Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Slashback

Slashback: Snapshots, Amends, Bazaarity 388

Slashback brings you some follow-ups tonight about Gartner's recommendation to dump IIS, Charles Connell vs. Eric S. Raymond on Open Source project management, xStore and the GPL, and (yes) the results of Deep Space 1's latest Final Mission.

Microsoft is just as secure as the competition, says Microsoft. Jon_E writes: "According to this article Microsoft is responding to the Gartner Report which recommends that enterprises drop IIS by claiming unfair targeting due to their popularity."

Whether because of better-trained or more vigilant administrators, or some other factors, the Apache servers running many web sites certainly haven't seen the devastating outages in the past month (Code Red, Nimda) as certain large IIS installations have.

If animated, this might make a really good Saturday cartoon. cconnell writes "Last September, slashdot published my critique of Eric Raymond's essay The Cathedral and the Bazaar. There was a lively (and sometimes scorching) discussion that followed. Here is Eric's reply to my critique, which Slashdot readers might enjoy. And here is my reply to Eric."

This was not faked in the same studio as the "lunar landings." mrsmalkav writes "Deep Space 1 has passed by Comet Borrelly within 1400 miles and took some very pretty pictures of the comet's core, all while collecting lots of data about said comet. NASA's press release discusses some of the details and findings of the flyby.

This is actually really impressive given that there was very little hope for this mission. From the Mission Logs on DS1's site, '[T]o be honest, DS1's visit with the comet simply is unlikely to work as well as we hope. Many mission logs have described the difficulty of keeping this aged and wounded bird aloft, and the encounter with Borrelly will present Deep Space 1 with the greatest challenge yet in its historic trek through the solar system.'"

Saint Aardvark writes "Space.com has an article about the images taken by DS-1, and they're stunning." And eldurbarn points to the NASA Images of comet Borrelly online at JPL.

How to satisfy customers with license objections, Part II brtb writes: "Soon after Slashdot posted my DiscZerver-GPL writeup last week, xStore added a link in their Download section for information about the use of GPL software in their products. Below is the e-mail I received in response (address changed to protect the spamless). Congratulations to xStore for supporting Free Software and bringing the DiscZervers into compliance with the GPL.

From: "Support" [support@xstoreonline.com]
To: "brtb" [slashdot@brtb.org]
Subject: "RE: GPL SOURCE CODE"

xStore is committed to complying to the full letter and spirit of the GPL. We are currently investigating the allegations of non-GPL compliance and communicating with the GNU.ORG and Free Software Foundation on this issue. We will produce a response to your request that is mutually acceptable to the copyright holders of the programs we have used that fall under the GPL and xStore itself. Due to the recent acquisition of this product, we are still in the process of preparing the required source code for distribution. xStore is commited to bring the DiscZerver product into GPL compliance, if it is indeed found to be not in compliance.

In the meantime, please provide xStore with information so that we can send you, the user of this product, the package that you are entitled to. Please provide the serial number of your DiscZerver product and the 'system page' with your response. The 'system page' is located at [http://your_Zerver_name_or_IP_address/admin-cgi/s ystem]. In addition, please send us a self addressed stamped envelope suitable for mailing a CD-ROM along with $14.95 to:

xStore, Inc.
Federal Highway Center
1200 North Federal Highway
Suite 200
Boca Raton, FL 33432

After we receive your written request along with the above items, we will process it and promptly send you the disc when it becomes available.

This thanks to the mostly behind-the-scenes work of people at the FSF. Congratulations to xStore for respecting the intent of the programmers whose work they're consolidating and packaging.

This discussion has been archived. No new comments can be posted.

