Army Dumps NT as Web Server, Moves to Mac

kootch writes "This sounded too funny to believe, but I think it's true. The US Army, after being the victim of a script baby and having their web pages vandalized, has moved their site from an NT box to a Mac box running WebStar as their server software. Don't believe me? Go here!"

Security Through Impossibility

[Effugas]

(Disclaimer: Apple folks, I have a moral obligation to tweak macs. I grew up with an Apple IIgs.)

Ah, yes. There's nothing like a brick wall to prevent someone from breaking the lock.

MacOS actually gets some bonuses from its, uh, quaintly anachronistic operating system tendancies. (This is not a flame. I think it's cute to tell an application how much memory it gets. See disclaimer. Tweak. Tweak.) For example, the fact that the entire OS is really built to communicate over Appletalk instead of TCP/IP means there's absolutely *nothing* open by default for abuse on the general Internet.

Those who remember these kind of things will note that *the* definitive, original WinNuke was a bug in the TCP handling of an "Out Of Band" packet sent to port 139 on a Windows box. Open door. Boom.

As much as I love Linux, there are more open ports in your standard issue distribution than you're likely to find in an average brothel. Unix in general is hooked into TCP/IP addiction on a practically native level.

The speed on the mac might not be great. The stability probably won't be perfect, but who knows. With much less embedded functionality, there's Just Less To Break.

"We here at the US Army know that the most secure computer is the one that isn't plugged in. We use the next best thing."

Yours Truly,

Dan "Must Never Post When He's This Tired" Kaminsky
DoxPara "Will Have No Memory Of This Post" Research
http://haveasenseofhumor.www.doxpara.com


Once you pull the pin, Mr. Grenade is no longer your friend.

Mac is a great secure Web server

[Pretender+R*S]

Most computers are more than powerfull enough to flood a T1. I am sure the of has plenty of horespower.

As for security. Most of the apple web servers use Apples fairly old ACL per directory for file shareing. The Permission are secure and have stood up to time. As far as connecting to the files system from remote if you use another Mac it does indeed encrypt the passwd.

The Mac has very limited functionality for networking built in on MacOS, this makes it more secure. Apple fixed the TCP/IP large packet bug back in 1995. The current IP stack is fairly fast and based on the System V steam type TCP/IP stack.

Most of the Apple web site security issues have been from Filemaker integration. Filemaker is a GUI DB for MacOS (it has issues).

One of the other advantages to not having any cosole based applications, no concept of standard in and standard out, is if you do run an application on the Mac it doesn't do anything usefull. Also MacOS doesn't have any sensible kind of IPC or RPC support so even if you can compromise a single application it is extremly difficult to get to the operating system or another application.

If you did use Perl, your perl scripts need to be safe. But again on a Mac, there is no plain text file that you could grab security information.

Open BSD could be made equally secure, but it would take lots of customization and intelligence about it, the Mac is VERY high security for default configuration. Though flexibility is an issue with Macs.

Re:A Mac better choice than Linux/Unix/*BSD?

Macs make secure web servers because they don't have anything to exploit. How the hell are you going to exploit something that has NOTHING listening to the network except an HTTPD listening to port 80, delivering a static page. About the only thing you could try is a DoS attack. *NIX boxen usually have 50 daemons running, and often crazy protocols like NIS that make them wide open to attack. WebStar is a solid HTTPD, too. Despite the comments here about Mac OS stability, the fact of the matter is that most of the problems with it are due to lack of memory protection. If you are running a solid application that doesn't have memory leaks and wild hair pointers, it can be very stable. I ran a Mac OS server with AppleShare on a UPS that had an uptime of 3 YEARS. That is stabilty as good as you can get on any system. In reality no server is any better than the stability of the network applications it runs and the OS, and the fact of the matter is if you are careful you can find good Mac OS versions and good applications. Mac hardware was generally better engineered than the PC equivalent (lack of cost pressure I guess) so you had that going for you too. One writer here mentioned Mac OS on a 7100. THAT IS A VERY BAD COMBINATION. The 7100 is a kludge, being the first PPC Mac pasted onto an old Nubus architecture. The Mac OS of the same period had a very crufty emulator as well, and the pair really were unstable. But not all Macs are that way....