You start off making some valid points.  However.

Regarding patching:  you're telling me there's never been an Apache patch?
How about an iPlanet patch?  And you can apply it without restarting any
daemons?  Right.  No Apache patches.  Ever.  They come perfect, right out of
the box, every time.  I think they DO have patches, they just call them
REVISIONS.

Regarding reboot while patching IIS:  three days out of 90.  Not bad.  One
day a month maintaining an IIS box.  Big deal. 

The TV analogy:  Ever seen the watch that will serve as a remote control?
We still buy the TV.  People can hack cell phone calls, yet we still use
them.  Phone lines can be tapped; we still use the phone.  My car got broken
into last week.  The autobody shop said "Locks are meant to keep honest
people out".  If someone wants in, really, they'll get in eventually.  You
can't stop them.  You can only make the effort to keep it difficult.

I like what they said in "The Score": if someone built it, it can be taken
apart.  Don't for a second think that *nix is any more secure than WinBlows.

Nobody has forced you to accept "appallingly poor quality software simply
because the majority don't know".  The majority DOES know, I'm afraid.  If
YOU don't like it, switch professions.  Be thankful you have a job.  I am.
Without this majority, there wouldn't be the need for IT professionals.
That's the way the world works.  It's not like a virus has never been
written for *nix, or a worm, or a DoS attack, or bad code.  It's a way of
life in IT.


-----Original Message-----
From: Toby Tremayne [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, September 25, 2001 10:02 PM
To: CF-Talk
Subject: Re: Check out what Gartner is recommending. Drop IIS!


<cfwhinge>
I'm sorry - I've been avoiding it but I have to jump in here...

I keep reading on this list and others, and in so many news articles about
windows only being targeted because it's the most popular, and about it
being down to irresponsible admins etc etc.  Both of these points are in
some ways valid, but to me these people seem to be missing the point.

   Yes, less of this would happen if admins were responsible and used all
the latest patches etc etc.  But what am I missing here - why is it nobody
seems to see that the entire concept of windows and iis patches is the
problem in the first place - we need to patch our servers because they are
a) in some places so pathetically coded and/or untested that they break down
and let all kinds of nonsecure access through and b) at development time it
is obviously decided that security is not cost effective to implement.

    These worms are all aimed at the fact that explorer/iis/outlook let you
arbitrarily execute all kinds of foreign code or local commands without any
kind of checking or restraint whatsoever.  And yes perhaps there are patches
for the majority of these - but they should never have been released
requiring those patches in the first place.  Windows is targeted not purely
because of its market share but because it makes possible the functions of
these worms.  I don't agree with the idea that there are more windows based
hackers than unix based hackers - the thought is ludicrous - and it makes
little difference.  You don't need any great level of expertise to write one
of these things, and as bad as the last year or two have become it's
astounding there aren't more of them.  And still microsoft continues to
release software with these vulnerabilities coded into them - and we
continue to buy them.

    Look at it this way, if someone made a television that did all the
normal stuff, but had an extra "feature" that let anyone arbitrarily connect
to it and start changing your channels, you'd never buy it.  And if you'd
already bought it and later found out, you'd kick up an enormous stink.  It
ought to be no different with software - especially software that's mission
critical and costs you large sums of money when it fails - not to mention
inadvertently hammering the daylights out of *other* people's software
without you being able to stop it.

    These are just my opinions, but I'm seriously tired of the fact that we
who know better get forced to accept appallingly poor quality software simply
because the majority don't know or care what the problems are and follow the
upgrade paths dished out to them.  We don't help this situation any when we
let these kinds of arguments ride without pointing out the truth.

</cfwhinge>

cheers,

Toby
P.S.  Just for the record, I too run Win2K, IIS, AND Linux
------------------------------------------------------------------------

     Life is poetry, write it in your own words

------------------------------------------------------------------------

Toby Tremayne
Architect / Developer
Code Poet and Zen Master of the Heavy Sleep
MercuryRed
Lvl 9, 123 Queen st
Melbourne
VIC 3000
p: +61 3 9605 5035
m: +61 416 048 090
ICQ: 13107913

------------------------------------------------------------------------
----- Original Message -----
From: Benjamin Falloon <[EMAIL PROTECTED]>
To: CF-Talk <[EMAIL PROTECTED]>
Sent: Wednesday, September 26, 2001 7:39 AM
Subject: Re: Check out what Gartner is recommending. Drop IIS!