Slashback: Snapshots, Amends, Bazaarity

Comments Filter:
  • by ruebarb ( 114845 ) <coloracheNO@SPAMhotmail.com> on Tuesday September 25, 2001 @08:06PM (#2350436)
    Just out of curiousity...how does this engine work...what principles of physics does this satellite use and what would it's benefits be?..first time I heard of one is when I found that's what powers TIE fighters

    : ) - It's true...TIE = Twin Ion Engine

    • by Coniine ( 524342 ) on Tuesday September 25, 2001 @08:11PM (#2350462)
      An ion engine ionizes neural atoms then accelerates the charged particles and emits them as a high energy stream. The ship accelerates in the opposite direction of course. One potential source of atoms ( rather than carrying them along as a payload ) is to use a magnetic field to gather material that is just out ther in "space".
    • by Danny Rathjens ( 8471 ) <slashdot2@@@rathjens...org> on Tuesday September 25, 2001 @08:15PM (#2350490)

      DS1 How the Ion Engine Works [nasa.gov]

      Has a great description. It even has pretty pictures.

    • For the best explanation of ion propulsion that's used in the DS1 probe, see the Ion Propulsion FAQ [nasa.gov] at NASA's JPL site.

      For more information on the DS1 probe itself (and the technologies that it tested), see the DS1 Home Page [nasa.gov], also on the JPL site.

    • by d.valued ( 150022 ) on Tuesday September 25, 2001 @08:18PM (#2350504) Journal
      This is simple physics, boys and girls.

      First things first, you need a spacecraft as light as possible. Anything not needed goes away. Basically, you're left with the instrumentation, the navigation, the cameras, solar panels, batteries, and a couple of sizeable tanks of xenon.

      Yes. Xenon. The heaviest non-radioactive noble gas.

      Now, xenon is normally inert like other noble gases. I mean, there are no natural compounds containing any noble gas because they have no natural need to enhance their electron shell configuration.

      However, xenon is pretty large (as atoms go) and, given enough juice (courtesy our light and ability to live, the sun, hence the solar panels), you can ionize xenon. You can strip off an electron or two and it's useful (For example, the compound XeF6, xenon hexafloride. What it's good for? Dunno. Still doesn't change the fact it exists.) More importantly, it's charged and can be directed.

      Then, it's a simple matter of a small aperture (which can be directed), a positively-charged grid, and the xenon leaves in the direction opposite the spacecraft goes.

      Don't expect this to power any spacefighters, however. At full power, the force this produces will barely move a piece of paper in front of it. The beauty of ion engine, though, is that because in space, inertia isn't hampered except by collision or a gravity field, this little bit gets larger as time increases. It's not much force, but given time it gets zooming.
    • by ghostlibrary ( 450718 ) on Tuesday September 25, 2001 @08:24PM (#2350535) Homepage Journal
      Since an Ion engine ionizes its supply of onboard gas (so it gets an electrical charge), then electrically accrelerates it out the back, that's why TIE fighters make that wooshing noise. All the gas they expel makes for enough of an atmosphere for sound to carry to the nearby cameras :)
    • Someone else has already mentioned how they work. The weakness of an ion engine is that it's incapable of accelerating very quickly. On the other hand, it's extremely efficient, and capable of eventually producing extremely high speeds. You can read more information on NASA's ion propultion FAQ [nasa.gov]

      Oh - and anyone who's ever played TIE Fighter [lucasarts.com] knows that an Imperial fighter has a hell of a lot more get-up-and-go than Deep Space 1. So ion engines with that kind of punch are still a long way off. ;)
    • Ion engines work by accelerating charged particles (ions) electrically rather than accelerating molecules chemically. A conventional rocket motor works by taking a fuel/oxidizer mix that contains stored chemical energy, releasing the chemical energy by burning the fuel/oxidizer, and using the generated heat to accelerate the combustion products out of the rocket. In an ion engine, OTOH, an inert gas (xenon) is ionized and the ions are accelerated by passing them through an electric field (and then throwing them out of the engine).

      There are two important criteria to use in judging an engine: thrust and specific impulse. The thrust is how hard the rocket can push (i.e. its force) and is a combination of how rapidly it can push reaction products out and how fast they're going. Specific impulse measures how fuel efficient the rocket is, i.e. how much thrust it can get from a given amount of 'fuel', and basically depends on the velocity of the reaction products leaving the thruster. Chemical rockets can achieve much higher burn rates than ion engines, so they can produce much higher thrust. Ion engines, though, can achieve much higher specific impulse, because they can accelerate ions to much higher velocities by using energy accumulated from solar panels or radiothermal generators.

