----- Original Message -----
From: "Dan Bartley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 12:39 PM
Subject: RE: Ten least secure programs


> You might want to study the statistics for the past year before making
> "my favorite OS" statements.

When exactly did I claim Linux was my favorite (kernel)?  I was making one
example, comparing the ability to have control with Linux vs. Windows.  That
is all.

> Linux actually came out on top of the pile
> for number of security holes, number left unfixed, number of actual
> compromises and slowness in dissemination of information and fixes.

And what is to stop you from fixing things if the vendor or community is
slow to?

> FreeBSD came out among the best, or near, I believe. Windows was in the
> middle.


I really do not think so, Windows has never compared as being more secure,
unless you are comparing unskilled system admins that go with the default
installs.  Then, yes, Windows would likely be more secure.  You don't let a
3 year old drive a BMW on a racing course either, just to say that a Yugo is
a better car for racing.
--
Regards,
Tim Greer  [EMAIL PROTECTED]
Server administration, security, programming, consulting.


-----Original Message-----
From: Tim Greer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 02, 2003 13:31
To: Vic Parat (NSS); Chris Berry; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Ten least secure programs



----- Original Message -----
From: "Vic Parat (NSS)" <[EMAIL PROTECTED]>
To: "Chris Berry" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, July 01, 2003 12:28 AM
Subject: Re: Ten least secure programs


> I would definitely question some of your choices (is Apache more secure than
> IIS?)

Yes, very much. :-)

> but I think top honors for "the ten least secure computer items" is an
> under qualified system administrator.

I agree 100%.  This is also why all the programs mentioned as insecure too,
those pesky humans!

Anyway, while I agree with you, the fact remains that the programs
themselves differ from problems, one more so than the others.  Surely a
secured Windows server is more secure than a non-secured Linux server, but
that's sort of a strange argument to make.

This thread is about insecure programs, nothing more, nothing less.
Sometimes they are more insecure than others due to a common configuration
error or default setting and that comes down to a lame sys admin.  Really
though, how many people are really even qualified sys admins?

Anyway, the point being, some programs are far more exploitable, in their
default or highly configured state, than others... when comparing them as
default to each other, as well as configured well, to each other.  Then,
comparing them.  Also, mind the fact that depending on what you're talking
about, some of them don't allow you to have the control to configure them
and are thus insecure.

For example, Windows only allows so much.  There's a lot you can do, but
mostly a lot you can not.  Whereas a Linux or FreeBSD system, you have much
more you can do, right down into hacking the kernel however you want, and
even if far more involved of a process and much more skills needed, it's up
to the person and their skills to configure, hack and use their skills to
make the server/system far more secure than say a Windows system doesn't
allow.

Personally, I find that a default Windows set up is about as insecure as a
default Linux set up.  Both need to have a lot done, but you can do a lot
more with a Linux system.  Do most people have the time, let alone the
comprehension?  Surely not, so we go back to your comment about unqualified
sys admins.  I couldn't agree more.  However, two qualified sys admins
skilled in their respective areas, the Linux sys admin can do more, unless
that Windows sys admin is privileged enough to be offered the Windows source
code to review and modify to locate and close any potential holes.
--
Regards,
Tim Greer  [EMAIL PROTECTED]
Server administration, security, programming, consulting.

