Predicated on the idea that someone installed a few hundred thousand backdoors for a reason, you might also want to put a canary out by adding a PHP script to/scripts/root.exe on your own webserver which contacts the calling machine and shuts it down (if it's IIS). Remember to keep a record of who hit you and only respond every few minutes, finally giving up after (say) 3 to 5 tries so that your own server can't be provoked into DoS-like activity.
If lynx -dump -head on that (yes, you do have to replace X.X.X.X with a real address) returns a MIME type ofapplication/octet-stream, you're in business.
If you find any infected machines, put a text file on the desktop (called something like YOU_HAVE_A_VIRUS.txt) with a warning in it (and the URL of your favourite Linux distro), and shut the machine down. If you want to get fancy, add a command to one of the startup methods to remove root.exe from the scripts directory.
You will be doing them (and everyone else) a favour by reducing the number of potential DDoS attackers available, and by closing a hole to destructive visitors.
Passive method (although I'm now down to less than one hit per IP per day):
The solution is to develop with PostgreSQL regardless of what your deployment DB will be. Their docs favor standard SQL. The code you develop will work with the proprietary DBs as well.
And besides that, you will (1) probably know why your code works and (2) not have to deal with next-version breakages anywhere near as often.
You're equating a few tools with a whole slew
on
Windows in 2020
·
· Score: 2
Compare what ships with Debian to what ships with Windows.
Compare the severity of the exploits (e.g. DSA-067 gets you limited control of the Apache user, CodeRed gets you unlimited control of the whole machine) and the difficulty of using them (DSA-071 or 068 cause an application or service crash in special circumstances, SirCam sends your secrets around the world).
That's like equating FIND.EXE with grep, or EDLIN.COM with vi, and being proud of the DOS app having less known vulnerabilities.
You're comparing strawberries and potatoes, Doug.
Microsoft don't ship TCPdump, so nobody reports vulnerabilities in it. There are dozens of webmail apps available for Linux, and most are reported at places like Debian. There is just one shipped with Windows (Outlook) and little else gets its bugs reported (-: maybe because Outlook fills quota quite handily all by itself?:-).
secondly, microsoft, coke, wotc, rambus, intel - they're all at the top of their respective markets because they give people what they want. they answer demand.
All of the companies listed (but can't speak about WOTC) work very hard to create a demand for their products and services. You left out phillip morris and a few others. Perhaps I should be daring and mention that you also left out the drug cartels. This is not what people want, it's what they've been told they want.
Can you honestly tell me that Peruvian natives actually wanted black caffienated phosphoric acid before CCC moved in and flogged it to them, hard? People don't actually want ``Word'' or ``Windows'', they want software that does certain things, or even more so, they simply want to do certain things, and Microsoft have - at great expense - sold them on the idea that the Microsoft Way is the best (only) way, and please pay at the till on the way out.
What they are doing now is escalating that to the point of being able to make you pay every time you breathe or blink. Bill's attitude is probably very much along the lines of ``let them eat cake.''
microsoft provides software that is easy to navigate
Yah, like Microsoft Bob with the reversed OK and Cancel buttons, those useless disappearing menus, and that fsking PITA paperclip. Oh, and dear old Word, with Format-everything-else in the Format menu, but Format-Page in [drum roll...] the file menu! Of course! No thanks.
an os which is unparallel in simplicity
``Simplicity,'' yes, but simple not in the sense of easy to use. Simple in the sense of having important bits missing, like security (CodeRed/SirCam/PWL-files/CIFS-hole-de-jour,PPTP,...), timesharing (WinModems), user awareness (Windows login), reliability (all, especially Bill's '98 USB scanner driver:-), consistency (NT GUI routing != text) standards (Kerberos/AD/IE-MIME-handling), flexibility (FIND.EXE,EDLIN.COM), honesty (DR-DOS crash code in WFW3, ``IE is necessary for Windows''), and much else. Any modern Linux installer and/or system management toolset (think DrakConf) eats Windows for manageability, and Konqueror (for one example) stands between Explorer and WorkPlaceShell for elegance and consistency.
