"... Assuming running FreeBSD as a desktop doesn't already make me quite the madman."
lol. As someone who Runs FreeBSD 5-stable (with KDE 3.4) as a desktop , I can relate. Waiting for the entire KDE 3.4 suite from the ports collection to compile was quite the task.
The only thing that kept me sane was finding out that most of my favorite sites worked just fine with Links.
I ocassionaly do a 'cat/var/log/auth.log' on my BSD router, and see lots of ssh login attempts. These are mostly just worms trying common default username/password combos. Occasionaly these attempts do come from U.S. based ISPS, but I don't bother reporting them...I know, I know...'Bad Admin'.
I noticed those Zone-H stats about a month ago and was taken aback by them. It seems to have coincided with Microsoft starting to put a priority on security.
After all of the embarassment if Code Red/Slammer in 2001-2002, Microsoft has actually done a lot better job at securing IIS - and more importantly, people running IIS have learned their lesson and are bothering to apply patches.
Zone-H's stats from 2003-2004 show Linux servers making of 60% of defacements, Microsoft filling out around 25%-30%, with the rest being a smattering of *BSD/HPUX/Solaris/etc. This pretty much coincides with the respective platforms' Marketshare.
As you describe, 99% of website hacks are done at the application/database level now. These pre-packaged php apps like phpnuke/phpBB are on so many sites, that they have reached 'critical mass' in the market, to where targeting them is productive for script kiddies. Besides these hugely popular apps being targeted, there are also seems to be lot of problems with PHP itself. A LAMP based site which I worked for and was involved with over the last several years, with 90% custom code, has had the server defaced twice in the last few years. Both times were due to "0-day" exploits in PHP.:(
"depends. lately it's easier to find qualified linux support person than windows - and you know why ? because they do most of their job remotely. reboots (which might result in some thing required for networking not coming up) are very rare, everything else you do from any other location. as a result supporting linux systems is a lot easier."
The fact is Linux experts still cost more than Windows experts in many areas, because they are in short supply - especially in rural areas like mine.
"again - choose debian. look at their stable version. some... most call it slightly outdated;) (though for servers that might be just what you want). remember also the possibility to upgrade to next release if you are not satisfied with that 5 years old one (or if it reaches eol)."
Sorry - I alreay have a favorite Linux distro. It's called FreeBSD.:)
Seriously though, if I ever decide to use Linux for something, Debian will be on my short-list of distros to consider.
"Yeah right, and the first time there's a power outage and the Windows system corrupts its hard drive who's going to bring it back up? What's that "well it's never happened on my Windows systems" well I've got news for you - it almost never happens on Linux systems either. You're trying to use an extremely rare problem that could happen in either OS to compare the 2."
Your right, but it's generally easier to find people to work on Windows than it is to work on Linux.
"Try a few hours at most. Maybe you need to actually install modern Linux distro and see the update mechanisms available before you attempt to criticise it."'
You misunderstood what I said. I meant for how long will the autoupdate work on the particular distro that youa re isntalling. Almost all distros have very short EOL support cycles for their releases. Can you install version x.x of distro A and have it autoupdate itself for say...four years?
"Depends on your distro, almost all, including commercial ones (eg. Mandrake, Suse) allow free access to updates. RHEL is about the only one that wants to charge a 'subscription' but if you don't like that then just get a RHEL rebuild such as Centos."
That's nice, but again - how long do they support a release for? 1 year, 18 months, 2.5 years? IMO,the rapid release cycle of Linux is not a good thing.
"Agreed, but you don't appear to have much knowledge of Linux and therefore would be in no position to evaluate 'long term cost savings'."
YOu're partially right. I don't use Linux - havn't used it in over three years, but I do know enough about it to know that it isn't a magic bullet, like the parent poster describes. I happen to be an avid user of FreeBSD and OpenBSD. I moved to the BSD's long ago, not because I didn't like Linux - just because I really took a liking to the BSD's. Even though I don't spend day after day installing every new Linux distro on the block, my association with the verious *nix communities keeps my updated on what's going on with Linux.
"So, explain to me how Windows is cost effective, even if you have to hire a 'high-priced consultant'."
Your scenario is one big oversimplification.
The first time there is a power outage and the Linux server won't come back up without a fsck, who's gonna fix it? Joe from accounting? How long will that Linux distro be able to (if it even can) patch itself. 12 months? 18 months? If it can patch itself, how much money do you have to pay for access to the automatic patching? What if a patch doesn't work...or breaks something?
There are all kinds of things besides software that can cost money. Sure the "freeness" of Linux is a good bonus from the get go, but that alone doesn't guarantee any kind of long term cost savings.
I seem to remember the speed differences between the VIA and AMD chipsets to be pretty small. I would take improved stability over a 5% gain in performance any day.
