> I didn't say it was hard, I just said you might have to do some tweaking.
> Many Windows-based RDBMS solutions don't come with drivers for unix, or for
> every flavor of it, and a lot of sysadmins are going to end up using free
> stuff like unixODBC, iodbc, and/or FreeTDS to get their data from an
> MS-based database. And you can't tell me this doesn't constitute
> "tweaking".
> Having done it (successfully), I wouldn't say it was hard, but it wasn't a
> slam-dunk, either.
>

I really don't see how this is any different from Windows.  What's the
difference between using unixODBC or Data Sources Control Panel?  The two
even look the same.  I'll admit with Linux and open source you have more
options.  For instance, you could easily use the perl modules DBD::ODBC or
unixODBC.  These options are what's great about open source projects, and
what's free as in speech about them.

>
> Well, Apache has had an exploit or two released for it (not as many as IIS,
> to be sure, by a long shot). I also noted that one reason IIS/Windows
> machines get targeted so often is because they are closed source and
> Microsoft has had little incentive to code securely until relatively
> recently.
>
> But my point wasn't that IIS was the big target (although it is), but
> Windows. Windows networks are ubiquitous, and the web server is simply one
> point of entry to them. Compromising an IIS machine is usually easier
> because the software is by default configured poorly. Unless a blackhat is
> just into defacing websites, their real interest in a web server is as a
> point of entry to the rest of the network. That's where a MS-based server is
> going to be more interesting as a compromised system, and one (of many) of
> the reasons that I think IIS systems are a more attractive target.
>

IIS isn't the "big target".  According to the Netcraft Survey, Apache holds
a 60% market share compared to IIS's 30% market share.  Which is the bigger
target again?

I'd love to see numbers proving your point on why blackhats attack servers.
From my experience most hackers are script kiddies, who hack for a few
reasons: DoS attacks against another site, starting an FTP warez server, or an
IRC chat server.  Why would a Windows server be any more lucrative than a
Linux server running Apache?  Check out http://project.honeynet.org, which
will confirm my assumptions.

> As I said, they can both be properly secured, given the appropriate effort.
> Don't blame software for stupid sysadmins, and, while it's a laudable goal,
> don't expect better default configurations to fix security flaws. Work
> instead on educating people charged with maintaining these systems.

I agree with you on that point. =)


> Now, how can anything I said in that above paragraph be construed as
> "bashing" open-source? In fact, I praised the open-source methodology as a
> way of improving security, and I pointed out that Apache support really is
> great- IF you know where to look OR are willing to pay money. BUT, as just
> about anyone on a volunteer mailing list will tell you when someone gets too
> demanding with their requests for help, they're not getting paid. It's a
> fair and accurate response, but it is still not what someone on a deadline
> or under the gun needs to hear.
>
> If I'm working on my own, great. I can afford to be patient, because from
> experience, I know that eventually I'll get the answer, whether from
> experimentation or by googling my ass off or getting an answer from a
> mailing list. But if I'm on the clock and I need an answer because my
> manager expects the system up or something done by a deadline, I'm not going
> to rely on people who don't owe me anything. That's where paid support comes
> in, and you can get that on both the IIS and Apache side of things- as I
> pointed out.
>
> I only pointed out that with Apache, you can find paid support if you buy
> your distribution and/or support. But if you're looking at Apache to save
> money, then you better be prepared to take the risk of getting what you pay
> for.

So you're saying IIS support is free unlike Apache?  Ummm...

Of course you're not going to get 24/7 support for Apache without paying
anyone.  You can't do that with IIS either.  Even if you pay for IIS you
still have to pay for support, so you get double charged.

With Apache you can contact numerous companies and individuals for support,
no matter what distribution you use.  These companies and individuals can
even patch bugs, or problems in Apache.  How many MCSEs do you know who can
patch problems in IIS (no, I'm not talking about hotfixes)?

> Apache is great, but it has risks associated with implementing it. So
> does IIS. I think I offered a pretty balanced view of what the two have as
> far as pros and cons.
>
> As an aside, I use, advocate, and support the use of open-source software
> wherever I think it's appropriate to do so. I also participate in mailing
> lists devoted to specific pieces of open-source software on my own time. I
> don't think that I have ever done anything that could be accurately
> construed as "bashing" open-source. It's not the be-all and end-all of
> software or security, and isn't always the answer to a problem.
>

What problem doesn't open source answer?  World hunger maybe, but it could
come close =).


-Jason Yates