the best web browser that i can think of offhand
For...? Stepping on HTML mines? It took them a hell of a long time to get IE smooth, most of the Open browsers are up on it in half the time.
amd and intel make beautiful chips at low prices
Samsung make even more beautiful chips (Alphas) but Intel may not let them play in that space for long. And tell me that Intel haven't pulled out all the stops to cut AMD, Firewire and everyone else who even smells of competitor off at the knees, I dare you...
the ability to destroy competitors who improve on your product, for example, is a particularly ugly piece of legislation designed to protect businesses by stifling innovation.
Yes, and haven't Microsoft just used that ability to the hilt whenever opportunity arose? Have they stopped? Will they ever? Discuss.
after all, i personally favor letting idiots not wear their seatbelts so that when they crash into something going 60 mph, their stupidity will be removed from this earth.
Would it impact your gross stupidity at all to learn that eight times as many car accident victims are maimed for life as are killed outright? And even more are permanently handicapped? What you are advocating would cause a dramatic increase in the societal burden of caring for incapacitated accident victims, which is the direct opposite of where your pious bullshit was evidently directed.
ms does not need a patch - it will die, eventually, if it's not what the people want.
The trick is to prevent M$ from altering ``what people want'' to suit their accunting department.
It's automatic... systematic... hydromatic...
on
Windows in 2020
·
· Score: 2
This is not because they will be run by bad sysadmins, but because they will - as with many MS systems running Code Red right now - not be administered by anyone at all.
We need a CLI version of those pretty GUI updaters. Debian is already set, of course. Not a complete answer, of course, but done with a touch of planning will eliminate 99% of failure-to-update errors.
One thing I noticed is that the whole "homogeny" thing is based around the fact that Windows is the only operating system.
Isn't that pretty much true right now (and for the past 5 years)?
On the desktop, yes. Something like 95% penetration. Not in server-space (halleluyah!) else CR2 would have pretty much axed the Internet for a fortnight.
The real fix is to disable the extention mappings for things like.ida/.idq and so on
The real fix is to install some other web server. If it supports PHP you can also migrate your VB ASP scripts using ASP2PHP. But maybe you don't want to drag extinct-but-doesn't-know-it-yet methodology and technology across to your shiny new server?
And... since you're changing such a major server component, why not change the whole server so that you're not, one day, forced to upgrade to Windows XP and bleed money for insecure software for the rest of your life? Install Service Pack MAXINT today!
How come despite there being (at the time) three times as many Apache servers up as IIS, there wasn't a shadow of the traffic that CodeRed caused?
Software has bugs. They get found, they get fixed, move on.
Don't tell only half a story, and leave out the exciting bits that make it all flow. ``They get found'' seems to have take, oh... six years, is it now? Why? (1)
Not only that, breaking Apache (to pick a common example) doesn't automagically get you superuser capabilities. Why not? (2)
It's been four years now since Apache had a hole this bad, but IIS had them somewhere between monthly and quarterly. Why? (3)
<upside-down><font size="1">1. Only Microsoft can see the source, and their programmers generally don't understand security. 2. IIS is design-insecure partly because takes as many shortcuts as it can to avoid being molasses-slow. Did you know that the Mindcraft benchmarks used FAT instead of NTFS for the same reason? 3. Performance and user friendlyness and saleable features are all more important to Microsoft than security or stability.</font></upside-down>
This is like selling a shotgun that only fires when pointed at another weapon that is pointed at it, and cannot be modified to do anything else.
However, many people will (as you have done) only see that ``it is a shotgun'' (and panic), not that it is totally harmelss except as used against armed attackers! This is important because some drooling idiots will now conclude, ``it's OK to sell shotguns because SlashDot has done it already''.
As has been so often pointed out, many of Microsoft's fixes also often break things, and they have a nasty habit of occasionally including "improvements" that eventually dead-end you and don't become obvious for some time - like well after it's too late to back out the patch. These features combine to make many admins that I know highly reluctant to install Microsoft's fixes.
