Hello Vegeta,
This will be my last public word on this topic (we are here for jboss,
no?!?)
> I agree completely. But UNIX/Apache administrators tend to be more competent
> than Windows/IIS administrators. Many Windows administrators are incompetent,
> and my policy is heavily influenced by the fact that it is very probable that
> the administrator of a Windows/IIS site is incompetent. It is a
Well, if you say so... this is just a matter of probability then...
> fact. Check the Netcraft October survey (http://www.netcraft.com/survey/)
> and see that right now more than 30% of IIS sites are vulnerable in some way
> (purchasing on an IIS site is like gambling that Ichiro Suzuki will not get a
> hit at a given at-bat).
> More frightening is the fact that by June almost 80% of IIS sites were
> vulnerable.
This argument is not clean. This has been discussed recently on NTBugtraq.
See the post attached.
> That is right. I never pay with credit cards in any place where I have to
> lose sight of my card and that includes restaurants.
Even if you do not lose sight of your card, people just need to know your
card number and name...
> In my country (Venezuela) there are several stores that do not have a POS
> terminal to process the credit card (can you believe that?)
yes.
> use a thing that leaves a carbon copy of the card with the store. I never buy
> from those sites even if I do not lose sight of my card.
I always do ;) What is the risk?
And I sometimes drink wine, beer, I drive a car (not at the same time
though), etc. Life can be so dangerous! ;)
> Actually, I use my credit card mostly to buy on the Internet at a few places
> that I believe are well administered.
Interesting! How do you distinguish a well-administered web site from a
badly administered one? The logo? The background color?
And what makes you think that Flashline is insecure? Just because it runs on
NT4.0? You're kidding?
> It may seem paranoid, but the policy has worked well so far.
Mine too. :)
Too bad. I am sure you would have found JBoss documentation useful.
Cheers,
Sacha
--- Begin Message ---
I obviously triggered a nerve, probably more due to my wording than my lack
of a High School education...;-]
That said, the consensus seems to be:
1. NetCraft didn't do any extrapolation, that was done by others reporting
on NetCraft's survey results.
2. The sample size ("several hundred") could be adequate for extrapolation,
it depends on whether or not the sample was RANDOMLY chosen from the greater
population.
3. The Web Server Security dataset clearly wasn't randomly chosen. It was
100% of the IIS boxes they did the security tests on (100% of the subset
they did security testing on that were IIS).
Ergo, extrapolation of the results should not be done, and the results aren't
statistically representative of the IIS servers on the 'net. Each person can
decide for themselves whether the boxes tested should or shouldn't have been
clean at the time they were being tested.
NetCraft should add a question to their process which asks the owner of the
box to rate the security of the box they're having tested prior to the
tests. If everyone requesting the test thinks their box is secure, the test
results mean one thing...if they all think their boxes are insecure already,
the results have a different meaning.
Cheers,
Russ - NTBugtraq Editor
--- End Message ---