> Very good intelligent responses Rey and Dave.
>
> Ultimately it comes down to responsible management in the form of
> expertise as you both allude to. I think you have a good point though
> Dave in saying that IIS is maybe a little over-loaded. I read a report
> from some people administering army.mil (or something like that) just
> today and its conclusion rested on the same principle of awareness.
> Interestingly, their conclusion was that in order for your 'average'
> set-up (read - no frills) the most 'secure' server set-up (being less
> exposed) would probably be a Mac with a vanilla web server.
>
> This issue is so multi-faceted that it's impossible to cover specific
> needs and unwise to generalise too much. One major issue in light of the
> recent Nimda worm is that because there are many irresponsible IIS admins
> these types of worms can spread even further and faster than before. An
> unfortunate side effect was articulated by our colleagues on one of the
> flash lists that people were being encouraged to increase their IE
> security settings to avoid the infected servers (caused in part by IIS in
> combination with ActiveX - both MS). The side effect being that people
> visiting flash sites were getting security 'warnings'. I've had one of
> our clients call citing people not wanting to enter the web site because
> of these warnings.
>
> If as you suggest Dave, these 'features' could be by default turned off
> then maybe that's a start... But it seems to me that MS is being targeted
> more than anything else and it's counter productive to the development
> community if MS's own software 'features and flaws' starts interfering
> with our work in other ways than just security (as the flash example
> shows).
>
> Benjamin
>
>
>
> ----- Original Message -----
> From: "Rey Bango" <[EMAIL PROTECTED]>
> To: "CF-Talk" <[EMAIL PROTECTED]>
> Sent: Wednesday, September 26, 2001 6:45 AM
> Subject: Re: Check out what Gartner is recommending. Drop IIS!
>
>
> > > My point is that you would have less exposure to risk running
> > > alternatives because they aren't a massive target like IIS is.
> >
> > Sorry bud but you're exposed with every server. I've got a T1
> > running in here and I scan the logs. I get probed all of the time on
> > all different types of ports and as I mentioned before, MS is just
> > the flavor of the month. Don't be surprised that while everyone is
> > making a big deal about IIS, someone's already coming out with a new
> > worm for Linux. There was a nice juicy one just awhile ago that really
> > slapped around several Linux admins.
> >
> > You are exposed at the moment that you connect *any* server or pc,
> > with any OS, to the Net and to assume that you would have less exposure
> > to risk by not using MS/IIS would be naive. *YOU* are the main
> > determining factor in how secure your box will be. Yes, applying
> > patches is a PITA but it's part of what goes with running a publicly
> > accessible web server.
> >
> > Here's my take on this, irregardless of OS. If a person does not
> > know how to properly manage their box or doesn't have the time to do
> > it, then:
> >
> > 1) They shouldn't be putting it out on Net or
> > 2) They should hire someone to do it.
> >
> > The management of a webserver is essentially a full-time job and
> > most people treat that responsibility in a half-ass way. Then, when
> > they get hacked, they blame the OS. It's like raising a child. If
> > you're not prepared to do it the right way, then abstain, wear
> > protection or stay celibate! hehe.
> >
> > Thanks for the opinions, bud.
> >
> > Rey...
> >
> >
> > >
> > > Benjamin
> > >
> > >
> > > ----- Original Message -----
> > > From: "Costas Piliotis" <[EMAIL PROTECTED]>
> > > To: "CF-Talk" <[EMAIL PROTECTED]>
> > > Sent: Wednesday, September 26, 2001 6:19 AM
> > > Subject: RE: Check out what Gartner is recommending. Drop IIS!
> > >
> > >
> > > > You know it's funny though.  A quick search at
> > > > www.securiteam.com shows that Apache and iPlanet have many
> > > > vulnerabilities as well.  Think perhaps that the research is
> > > > simply political?  Hackers seem to actually target IIS boxes
> > > > likely for their hatred of Micro$oft.  I think there's more to
> > > > this than meets the eye...
> > > >
> > > > Remember, nothing's ever secure.  As stated in the movie The
> > > > Score: "If someone built it, someone can break it".
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Benjamin Falloon [mailto:[EMAIL PROTECTED]]
> > > > Sent: Tuesday, September 25, 2001 12:42 PM
> > > > To: CF-Talk
> > > > Subject: Re: Check out what Gartner is recommending. Drop IIS!
> > > >
> > > >
> > > > Maybe a little OT, but my 2c.
> > > >
> > > > I wouldn't call that stupid at all.
> > > > Consider all of the attacks aimed squarely at IIS in the past
> > > > few months. It's only going to increase. I've had personal
> > > > experience with being hacked. I run 2 internal IIS development
> > > > boxes for CF and an internal hack replaced *ALL* index.htm,
> > > > default.htm files in all folders in the web serving directory.
> > > > Luckily more files were cfm.
> > > >
> > > > I'm not a 'server' admin (by title) but I can thank MS for this.
> > > > If they released a tighter web server with less vulnerabilities
> > > > maybe there would be fewer viruses/hacks that could penetrate.
> > > > People shouldn't need to have to patch every week.
> > > >
> > > > Doesn't that fact indicate that just *maybe* the software itself
> > > > is pretty shaky?
> > > >
> > > > Consider this quote from the article,
> > > >
> > > > "Gartner remains concerned that viruses and worms will continue
> > > > to attack IIS until Microsoft has released a completely
> > > > rewritten, thoroughly and publicly tested, new release of IIS,"
> > > >
> > > > Rewritten. That would be a good idea. Try to imagine a pair of
> > > > pants with as many 'security' patches as is and will continue to
> > > > be required for IIS. I'd say the pants would be more patches
> > > > than pants.
> > > >
> > > > Just a thought,
> > > >
> > > > Benjamin
> > > >
> > > > PS maybe apache would be a good alternative.
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Rey Bango" <[EMAIL PROTECTED]>
> > > > To: "CF-Talk" <[EMAIL PROTECTED]>
> > > > Sent: Wednesday, September 26, 2001 3:03 AM
> > > > Subject: OT: Check out what Gartner is recommending. Drop IIS!
> > > >
> > > >
> > > > > Now, I've always found Gartner to sway in a particular
> > > > > direction based on the wind changes and the phases of the moon
> > > > > but this recommendation is just plain stupid. Check it out:
> > > > >
> > > > > http://news.cnet.com/news/0-1003-200-7294516.html
> > > > >
> > > > > Rey Bango
> > > > >