Apache is more of a monoculture (about twice as much) than IIS, yet Apache worms this bad generally don't happen because:
* Apache is not design-insecure, as is practically every Microsoft product - for example, Exchange's security goolies are still flapping in the breeze (have to be due to fundamental design) and I expect to see another CodeRed appear targeted for it Real Soon Now;
* If you want active facilities, you have to install them - or at least switch them on - because they either don't come with the base server (e.g. PHP) or aren't available in default pages to exploit (e.g. XSSI);
* The active facilities can only touch as much as the webserver can touch. Users named ``apache'' or ``nobody'' generally don't have write access to a great deal of the file system;
* Even though Apache as such is a monoculture, there is great variety between Apaches. They run on a wide variety of CPUs and OSes. Your binaries might be in/usr/bin,/usr/local/apache/bin,/opt/apache/bin or any one of a number of places; your web pages might be in/home/httpd/html,/var/www/html,/usr/local/apache/html or anywhere the admin chose to put them. It might be running chrooted, it might or might not have zero or more of a great number of modules enabled, and so on;
* Apache adheres to standards; a lot of IIS holes have been in Microsoft special features;
* Apache's code (including most common add-ons) has been examined by a wide variety of eyes using a wide variety of techniques.
Using Microsoft software costs you all of these advantages and more.
Use this tool, you can install Service Pack MAXINT
on
Code Red III
·
· Score: 2
The magic word is ASP2PHP. Apply this to the offending projects, kiss IIS and Windows goodbye forever. Ahhhhh! Feels so good! Won't run down your battery! Made entirely from all-Open ingredients!
Encourage the author (Naken) and you'll soon be able to bin VB screen apps as well. Woohoo!
I think that if somebody wrote something similar to this for apache, we would get similar results.
Disagree. Apache doesn't answer requests as root, and the apache user (usually nobody, apache or httpd) can't write anywhere useful. IIS answers requests as the kernel. ACLs? What ACLs? Banzaaai!
I also routinely mount/var,/home,/tmp all nosuid,nodev to slow down root exploits, and usually mount/boot and/usr readonly to slow down trojans and speed up fscks if the power vanishes. Not a lot of people do this kind of thing, but it's nice to know that Apache itself isn't very vulnerable, and what I'm doing is basically insurance.
There's also the issue of change and diversity. For example, older Apaches tend to default to/home/httpd/... and newer ones to/var/www/... (and who knows where Slackware would put it?) which would trip over hard-coded paths in attack kits. Likewise, many modern Apache installs (e.g. Mandrake) tend to use virtual hosting for everything. Relying on a specific module, or on the state of a specific feature, would also be a loser. Microsoft == monoculture == fragile.
Mandrake installed in a server configuration does start a web server (and other things), but it specifically tells you about it during installation, and you have to click [Yes] to make it happen. They also do things like starting with ALL:ALL:DENY in hosts.deny, meaning that even with services running, a crackers' hope is likely end in futility. Many packagers are following suit.
Debian's automatic updates also take the dodo-or-busy sysadmin out of the loop. Mandrake, RedHat and others are following suit.
Summary: no, we wouldn't. Even though there are twice as many Apache sites as IIS. OTOH if M$ also had 95% penetration of the web server market, the Internet as we know it would be history by now.
Extra credit: Disinfect the machine with the security patch from the MS Web Site.
Not so easy, the right service packs appear to be required first. So your little proggie would first have to determine what was needed, second download and install it all, then finally clean off the rootshell.
patch is available, MS patches known to cause other issues, we hear it
A disproportionate number of the hits on my (Australian) web servers [sources] are from asian countries, leading me to suspect that perhaps the non-English versions of the patch and/or some of the prerequisite Service Packs were released late and/or not as well publicised.
If I was forced to ride shotgun on one of these security sieves, I'd be checking for patches twice daily. And I'd have the sucker behind a non-M$ reverse proxy.