My wife still uses my old Athon 750 machine with a gigabyte MB/AMD chipset. That machine has been rock solid for five years now. Back when I still used it I did all the standard benchmarks and compared them to other Athlon 750 machines, and mine with it's 'slow' AMD chipset compared just fine.
I don't know what IBM puts in those things (magic laptop pixie dust?), but they allways seem to be faster than other laptops with similar specs. I just set up nine P3-1Ghz thinkpads at work, and they "felt" as fast as a late model laptop with a 2ghz processor.
I'm running Firefox 1.0.2 on FreeBSD and I get asked if I want to download an.html file. I've seen this before on a couple of occasions with Firefox - even on Windows. Their Apache is misconfigured.
"Can you imagine for a minute that somebody like me can have alittle MORE knowledge about how things work there than you? Or are you a universal know-it-all?"
Based upon your the broad assumtions in your initial reply to me, I would say it's you who thinks they are the universal know-it-all.
What was your logic anyway? 'When I worked for WORD (WORD?!) tech support, most people who called were idiots, and therefore this person who says he reported a bug to Micrsoft must be a clueless idiot too.'
You know it actually makes sense to try and limit the amount of bug reports coming in for products that have such large userbases. If Microsoft left a public bug reporting system on their site, they would end up getting thousands upon thousands of redundant reports about bugs they allready know about.
"I was talking about the support for RELEASED software, not beta.
And I never mentioned any specific type of software, yet your post directly assumed that I was a clueless an end user calling the $30 tech support line.
"Just out of curiosity, how much did you pay for your experience?"
Standard business support - a $245 flat fee. One time that 245 bucks got us two Microsft engineers on site. We're currently dealing with them on a very strange Exchange issue. We just has the case escalated beyond their Bangalore monkeys. It appears we've found an obscure bug in Exchange 2000. Ever since they outsourced their Teir-1 support to India (when did they do this?), Microsft's corporate support has really gone downhill - not that it was ever particularly stellar.
"And you should take your head out of your ass, learn to communicate properly and, most of all, learn to behave towards your peers in a respectful and professional manner."
A firewall is hardly neccessary to keep any machine secure (if it's a server it needs to have it's ports open, right?), though it can mitigate attacks on machines that are not patched. With earlier versions of Windows that don't have the firewall built in, you can use IPSEC to limit what traffic flows to and from the machine - a good idea on any DB server. I never said anything about using MS only tools. There are many free third party security tools that you can use to help guard your windows machine. There is snort, tripwire (or an equivalent). Regardless - how many documented cases do you know of a Windows box being hacked via an unpatched/unknown exploit?
"Of course, this should read "haven't had a single incident that we know about"."
Wow. Insulting the intelligence of someone you don't even know under the veil of anonymity. You must be pround of yourself.
"Not really. With Windows, you both have to know what you are doing, and have a budget for third-party tools to help (and with the tools, you don't really even need to know what you're doing). With Linux you just have to know what you're doing."
If you think that third party tools that cost money are required to protect Windows servers, then it's you who don't know what you're doing. Can you even give an example of a third party tool that is required to make a Windows server secure?
I'm not an end user you retard. I am a system admin, and have had the [dis]pleasure of dealing with Microsoft tech support on multiple occasions.
I know the difference between reporting a bug and calling tech support. The time I reported a bug was when I was testing a beta product of theirs. I got a personal response from one of their managers, and one of their hired software testers.
"They even have a fake bug submitting system, which is directed to/dev/null at all times."
I got a personal response from the two Microsft employees the last time I submitted a bug report to Microsoft. Perhaps the "/dev/null" devices on their bug repository servers have some sort of advanced AI routines written into them that pretend to be live bodies? Or maybe I just missed the bogus bug reporting system.
...there is some humor in envisioning the look on Microsoft's lawyers when they are awarded a 34th generation tape of Halloween 94', and a half empty bottle of Patchouli Oil.
I think the major difference between Windows firewall and IPSEC is that that Windows Firewall is statefull. IPSEC alone has no statefull ability, but has more granular controls - like outbound traffic control.
If you combine Windows firewall with IPSEC, you can get pretty granular with traffic control. On our internal Win2k servers that have MSSQL Server installed, I've always used IPSEC to control internal traffic.
You seem very bitter. Did Microsoft hurt you somehow?
"... Assuming running FreeBSD as a desktop doesn't already make me quite the madman."
lol. As someone who runs FreeBSD 5-stable (with KDE 3.4) as a desktop, I can relate. Waiting for the entire KDE 3.4 suite from the ports collection to compile was quite the task.
The only thing that kept me sane was finding out that most of my favorite sites worked just fine with Links.