      Overall which one you want to use depends on circumstances. Chemical rockets are necessary for things like getting into orbit in the first place, because you need to have a thrust/weight ratio > 1 to get off the ground, and ion engines can't get there. OTOH, once you're in space you can't easily get more fuel, so the greater efficiency of ion engines means that they make a good propultion system for long, deep space flights.

  • Zimmermann Article (Score:5, Informative)

    by fizban ( 58094 ) <fizban@umich.edu> on Tuesday September 25, 2001 @08:10PM (#2350457) Homepage
    There's another article in the NYT about the encryption restrictions being brought up for debate and it includes a nice jab at the Washington Post for misquoting Zimmermann on his PGP interview. Check it out here:

    http://www.nytimes.com/2001/09/25/technology/25COD E.html [nytimes.com]
  • ObMSBash (Score:5, Funny)

    by ENOENT ( 25325 ) on Tuesday September 25, 2001 @08:11PM (#2350463) Homepage Journal

    From the IIS article:

    ...what differentiates Microsoft is our industry-leading response process."

    I couldn't agree more. Apache just can't compete with the speed of Microsoft's PR department in spinning every horrendous hole as "innovation".

    • Re:ObMSBash (Score:2, Funny)

      by buffy ( 8100 )
      > "Gartner's recommendations ignore the fact that > security is an industry-wide challenge, and
      > serious vulnerabilities have been found in all > server products and platforms," said Jim
      > Desler, a Microsoft official. "IIS is as secure > as our competitors' products, and what
      > differentiates Microsoft is our industry-
      > leading response process."

      And the Linux/Open Source/GNU/Slashdot/Freedom Fighters of the World/Whatever everywhere collectively respond: "Oh, is THAT what you call it?"

      Gads.

  • $14.95 (Score:3, Offtopic)

    by AndrewHowe ( 60826 ) on Tuesday September 25, 2001 @08:13PM (#2350472)
    I hate the .95 thing. It's everywhere you look. Oh wow that's only fourteen dollars! Oh wait...
    I could almost understand it on standard retail stuff, but in this case... Does it not seem a little frivolous?
    • Re:$14.95 (Score:5, Informative)

      by andrewb ( 23571 ) on Tuesday September 25, 2001 @09:07PM (#2350694) Homepage
      Ah, yes. That would be a kibblesworth of 5c.

      KIBBLESWORTH (n.):
      The footling amount of money by which the price of a given article in a shop is less than a sensible number, in a vain hope that at least one idiot will think it cheap. For instance, the kibblesworth on a pair of shoes priced at £19.99 is 1p.
      -- The Meaning of Liff, by Douglas Adams & John Lloyd
    • Re:$14.95 (Score:4, Interesting)

      by Wraithlyn ( 133796 ) on Tuesday September 25, 2001 @10:04PM (#2350849)
      Actually, the they switched everything over to .99 and .95 with the invention of the cash register, the idea being to force the cashier to open up the cash box to retrieve change, which makes it much harder for them to pocket the cash for themselves without anyone noticing.
      • Re:$14.95 (Score:2, Insightful)

        by muffel ( 42979 )
        Actually, the they switched everything over to .99 and .95 with the invention of the cash register, the idea being to force the cashier to open up the cash box to retrieve change, which makes it much harder for them to pocket the cash for themselves without anyone noticing.
        Just in case you were being serious -- that is utter bullshit. (The reason is of course psychology: No matter how smart you are and if you know about it or not -- if you casually see 14.95 you think 14, not 15. That's an extra buck for every item sold)
    • Re:$14.95 (Score:3, Insightful)

      by Wanker ( 17907 )
      I'm sure one person who gets the CD will immediately make it available on a website someplace. Then everyone else can get it for free.