It's a bit slap-dash, but here's CodeRed2 Explorer for your PHP-enabled web server. No need for Telnet, even: explore Windows-land a click at a time from the comfort of your browser. (-:
PLEASE MIRROR THIS and post your mirror URLs in reply to this message (subject Mirror of CodeRed2) since that server is a club server, low bandwidth, low budget. But very secure (Debian on Sparc and well maintained:-)
SlashDot (the pikers )-: wouldn't let me post directly to this page.
Go back and have a look at the old security alerts. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. Buffer overflow in IIS. I'm sure you get the idea. And every one of those means, effectively, root access on that box. The only saving grace is that Windows systems generally don't have the full spectrum of interesting network tools available that Unix boxes routinely do. I'm not sure how to call that an advantage, but I do know a number of people (think Mundie) who probably could.
We should petition Microsoft to Open Source IIS, purely as a matter of self defence.
ASP2PHP will pretty much solve that little issue for you. And remember to set up your new Apache-on-Linux installation for automated security updates. We work while you sleep. (-:
...after all, they've given up on Microsoft DNS for themselves, and MSN's outsourced web hosting includes Apache. There's nothing to stop them from telling Apache to lie about who it is, and use something like ChilliSoft for their own web services, and after that it's not such a big step (remember Apache's licencing) to MS-Apache. Then they can explain that they outsourced development in order to be able to focus on.NET, can't they? (-:
The problem with security is not that we don't know what to do. The problem is that so many of us don't do anything. That is what alarms Gibson, and in that he is correct. There are so many machines not being properly managed that damage is inevitable.
Given that at least four components are necessary for a crack to be effective, removing any one of them will prevent the problem. These components are: malicious code, vulnerable service or device, access to same, lack of fixes or unwillingness to apply available fixes.
Evolution suffers the same type of problems. Hypermutation was recently discovered in components of an immune system and many hands were waved about what this proved. What was not explored was the nature of the mutations. They are almost deliberately allowed to ``go wild'' within very strict bounds, and the result (which would be disastrous outside the immune system) is that a large set of possibly useful responses are produced and tried as antigens in a very short time. However, if any one of a large set of very specific conditions were not met, hypermutation would be lethal. And you can safely bet that any retractions of the previous headlines will be four lines of fine print on page twenty.
So, given that convenience will tend to be chosen over better security (and partly becuase if an administrator goes for a more secure but less convenient solution they may actually suffer a greater security problem by encouraging (for example) undocumented sharing of passwords), a solution such as replacing Windows plus IIS with Linux/*BSD/whatever plus Apache will actually work, and much better than telling users and administrators that they're idiots. They either know that and have to live with it, or don't know it, never will, and will be annoyed every time someone tries to point this out.
ASP2PHP exists, and works, so there's no really sound reasons left for running IIS. It's also (especially in the name of avoiding monoculture) worthwhile checking out alternatives like Zope. The combination of an inherently more reliable service, and automated updates (I know that Debian, Mandrake and RedHat - at least - have these) will remove a vital section from the crackers' stairway to heaven.
Where Mr Gibson does score is in that not everyone needs to be running vulnerable servers to swamp and drown the Internet. Just enough twits to do the job. I'm currently wondering what social effect would drive IIS market penetration up 4% at the very instant this it's been shown to be a public menace. Again. Remember that it's been copping buffer overflows for the best part of a decade now, and doesn't look like stopping.
Predicated on the idea that someone installed a few hundred thousand backdoors for a reason, you might also want to put a canary out by adding a PHP script to /scripts/root.exe on your own webserver which contacts the calling machine and shuts it down (if it's IIS). Remember to keep a record of who hit you and only respond every few minutes, finally giving up after (say) 3 to 5 tries so that your own server can't be provoked into DoS-like activity.
If you find any infected machines, put a text file on the desktop (called something like YOU_HAVE_A_VIRUS.txt) with a warning in it (and the URL of your favourite Linux distro), and shut the machine down. If you want to get fancy, add a command to one of the startup methods to remove root.exe from the scripts directory.
