ftp in general is something you should keep turned off unless you actually need it, moreso even than is true for services in general, not because it's more vulnerable than other services so much as because it gains you unwanted extra attention from the script kiddies. That goes triple for anonymous ftp.
We do have one system that has to have ftp. I chose proftpd for it, and yes, I updated it after the recent announcement. And it doesn't permit anonymous login, because we don't need that.
Except, computer programs are smarter than grammophones, and can be designed with logic that recognises such invalid or troublesome input and responds in some fashion (e.g., spits an error message at you). That way, the troublesome input doesn't destroy the record player. (It still can't be played, of course...)
Why does this thread remind me of the current poll on Perlmonks?
If a text-based browsers is an acceptable option, no browser has a better built-in text editor than Emacs/w3. It's fully extensible, fully scriptable, and closer to fully featured than any other editor available today. The more advanced features do have a learning curve, but what fully-featured thing doesn't?
> Don't open email in a reader that will automagicly execute whatever > it opens (ie: unpatched outlook)
They say Outlook is patched for this. Yeah, whatever; a specific case has been patched. It's been patched many times before, and it will be patched again, and still it will automatically execute certain types of attachments and *hope* the authors have now finally thought of all the bad things such content could do and specifically prevented each of them. Only, they obviously haven't yet because the rate at which new ones are discovered has not diminished in the slightest.
Bah. Save yourself a lot of trouble: don't use Outlook at all.
All of the above. Turn off the services you don't use, put all your systems behind a firewall based on a different OS (e.g., Windows behind Linux, Linux behind BSD, or whatever), do NAT on the firewall and only forward through existing and related traffic plus any specific ports you actually need, and keep up-to-date on security patches. Doing all of the above will cost you less time per year than *one* serious infection.
Yes, I always pull the ethernet cables before downloading things... (Ahem. I know what you meant, though.)
RPC is a service you don't need. Turn it off. Not that turning on the firewall is a bad thing, but turn RPC off. Also, unbind File and Print Sharing from the TCP/IP on your internet connection. Also, turn off Windows Messenger Service and any other services you don't need. This is the same advice *nix people give eachother: turn off any services you don't intend to actually use. Then, when you read the slashdot story next week about the new worm, you can glance it over, determine that the worm comes in through IIS, remember that you turned IIS off, and relax.
Oh, and: don't use Outlook. Ever. Get Pegasus Mail, or something.
> Gee, since I've never been infected by a virus or worm, and I've > been using Windows since forever (both client and server side), > I don't feel I have that much to worry about.
Well, 99% of all Windows worms aren't Windows worms per se, but worms that impact software that only runs on Windows (usually Outlook, IIS, or MS SQL Server, but sometimes it's something else). There are the occasional worms that really do attack Windows itself, like the one a couple weeks back (that attacked around the same time as SoBig; I forget what it was called), but many of these can't infect you if you are up-to-date on your security updates, and most of the rest will be stopped by any half-decent firewall. So yeah, with safe computing practices you can run a secure network with Windows systems. That said, at work I just finished putting all the Windows systems behind an IP Masq gateway, because it seemed easier than keeping track of all the security measures I would have to take otherwise. (The NAT of course does not protect against client vulnerabilities, but I don't permit Outlook on my network, which helps a LOT; there are easily ten times as many Outlook malwares as there are security exploits for Windows itself. This latest is just the most recent.)
Indeed. IMO, read/write support for NTFS is one of the top three most overdue features the Linux kernel needs. A versioned filesystem (a la what VMS has, but built from the ground up for Linux) is another. I'm sure there's a third feature as long overdue as these two, but I don't know what it is.
> Itanium is NOT a late-comer to the 64-bit desktop 64-bit market.
You did say desktop, right? Then, you're right, as near as I can determine: Itanium isn't a latecomer; it's a no-show. Unfortunately, thus far so is x86-64; everything I've seen so far is rackmount stuff. I'm hoping this will change soon; when I buy my next desktop, I'm going to want one that can handle more than 4GB of RAM, but I won't be ready to give up extant applications.
You don't upgrade to get a faster CPU. Not these days. You upgrade for other reasons -- your old motherboard is maxed out for RAM, and you need more. Your old motherboard is USB1.1 and you want 2.0. You could get an expansion card, but you've only got one slot left and you really wanted to add IEEEwhateverthenumberisforthattrademarkedbus. The new board supports SATA RAID, which will give you a performance boost for disk-intensive applications. And so on and so forth.