      After all, that's what "freely redistributable" is all about. Only one poor chum has to eat the media costs. ;-)
    • Actually most smart retailers HATE doing this. It makes it harder for everybody.

      Except for one thing. Study after study has shown that the "vain" hope isn't in vain. Items marked at .99 or .95 or whatever sell significantly better.

      You'll find some stores that use .99, .98, .95, etc, on different items as well. This is done for internal data collection, the different penny amounts standing for different product catagories.

      By the way, in the *wholesale* trade, pricing this way is a garunteed way to *lose* business. Business operators want to do business in even amounts.

      If the average consumer were as savy as the average business operator we could do away with the whole pennies thingy.

      KFG
  • by Ghoser777 ( 113623 ) <fahrenba@ m a c . c om> on Tuesday September 25, 2001 @08:13PM (#2350475) Homepage
    Not the best solution, but as the article says, there aren't a lot of virsuses for the mac for this reason. So one thing that can make your servers more secure is to use a more obscure OS and know it really well.

    One other note: I thought a majority of web servers run a varient of linux. So because they have the market share, wouldn't hackers attack them more? I just think it's harder to attack something that is open source because so many bugs can can be found by the community and fixed by the community, while bugs for IIS can rarely be fixed by the community.

    Plus a lot of people just hate microsoft in general.

    F-bacher
    • by jiheison ( 468171 ) on Tuesday September 25, 2001 @08:25PM (#2350540) Homepage
      Plus a lot of people just hate microsoft in general.

      I think that you have hit the nail on the head here. Microsoft is simply a high profile target, but it is also despised for it's arrogant, "our software is superior and everyone else sucks" attitide. Basically, their arrogance inspires people to try to take them down.

      Unfortunately, I see more and more people in this forum with a similar attitude about the superiority of Linux and Open Source in general. I see a day very soon when people will get tired of kicking the M$ security dead horse. The real challenge will be in targeting Open Source alternatives. What hacker wouldn't want to be the first to bring Apache?

      Then again, maybe Apache really is invulnerable to significant exploits.

    • by throx ( 42621 ) on Tuesday September 25, 2001 @09:00PM (#2350672) Homepage
      I thought a majority of web servers run a varient of linux

      Here's the key to it. The majority of servers run some variant of Linux. Most buffer overflow bugs require a specific offset and known layouts in memory. If you look at the specific versions out there IIS is probably the most common single version of any product out there (can you get this info from Netcraft?)

      On the other hand, it could just be stupid admins - check out http://www.netcraft.com/Survey/vuln.gif. I'm sorry, but those numbers make me puke when I think any of those people seriously call themselves admins...
      • I'm sorry, but those numbers make me puke when I think any of those people seriously call themselves admins...

        You miss the point that most of these people don't consider themselves admins due to the simple fact that they don't know IIS is running. The majority of people who hit me with Code Red and Nimda attacks had the default "Under Construction" page. Yes, some people are ridiculously stupid, but some others just trusted that Microsoft would set their computer up for the standard user, not for the standard admin.
        • Correct me if I'm wrong, but I didn't think IIS (or Personal Web Services) was installed by default on Win2k Pro? This is all supposition because I can't remember whether I deliberately turned it on when I installed my machine or not (it's set to only accept on 127.0.0.1 though).
      • by scooterbooter ( 521625 ) <sdavis.royallepage@com> on Tuesday September 25, 2001 @11:46PM (#2351181)
        Okay, it's time to debunk the M$ admins are lazy myth a bit..

        Here's my work environment -- the products that I'm supposed to install, after I've chosen the hardware for 700+ desktops, and maintain, after writing policies and ops documentation.

