Port80's way tells you what people who make hardware and software buying decisions like.
All's true that is mistrusted
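The per-hostname, per-domain and per-IP counts contrasted in the comment above can be reproduced on a small inventory. This is an added example, not part of the original thread or of either survey's tooling; the hosts, addresses and the naive "last two labels" domain rule are constructed assumptions.

```python
"""Added example: one constructed host inventory, counted three ways."""
from collections import Counter

# Constructed inventory: (hostname, IP address, raw Server header or None).
# Addresses are from the RFC 5737 documentation ranges.
INVENTORY = [
    # One shared-hosting box: many names, a single IP, all Apache.
    ("www.foo.example",    "192.0.2.10", "Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a mod_perl/1.29"),
    ("images.foo.example", "192.0.2.10", "Apache/1.3.29 (Unix)"),
    ("www.bar.example",    "192.0.2.10", "Apache/1.3.29 (Unix)"),
    ("shop.bar.example",   "192.0.2.10", "Apache/1.3.29 (Unix)"),
    ("www.baz.example",    "192.0.2.10", "Apache/1.3.29 (Unix)"),
    ("www.qxt.example",    "192.0.2.10", "Apache/1.3.29 (Unix)"),
    # Dedicated boxes: one name per IP.
    ("www.corp-a.example", "198.51.100.1", "Microsoft-IIS/6.0"),
    ("www.corp-b.example", "198.51.100.2", "Microsoft-IIS/5.0"),
    ("www.corp-c.example", "198.51.100.3", "Microsoft-IIS/5.0"),
    ("www.corp-d.example", "198.51.100.4", "Yes we are using ServerMask"),  # masked banner
    ("www.corp-e.example", "198.51.100.5", None),                           # header removed
]

# Product tokens this example recognises; everything else is "unknown".
KNOWN = {"apache": "apache", "microsoft-iis": "iis", "netscape-enterprise": "netscape"}


def family(server_header):
    """Map a raw Server header to a product family without trusting its length or shape."""
    if not server_header or not server_header.strip():
        return "unknown"
    token = server_header.strip().split("/", 1)[0].strip().lower()
    return KNOWN.get(token, "unknown")


def registered_domain(hostname):
    """Naive assumption: the registered domain is the last two labels.
    Real surveys need a public-suffix list (co.uk and similar break this rule)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def count_by(inventory, unit):
    """Count each distinct unit once; unit is 'hostname', 'domain' or 'ip'."""
    seen = {}
    for host, ip, header in inventory:
        key = {"hostname": host, "domain": registered_domain(host), "ip": ip}[unit]
        seen.setdefault(key, set()).add(family(header))
    tally = Counter()
    for families in seen.values():
        # A unit answering with more than one product is reported as "mixed".
        tally[families.pop() if len(families) == 1 else "mixed"] += 1
    return tally


def percentages(tally):
    """Convert a tally into percentage shares rounded to one decimal place."""
    total = sum(tally.values())
    return {name: round(100 * n / total, 1) for name, n in tally.items()}


if __name__ == "__main__":
    for unit in ("hostname", "domain", "ip"):
        print(unit, percentages(count_by(INVENTORY, unit)))
```

On this inventory the same machines give Apache a majority by hostname and IIS a majority by IP, and the masked or removed banners land in "unknown" under every method.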
Well, whatever THEY are running, it doesn't look like it could handle a slashdotting. Here's the google cache of the article.
Their methodology sucks as well, though. I would venture the guess that a large proportion of those 1000 websites they sampled are just "brochure"-type websites. (Like eg. apache corporation)
So I decided to do __..--Sascha's Server Survey--..__:
I checked out the servers that the top 50 alexa ranked pages run. (Yes, I am too lazy to do the whole hundred)
Results:
apache: 20
iis: 17
netscape/aol: 7
other/unknown: 7
An interesting observation is the difference between the first 25 and the second 25 bunch. The first bunch includes all those microsoft sites that all the lusrs visit: msn.com, microsoft.com, passport.net, doubleclick.com.
First 25:
iis: 11
apache: 8
netscape/aol: 3
other/unknown: 3
Second 25:
apache: 12
iis: 6
netscape/aol: 3
other/unknown: 4
My intuition is that the majority of websites are going to be more like the second segment, because of the lack of monopoly distortion (i.e. default IE website).
Sign up now for only $666, and get the full results of this superb survey.
Netscape runs on more corporate environments than Apache?
Strange, I didn't notice Netscape gaining such a tremendous market share over all the shops out there that sell systems w/ Apache.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
true but teensluts.com, wetteensluts.com and asianteensluts.com are running apache.
Port80 Software Co.? Should be called Port81 Software, seeing as thanks to various IIS worms many ISPs have blocked port 80 for their clients!
A full grown stallion's cock, when fully erect, will measure some two to three feet long.
does this article mean that all those trolls were... (dramatic pause) wrong?!?!?!?
They certainly haven't really thought about what they are trying to do..
show me one company that uses only one web server... i've yet to see a company that fits into the "large" bracket that doesn't run at least 15 different types of web servers...
So they run their front page with iis... who cares, it's only html (in most cases)...
Not just this, but when you add layer 7 load balancing into the equation, the same url could be served by many different breeds of web server...
IIS is great (although most are) for serving static content, but a lot of companies sure do like the bigger/badder machines for doing anything more that's web-based...
slashdot.org
.... :)
Date: Thu, 27 Nov 2003 07:14:10 GMT
Server: Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a mod_perl/1.29
SLASH_LOG_DATA: shtml
X-Powered-By: Slash 2.003000
X-Bender: The modern world can bite my splintery, wooden ass!
Vary: Accept-Encoding
Cache-Control: private
Pragma: private
Connection: close
Content-Type: text/html; charset=iso-8859-1
and www.port80software.com
Date: Thu, 27 Nov 2003 07:15:25 GMT
Server: Yes we are using ServerMask
Set-Cookie: It works on cookies too=8NSM130P.5Q..NS12K9856.03, 5, 3778M; path=/
Cache-control: private
Content-Length: 21811
Connection: keep-alive
Connection: Keep-Alive
Content-Type: text/html
what a crock
We detect that www.port80software.com is running Yes we are using ServerMask.
Date: Thu, 27 Nov 2003 07:15:24 GMT
Server: Yes we are using ServerMask
Set-Cookie: It works on cookies too=8, SM130P.5Q..NS12H57M64MP00.N2356; path=/
Cache-control: private
Content-Length: 21881
Connection: keep-alive
Connection: Keep-Alive
Content-Type: text/html
bash$
No one bothers to mention that a lot of default installs for Windows 2003 Server plans include web services even though they may only be using the machine as part of an active directory or PDC.
Flamebait? HOW IN THE LIVING FUCK IS THE COCKSUCKING PARENT POST FUCKING FLAMEBAIT WHILE THE OTHER LIKE-MINDED POSTINGS ARE NOT? Stupid choad guzzling moderators. Typical fucking MS lackies, moderating things they don't agree with down into the netherlands.
I work for a large company (very large) and believe me, IIS doesn't get within two router hops of our production environment. I have also dealt with many large pharma companies and they love Linux for their research clusters. It's cheap, it's fast and it works. Many of my techy friends work at various companies, and from what I've heard, the less technically savvy the company is, the more likely it is that they run IIS. The more crucial internet presence is to their bottom line, the more likely that they run Apache+Linux|BSD. My samples are also pretty limited but at least they're based on real knowledge and samples (10+), not conjecture and extrapolation from a single data point. So go spread your bull fewmets elsewhere, like "Microsoft Weekly" or "IIS Developers Quarterly". We ain't interested.
There is no trap so deadly as the trap you set for yourself
-Raymond Chandler, The Long Goodbye
Right you are! Your site does cause his "scanning" software to blow. He he he and what use is a server mask if your server is spewing this:
/support/Tools/Tool_ServerMask.asp, line 119
;)
Microsoft OLE DB Provider for ODBC Drivers error '80040e57'
[Microsoft][ODBC SQL Server Driver][SQL Server]String or binary data would be truncated.
Oh wait... the sneaky guy, he may be running a perl script and he is just trying to fool us. Sneaky sneaky guy.
Hot sauce and more
Linux and Mozilla users get a 5% discount (unless of course you are using "client mask")
Today, a new bunch of Microsoft advocates use the opposite argument as was used in September, by NOT counting deployments on hosting providers to spin the numbers in their favor.
Meanwhile the overall drop in Microsoft's share continues.
They list the 995 sites they include (they're using the Fortune 1,000, and, looking at some of the earlier reports, apparently 5 Fortune 1,000 companies don't have sites). (If they're still Slashdotted, you can download the pages from Google's cache. Start here.)
A bit of quick Perl hackery pulls back the following values, roughly in line with what they report. The second column is actual sites found.
That said, I doubt the usefulness of the survey. It's a survey of Fortune 1,000 companies. These are often companies whose web presence is minimal. What does a giant holding company need with a web site? Heck, five of the companies didn't have any site at all! Of those sites that exist, many lack any sort of complexity (say, thousands of pages, or lots of dynamic pages). Simply put, many of these sites would run fine on almost anything, they don't represent Hard Work. I'm a lot more interested in what Google and Yahoo choose to run than in what the Radian Group and the Kiewit run.
Now Netcraft does have the problem they cite: Netcraft weights everyone equally. Perhaps that introduces bias. Perhaps we should select a set of sites that is high bandwidth, typically has at least some dynamic systems in place (say, to handle selling accounts), and is a popular target for hackers? How about porn sites? Porn operators have a hard job, thanks to Smutcraft you can see what they run.
Second, it looks like they've chosen one site for each company. For Amerco, for example, they chose UHaul.com running IIS. Reasonable enough (UHaul is part of Amerco), but it's interesting that they skipped amerco.com (running Apache). Not a great example, surely (especially since uhaul.com is certainly doing more real work than the very thin amerco.com), but it shows that there is a selection process of some sort, and any selection process risks introducing bias.
Search 2010 Gen Con events
Have a look at their products... Security through obscurity is one of them (ServerMask), and a "custom error page" deployment tool is another. Then there's a HTTP-gzip compression package. I won't even mention the rest - "highly innovative", isn't it.
These things never count the millions of porn domains out there, and everyone in porn runs on *nix and Apache. The Hun gets well over a million uniques a day and sure as hell doesn't run on M$.
Now do the following commands:
(With Apache 2.x, cd os/unix)
#define PLATFORM "Unix"
(With Apache 2.x, vi ap_release.h)
#define SERVER_BASEVENDOR "Apache Group"
#define SERVER_BASEPRODUCT "Apache"
#define SERVER_BASEREVISION "1.x.xx"
(With Apache 2.x, cd
You're done. Congratulations. You just saved yourself $49 dollars!!!
So basically, they're using a (questionably biased) survey of "servers" running IIS Vs others.
No, excuse me, but wouldn't being able to run 100 sites on an apache box without problems beat the pants off having to run 100 separate IIS boxen?
I mean, if say, 70% of the websites in the world were to be run on 30% of the servers, I'd say those 30% of servers had something over the other 70%...
Step 1, redefine "market share" by chopping off any sectors that don't use your product. Step 3, profit!
Mod parent up!
Why only one month?
What about the S&P 500?
What about the Russell 2000?
What about Nasdaq, the technology "market"?
They can slice and dice all they want. How's it go...statistics...?
Just like Gartner or Enderle, how many surveys did they do before they got the result they wanted?
Attack Netcraft. A survey that's been the industry standard for years. And come out with a one month survey in response. With results that coincidentally are helpful in selling the products/services that the survey company is selling...
The timing is perfect. The suits that are gullible enough to fall for this survey to justify their predetermined choices are also the turkeys in the industry.
Gobble, gobble.
About Us -> Bottom of page shows Microsoft Certified Partner logo.
hmmmmmmmmm!!!!!!!
Yeah, for sure, they account for only important website, IBM is not even part of the list. Maybe they should focus on all websites for all companies on the NYSE having more than 200,000 actions transactions per day. That might be more insightful...
Enough of your silly debating. If any of you still think this is a real survey, and not propaganda, then take a look at the message given if you scan a server header that reports Apache:
"Note:
No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask.
Try ServerMask FREE for 30 days. Download Now!
Buy ServerMask for only $49.95 today!"
Case in Point
And here's what it says if you scan an IIS based site:
"Protect your Web server identity with ServerMask!
Why let anyone find out you're running a Microsoft IIS server? Don't tempt potential hackers!
Try ServerMask FREE for 30 days. Download Now!
Buy ServerMask for only $49.95 today!"
Case in Point
Hmmmmmmm, two different results. Strange....
LS
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
There is not much point in bashing one or the other survey as being biased. Of course they are (whether intentionally or not), since a single survey will only ever show a single perspective.
- Netcraft shows servers by hostnames
- Port80 shows servers for US Fortune 1000 companies
Both are interesting (even though the Port80 graphs suck, and their software is broken).
But both are meaningless by themselves if you want a serious view of server software usage.
Adding Netcraft's SSL survey (which isn't free) would help to get yet another perspective.
Then a breakdown by IP addresses instead of hostnames would be interesting, but Netcraft doesn't seem to publish that.
And what about non-US Fortune-N companies?
And web servers whose main business relies on the web (as this post suggests)?
And stuff you definitely cannot get like the sites with the most traffic? (maybe you could get "sites-with-a-lot-of-traffic-which-do-banner-advertizing-with-major-banner-advertizing-companies").
If you take the survey for what it is, it's interesting. Just don't expect it to tell you more than it can.
Port80 is not about market share, it's about market share in US-based Fortune 1000 companies this summer. A very limited, but nonetheless interesting survey (if you care for surveys, that is).
Who will do a survey of slashdotted sites? Shouldn't be too difficult. Anybody bored in some rainy region of the globe?
If you look at the second graph, iis4.0 is gaining market share. This is obviously false, and also is not in accordance with their own numbers at the bottom.
If the whole survey is as "carefully" done as that, just write it off. It seems to me to be made up.
the pun is mightier than the sword
And that's that netcraft doesn't go out of its way to get statistics! If you want your site to be monitored by them, you GO there and TELL it to read it. Did that change recently? Perhaps there are some people behind the scenes that get paid under the table to inject certain numbers into certain places.. who knows, and who's gonna do something about it?
Port80 Software is dying.
cpghost at Cordula's Web.
However, it should be pointed out that Port80 "develops software products to enhance the security, performance and user experience of Microsoft's Internet Information Services (IIS) Web server."
About as respectable as Michael Jackson Daycare.
Table-ized A.I.
WTF does website popularity have to do with the choice of webserver by whomever is running the site?
Sounds to me like Port80 Software wants to confuse apples and oranges in order to find a convenient way to lie with numbers.
I can understand disagreeing with domain parking skewing the numbers, but what NetCraft does is show the choices of the (call them educated or knowledgable.. or not) professionals.
The average netizen doesn't give a hoot over what software drives a site, they're more interested in the content.
It is official; Netcraft confirms: Netcraft is dying
One more crippling bombshell hit the already beleaguered Netcraft community when IDC confirmed that Netcraft market share has dropped yet again, now down to less than a fraction of 1 percent of all surveys. Coming on the heels of a recent Netcraft survey which plainly states that Netcraft has lost more market share, this news serves to reinforce what we've known all along. Netcraft is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent net survey comprehensive test.
You don't need to be a Kreskin to predict Netcraft's future. The hand writing is on the wall: Netcraft faces a bleak future. In fact there won't be any future at all for Netcraft because Netcraft is dying. Things are looking very bad for Netcraft. As many of us are already aware, Netcraft continues to lose market share. Red ink flows like a river of blood.
Web Server Survey Netcraft is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time Web Server Survey developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: Netcraft is dying.
Let's keep to the facts and look at the numbers.
Netcraft Admin leader Theo states that there are 7000 users of Netcraft SSL Server Survey. How many users of Security Testing are there? Let's see. The number of Netcraft SSL Server Survey versus Security Testing posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 Security Testing. Find that site Netcraft posts on Usenet are about half of the volume of Security Testing posts. Therefore there are about 700 users of Find that site Netcraft. A recent article put What's that site running Netcraft at about 80 percent of the Netcraft market. Therefore there are (7000+1400+700)*4 = 36400 Netcraft users. This is consistent with the number of Netcraft Usenet posts.
Due to the troubles of Security Testing, abysmal sales and so on, Web Server Survey is going out of business and will probably be taken over by Netcraft who sell another troubled net survey. Now Netcraft is also dead, its corpse turned over to yet another charnel house.
All major surveys show that Netcraft has steadily declined in market share. Netcraft is very sick and its long term survival prospects are very dim. If Netcraft is to survive at all it will be among net survey dilettante dabblers. Netcraft continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, Netcraft is dead.
Fact: Netcraft is dying
that Microsoft's web server installs across ALL TOP DOMAINS have dropped to their 1997 levels, while Apache has almost doubled their 1997 levels. No amount of MS PR cash can change that fact.
Hiding your IIS server behind a server mask or mis-identifying it as an Apache server isn't going to stop a virus or trojan... they can't read. They just try the exploit and if it works... it works. Not only has that been happening a lot on IIS servers, and MS software in general, the rates of infections/infectors seem to be growing... which explains why Apache had another large jump since last month, and MS has fallen by almost the same amount.
It's one thing to have your web site broken into, it's another thing to pay to have it broken into. That's what you're doing when you buy & install MS web servers and the anti-viral software which supposedly will 'protect' them. It's obvious something is not working....
Running with Linux for over 20 years!
Why is everyone complaining about netcraft surveys based on domain names when every netcraft monthly survey also has statistics for active servers? See this month's survey for example, especially "total for active servers".
My quality social news site.com.
i tried their header check for www.apache.org [link is here]
Port80 returned this result:
"We detect that www.apache.org is running Apache/2.0.48-dev (Unix)."
But further down the page is this gem:
"No matter what the above results show, this company may be running Microsoft IIS and protecting its Web server identity with ServerMask."
WTF?!
Yet Socrates himself is particularly missed.
A lovely little thinker but a bugger when he's pissed.
Comment removed based on user account deletion
I don't know for sure, and I don't have any data to back up my assertion, but I have a strong feeling that Fortune 1000 sites are not the busiest sites out there.
For instance, a Fortune 1000 server probably only serves a few sites.
Most people running server farms doing mass hosting can serve tens of thousands of sites off a single server running Apache (or Zeus, etc).
I really doubt the relevance of this, especially in light of the fact that a lot of large companies will have a "MS software only" policy these days.
But, this is all conjecture of course.
You see, the thing with statistics, is that they can be misused in any way you choose.
What do NetCraft's stats set out to show? The servers that are used to run various domains. Is this *meant* to be a reflection of what the *business* world is doing? Not really. If that's what they wanted, they would filter out the rest.
If you wanted to infer that the business world is using a particular server based on Netcraft's stats, then the flaw is in the use, not the statistics themselves.
Now, are Port80's stats any better? They feel a reflection of the business world is to ask the 'largest' 1000 companies - ie. the ones that both have the most cash to throw around, and sizable enough orders to push down licensing costs through volume orders - what they use. What with corporate stigma for using products backed by other large corporations, and a desire for platform standardisation as well, it's hardly surprising that IIS comes out on top. Does this reflect what the rest of the business world is - or should be - doing? And do the Port80 stats highlight any trends for migrating from one platform to another?
As I said - any statistic can be misused. That doesn't mean they are flawed. But if anything, Port80 misrepresent their own stats to a greater extent.
smutcraft
The message of this survey is:
Only Fortune 1000 companies have importance.
And it is true. They are guilty for allowing MS to behave like it has. Fortune 1000 companies' IT departments are guilty for approving this shit going on for years and years.
Hmmm.... I think it crashes because your id string is soooo looong. I have tried three of my Mandrake 2.0.xx apache servers and one Netware apache 1.3.xx server and they report correctly.
I really don't think most apache sites announce as much about their servers as you do
Peder
The moderators really showed their butt by posting such flawed marketing crap.
To make it up, can we please have one 24-hour block without any articles that focus on MS-Windows, MS in general or its subsidiaries like Slate, MSNBC, MSNPR, etc.?
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Guys, there is not even Google on that list! So one of the most important websites on the internet is not even included in this survey. This report is crap!
So typical of "open sores" zealots...
"EXPERTS CONFIRM: CONFIGURING OPEN SOURCE SOFTWARE IS 300% MORE DIFFICULT THAN ORIGINALLY CLAIMED"
So far as I can see their results are presented in a rather cowboy fashion. IANAS(tatistician) but simply on face value, comparing the quality of netcraft with port80's fisher price webstats, I am surprised they even got a look in in the first place (regardless of bias).
Netcraft have an archive of data and graphs. It has taken them years to achieve the trust and respect they command in order to be an authority on the subject. You can't just pop up out of nowhere and expect people to take your results seriously unless you have a history of producing viable results that people can depend on.
This is quite obviously a ploy to drive traffic to their site and increase sales of their naff IIS plugins, which are probably about as usable as their webstat results.
Electronic Music Made Using Linux http://soundcloud.com/polyp
Obviously ashamed to say which server they are running !
http://uptime.netcraft.com/up/graph/?host=www.p
nick
Electronic Music Made Using Linux http://soundcloud.com/polyp
The results do seem to be particularly biased towards IIS. As a web developer who has worked with a lot of hosting companies etc., I know from experience that IIS definitely does not run on the kind of percentage of websites they claim.
If they are going to take into account website usage then although this would increase IIS's results for moderately large websites, this would surely be made insignificant when you add all the mega websites like the BBC, AOL, CNN, GOOGLE, YAHOO etc... where virtually none of these sort of sites run IIS yet account for the large majority of www traffic.
I tried to point this out to them via their contact page; however, this produced a "page not found" error, obviously another demonstration of the quality of their work.
In skimming threads, it looks like people have missed the real problem: that they have pre-selected their sample.
Their sample is the servers of the "fortune 1000 companies". Now, I don't know how the Fortune 1000 chooses its companies, but I'll bet they don't choose those companies that have succeeded due to good IT choices. Microsoft will be on the list.. but how much money does Google make? Is it on the list?
Moreover, and this is the really important point, they are completely ignoring every other kind of site. Government, educational, research, NGO, military, etc, etc. It ignores all the sites that don't make any money but are vitally important.
OK, they're just doing the study to prove that _companies_ use MSII. But even that's bad: it only proves that BIG companies use microsloth. This may be an intelligent decision for big companies, but not for small ones.
So, in general, the only thing that Port80 really says in its study is that big, rich companies use Microsoft. This implies no causality: few of these companies make money from the web.
The Netcraft survey shows that PEOPLE use Apache.. and I think that's much more interesting.
---Nathaniel
After spending MUCH time criticizing Netcraft, they finally come to *their* technique. Maybe they hope people will get convinced that Netcraft sucks and then gloss over their own approach.
:-)
Their approach is valid, but they make one assumption that is not. They talk as if the Fortune 1000 corporations web sites (their own pool) were the sites most heavily visited on the Internet.
Huh??? Amazon is a heavily visited site. The New York Times is a heavily visited site. Slashdot is a heavily visited site. Google is a heavily visited web site. Big corporations may make a lot of money, but that doesn't mean the average user has much reason to visit their sites.
So this assumption of theirs, which they make explicitly, is invalid.
Then again, Microsoft is one of the Fortune 1000 corporations, isn't it?
(8-DCS)
They don't even have Google... there goes their popularity accounting. Google is so popular that it is its own verb.
It just happens to run Linux... heavily.
This survey is crap!
So what this survey tells us is that large corporations tend to buy Microsoft. Is this news?
Under IIS it really is a one-line config change:
In:
%SystemRoot%\system32\inetsrv\urlscan\urlscan.ini
Change:
AlternateServerName=Whatever You Want It To Be/3.0
But it would be easier to simply remove the header altogether, as it really isn't necessary.
Change:
RemoveServerHeader=1
Don't get me wrong - this whole thing is just a marketing gimmick for port80 software to sell their completely unnecessary product.
I can't really figure out the topic for this thread - but it seems to be a ms vs apache thing again, when it really ought to be about marketing vs marketing. Both sides of this are trying to sell something, and that's what their statistics report towards - otherwise, what's the point?
If you're into this sort of thing (and have a little time to spare), here is some more data for you survey-chart-whatever nerds.
What are "the nation's 500 fastest-growing private companies, from Inc magazine" running?
Inc.com publishes the company list including website for free, so with the help of Perl, I got the HTTP headers for these 500 companies. 44 sites appeared to be down, and didn't respond. For the 456 others, get the data in various formats and enjoy.
Of course, if you do make fancy graphs with it, please give us the link.
(and you should probably give credit to Inc.com for making the original company listing available for free)
That's why the apache usage percentage is so low with them - The app crashes, and they assume IIS ;)
Any technology distinguishable from magic, is insufficiently advanced.
Yeah, right. For fun, I put my own domain into their little URL box.
:)
They correctly identify it as running Apache.
Then, 5 times the size, there's an ad that says "Despite what we've written above so small that you might miss it, this site might really be running (big font)M$ IIS(/big font) and our server masking tool (click here to buy)".
Let me guess how they arrived at their results: Probe 10k random servers, add the total sales volume of our server software as IIS percentage.
Assorted stuff I do sometimes: Lemuria.org
I happen to work for a fortune 50 company, and it is the new CIO's direction that we move to get off of IIS as quickly as possible to unix based platforms (apache & iPlanet). While there are exceptions (certain canned packages that only run under windows), basically the attitude is that we are sick of monthly "critical" security holes and want to move to a more stable platform.
Our win2k IIS servers are set for bi-weekly reboots, since the longer we leave them the more problems we have. Sounds "enterprise ready" to me, doesn't it to you?
I remember a few years ago, calling MS on a problem with one of our win2k servers. One of their "recommendations" was that we should be defragging our disks weekly. We almost sh*t our pants.. WTF, you want us to defrag 200GB of disk on a weekly basis?? This is a *server* OS? I mean, I've run Unix boxes for years and never seen more than like 3-5% fragmentation on a disk.
That is a very good point. They don't even list Google. While google may not be one of the 1000 largest companies, it probably handles more web traffic than all those 1000 companies put together.
should be taken with a mountain-sized grain of salt
People who enjoy the taste of salt add it in proportion to the amount of food they intend to eat. "Take with a grain of salt" means "Eat so little that just one grain is adequate seasoning", or just "eat very little". The suggestion to only consume a small amount is meant to imply a low level of trust. It is the opposite of expressions like "Swallow it whole" and "Swallow it hook, line, and sinker".
Expanding the salt grain to mountainous proportions therefore means that you will accept the survey results with total credulity.
Connecting to www.port80software.com[66.45.42.237]:80... connected.
... good.
HTTP request sent, awaiting response... 200 OK
Syntax error in Set-Cookie: It works on cookies too=82SM1M00.6Q..NS12L.M87MO051P,.297; path=/ at position 3.
Guess that it doesn't work too well
$ ncftp www.port80software.com
NcFTP 3.1.4 (Jul 02, 2002) by Mike Gleason (ncftp@ncftp.com).
Resolving www.port80software.com...
Connecting to 66.45.42.237...
Hello Port80Software.
WFTPD 3.1 service (by Texas Imperial Software) ready for new user
Gee, why aren't they running MS FTPd if they're such fanboys?
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host (66.45.42.237) appears to be up
Initiating SYN Stealth Scan against (66.45.42.237)
Adding open port 80/tcp
Adding open port 21/tcp
Adding open port 443/tcp
I want to delete my account but Slashdot doesn't allow it.
So with "the nation's 500 fastest-growing private companies, from Inc magazine" data (see parent), the dominance of MS, to my great chagrin, is even worse: Who can find some interesting top-something companies list on which MS would get the low rating it deserves?
Curious to see if this was another MS FUD campaign, I did a whois lookup for port80software.com. While I can't legally include the complete results here, I did find that they seem sheepish to give out any information, such as their names, or parent corporation, etc. All I found was that they are from San Diego. The authoritative e-mail is even a phoney.
My guess? A MS partner (if not MS themselves) looking to make their own biased stats.
What's more, if you look at their "about" page, it looks like their main offering is commercial software to add functionality to IIS that comes standard with Apache. And if you feel limited by Apache config directives like "ServerSignature" and "ServerTokens", you can always modify Apache's source code to send whatever signature you want! (And where is IIS's source code?)
And just how much good does it do to disguise your server signature? The majority of the not founds logged on my Apache server are hacks at IIS. Obviously, the script-kiddies don't care about the server-signature too much.
So, my conclusion is that this is just another MS arm spreading FUD and duping their customers out of a few bucks while they're at it.
"The large print giveth, and the small print taketh away" -- "Step Right Up", Tom Waits
We detect that goatse.cx is running Microsoft-IIS/5.0.
Date: Thu, 27 Nov 2003 13:55:10 GMT
Server: Microsoft-IIS/5.0
Last-Modified: Fri, 31 Oct 2003 07:10:49 GMT
ETag: "28c0df-455-3fa20af9"
Accept-Ranges: bytes
Content-Length: 1109
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Seems like this is a repeating pattern. Site is running Server A, but redirects to Server B. I wonder how common this is, especially with servers running different platforms.
Of course, it makes for a convenient way to keep pulling on the thread, and then quit when you find what you want to find -- in this case, a server running IIS.
Your Servant, B. Baggins
Why doesn't someone do a survey on what Fortune 100 / 500 company websites are running? That should settle the question. The curious thing is that Port80 did *not* give this breakout... if a majority of the Fortune 500 were running MS-IIS based servers, they would have probably trumpeted that no end...
More smoke & mirrors?
Does anyone else find it ironic that IIS should need something to broadcast and say "I am really an Apache server, please don't hack me."?
If you happen to be the administrator of some organisation, modify squid to log the 'Server' field from responses and collect statistics from real world surfing?
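As an added example (not part of the original thread or any poster's code), the tally suggested in the comment above can be sketched as follows, counting each Server header once per hostname and once per request so the two sampling methods can be compared. The two-field log format, the hostnames and the `KNOWN` family list are constructed assumptions; the header is self-reported, so masked or missing values are counted separately.

```python
from collections import Counter, defaultdict

# Constructed sample: one line per proxied response, "<host>\t<Server header>".
# Real proxy logs need the response header added to the log format first.
SAMPLE_LOG = (
    "busy.example\tApache/1.3.29 (Unix)\n" * 6
    + "small1.example\tMicrosoft-IIS/5.0\n"
    + "small2.example\tMicrosoft-IIS/5.0\n"
    + "small3.example\tMicrosoft-IIS/6.0\n"
    + "masked.example\tYes we are using ServerMask\n"
)

# Families recognised by this sketch (an assumption, extend as needed).
KNOWN = ("Apache", "Microsoft-IIS", "Netscape-Enterprise")


def product(server_header):
    """Reduce a Server header to a product family.

    Missing header -> 'unknown'; anything not in KNOWN -> 'other',
    which is where altered or masked banners end up.
    """
    value = server_header.strip()
    if not value:
        return "unknown"
    token = value.split("/", 1)[0].split()[0]
    return token if token in KNOWN else "other"


def tally(log_text):
    """Return (by_host, by_request) Counters of product families."""
    by_request = Counter()
    host_votes = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _, header = line.partition("\t")
        family = product(header)
        by_request[family] += 1
        host_votes[host.strip().lower()][family] += 1
    # One vote per hostname: the family seen most often for that host.
    by_host = Counter(v.most_common(1)[0][0] for v in host_votes.values())
    return by_host, by_request


def shares(counter):
    """Convert counts to percentages rounded to one decimal place."""
    total = sum(counter.values())
    return {k: round(100.0 * n / total, 1) for k, n in counter.items()}


if __name__ == "__main__":
    hosts, requests = tally(SAMPLE_LOG)
    print("share by hostname:", shares(hosts))
    print("share by request: ", shares(requests))
```

On the constructed sample the same traffic yields opposite rankings depending on whether hostnames or requests are counted, which is the sampling question the thread is arguing about.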
Now, how many Unix folks handle how many servers, and how much traffic do those Unix servers handle?
The simple fact that every damn Wednesday your Windows personnel have to jump through hoops to respond to the latest proof of Microsoft's crappy products increasing the cost of owning turdly software why don't you sit down and figure out how many man hours are completely wasted in this weekly exercise of yours. Because the hours spent patching toy computers are hours and dollars spent that therefore couldn't be spent on something to improve the corporate bottom line - like producing or selling a product.
Please, let those astroturfing Microsoft shills who wouldn't know a man page from a bash prompt tell me again about total cost of ownership.
That the person depicted in the Smutcraft logo is sporting a stiffy?
Yep, a boner, woody, pocket sausage, whatever you wanna call it.
Or am I going blind?
They weren't totally at fault.
The URL I entered redirected to an IIS server. I forgot I had it set up that way. Regardless though, now it's counting two servers as IIS instead of one so they're still wrong.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
... or maybe it's just me. I'm looking at their big, honkin' graphic that shows "Percentage of market" and the November winner seems to be clearly IIS 6.0 on W2K+3 (relative to all other IIS servers). But the gigantic pie chart, which also shows a breakdown of what IIS is the particular favorite seems to be IIS 5.0 with ~44% of the market. I understand that these are different measures, but shouldn't the relative weightings of IIS-IIS be about the same here?
-Joe
At first blush, the Port80 methodology of sampling Fortune 1000 companies seems to make sense: Let's look just at the big boys so the little, insignificant sites don't skew the results.
But who really gets excluded? According to the U.S. Small Business Administration FAQ, the U.S. has 22.9 million small businesses. That comprises 99.7% of all employers, 50% of private sector employees and 44.5% of private sector payroll.
Using these SBA numbers, we can determine that there are around 70,000 large businesses in the U.S. So Port80 is sampling maybe 1.5% of large businesses (and the top 1.5% at that).
I would suggest that the Port80 sampling method is seriously flawed. Furthermore, I'd suggest that it's likely the Microsoft products were entrenched at these largest of the large companies before Linus released his first kernel or Apache even started developing their web server. In that light, it's rather impressive that Apache has taken 15% of that market.
Netscape is used by many major media companies because it can be deployed on a secure (Unix) platform and because they like its multithreaded, non-forking model. Apache 2 supports that model, but it's a recent product and switching costs deter major installations from using it. (In other words, if it ain't broke, don't fix it.)
Our company (Morris Communications) hosts more than 30 newspaper sites and thousands of customer sites. We use Netscape for our newspapers and generally use Apache 1.x for small sites. We use Apache 2.x behind the scenes for application servers.
Here is a quick survey of major news sites:
Netscape is used by CNN, NYTimes, LATimes, WashingtonPost, ChicagoTribune, and the Telegraph (UK).
Apache is used by IHT, Guardian (UK), CBSNews, all the KnightRidder newspapers, NWSource (Seattle), SFGate, StarTribune, Chron (Houston), Detnews and Freep (Detroit), and Internet Broadcasting (local TV stations).
IIS is used by MSNBC, USAToday and WorldNow (local TV stations).
In my experience, going back and trying again sufficiently many times sometimes helps.
How many times is "sufficient" seems to be entirely random (typically less than 10). I'm not sure what it's sensitive to; maybe it's the ad selected for the page or something, I haven't paid much attention.
So let's see, they want to sell us a product which supposedly increases the security of IIS boxes, without even actually increasing the security in the process, but rather mangling the headers to look like Apache, in the hope someone will skip over it.
Since when do the web server scanning viruses actually check the headers to see what type of server it is?
I would think that someone who was scanning for vulnerable web servers would notice "This is a server" or "Yes we are using ServerMask" quickly and realize that someone is playing a game of hide the IIS server. That's one hell of a big fucking red flag.
None of their products actually offer any *real* security from what I see. They just hide the errors and obvious from normal people. It won't stop someone from nmaping the IIS box and see that it's running Windows NT/2k/2k3. It won't stop those lovely Windows based viruses that scan for exploitable webservers.
Let's not forget what happens when SQL/ODBC errors pop up and completely give away that you're an IIS slave. It's so freakin easy to cause a server's script to throw back errors for analysis.
If anything, they are saying that, "Yeah, IIS sucks, look how we can make IIS pretend to be like the much more secure and powerful Apache web server."
Why not just run Apache in the first place? You don't have to pay money to a third party just to change basic configurations, and you get the most secure web server in existence.
It seems painfully obvious.
Brielle
They also have IBM http server in the wrong category since it is a rebranded, slightly modified Apache Server.
for i=0.0.0.0 to 255.255.255.255
check $i;
That is all you have to do!
Evolution of Language Through The Ages: 6000 BC : ungh, grrf, booga 2000 AD : grep, awk, sed
Several months back, I started noticing attempted DNS zone transfers originating from Netcraft. Some of their attempts to inventory the Internet are IMO, invasive and unethical. It's one thing to scan public IP addresses. It's another to pretend to be a secondary DNS and ask someone's system to send you a complete list of all their hosts and related information.
I am not surprised that a company dealing in such shitty software would bark at the truth, and ignore the facts; this is exactly how micro$oft performs its PR magic.
I just knew all those default.ida hits were meant for my apache server. I still can't find out why that file is missing and what it was supposed to contain, it must be a big secret at apache.org
/sarcasm off
Can any of you MS gurus help out by telling me what I have been missing by not having default.ida?
I wonder if I put "protected by port80" in the conf if it will scare off the next worm, or will it actually check for vulnerabilities and not care what lies the header tells it?
Where are all of the third party security add-ons for Apache? I sense discrimination! I demand useless products to give me a false sense of security like my MSCE brethren.
It's true: if you don't count all the sites running non-Microsoft software, more sites run Microsoft software.
So what?
Sorry not to be replying to any particular post, but the sheer volume makes that a little difficult to manage.
It was good to see that, after a relatively brief spate of misdirected criticisms of our survey as being tainted by pro-Microsoft 'bias,' many contributors here saw that the data itself is pretty uncontroversial (and in fact easily reproducible), and instead began to address themselves to the questions that the survey was intended to raise -- namely, questions about what is an appropriate sampling methodology when attempting to measure HTTP server 'market share.'
Those are the sorts of conversations we were hoping to start, and it's good to see them under way here with such vigor.
Just to be clear: We have no real objection to the Netcraft results per se -- only to their being marketed as an unambiguously accurate picture of something called 'Web server market share.' We simply think that sampling this market is a more complicated affair than the endless recitation of the most commonly cited Netcraft numbers would suggest.
A number of the contributors here who grant the legitimacy of our criticisms of Netcraft's methodology have raised the point that a sample based on Fortune 1000 sites isn't necessarily a good proxy for Web server market share either. (Since some of these sites are nothing more than glorified brochureware, and so on.) I think that's entirely correct.
In a sense, our survey simply sets one type of partial snapshot, with its own kind of built-in sampling bias, alongside another. But then our aim wasn't to be definitive. It was simply to remove the halo of definitiveness from the Netcraft survey -- and to get people thinking about what it would take to be definitive in this context.
And as I say, some of that thinking is on display here. Folks like ChaosDiscord are almost certainly right to suggest that it would be more accurate (or interesting) to sample the server choices of high-traffic sites. We hope to cover some of this territory in future surveys.
Thanks to all those who looked past the fact that we happen to make commercial software for IIS, and actually engaged with our survey's findings and implications. And happy Thanksgiving to one and all.
Joe
Port80 Software
I hate it when somebody claims "this survey is flawed because blah-blah", then makes a counter survey with the same flaws (signs exchanged) and with some odd constraints sprinkled on top.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Next time Slashdot would do well to trashcan this type of article instead of posting it. I'm all for "balanced" reporting from "both sides".. but statistics from a company that ONLY develops software for MS IIS? LOL, seems like they scammed some free advertising on Slashdot. Perhaps they needed the advertising since the platform they develop for is less than 1/3 of all web servers.
=-=-=-=-=-=-=-= - The Celtic - =-=-=-=-=-=-=-=
> But there are many surveys out there:
> http://www.securityspace.com/s_survey/data/200310/index.html
This link is really interesting because it has surveys by tld.
As was mentioned earlier, no survey is perfect but they all have their value if you can compare them and understand what exactly they count.
A first look at securityspace shows huge differences:
- Apache lovers will love the .de figures, where it has almost 90%.
- Italy surprised me with 46% MS
- China is a strong MS supporter it seems: 63% (33% for Apache). Does it mean that price does play a role in the choice after all? In China, I suppose nobody actually pays MS. Or does MS have much better support for Chinese localization?
- The US military also seem to like MS (65%)
etc.
I'll try to find how they get their samples.
While I have nothing against your Fortune 1000 survey, and am grateful you posted a link to other very interesting surveys, I sincerely feel your "masking" "product" is a rip-off.
It serves absolutely no purpose other than getting clueless sysadmins to pay you money.
My logs are filled with attempts to exploit MS-specific vulnerabilities, even though the server (correctly) advertizes itself as Apache.
And they wear this cammo because they're trying to look like an armored transport? No. It's because they will eventually climb out from behind that armor and expect to operate in the field. At that point, they're very vulnerable. Even when wearing body armor. So the only thing left to do is try to obscure their location. This is certainly a valid tactic in the physical world. However, it doesn't pan out well when we compare it to information security.
Physical analogies fall flat compared to information security. This is because in the physical world, we can't do much to alter the laws of physics. Granted - we spend a lot of time better understanding those laws and designing systems and strategies that were unknown before. But we are ultimately still limited in what we can do with ourselves. And our attackers are also limited.
Back on our example battlefield, our soldier is vulnerable to enemy gunfire. We can't redesign the soldier to alter this vulnerability - so we try to manage it. We either cover him in armor (paying other penalties) or we make him harder to detect (enabling him to eliminate threats faster also helps).
At the same time, our soldier is faced with a somewhat limited threat. There is only so much that can be put on a battlefield without our soldier's knowledge of it. And once it is there, it is simply a matter of finding it and eliminating the threat.
Meanwhile, on our analogical battlefield, we should have been spending the time to recreate our soldier so he wasn't vulnerable to random gunfire. Sure - we can camouflage him. We can obscure who he is or what he is or where he is. Meanwhile, our attackers can pop up from anywhere in the world at any time. They can be any number. They will sometimes fire without direction, often sweeping the entire battlefield - and they can afford to do it since ammunition is inexpensive and plentiful. In short, at any given time any given location is very likely to be under fire. If our vulnerable soldier happens to be in that location, he's toast. It doesn't matter how well hidden he was.
The limitations of the physical world do not apply to the electronic landscape. Therefore, what would be prohibitive or impossible in the physical world are both possible and likely when dealing with information systems.
This is where we get the old tenet critical of "security through obscurity." It's not that obscurity is useless - just nearly so. If whatever you're looking at from a security context relies heavily on obscurity, then it is almost certainly flawed.
Don't get me wrong - I'm not saying that taking the time to obfuscate headers or whatnot is harmful (insofar as it doesn't lead to a false sense of security). However, it IS a rather useless activity. Which is fine if you've got time to burn.
In my experience, there are few infosec or IT folk who have the luxury of an abundance of time. Or money.
At least Netcraft's practice is simple and relatively blind to human bias. Port80 doesn't even try to hide their bias--this is a marketing strategy not a research project.
What exactly makes a survey of Fortune1000 companies better than a wide survey of hostnames at indicating what is more popular or capable? "Jack in the box" (an American fast food restaurant chain) is on the list. Why the hell would I care what THEY use if I were selecting a platform for hosting a website? How many people in the world lay awake at night excitedly waiting for the next opportunity to go to a burger-joint's home page?
OTOH, Slashdot is NOT on the Fortune1000 and thus is not in Port80's survey. However it is one of the biggest, most popular sites in the world from a viewership/capacity standpoint. Links on this site bring on the wrath of a Slashdotting that cause many lesser sites to fold like rice paper. Now, if I want software that is scalable THAT is a site I'd examine for how to handle things right, not the e-brochure site of some obscure regional US health management company or cheesy fast food company.
I won't even START talking about the technical flaws of this silly Fortune1000 survey of web sites (use of proxies and so on creating false responses). In short, while it provides an interesting factoid in its results, Port80's survey is 100% useless in determining the true merits, suitability or even popularity of a web hosting platform.
To do the job RIGHT, a research project must compile a list of the top sites by VIEWERSHIP or TRAFFIC, then PERSONALLY CONTACT the webmasters to get positive confirmation of their server platforms (none of this nonsense of sending a bot out to scan the net). Not only that, it should look at the hardware costs, administration requirements and uptime stats of each of those sites. AND it should be done by independent analysts, not by some software company that depends directly on the fortunes of one of the platforms being researched, or even by open-source ideologues.
Would sure be nice to have a credible survey on the subject. I personally suspect that Apache would still be on top and fare quite well in such a survey, however it would still be nice to have some confirmation.
Why let anyone find out you're running a Microsoft IIS server?
The embarrassment will be acute!
The point being made has absolutely nothing to do with an undefendable position. You see, you need to separate the idea of Method, Implementation and Interpretation; remember all those annoying reports that suggest Windows is more secure/stable/flexible than Linux, and remember how we were all enraged...until we found out that even though Method, Implementation or Interpretation was up to the surveyor's standards, at least one of the others was decided by the paying company?
It's like that here. Port80's method, the Method, which is what was being discussed by servoled, probably has a number of good points. The questionability comes from, both, their Implementation, with the crashing software and so forth, and the Interpretation, which is commercially influenced by their product ServerMask.
"Yeah...it was the numbers that were irrational, not the murderous cult of vegetarians...." -- Hippasus of Metapontum
Hence, it would seem apparent, after only a very small time here on slashdot, that if someone can take the time to spellcheck their post then they are ALSO more likely to VALIDATE their own information.
<PHB mode="true">
I have just recently been informed to ignore people like you, but I can't remember from where....
</PHB>
"Yeah...it was the numbers that were irrational, not the murderous cult of vegetarians...." -- Hippasus of Metapontum
AbiWord takes less time to load than OOo. What a kill joy.
"Yeah...it was the numbers that were irrational, not the murderous cult of vegetarians...." -- Hippasus of Metapontum
You'd think their Apache numbers would be much higher, then....
"Yeah...it was the numbers that were irrational, not the murderous cult of vegetarians...." -- Hippasus of Metapontum
I may be wrong in this but why should you have to hide the identity of your web server from "hackers" if your software is secure? Wouldn't the fact that this program even exists be a testament to IIS's inherent security problems?
When I run their test on my site, their test tells me:
"We detect that www.tekgnome.com is running Apache."
That's funny, because I'm using the Jetty servlet engine for my site and don't even have apache installed. If they can't even get that one little detail right, how good can the rest of their results be?
-- Give me ambiguity or give me something else!
Why the websites of the largest companies rather than the highest traffic websites (which would probably give Apache more share)?
Why US only? - Netcraft is global.
To me it looks like a survey method designed to get
What about a cracker who performs detailed reconnaissance... only to fail in the attack when subterfuge holds?
Misdirection is an advantage if it foils a major exploit from the outset.
ServerMask is one choice in a comprehensive IIS security strategy, and Web server anonymization is practical, after you have all the bases covered -- for Apache, Netscape, Zeus... systems in general.
Why surrender any advantage in a battle?
Chris @ Port80
Last time this issue came up, I ran a check based on Alexa's top site listings, and Netcraft's assessment of what these sites were running.
Results. Of the top 100 English language sites, there were: 44 GNU/Linux, 25 Microsoft Windows (NT, 2K, XP, 2K3), 13 Sun Solaris 8, 7 Sun Solaris, 4 unknown OS, 4 FreeBSD, 1 Sun Solaris 9, 1 Apple MacOSX, and 1 HP-UX operating systems.
Webservers were: 43 Apache, 26 Microsoft-IIS, 13 Netscape-Enterprise, 3 GWS, 3 AOLserver, 2 Zeus, 1 unknown, 1 thttpd, 1 Stronghold, 1 Squeegit, 1 Roxen, 1 Resin, 1 Rediff, 1 Bellsouth PWP server, 1 AV, and 1 Apache Tomcat.
If you like tabular layouts and want to see methods and scripts (Slashdot's crapfilter prevents this), look here.
Point: for high-volume sites, Linux or FreeBSD and Apache are preferred 2:1 over Microsoft solutions.
What part of "gestalt" don't you understand?
That was a quote from the parent, hence the bolding and so forth.
It's Funny. Laugh.
"Yeah...it was the numbers that were irrational, not the murderous cult of vegetarians...." -- Hippasus of Metapontum