Do you go for a faster CPU while you're upgrading? Well, sure. Nobody wants to buy a new computer with the same MHz number as the old one, for psychological reasons if nothing else. But unless you raytrace animations for a living or something, it's probably not the thing driving you to upgrade.
> Maybe I'm paranoid, but I can't stop thinking that's MS fault!
It's been a couple of years, and their EULA has probably changed two dozen times ad interim, but when I actually read Microsoft's privacy policy, it essentially said, in heavy verbiage, "we will sell your address to whomever will pay for it". By heavy verbiage, I mean something of the form, "may share said contact information with select business partners in order to provide value-added services" or some such rot. If your eyes glaze over at the first hint of weaselese, you wouldn't catch it, but it seemed pretty clear to me that they were saying they would sell my address. Maybe I'm just paranoid, though. After all, Microsoft is a very reputable company, as everyone here knows, and so maybe I'm just not giving them enough benefit of the doubt in my poor understanding of EULA verbiage.
This is it! If you patch this one, sendmail will be secure! Really! Of course, they said that the last twenty times, but this time for real, because sendmail is focused on security, just like Microsoft!
Ahem. I won't let sendmail anywhere near any network I administrate, ever. Argue the relative merits of the other options -- qmail, postfix, exim, or Net::Server::Mail, but pick one of them, because letting sendmail listen for incoming connections from the internet, given its (in)security record, is about as smart as using Outlook to get your mail. It hasn't been six months since the last sendmail remote root exploit, and it won't be six months until the next one. Some things never change.
> Buffer overflows have been known for decades, why are these > buffer overflows still so prevalent?
In a large program like MySQL, religiously checking each and every buffer, each and every time anything is stored in it, without missing any, is *hard*, because there are *lots* of buffers and they get things stored in them by *lots* of different parts of the code.
The real solution is to use a langauge with builtin memory management. Until recently this was impractical for performance reasons, but with VHLL technology improving and hardware improving, it won't be too long now before it's practical to write almost everything (save the boot loader and scheduler and a few other lowlevel tidbits) in VHLLs. It will then take more than twenty years to cycle out all the existing legacy software and replace it with newer stuff, but hey.
> It just sucked before to have a masters degree along with several > years of experience and have an official title of "Software > Practitioner." Bleh!
'Practitioner' is too bland, but there are plenty of interesting words in the English language, words with positive connotations, besides 'Engineer'. Try some of these on for size: Software Systems Coordinator, Software Architect, Software Management Expert, Software Consultant, Software Wizard, Software Technician, Software Remediation Advisor, Software Selection Counselor, Software Coordination Leader, Software Developer, Software Design Coordinator, Software Implementor, Software Department Head, Software Overlord, Regional Software Arch Policymaker, Software Incident Investigation Captain, Software Design Committee Chairman, Software Implementation Partner, Software Quality Control Sherrif, Software Usability Research Coordinator, Software Antidefenestration Agent, Software Security Bosun, Software Emergency Response Marshal, Software Planning Team Leader,...
Personally, I rather favour the job title 'The Computer Guy'. It abbreviates nicely to TCG, which sounds vaguely important, and it's what everybody calls me anyway.
> It was common in the early 1980s that PC Games were bootable.
Yes, but this was abandoned when two things happened:
1) Due to advances in computer technology, most computers had
these cool new things called "hard drives", many of which
would hold up to ten megabytes or more.
2) Due to advances in game technology, driven by consumer
demand for graphics, some of the games were starting to
have a little trouble fitting on a single 360K floppy.
If the game were designed to be installed onto the hard
drive, you could put it on *two* floppies, which allowed
more than twice as many graphics.
All of the above are quite garish by default, but with some tweaking of the settings you can get them looking pretty decent... though I'm still waiting for the thEmacs theme to get ported to Gnome2.
Don't want to support N operating sytem versions, but want anyone with a CD to be able to play your game? Distribute your game on a LiveCD with the OS included; you get full control over the exact version of every piece of software -- the only variables are the hardware, then, and anyone with a PC can play your game.
Of course, for speed reasons you want to offer an option to install to a disk image on the hard drive, and for that to be practical it would be really nice to have read/write NTFS support. Hopefully we'll get that Real Soon Now.
You can get Knoppix 3.2 from cheapbytes.com, though they don't seem to have Gnoppix yet for some reason. Their CDs don't have what I would call eye candy (no fancy logos or anything), but they are labelled in a passably-nice font, and the label (apart from the black letters) is at a glance invisible, not one of those ugly white labels you sometimes see on cheapies. For what they charge, it's a pretty decent option.