You will be doing them (and everyone else) a favour by reducing the number of potential DDoS attackers available, and by closing a hole to destructive visitors.
Passive method (although I'm now down to less than one hit per IP per day):
And besides that, you will (1) probably know why your code works and (2) not have to deal with next-version breakages anywhere near as often.
But keep whining or Mr Nezzer will send his penguins out to find out why you've stopped. (-:
That's the big thing about open source: freedom (or call it control) - not price, not features. Don't like it? Change it or choose another.
Nobody seems to have noticed SAP DB becoming Open Source last year, but it too is powerful and reliable and includes full transaction support.
Compare what ships with Debian to what ships with Windows.
:-).
Compare the severity of the exploits (e.g. DSA-067 gets you limited control of the Apache user, CodeRed gets you unlimited control of the whole machine) and the difficulty of using them (DSA-071 or 068 cause an application or service crash in special circumstances, SirCam sends your secrets around the world).
That's like equating FIND.EXE with grep, or EDLIN.COM with vi, and being proud of the DOS app having less known vulnerabilities.
You're comparing strawberries and potatoes, Doug.
Microsoft don't ship TCPdump, so nobody reports vulnerabilities in it. There are dozens of webmail apps available for Linux, and most are reported at places like Debian. There is just one shipped with Windows (Outlook) and little else gets its bugs reported (-: maybe because Outlook fills quota quite handily all by itself?
All of the companies listed (but can't speak about WOTC) work very hard to create a demand for their products and services. You left out phillip morris and a few others. Perhaps I should be daring and mention that you also left out the drug cartels. This is not what people want, it's what they've been told they want.
Can you honestly tell me that Peruvian natives actually wanted black caffienated phosphoric acid before CCC moved in and flogged it to them, hard? People don't actually want ``Word'' or ``Windows'', they want software that does certain things, or even more so, they simply want to do certain things, and Microsoft have - at great expense - sold them on the idea that the Microsoft Way is the best (only) way, and please pay at the till on the way out.
What they are doing now is escalating that to the point of being able to make you pay every time you breathe or blink. Bill's attitude is probably very much along the lines of ``let them eat cake.''
Yah, like Microsoft Bob with the reversed OK and Cancel buttons, those useless disappearing menus, and that fsking PITA paperclip. Oh, and dear old Word, with Format-everything-else in the Format menu, but Format-Page in [drum roll...] the file menu! Of course! No thanks.
``Simplicity,'' yes, but simple not in the sense of easy to use. Simple in the sense of having important bits missing, like security (CodeRed/SirCam/PWL-files/CIFS-hole-de-jour,PPTP,. ..), timesharing (WinModems), user awareness (Windows login), reliability (all, especially Bill's '98 USB scanner driver :-), consistency (NT GUI routing != text) standards (Kerberos/AD/IE-MIME-handling), flexibility (FIND.EXE,EDLIN.COM), honesty (DR-DOS crash code in WFW3, ``IE is necessary for Windows''), and much else. Any modern Linux installer and/or system management toolset (think DrakConf) eats Windows for manageability, and Konqueror (for one example) stands between Explorer and WorkPlaceShell for elegance and consistency.
For...? Stepping on HTML mines? It took them a hell of a long time to get IE smooth, most of the Open browsers are up on it in half the time.
Samsung make even more beautiful chips (Alphas) but Intel may not let them play in that space for long. And tell me that Intel haven't pulled out all the stops to cut AMD, Firewire and everyone else who even smells of competitor off at the knees, I dare you...
Yes, and haven't Microsoft just used that ability to the hilt whenever opportunity arose? Have they stopped? Will they ever? Discuss.
Would it impact your gross stupidity at all to learn that eight times as many car accident victims are maimed for life as are killed outright? And even more are permanently handicapped? What you are advocating would cause a dramatic increase in the societal burden of caring for incapacitated accident victims, which is the direct opposite of where your pious bullshit was evidently directed.
The trick is to prevent M$ from altering ``what people want'' to suit their accunting department.
