Lots of good points Rey, I agree with you. I think my comments were perhaps aimed a little more at MS than at the article itself, but it's interesting to take note of other articles that report the 'report' as it were. Take this for example:

http://it.mycareer.com.au/breaking/2001/09/25/FFXI5T3L0SC.html?NDailyH

This report lacks the 'urgency' of the original cnet post so I think that perhaps part of the issue is the news reporting. Having read the above link prior to your original post the first word I noticed was 'immediately' (in bold and at the beginning of the article). This lowers the credibility of the report itself IMO.

You sound like you know more about this than I, but do you really believe that IIS is as secure as apache etc?

Benjamin

PS For me this isn't an issue of cash/cost of ownership etc, just security (Which is grave indeed - obviously).

----- Original Message -----
From: "Rey Bango" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 6:22 AM
Subject: Re: Check out what Gartner is recommending. Drop IIS!

> Thanks for the feedback bud but I still disagree. IIS and Microsoft are just
> the flavor of choice now for the cracker community. If you go to
> SecurityFocus.com, you'll see that both Linux and Apache have a long history
> of security issues. Look up Sun and you'll find the same thing. If we were
> to call IIS "shaky" simply because of the current security issues, then I'm
> not exactly sure what to call the other operating systems that at one time
> had many security breaches and to this day, still have to constantly patch
> their implementations.
>
> I truly hope MS is sincere in their statement of rewriting IIS but
> inevitably, there are still going to be hacks. The strongest OS that I've
> seen publicly available is OpenBSD and that's because they audit *every*
> line of code in their BSD offering and many of the accompanying packages.
> Those that can't be audited are put into a "ports" tree and an advisory is
> specified accordingly. Anyone that would come out and say that SunOS, Linux
> or FreeBSD (very good webserving alternatives) are without security issues
> would be a liar.
>
> I certainly acknowledge that IIS & WinNT/2K have some security issues but I
> have seen and experienced the same thing on other OSes.
>
> As for Gartner, like I mentioned originally, they sway with the wind. I find
> them to be very good sometimes and VERY crappy on other occasions. I've seen
> their reports for the last eight years, through the client/server days and
> now with ecommerce and, frankly, have seen a steady decline in their
> analysis of anything. It's almost as if they just hire any schmoe to do a
> review of some business practice, regardless of that person's skills or past
> experiences. I remember when they smacked Sybase around because they didn't
> have row-level locking when in reality, 90% of DBMS users, at that point,
> had no need for that feature because they weren't in a high-OLTP
> environment. It was stupid and this latest report is right in line w/ the
> deteriorating level of their reports. It makes very poor fiscal sense for a
> large corporation to drop critical web servers and start a huge migration to
> a new platform of which they probably have no knowledge. You want to see a
> real security mess? Get a bunch of MS-focused companies to switch to Linux
> and watch the crackers have fun. Then let's see what Gartner would have to
> say.
>
> A better argument would've been to recommend that companies start taking
> security seriously and invest in training their existing staff as well as
> supplementing those overburdened admins.
>
> Rey...
>
> ----- Original Message -----
> From: "Benjamin Falloon" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Tuesday, September 25, 2001 3:42 PM
> Subject: Re: Check out what Gartner is recommending. Drop IIS!
>
> > Maybe a little OT, but my 2c.
> >
> > I wouldn't call that stupid at all.
> > Consider all of the attacks aimed squarely at IIS in the past few months.
> > It's only going to increase. I've had personal experience with being
> > hacked. I run 2 internal IIS development boxes for CF and an internal hack
> > replaced *ALL* index.htm, default.htm files in all folders in the web
> > serving directory. Lucky more files were cfm.
> >
> > I'm not a 'server' admin (by title) but I can thank MS for this. If they
> > released a tighter web server with less vulnerabilities maybe there would
> > be fewer viruses/hacks that could penetrate. People shouldn't need to have
> > to patch every week.
> >
> > Doesn't that fact indicate that just *maybe* the software itself is pretty
> > shaky?
> >
> > Consider this quote from the article,
> >
> > "Gartner remains concerned that viruses and worms will continue to attack
> > IIS until Microsoft has released a completely rewritten, thoroughly and
> > publicly tested, new release of IIS,"
> >
> > Rewritten. That would be a good idea. Try to imagine a pair of pants with
> > as many 'security' patches as is and will continue to be required for IIS.
> > I'd say the pants would be more patches than pants.
> >
> > Just a thought,
> >
> > Benjamin
> >
> > PS maybe apache would be a good alternative.
> >
> > ----- Original Message -----
> > From: "Rey Bango" <[EMAIL PROTECTED]>
> > To: "CF-Talk" <[EMAIL PROTECTED]>
> > Sent: Wednesday, September 26, 2001 3:03 AM
> > Subject: OT: Check out what Gartner is recommending. Drop IIS!
> >
> > > Now, I've always found Gartner to sway in a particular direction based
> > > in the wind changes and the phases of the moon but this recommendation
> > > is just plain stupid. Check it out:
> > >
> > > http://news.cnet.com/news/0-1003-200-7294516.html
> > >
> > > Rey Bango