I agree that I would like to get one with some nice eye candy, though, maybe (part of) that Knoppix image of the eye that shows while it's starting, or something.
> No offense, but aren't you trying to manipulate the data to > arive at your preconscived notion?
Not deliberately; perhaps I'm biased toward certain conclusions, but the raw number of compromised servers isn't a particularly important thing anyway. If you asked my to speculate about *why* there are so many compromised Windows systems, I'd say it's because there are a lot of complete idiots maintaining Windows systems, who would do no better if they were maintaining Linux. Like I said, I see *lots* of traffic from compromised IIS servers, but I'm pretty sure a great deal of it is the same few servers over and over and over again, because the admins simply refuse to learn about patches. We have a number of Windows systems at work (no Windows _servers_, though...), and to date the most alarming security incident I've encountered was when NAV on two WinXP Pro systems found a virus in a file in the 'Shared Documents' folder (from whence it would not have been executed any time soon, but nevertheless...); I traced the issue to having NetBIOS over TCP/IP enabled (which is the default), and so for the moment I switched NetBIOS to only route over IPX/SPX, which the router won't pass over the T1. (At some point I intend to put all the Windows systems behind an IP Masquerade gateway, which will help somewhat more.) And, frankly, I don't spend a great deal of time on security. So Windows isn't really a security nightmare, if you have some idea what you're doing. It's just that there are some people out there who don't have that ounce of clue, and most of them are running Microsoft software (probably because they (almost) can).
If you test in Konqueror, it should do fine in Safari as well. If you test in Mozilla (either Navigator or Firebird), you've got Camino covered also. Didn't OmniWeb recently switch to one of those two rendering engines also? That of course leaves out MSIE, the mac version of which has very different rendering quirks from the Windows version, but Safari will hopefully phase out the Mac version of MSIE within a couple of years.
My problem is MSIE for Windows. Even assuming I'm willing to boot into Windows for testing, how can I test in both IE5 and IE6? I am *not* going through the uninstall/reinstall process every time I want to test a web page. Currently I'm just writing to specs and *hoping* it will do mostly okay in MSIE, but in practice I know that there will be times when it doesn't. I recently discovered, for example, that MSIE5.5 does not support applying CSS attributes to child elements (e.g., ".sidebar > div { padding: 0.5em; }"). I haven't tested that in IE6... do I really have to get VMWare just to test my web pages?
Here's some help with the math: according to my estimates, based on the network traffic that the (as yet unexploited, though I don't take this for granted) Linux-based CGI server at work logs, the _average_ Windows server is exploited by script kiddies, worms, or viruses several times per year. Now, some of that is the same servers being hit over and over again because the admins simply refuse to learn about patches, so a well-maintained Windows server will not be exploited that often. Still...
If there are more attacks on Linux servers, it's because there are more Linux servers, or because attacks on Linux servers get noticed, or something -- not because Linux is more likely to be targeted. Either that, or we're only counting attacks that were conducted against an individual server by an individual attacker with more skills than just the ability to run prefab breakin tools.
> I have to agree with the 'no gentoo on servers'.
I would qualify that a bit more: no gentoo on mission-critical production servers seems like a good rule of thumb.
I'm currently in the process of getting a gentoo server ready to colocate, but the purpose of this system is to provide a server I can *experiment* on (for learning purposes). I do intend to put some real content on it, of course, but nothing that will cause the world to end if it becomes unavailable for a couple of weeks. Because, I intend to use this server for things like...
* trying out new versions of Apache that I'm not sufficiently
confident to put on the cgi server at work
* trying out other server technologies that I don't have a need
for at work, but want to get familiar with
* testing out server code that I write myself in Perl. (Have
desire to write my own mailserver software? Check. Intend
to put it on a production server right away? Heckno.)
Gentoo is an excellent choice for this sort of thing, IMO.
> wu-ftpd comes to mind...
ftp in general is something you should keep turned off unless you
actually need it, moreso even than is true for services in general,
not because it's more vulnerable than other services so much as
because it gains you unwanted extra attention from the script
kiddies. That goes triple for anonymous ftp.
We do have one system that has to have ftp. I chose proftpd for it,
and yes, I updated it after the recent announcement. And it doesn't
permit anonymous login, because we don't need that.
Except, computer programs are smarter than grammophones, and can be
designed with logic that recognises such invalid or troublesome input
and responds in some fashion (e.g., spits an error message at you).