We need a CLI version of those pretty GUI updaters. Debian is already set, of course. Not a complete answer, of course, but done with a touch of planning will eliminate 99% of failure-to-update errors.
On the desktop, yes. Something like 95% penetration. Not in server-space (halleluyah!) else CR2 would have pretty much axed the Internet for a fortnight.
SlashDot/XP? Didn't pay your software rent?
The real fix is to install some other web server. If it supports PHP you can also migrate your VB ASP scripts using ASP2PHP. But maybe you don't want to drag extinct-but-doesn't-know-it-yet methodology and technology across to your shiny new server?
And... since you're changing such a major server component, why not change the whole server so that you're not, one day, forced to upgrade to Windows XP and bleed money for insecure software for the rest of your life? Install Service Pack MAXINT today!
How come despite there being (at the time) three times as many Apache servers up as IIS, there wasn't a shadow of the traffic that CodeRed caused?
Don't tell only half a story, and leave out the exciting bits that make it all flow. ``They get found'' seems to have take, oh... six years, is it now? Why? (1)
Not only that, breaking Apache (to pick a common example) doesn't automagically get you superuser capabilities. Why not? (2)
It's been four years now since Apache had a hole this bad, but IIS had them somewhere between monthly and quarterly. Why? (3)
<upside-down><font size="1">1. Only Microsoft can see the source, and their programmers generally don't understand security. 2. IIS is design-insecure partly because takes as many shortcuts as it can to avoid being molasses-slow. Did you know that the Mindcraft benchmarks used FAT instead of NTFS for the same reason? 3. Performance and user friendlyness and saleable features are all more important to Microsoft than security or stability.</font></upside-down>
This is like selling a shotgun that only fires when pointed at another weapon that is pointed at it, and cannot be modified to do anything else.
However, many people will (as you have done) only see that ``it is a shotgun'' (and panic), not that it is totally harmelss except as used against armed attackers! This is important because some drooling idiots will now conclude, ``it's OK to sell shotguns because SlashDot has done it already''.
Shouldn't be too hard to alter one of the standard installers to:
What have I forgotten?
As has been so often pointed out, many of Microsoft's fixes also often break things, and they have a nasty habit of occasionally including "improvements" that eventually dead-end you and don't become obvious for some time - like well after it's too late to back out the patch. These features combine to make many admins that I know highly reluctant to install Microsoft's fixes.
/usr/bin, /usr/local/apache/bin, /opt/apache/bin or any one of a number of places; your web pages might be in /home/httpd/html, /var/www/html, /usr/local/apache/html or anywhere the admin chose to put them. It might be running chrooted, it might or might not have zero or more of a great number of modules enabled, and so on;
Apache is more of a monoculture (about twice as much) than IIS, yet Apache worms this bad generally don't happen because:
* Apache is not design-insecure, as is practically every Microsoft product - for example, Exchange's security goolies are still flapping in the breeze (have to be due to fundamental design) and I expect to see another CodeRed appear targeted for it Real Soon Now;
* If you want active facilities, you have to install them - or at least switch them on - because they either don't come with the base server (e.g. PHP) or aren't available in default pages to exploit (e.g. XSSI);
* The active facilities can only touch as much as the webserver can touch. Users named ``apache'' or ``nobody'' generally don't have write access to a great deal of the file system;
* Even though Apache as such is a monoculture, there is great variety between Apaches. They run on a wide variety of CPUs and OSes. Your binaries might be in
* Apache adheres to standards; a lot of IIS holes have been in Microsoft special features;
* Apache's code (including most common add-ons) has been examined by a wide variety of eyes using a wide variety of techniques.
Using Microsoft software costs you all of these advantages and more.
The magic word is ASP2PHP. Apply this to the offending projects, kiss IIS and Windows goodbye forever. Ahhhhh! Feels so good! Won't run down your battery! Made entirely from all-Open ingredients!
Encourage the author (Naken) and you'll soon be able to bin VB screen apps as well. Woohoo!
