How long till this is put in a javascript / html email exploit???
Why do we need anything but text in email? I could even live with a subset of html that would display graphics, but full html???
scary....
It's the outgoing that's the problem, not incoming.
If I want to prevent outgoing ftp from my system, I block port 21. I block port 25 from all IP addresses but my email server, and I no longer have to worry about unauthorized email servers, or MicroSoft viruses emailing directly out to the internet. MicroSoft finds it difficult to work with ports, and wants to get rid of them. Remember the story about MicroSoft calling HTTP the cockroach of the internet?!?
HTTP and port 80 are fine, unless you want to use it as an RPC mechanism. And with MicroSoft's track record for security, I really do not want them replacing my security mechanisms.
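The egress policy described in the comment above (block outbound FTP on port 21; allow outbound SMTP on port 25 only to the organisation's own mail server), written out as an added example rather than anything from the original post. The mail relay address 192.0.2.25, the workstation name and the sample connection attempts are constructed values; the iptables rendering assumes a Linux host filtering its own OUTPUT chain.

```python
"""Egress (outbound) filtering policy, modelled in Python.

Added example, not a ruleset from the comment or from any product: the
rules encode the policy the comment describes (block outbound FTP on 21,
allow outbound SMTP on 25 only to the mail server) and can be rendered as
iptables OUTPUT-chain commands. The mail server address 192.0.2.25 and the
sample connection attempts are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    dst_port: Optional[int]     # None matches any destination port
    dst_net: Optional[str]      # CIDR; None matches any destination
    comment: str = ""


# First-match policy, evaluated top to bottom. Order matters: the specific
# allow for the mail relay must precede the blanket deny on port 25.
EGRESS_POLICY: List[Rule] = [
    Rule("deny", 21, None, "no outbound FTP from this host"),
    Rule("allow", 25, "192.0.2.25/32", "only the mail relay may be reached on SMTP"),
    Rule("deny", 25, None, "any other SMTP destination: rogue mailer or mass-mailing malware"),
    Rule("allow", None, None, "default: other outbound traffic permitted"),
]


def evaluate(policy: List[Rule], dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, comment) of the first rule matching the outbound connection."""
    dst = ip_address(dst_ip)
    for rule in policy:
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        if rule.dst_net is not None and dst not in ip_network(rule.dst_net):
            continue
        return rule.action, rule.comment
    return "deny", "implicit deny: no rule matched"


def to_iptables(policy: List[Rule]) -> List[str]:
    """Render the policy as iptables OUTPUT-chain commands (TCP only)."""
    lines = []
    for rule in policy:
        parts = ["iptables", "-A", "OUTPUT"]
        if rule.dst_port is not None:
            parts += ["-p", "tcp", "--dport", str(rule.dst_port)]
        if rule.dst_net is not None:
            parts += ["-d", rule.dst_net]
        parts += ["-j", "ACCEPT" if rule.action == "allow" else "REJECT"]
        lines.append(" ".join(parts) + "   # " + rule.comment)
    return lines


def denied_attempts(policy: List[Rule],
                    attempts: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Filter constructed (src_host, dst_ip, dst_port) attempts down to the ones the policy rejects.

    A host other than the mail relay repeatedly hitting port 25 is exactly the
    signal the comment cares about: something on that box is trying to send
    mail directly, so the denied list is worth alerting on, not just dropping.
    """
    return [a for a in attempts if evaluate(policy, a[1], a[2])[0] == "deny"]


if __name__ == "__main__":
    # Constructed sample of outbound connection attempts from an internal workstation
    sample = [
        ("ws-12", "198.51.100.7", 80),
        ("ws-12", "198.51.100.7", 21),
        ("ws-12", "192.0.2.25", 25),
        ("ws-12", "203.0.113.9", 25),
    ]
    for cmd in to_iptables(EGRESS_POLICY):
        print(cmd)
    for attempt in denied_attempts(EGRESS_POLICY, sample):
        print("DENIED:", attempt, "->", evaluate(EGRESS_POLICY, attempt[1], attempt[2])[1])
```

The policy is first-match, so the narrow allow for the relay has to sit above the blanket deny on port 25; swapping those two rules silently re-opens direct outbound SMTP, which is the failure the comment is warning about.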
Read my post again.
I was not comparing Apache's complexity to MSIE. I was not comparing Open Source to MSIE. What I did say is that a product's popularity has NO correlation to its security, and whining that MSIE only has security problems because there are a lot of copies in use is STUPID, and from an engineering perspective, DANGEROUS.
But I will try to use smaller words for you next time....
fobbman gushes:
The reason why exploits are written for IE/Outlook is not necessarily because Microsoft packs their product full of holes, but because more people use the products, more people will be affected by the exploit, and the chance of the "security expert" seeing their name mentioned in the media goes up.
Exactly, security is directly tied to popularity, why just look at Apache... oops.
The difference is that the people who bring you Apache are subject to peer review everyday, and they don't whine that people only exploit their code because it is popular when holes are found, but rather look at their project rationally, and FIX IT. Pretty amazing difference in handling criticism I would say....
Derkec gushed:
True, but in a very real way, Microsoft has a point. The Open Source community has never really taken time to say, "ok let's stop development and everyone will go check code extremely carefully."
No, False. You (and MicroSoft) are completely ignoring Open Source projects that only audit code... i.e. the Kernel Janitors:
I wonder if anyone is keeping a running tally since the security initiative started???
Here is another bug with the MicroSoft SQL server. They've got overflows in their stored procedures. No fix, but you can delete the files if you can live without them....
Stonehand writes: Real DBMS software tends to have very heavy-duty logging and recovery systems
Yes, they do, because they need them. It gives me nightmares to think of each and every user running a 20 to 40 GB SQL database. I had read MS proposals for this several years ago, but figured with the state of MS SQL (at the time it was much worse) and it just seemed so harebrained and difficult, that I really did not have much to worry about. But now it's back, it's like the MS Bob that just refuses to die.
I can not think of any benefits (other than financial) that this would have over a true FS with journaling and XML based meta-data. I do not want a FS system that can crash on me.
I don't see how this can be called a solution for reliability. Oh, I see, it will make searches more reliable... I am not sure how you can even make that statement? What is a reliable search? It will definitely make backups more difficult. And, given the reliability of Exchange and the system registry, I'm not too sure I want all my files in any database, much less Microsoft's... I can only think MicroSoft wanted to boost sales of SQL Server, and this will do that. I wonder if you will then need a separate SQL CAL to access content for what was once a fileserver?
How about some new slogans for MCSE's:
Beware the flat file!
Flat files are the cockroaches of the OS!
Matey-O:
I haven't seen a problem lately with microsoft signed code.
Lately is a poor excuse to keep a bad idea....
The NonM$ loving folks will LOVE that soundbite, unfortunately, it's got all the likelihood of happening as having everybody shift from IIS to Apache. In any production environment, security is balanced heavily with cost of implementation. NO company with any amount of entrenched custom code is going to pitch it because a security guy says they oughta.
No, but with Gartner telling them to pitch IIS also, it seems MicroSoft was worried enough to at least make a press release....
Granular auditing exists now! The problem with enhanced auditing is the storage requirements for that auditing. I get 'the application log is full' messages NOW, what happens when every bit written generates five bits of log? Are YOU going to have a Terabyte server to store 200 mb of data and 800 mb of granular logs?
You REALLY don't understand granular auditing do you? You only turn it on when investigating a problem, or performing an audit... it seems to work really well in *NIX systems. And since when does 200mb + 800mb equal a Terabyte. What kind of systems do you think people put Linux on????
Microsoft's been in bed for YEARS with the W3C. The protocols are generated there, and Microsoft is often the first to market to implement them. Asking them to hold off a year before using a new protocol is business suicide and not something they'll be willing to do.
The author was speaking of more than just internet protocols, but you did sum up the article pretty well in your last sentence. MicroSoft has made a public commitment for security. To follow through will take more of a financial commitment than just offering employee bonuses, and it seems that both you and the author agree that it is highly unlikely that MicroSoft will follow through on their pledge.
I think Microsoft has the exact same intent, and they are quite serious about implementing it.
Does the industry deserve saving? Maybe its destruction would not be all bad. I guess we can all be thankful that there was no big scribe's union when the printing press was invented.
This is a troll, but oh well:
electricmonk states:
Linux is, after all, an extremely expensive operating system. After all, just look at Hewlett Packard, their Linux distribution sells for $3000 retail. When was the last time you saw a copy of Windows XP (and this is a retail copy, not considering the fact that it comes free with most new machines) for $3000?
http://www.cdw.com/shop/products/default.asp?EDC=196920
Microsoft Windows 2000 Advanced Server with 25CAL $3,396.97
What is the unlimited CAL cost?
Tell them not to allow emails with attachments that end with .scr or .pif or .exe or .bat or .vbs or .vb? or .js
That might be a good start.
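The attachment rule from the comment above, turned into a working check as an added example (not code from the original post): a mail gateway hook that parses a message and reports attachments whose names end in one of the listed extensions, treating `.vb?` as the glob the comment writes. The sample message, addresses and attachment payloads are constructed inline so the check runs offline.

```python
"""Reject mail carrying attachments with dangerous extensions.

Added example, not code from the comment: the blocklist is the one the
comment names (.scr .pif .exe .bat .vbs .vb? .js, where .vb? is a glob),
and the sample message is constructed inline so the check runs offline.
"""
import email
from email import policy
from email.message import EmailMessage
from fnmatch import fnmatchcase
from typing import List

# Extensions from the comment; matched as case-insensitive globs so that
# "Setup.EXE" and "macro.vbe" are caught as well as the lowercase forms.
BLOCKED_PATTERNS = ["*.scr", "*.pif", "*.exe", "*.bat", "*.vbs", "*.vb?", "*.js"]


def is_blocked_name(filename: str) -> bool:
    """True if the attachment name ends in a blocked extension.

    The name is stripped and lower-cased first: trailing whitespace and mixed
    case are common ways a name is padded to slip past a naive suffix check,
    and the double-extension trick (report.txt.exe) is caught because only the
    final extension decides.
    """
    name = filename.strip().lower()
    return any(fnmatchcase(name, pattern) for pattern in BLOCKED_PATTERNS)


def blocked_attachments(raw_message: bytes) -> List[str]:
    """Parse an RFC 5322 message and return attachment names that should block delivery.

    walk() descends into nested multiparts, so an attachment inside a forwarded
    message/rfc822 part is still seen.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name and is_blocked_name(name):
            hits.append(name)
    return hits


def build_sample() -> bytes:
    """Construct a sample message with one benign and two blocked attachments."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = "documents"
    m.set_content("See attached.")
    # Constructed payloads; the bytes are placeholders, not real executables.
    m.add_attachment(b"MZ\x90\x00placeholder", maintype="application",
                     subtype="octet-stream", filename="Report.TXT.exe")
    m.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename="script.vbe")
    return m.as_bytes()


if __name__ == "__main__":
    hits = blocked_attachments(build_sample())
    print("reject" if hits else "accept", hits)
```

An extension blocklist is the "good start" the comment calls it and no more: it looks only at the declared filename, so renamed files and executables inside archives pass through, which is why a gateway normally pairs it with content-type sniffing and a scanner.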
You're right, all we really need are published APIs, and this would be enough, if only they had also included the publication of their file formats.... (i.e. .doc, .xls)
Hey, but don't forget the value added by Microsoft's update service. I mean sure, RedHat provides similar features, that work better for managing large numbers of servers, but with Microsoft update, they will even provide you with the latest 3rd party virus as well. I have yet to see this quality of service from any Linux company.... ;)
jazmataz23 writes:
That's just bogus and you probably know it yourself. You have to activate, sure. In practice, changing one or two items isn't enough to upset the hash that matches the activation code received from Microsoft. I'm not saying this isn't a pain in the ass; it's a huge pain in the ass. But it's neither as troublesome nor permanent as you paint it.
What happens when Microsoft wants you to upgrade, and they decide to no longer support this OS? Do you think they will be kind enough to allow me to call them for an Auth code after replacing a failed drive? Sounds like you're really just renting the OS to me....
But this is not a tangible product they wish to add a "tax" to, nor even portion of a program, they wish to allow controls and restrictions over software/companies/individuals ability to communicate. (i.e. - they would not be licensing Apache, but instead your ability to put HTML compliant content in it.)
Which one of your solutions did we implement against the Japanese during WWII???
Do you pay people to moderate your posts, or is this just the average intelligence here.
Actually, unlike NT, with Linux you can test multiple versions of the same package on the same server. So, for example, I once had three different versions of Apache running on the same box, listening to different ports. One was the production server, and two new versions for testing. When I finished testing, I put the new version in use, removed the second test, and left the old production version on the box for a couple months, just in case. Not one restart for this whole process. Now with IIS you would need what, 3 boxes and 3 licenses???
What's that quote about not trusting someone to do something after they used le toilette?
You know, I guess you're right, a support contract from a company like IBM just is not as good as a 900 number from MS.
You get paid to make IT purchase decisions???
GPFCharlie said....
So, figure for a business of 50 employees, you're talking about $3,800 total for the software.
OK, but you still left out the backup software and defragmenter. Add ~$1,300 so now you are back up to $5,100 total.
Now, since you are running Exchange, you probably will want to back that up too...
CA ArcServe 2000 Exchange agent ~$560
So now we are back up to $5,660 - but this is actually quite a savings considering what I was quoting before (if you look again) was ONLY the OS and the tools needed for system admin (backup and defrag.) Now, what happens if I expand and I wish to have 55 clients - can I resell this software? Can I upgrade any of it? Or is it like an OEM copy of Windows? I really do not know, but I would venture to guess it's lock-in. The only other problem I see, is after installing and maintaining a variety of Windows systems (from 3.51 to 2000), I never recommend to a client that they put more than one server product on a single windows machine. SQL and Exchange on one box sounds like trouble waiting for a Service Pack to happen - or maybe even a change in the direction of the wind... and well, if any company was to actually use a firewall on the same box as their DB and web and email server - regardless of the OS - well I just will say they get their comeuppance.
That's pretty poor math:
- Windows is not free, but a Windows 2000 Professional license costs about $200.
-Windows 2000 Pro is for workstations - you can not run server software on it. Here are real prices from CDW:
Windows 2000 Server - 5user ~$860
Windows 2000 Server - 10user ~$1,290
Windows 2000 Advanced server - 25 user ~$3,400
Additional Client access - per 10 users ~$1,100
Next... you need backup software.
CA Arcserve 2000 Backup - $507
Now... The backup addition for MS SQL
CA Arcserve SQL Agent - $580
Now... don't forget the defragmenter - you want to compare Windows with Linux after all...
Diskeeper v6 - $290
So, figuring for a company of 50, you would need 2000 advanced server + 3 X Additional client access licenses + backup software + SQL Agent + Diskeeper v6
for... $8077 That is a bit more than $200 you glossed over.
Now that company could invest that, plus the consultant fees to install, and figure it will last ~2 to 4 years before they will be forced to upgrade by Microsoft, plus the cost of support over a phone, the boss's time talking to some idiot on tech support that treats him like an idiot, the cost of downtime, and if we want to do a true comparison, how does this guy ever upgrade? How do you test a new system? You have to buy a complete second server, with all the licensing. With Linux, you can install multiple copies, and just give them different ports for testing. I have had 4 copies of Apache running on a single Linux server. One was my production system, the 3 others were new versions with different options. I never had to restart the server to set it up, and when I found and tested the version I liked best, I deleted two copies, put the version I liked into production, and changed the port number of the previous working copy and kept it around for a few months until I felt even more confident about my choice. How do you do that with Windows and IIS? You buy 4 servers!!!
That is why I can not figure out how this got modded up to 5. And why the smart business owner will not invest money in renting software that will not be around for very long, but instead will invest in the salary of a good employee or invest in a business relationship with a consulting company that will help his company for years to come.
ridiculous, freedom-limiting license
:)
Actually, I believe you should say " ridiculous, freedom-guaranteeing license "
Yes, I think that is much more accurate.
Sure, except many are the GNU version - as a quick example from the Windows NT4 resource kit help file posix.wri quoting:
COPYING Copyright © 1988 Free Software Foundation, Inc. Permission is granted to make and distribute verbatim copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided that the entire resulting derived work is distributed under the terms of a permission notice identical to this one. Permission is granted to copy and distribute translations of this manual into another language, under the above conditions for modified versions, except that this permission notice may be included in translations approved by the Free Software Foundation instead of in the original English. AUTHORS See the GNU CC Manual for the contributors to GNU CC.
And you should add that Microsoft does indeed distribute GPL'd software within the NT and Windows 2000 resource kits (I use them). Will this set of tools (i.e. ls, chmod, grep, vi in the POSIX Utilities) continue to be part of Microsoft's corporate strategy for new versions of its OS?