That way, the troublesome input doesn't destroy the record player.
(It still can't be played, of course...)
Why does this thread remind me of the current poll on Perlmonks?
If a text-based browsers is an acceptable option, no browser has a
better built-in text editor than Emacs/w3. It's fully extensible,
fully scriptable, and closer to fully featured than any other editor
available today. The more advanced features do have a learning curve,
but what fully-featured thing doesn't?
> Don't open email in a reader that will automagicly execute whatever
> it opens (ie: unpatched outlook)
They say Outlook is patched for this. Yeah, whatever; a specific
case has been patched. It's been patched many times before, and it
will be patched again, and still it will automatically execute
certain types of attachments and *hope* the authors have now finally
thought of all the bad things such content could do and specifically
prevented each of them. Only, they obviously haven't yet because
the rate at which new ones are discovered has not diminished in the
slightest.
Bah. Save yourself a lot of trouble: don't use Outlook at all.
All of the above. Turn off the services you don't use, put all your
systems behind a firewall based on a different OS (e.g., Windows
behind Linux, Linux behind BSD, or whatever), do NAT on the firewall
and only forward through existing and related traffic plus any
specific ports you actually need, and keep up-to-date on security
patches. Doing all of the above will cost you less time per year
than *one* serious infection.
Oh, and: don't use Outlook. Ever.
> 1) pull the ethernet cable
> 2) enable XP's built-in firewall
> 3) download patch
Yes, I always pull the ethernet cables before downloading things...
(Ahem. I know what you meant, though.)
RPC is a service you don't need. Turn it off. Not that turning on
the firewall is a bad thing, but turn RPC off. Also, unbind File
and Print Sharing from the TCP/IP on your internet connection. Also,
turn off Windows Messenger Service and any other services you don't
need. This is the same advice *nix people give eachother: turn off
any services you don't intend to actually use. Then, when you read
the slashdot story next week about the new worm, you can glance it
over, determine that the worm comes in through IIS, remember that you
turned IIS off, and relax.
Oh, and: don't use Outlook. Ever. Get Pegasus Mail, or something.
> Gee, since I've never been infected by a virus or worm, and I've
> been using Windows since forever (both client and server side),
> I don't feel I have that much to worry about.
Well, 99% of all Windows worms aren't Windows worms per se, but worms
that impact software that only runs on Windows (usually Outlook, IIS,
or MS SQL Server, but sometimes it's something else). There are the
occasional worms that really do attack Windows itself, like the one a
couple weeks back (that attacked around the same time as SoBig; I
forget what it was called), but many of these can't infect you if you
are up-to-date on your security updates, and most of the rest will be
stopped by any half-decent firewall. So yeah, with safe computing
practices you can run a secure network with Windows systems. That
said, at work I just finished putting all the Windows systems behind
an IP Masq gateway, because it seemed easier than keeping track of all
the security measures I would have to take otherwise. (The NAT of
course does not protect against client vulnerabilities, but I don't
permit Outlook on my network, which helps a LOT; there are easily
ten times as many Outlook malwares as there are security exploits
for Windows itself. This latest is just the most recent.)
> NTFS, which has readonly support
Indeed. IMO, read/write support for NTFS is one of the top three most
overdue features the Linux kernel needs. A versioned filesystem (a la
what VMS has, but built from the ground up for Linux) is another. I'm
sure there's a third feature as long overdue as these two, but I don't
know what it is.
> Itanium is NOT a late-comer to the 64-bit desktop 64-bit market.
You did say desktop, right? Then, you're right, as near as I can
determine: Itanium isn't a latecomer; it's a no-show. Unfortunately,
thus far so is x86-64; everything I've seen so far is rackmount stuff.
I'm hoping this will change soon; when I buy my next desktop, I'm
going to want one that can handle more than 4GB of RAM, but I won't
be ready to give up extant applications.
You don't upgrade to get a faster CPU. Not these days. You upgradee new board supports SATA RAID, which will give you a performance
for other reasons -- your old motherboard is maxed out for RAM, and
you need more. Your old motherboard is USB1.1 and you want 2.0. You
could get an expansion card, but you've only got one slot left and you
really wanted to add IEEEwhateverthenumberisforthattrademarkedbus.
Th
boost for disk-intensive applications. And so on and so forth.
Do you go for a faster CPU while you're upgrading? Well, sure.
Nobody wants to buy a new computer with the same MHz number as the
old one, for psychological reasons if nothing else. But unless you
raytrace animations for a living or something, it's probably not the
thing driving you to upgrade.