I occasionally do a 'cat /var/log/auth.log' on my BSD router, and see lots of ssh login attempts. These are mostly just worms trying common default username/password combos. Occasionally these attempts do come from U.S. based ISPs, but I don't bother reporting them...I know, I know...'Bad Admin'.
I noticed those Zone-H stats about a month ago and was taken aback by them. It seems to have coincided with Microsoft starting to put a priority on security.
After all of the embarrassment of Code Red/Slammer in 2001-2002, Microsoft has actually done a lot better job at securing IIS - and more importantly, people running IIS have learned their lesson and are bothering to apply patches.
Zone-H's stats from 2003-2004 show Linux servers making up 60% of defacements, Microsoft filling out around 25%-30%, with the rest being a smattering of *BSD/HPUX/Solaris/etc. This pretty much coincides with the respective platforms' market share.
As you describe, 99% of website hacks are done at the application/database level now. These pre-packaged php apps like phpnuke/phpBB are on so many sites, that they have reached 'critical mass' in the market, to where targeting them is productive for script kiddies. Besides these hugely popular apps being targeted, there also seem to be a lot of problems with PHP itself. A LAMP based site which I worked for and was involved with over the last several years, with 90% custom code, has had the server defaced twice in the last few years. Both times were due to "0-day" exploits in PHP. :(
"depends. lately it's easier to find qualified linux support person than windows - and you know why ? because they do most of their job remotely. reboots (which might result in some thing required for networking not coming up) are very rare, everything else you do from any other location. as a result supporting linux systems is a lot easier."
The fact is Linux experts still cost more than Windows experts in many areas, because they are in short supply - especially in rural areas like mine.
"again - choose debian. look at their stable version. some... most call it slightly outdated ;) (though for servers that might be just what you want). remember also the possibility to upgrade to next release if you are not satisfied with that 5 years old one (or if it reaches eol)."
Sorry - I already have a favorite Linux distro. It's called FreeBSD. :)
Seriously though, if I ever decide to use Linux for something, Debian will be on my short-list of distros to consider.
"Yeah right, and the first time there's a power outage and the Windows system corrupts its hard drive who's going to bring it back up? What's that "well it's never happened on my Windows systems" well I've got news for you - it almost never happens on Linux systems either. You're trying to use an extremely rare problem that could happen in either OS to compare the 2."
You're right, but it's generally easier to find people to work on Windows than it is to work on Linux.
"Try a few hours at most. Maybe you need to actually install modern Linux distro and see the update mechanisms available before you attempt to criticise it."
You misunderstood what I said. I meant for how long will the autoupdate work on the particular distro that you are installing. Almost all distros have very short EOL support cycles for their releases. Can you install version x.x of distro A and have it autoupdate itself for say...four years?
"Depends on your distro, almost all, including commercial ones (eg. Mandrake, Suse) allow free access to updates. RHEL is about the only one that wants to charge a 'subscription' but if you don't like that then just get a RHEL rebuild such as Centos."
That's nice, but again - how long do they support a release for? 1 year, 18 months, 2.5 years? IMO, the rapid release cycle of Linux is not a good thing.
"Agreed, but you don't appear to have much knowledge of Linux and therefore would be in no position to evaluate 'long term cost savings'."
You're partially right. I don't use Linux - haven't used it in over three years, but I do know enough about it to know that it isn't a magic bullet, like the parent poster describes. I happen to be an avid user of FreeBSD and OpenBSD. I moved to the BSDs long ago, not because I didn't like Linux - just because I really took a liking to the BSDs. Even though I don't spend day after day installing every new Linux distro on the block, my association with the various *nix communities keeps me updated on what's going on with Linux.
So you're saying you need someone on site to patch a windows box?
"So, explain to me how Windows is cost effective, even if you have to hire a 'high-priced consultant'."
Your scenario is one big oversimplification.
The first time there is a power outage and the Linux server won't come back up without a fsck, who's gonna fix it? Joe from accounting? How long will that Linux distro be able to (if it even can) patch itself. 12 months? 18 months? If it can patch itself, how much money do you have to pay for access to the automatic patching? What if a patch doesn't work...or breaks something?
There are all kinds of things besides software that can cost money. Sure the "freeness" of Linux is a good bonus from the get go, but that alone doesn't guarantee any kind of long term cost savings.
I seem to remember the speed differences between the VIA and AMD chipsets to be pretty small. I would take improved stability over a 5% gain in performance any day.
My wife still uses my old Athlon 750 machine with a Gigabyte MB/AMD chipset. That machine has been rock solid for five years now. Back when I still used it I did all the standard benchmarks and compared them to other Athlon 750 machines, and mine with its 'slow' AMD chipset compared just fine.
Back when AMD still made chipsets for their own chips, the motherboards that used them were incredibly stable. I wish they hadn't stopped making them.