        Exchange (10) Servers, IIS (7) Servers, MS-SQL 6.5 and 7 (5) servers, Metaframe/NFuse (4) servers, RAS, VPN, 45 NT servers for general ops of all this stuff, a couple of Debian boxes for internal DNS, FreeBSD running MRTG, Nessus, etc, perform 2nd level support for 8 clueless admins and 6 semi-knowledgable ones. Additionally, let's not forget the "uhh, how do I do a word merge", boss ranting about multicasting (for which I am going to modify configs on 12 cisco Routers and godonlyknows how many switches), write policy and operational documentation for all of this. Manage the "network consultants" than run DNS, e-Trust and FW-1, provide support and knowledgable comment towards a $2mil software app development process in terms of "net and O/S", deploy 2000 server *sigh* next month and ensure that everyone makes a backup occasionally. (play nice with audit, 20 mangers and two other organizations [1 that owns us, 1 that we own]).

        If *ANY* of you suckers handle all that daily, and still have time to mess with patches on a regular basis, I'd love to see you in action. This seems to be quite a common scenario for a lot of mid/small size companies, in my experience.

        I'd love to live in your dream world. People wonder why I'm an alcoholic. :-P Perhaps if I had a nice farm of 600 identical boxes, I'd be a perfect admin. This is life, folks. Get on with it without making the comments -- without understanding the other side of the fence.

        I did realize about three months before codered that we were a screaming hole for IIS exploits. Do I have time to cull through 30+ patches and tinker with which are appropriate to apply? Nope. Result: Nimda runs rampant still this week because I've been stuck in innane meetings all day.

        Now: Suppose your boss is used to having a mini-vax, and asked for CPU usage reports by dep't and individual last week. Do you see the uphill battle? We're young. Management in a small/midsize company isn't likely to even understand what they have running, less what should be paid attention to technically. Politics, Politics, Politics all day long. Yay! Well, I guess of the rest of the world got messed, it's okay that we did too.

        Have fun admin'n your two Apache boxes. Good Night.

        No troll indended, it's just a rant.

        S.

        • > Result: Nimda runs rampant still this week because I've been stuck in innane meetings all day.

          Let me guess: Meetings about how bad Nimda is?

          Yeah, been there too. There's a reason that the term PHB caught on.

        • Hmmm . . . . You are so terribly busy, yet you still have time to actually read the comments on Slashdot.
        • One mail server - Unix scales.
          One web server - Unix scales.
          One print server - Unix scales.
          One file server - Unix scales.
          One Oracle database server - Unix scales.
          One middleware hub - Unix scales.

          Three DNS servers - On different networks.

          And one system to manage them all.

          I have no second level admins. For a similar number of users - about 800.

          It's just me and "It all just works". You feel free to go on running yourself ragged with crap systems. Eventually you'll get fired or burnt out and someone who knows what they're doing will fix it.

    • Not the best solution, but as the article says, there aren't a lot of virsuses for the mac for this reason. So one thing that can make your servers more secure is to use a more obscure OS and know it really well.

      Mac viruses aren't in wide circulation for reasons beyond numbers. Apple, unlike MS, actually secures things so that scripting can't run amok, as with ILOVEYOU and all the others. Fully scriptable OS are trouble waiting to happen and everyone BUT Microsoft knows it.

      And yes, Macs get viruses. There are also ways to trash a Mac system with scripting, but most of them aren't even a tenth as evil as this stuff coming to a Windows machine near you. Ironic, the last virus problem that I had to watch for were macro viruses that came through corrupted Word files. If you don't have Office on the machine, you don't have a problem--Appleworks and MacLink get the job done.

  • by Theodore Logan ( 139352 ) on Tuesday September 25, 2001 @08:14PM (#2350480)
    This was not faked in the same studio as the "lunar landings."

    Before you flame: yes, I know that was meant as a joke, and yes, this post is more than slightly off topic (but Slashback threads often are), but this is probably going to be discussed here sooner or later anyhow so I might as well take some preventative measures.

    The lunar landings were not fake. The "evidence" is poor at best, and just blatantly stupid otherwise. I won't reiterate all arguments against this silly conspiracy theorys validity, as you can read all about it, for example, here [badastronomy.com] or here [badastronomy.com].