> Maybe I'm paranoid, but I can't stop thinking that's MS fault!
It's been a couple of years, and their EULA has probably changed two
dozen times ad interim, but when I actually read Microsoft's privacy
policy, it essentially said, in heavy verbiage, "we will sell your
address to whomever will pay for it". By heavy verbiage, I mean
something of the form, "may share said contact information with
select business partners in order to provide value-added services"
or some such rot. If your eyes glaze over at the first hint of
weaselese, you wouldn't catch it, but it seemed pretty clear to me
that they were saying they would sell my address. Maybe I'm just
paranoid, though. After all, Microsoft is a very reputable company,
as everyone here knows, and so maybe I'm just not giving them enough
benefit of the doubt in my poor understanding of EULA verbiage.
This is it! If you patch this one, sendmail will be secure! Really!
Of course, they said that the last twenty times, but this time for
real, because sendmail is focused on security, just like Microsoft!
Ahem. I won't let sendmail anywhere near any network I administrate,
ever. Argue the relative merits of the other options -- qmail,
postfix, exim, or Net::Server::Mail, but pick one of them, because
letting sendmail listen for incoming connections from the internet,
given its (in)security record, is about as smart as using Outlook
to get your mail. It hasn't been six months since the last sendmail
remote root exploit, and it won't be six months until the next one.
Some things never change.
> fail to see what Burt Reynolds has to do with it.
Nothing. He was talking about Jim Carey.
> Buffer overflows have been known for decades, why are these
> buffer overflows still so prevalent?
In a large program like MySQL, religiously checking each and every
buffer, each and every time anything is stored in it, without missing
any, is *hard*, because there are *lots* of buffers and they get
things stored in them by *lots* of different parts of the code.
The real solution is to use a langauge with builtin memory management.
Until recently this was impractical for performance reasons, but with
VHLL technology improving and hardware improving, it won't be too long
now before it's practical to write almost everything (save the boot
loader and scheduler and a few other lowlevel tidbits) in VHLLs. It
will then take more than twenty years to cycle out all the existing
legacy software and replace it with newer stuff, but hey.
> It just sucked before to have a masters degree along with several
...
> years of experience and have an official title of "Software
> Practitioner." Bleh!
'Practitioner' is too bland, but there are plenty of interesting
words in the English language, words with positive connotations,
besides 'Engineer'. Try some of these on for size: Software Systems
Coordinator, Software Architect, Software Management Expert, Software
Consultant, Software Wizard, Software Technician, Software Remediation
Advisor, Software Selection Counselor, Software Coordination Leader,
Software Developer, Software Design Coordinator, Software Implementor,
Software Department Head, Software Overlord, Regional Software Arch
Policymaker, Software Incident Investigation Captain, Software
Design Committee Chairman, Software Implementation Partner, Software
Quality Control Sherrif, Software Usability Research Coordinator,
Software Antidefenestration Agent, Software Security Bosun, Software
Emergency Response Marshal, Software Planning Team Leader,
Personally, I rather favour the job title 'The Computer Guy'. It
abbreviates nicely to TCG, which sounds vaguely important, and it's
what everybody calls me anyway.
> It was common in the early 1980s that PC Games were bootable.
Yes, but this was abandoned when two things happened:
1) Due to advances in computer technology, most computers had
these cool new things called "hard drives", many of which
would hold up to ten megabytes or more.
2) Due to advances in game technology, driven by consumer
demand for graphics, some of the games were starting to
have a little trouble fitting on a single 360K floppy.
If the game were designed to be installed onto the hard
drive, you could put it on *two* floppies, which allowed
more than twice as many graphics.
All of the above are quite garish by default, but with some tweaking
of the settings you can get them looking pretty decent... though
I'm still waiting for the thEmacs theme to get ported to Gnome2.
Don't want to support N operating sytem versions, but want anyone
with a CD to be able to play your game? Distribute your game on a
LiveCD with the OS included; you get full control over the exact
version of every piece of software -- the only variables are the
hardware, then, and anyone with a PC can play your game.
Of course, for speed reasons you want to offer an option to install
to a disk image on the hard drive, and for that to be practical it
would be really nice to have read/write NTFS support. Hopefully
we'll get that Real Soon Now.
But the idea is solid.
You can get Knoppix 3.2 from cheapbytes.com, though they don't seem
to have Gnoppix yet for some reason. Their CDs don't have what I
would call eye candy (no fancy logos or anything), but they are
labelled in a passably-nice font, and the label (apart from the
black letters) is at a glance invisible, not one of those ugly white
labels you sometimes see on cheapies. For what they charge, it's
a pretty decent option.
