----- Original Message -----
From: "Vic Parat (NSS)" <[EMAIL PROTECTED]>
To: "Chris Berry" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, July 01, 2003 12:28 AM
Subject: Re: Ten least secure programs
> I would definitely question some of your choices (is Apache more secure
than
> IIS?)
Yes, very much. :-)
> but I think top honors for "the ten least secure computer items" is an
> under qualified system administrator.
I agree 100%. This is also why all the programs mentioned as insecure too,
those pesky humans!
Anyway, while I agree with you, the fact remains that the programs
themselves differ from problems, one more so than the others. Surely a
secured Windows server is more secure than a non-secured Linux server, but
that's sort of a strange argument to make.
This thread is about insecure programs, nothing more, nothing less.
Sometimes they are more insecure than others due to a common configuration
error or default setting and that comes down to a lame sys admin. Really
though, how many people are really even qualified sys admins?
Anyway, the point being, some programs are far more exploitable, in their
default or highly configured state, than others... when comparing them as
default to each other, as well as configured well, to each other. Then,
comparing them. Also, mind the fact that depending on what you're talking
about, some of them don't allow you to have the control to configure them
and are thus insecure.
For example, Windows only allows to much. There's a lot you can do, but
mostly a lot you can not. Whereas a Linux of FreeBSD system, you have much
more you can do, right down into hacking the kernel however you want, and
even if far more involved of a process and much more skills needed, it's up
to the person and their skills to configure, hack and use their skills to
make the server/system far more secure than say a Windows system doesn't
allow.
Personally, I find that a default Windows set up is about as insecure as a
default Linux set up. Both need to have a lot done, but you can do a lot
more with a Linux system. Do most people have the time, let alone the
comprehension? Surely not, so we go back to your comment about unqualified
sys admins. I couldn't agree more. However, two qualified sys admins
skilled in their respective areas, the Linux sys admin can do more, unless
that Windows sys admin is privileged enough to be offered the Windows source
code to review and modify to locate and close any potential holes.
--
Regards,
Tim Greer [EMAIL PROTECTED]
Server administration, security, programming, consulting.
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