Disagree. Apache doesn't answer requests as root, and the apache user (usually nobody, apache or httpd) can't write anywhere useful. IIS answers requests as the kernel. ACLs? What ACLs? Banzaaai!
I also routinely mount
There's also the issue of change and diversity. For example, older Apaches tend to default to
Mandrake installed in a server configuration does start a web server (and other things), but it specifically tells you about it during installation, and you have to click [Yes] to make it happen. They also do things like starting with ALL:ALL:DENY in hosts.deny, meaning that even with services running, a crackers' hope is likely end in futility. Many packagers are following suit.
Debian's automatic updates also take the dodo-or-busy sysadmin out of the loop. Mandrake, RedHat and others are following suit.
Summary: no, we wouldn't. Even though there are twice as many Apache sites as IIS. OTOH if M$ also had 95% penetration of the web server market, the Internet as we know it would be history by now.
Not so easy, the right service packs appear to be required first. So your little proggie would first have to determine what was needed, second download and install it all, then finally clean off the rootshell.
A disproportionate number of the hits on my (Australian) web servers [sources] are from asian countries, leading me to suspect that perhaps the non-English versions of the patch and/or some of the prerequisite Service Packs were released late and/or not as well publicised.
If I was forced to ride shotgun on one of these security sieves, I'd be checking for patches twice daily. And I'd have the sucker behind a non-M$ reverse proxy.
PLEASE MIRROR THIS and post your mirror URLs in reply to this message (subject Mirror of CodeRed2) since that server is a club server, low bandwidth, low budget. But very secure (Debian on Sparc and well maintained :-)
SlashDot (the pikers )-: wouldn't let me post directly to this page.
Last week: 92
Last 32 hours: 196 (175 unique addresses)
Looks like it's concrete bunker time soon... )-:
We should petition Microsoft to Open Source IIS, purely as a matter of self defence.
...after all, they've given up on Microsoft DNS for themselves, and MSN's outsourced web hosting includes Apache. There's nothing to stop them from telling Apache to lie about who it is, and use something like ChilliSoft for their own web services, and after that it's not such a big step (remember Apache's licencing) to MS-Apache. Then they can explain that they outsourced development in order to be able to focus on .NET, can't they? (-:
Given that at least four components are necessary for a crack to be effective, removing any one of them will prevent the problem. These components are: malicious code, vulnerable service or device, access to same, lack of fixes or unwillingness to apply available fixes.
Evolution suffers the same type of problems. Hypermutation was recently discovered in components of an immune system and many hands were waved about what this proved. What was not explored was the nature of the mutations. They are almost deliberately allowed to ``go wild'' within very strict bounds, and the result (which would be disastrous outside the immune system) is that a large set of possibly useful responses are produced and tried as antigens in a very short time. However, if any one of a large set of very specific conditions were not met, hypermutation would be lethal. And you can safely bet that any retractions of the previous headlines will be four lines of fine print on page twenty.
So, given that convenience will tend to be chosen over better security (and partly becuase if an administrator goes for a more secure but less convenient solution they may actually suffer a greater security problem by encouraging (for example) undocumented sharing of passwords), a solution such as replacing Windows plus IIS with Linux/*BSD/whatever plus Apache will actually work, and much better than telling users and administrators that they're idiots. They either know that and have to live with it, or don't know it, never will, and will be annoyed every time someone tries to point this out.
ASP2PHP exists, and works, so there's no really sound reasons left for running IIS. It's also (especially in the name of avoiding monoculture) worthwhile checking out alternatives like Zope. The combination of an inherently more reliable service, and automated updates (I know that Debian, Mandrake and RedHat - at least - have these) will remove a vital section from the crackers' stairway to heaven.
Where Mr Gibson does score is in that not everyone needs to be running vulnerable servers to swamp and drown the Internet. Just enough twits to do the job. I'm currently wondering what social effect would drive IIS market penetration up 4% at the very instant this it's been shown to be a public menace. Again. Remember that it's been copping buffer overflows for the best part of a decade now, and doesn't look like stopping.