I agree that I would like to get one with some nice eye candy, though,
maybe (part of) that Knoppix image of the eye that shows while it's
starting, or something.
> but a 17GB live cd would take quite a lot longer... day or two...
> Hey, I only get 5GB a month. Make that 3 1/2 months for me!
cheapbytes.com -- never underestimate the bandwidth of Priority Mail.
> No offense, but aren't you trying to manipulate the data to
> arive at your preconscived notion?
Not deliberately; perhaps I'm biased toward certain conclusions, but
the raw number of compromised servers isn't a particularly important
thing anyway. If you asked my to speculate about *why* there are
so many compromised Windows systems, I'd say it's because there are
a lot of complete idiots maintaining Windows systems, who would do
no better if they were maintaining Linux. Like I said, I see *lots*
of traffic from compromised IIS servers, but I'm pretty sure a great
deal of it is the same few servers over and over and over again,
because the admins simply refuse to learn about patches. We have
a number of Windows systems at work (no Windows _servers_, though...),
and to date the most alarming security incident I've encountered was
when NAV on two WinXP Pro systems found a virus in a file in the
'Shared Documents' folder (from whence it would not have been
executed any time soon, but nevertheless...); I traced the issue to
having NetBIOS over TCP/IP enabled (which is the default), and so
for the moment I switched NetBIOS to only route over IPX/SPX, which
the router won't pass over the T1. (At some point I intend to put
all the Windows systems behind an IP Masquerade gateway, which will
help somewhat more.) And, frankly, I don't spend a great deal of
time on security. So Windows isn't really a security nightmare, if
you have some idea what you're doing. It's just that there are some
people out there who don't have that ounce of clue, and most of them
are running Microsoft software (probably because they (almost) can).
If you test in Konqueror, it should do fine in Safari as well. If
you test in Mozilla (either Navigator or Firebird), you've got Camino
covered also. Didn't OmniWeb recently switch to one of those two
rendering engines also? That of course leaves out MSIE, the mac
version of which has very different rendering quirks from the Windows
version, but Safari will hopefully phase out the Mac version of MSIE
within a couple of years.
My problem is MSIE for Windows. Even assuming I'm willing to boot
into Windows for testing, how can I test in both IE5 and IE6? I
am *not* going through the uninstall/reinstall process every time
I want to test a web page. Currently I'm just writing to specs and
*hoping* it will do mostly okay in MSIE, but in practice I know that
there will be times when it doesn't. I recently discovered, for
example, that MSIE5.5 does not support applying CSS attributes to
child elements (e.g., ".sidebar > div { padding: 0.5em; }"). I
haven't tested that in IE6... do I really have to get VMWare just
to test my web pages?
Here's some help with the math: according to my estimates, based
on the network traffic that the (as yet unexploited, though I don't
take this for granted) Linux-based CGI server at work logs, the
_average_ Windows server is exploited by script kiddies, worms, or
viruses several times per year. Now, some of that is the same
servers being hit over and over again because the admins simply
refuse to learn about patches, so a well-maintained Windows server
will not be exploited that often. Still...
If there are more attacks on Linux servers, it's because there are
more Linux servers, or because attacks on Linux servers get noticed,
or something -- not because Linux is more likely to be targeted.
Either that, or we're only counting attacks that were conducted
against an individual server by an individual attacker with more
skills than just the ability to run prefab breakin tools.
> No, I can't see any problems with your files...
Files? You have files? Where? No, I think you must have been
imagining them, because there obviously aren't any there.
> I have to agree with the 'no gentoo on servers'.
I would qualify that a bit more: no gentoo on mission-critical
production servers seems like a good rule of thumb.
I'm currently in the process of getting a gentoo server ready to
colocate, but the purpose of this system is to provide a server I
can *experiment* on (for learning purposes). I do intend to put
some real content on it, of course, but nothing that will cause
the world to end if it becomes unavailable for a couple of weeks.
Because, I intend to use this server for things like...
* trying out new versions of Apache that I'm not sufficiently
confident to put on the cgi server at work
* trying out other server technologies that I don't have a need
for at work, but want to get familiar with
* testing out server code that I write myself in Perl. (Have
desire to write my own mailserver software? Check. Intend
to put it on a production server right away? Heckno.)
Gentoo is an excellent choice for this sort of thing, IMO.