I don't know what IBM puts in those things (magic laptop pixie dust?), but they always seem to be faster than other laptops with similar specs. I just set up nine P3-1Ghz Thinkpads at work, and they "felt" as fast as a late model laptop with a 2ghz processor.
Thinkpads are nice.
"knoqueror sucks"
Yep. That's why I use Mozilla.
Konqueror will load it
I'm running Firefox 1.0.2 on FreeBSD and I get asked if I want to download an .html file. I've seen this before on a couple of occasions with Firefox - even on Windows. Their Apache is misconfigured.
"And you, sir, just have very bad manners. "
True. Calling you an ass was rude.
"Can you imagine for a minute that somebody like me can have a little MORE knowledge about how things work there than you? Or are you a universal know-it-all?"
Based upon the broad assumptions in your initial reply to me, I would say it's you who thinks they are the universal know-it-all.
What was your logic anyway? 'When I worked for WORD (WORD?!) tech support, most people who called were idiots, and therefore this person who says he reported a bug to Microsoft must be a clueless idiot too.'
You know it actually makes sense to try and limit the amount of bug reports coming in for products that have such large userbases. If Microsoft left a public bug reporting system on their site, they would end up getting thousands upon thousands of redundant reports about bugs they already know about.
"I was talking about the support for RELEASED software, not beta."
And I never mentioned any specific type of software, yet your post directly assumed that I was a clueless end user calling the $30 tech support line.
"Just out of curiosity, how much did you pay for your experience?"
Standard business support - a $245 flat fee. One time that 245 bucks got us two Microsoft engineers on site. We're currently dealing with them on a very strange Exchange issue. We just had the case escalated beyond their Bangalore monkeys. It appears we've found an obscure bug in Exchange 2000. Ever since they outsourced their Tier-1 support to India (when did they do this?), Microsoft's corporate support has really gone downhill - not that it was ever particularly stellar.
"And you should take your head out of your ass, learn to communicate properly and, most of all, learn to behave towards your peers in a respectful and professional manner."
heh
"How many low end prebuilt machines come with an ATI Radeon 9200 by default?"
Well, considering the ATI Radeon 9200 for the PC is a $50 card (read: OLD NEWS), probably many.
btw - The "Mac edition" of the Radeon 9200 (which is PCI) goes for around $100. WTF is up with that?
Obligatory link
A firewall is hardly necessary to keep any machine secure (if it's a server it needs to have its ports open, right?), though it can mitigate attacks on machines that are not patched. With earlier versions of Windows that don't have the firewall built in, you can use IPSEC to limit what traffic flows to and from the machine - a good idea on any DB server. I never said anything about using MS only tools. There are many free third party security tools that you can use to help guard your Windows machine. There is snort, tripwire (or an equivalent). Regardless - how many documented cases do you know of a Windows box being hacked via an unpatched/unknown exploit?
"Of course, this should read "haven't had a single incident that we know about"."
Wow. Insulting the intelligence of someone you don't even know under the veil of anonymity. You must be proud of yourself.
"Not really. With Windows, you both have to know what you are doing, and have a budget for third-party tools to help (and with the tools, you don't really even need to know what you're doing). With Linux you just have to know what you're doing."
If you think that third party tools that cost money are required to protect Windows servers, then it's you who don't know what you're doing. Can you even give an example of a third party tool that is required to make a Windows server secure?
My GOD, you are an ass.
I'm not an end user you retard. I am a system admin, and have had the [dis]pleasure of dealing with Microsoft tech support on multiple occasions.
I know the difference between reporting a bug and calling tech support. The time I reported a bug was when I was testing a beta product of theirs. I got a personal response from one of their managers, and one of their hired software testers.
You shouldn't assume so much.
"They even have a fake bug submitting system, which is directed to /dev/null at all times."
I got a personal response from the two Microsoft employees the last time I submitted a bug report to Microsoft. Perhaps the "/dev/null" devices on their bug repository servers have some sort of advanced AI routines written into them that pretend to be live bodies? Or maybe I just missed the bogus bug reporting system.
...there is some humor in envisioning the look on Microsoft's lawyers when they are awarded a 34th generation tape of Halloween 94', and a half empty bottle of Patchouli Oil.
Yes. As a previous poster stated, ZDNet (and countless other news sites) reported this four days ago.
I hope the April Fools crap is over. None of them were good anyway.
NO. Really. It isn't.
I think the major difference between Windows firewall and IPSEC is that Windows Firewall is stateful. IPSEC alone has no stateful ability, but has more granular controls - like outbound traffic control.
If you combine Windows firewall with IPSEC, you can get pretty granular with traffic control. On our internal Win2k servers that have MSSQL Server installed, I've always used IPSEC to control internal traffic.