    There are lots of nice conspiracy theories that really have some nice arguments that actually speak for them, but this is not one of those. This one should really die. Seriously, I'd go for Illuminati or Elvis any day of the week if this was my only alternative.

  • by phliar ( 87116 ) on Tuesday September 25, 2001 @08:16PM (#2350498) Homepage
    It's not like IIS has the same usage numbers among web servers as MS-Windows has on the desktop...

    They're targeted because they're the most vulnerable target. That's all.

    • Rember, though, PWS was effected by the holes as well which would likely bring the numbers up to those of Apache. Especially if you count the multitude of small web servers in large companies that aren't accessible from outside the wirewall but end up getting in and wreaking havoc within the corporate intranet.

      Especially in an all-Microsoft shop.
    • Actually, there are more servers running IIS than there are Apache. Not by much, but a little. It's confusing, because there are many more domains running Apache. Those rackmount colo shared server things are almost always linux. I saw a survey from netcraft on this pretty recently. I would link it if I knew where to find it.


      As a side note, Gartner must be moving from IIS, since their web server is down right now.

  • Cluley clueless (Score:5, Insightful)

    by sllort ( 442574 ) on Tuesday September 25, 2001 @08:19PM (#2350512) Homepage Journal
    Sorry, couldn't resist. But seriously:

    The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targetted as it is so popular, rather than the system being the least secure," said Cluley.

    You have to love how they pull the "everyone is jealous so they pick on us" stuff everytime they screw up. Suprise [netcraft.com], shitstreak, Microsoft does not make the world's most popular Web server. That's Apache. "Hackers", as you call these jerks, do not target Microsoft because they're the most popular. They target Microsoft because Microsoft has made itself an easy target by making it really easy to hack their products. If popularity made you a target, we'd see scores of Apache worms.

    • Re:Cluley clueless (Score:3, Insightful)

      by DrSkwid ( 118965 )
      from the plan 9 mailing list :

      I think you misrepresent the purpose of security. Its role is to
      prevent us getting work done. If someone constructs a security
      solution that is usable, experts will focus on it like a cat watching
      a mouse hole until a fatal flaw is found. This results in three
      things: 1) The technology is disabled, making it impossible to work
      again. 2) A solution is worked on, distracting people from getting
      regular work done. 3) Finally, a new solution is deployed, requiring
      people to spend time updating their systems and networks rather than
      getting work done. At this point, security has failed because people
      are working, so the cat goes back to the hole and in a few days the
      mouse emerges and is caught and life returns to normal.

      So the rule of security is the following: if you are able to work on
      something other than security, your system is insecure.

      -rob [Pike]
  • connel vs raymond (Score:3, Interesting)

    by ksw2 ( 520093 ) <[moc.liamg] [ta] [retaeyebo]> on Tuesday September 25, 2001 @08:20PM (#2350519) Homepage
    To me, it seems something is missing in this particular tennis match: cost of production. It would seem that the traditional management structure would be very difficult to adapt to a volunteer-based software project, whereas the CatB approach is perfectly suited.

    How many beneficial software projects simply wouldn't exist without this sans-management stucture?

  • NASA Funding (Score:3, Insightful)

    by jensend ( 71114 ) on Tuesday September 25, 2001 @08:22PM (#2350526)
    Here are NASA engineers, squeezing every last drop of science and knowledge out of projects which had justified themselves and their cost before the end of the Cold War- the possibilities presented by a modern project would now be so exponentially greater, due to increased technology, that it's ludicrous Congress doesn't invest in such more heavily. Perhaps one could add this to the list of things /. could become a million-strong lobby for.
  • by Cato the Elder ( 520133 ) on Tuesday September 25, 2001 @08:23PM (#2350533) Homepage
    Acutally, it is Cluely, someone from a firm called Sophos, who claims IIS is being targetted because it is widespread. The only Microsoft quote is from some Peon saying "IIS is as secure as our competitors' products, and what differentiates Microsoft is our industry-leading response process" Now, as to the first point, as some earlier poster pointed out Apache is still a leading webserver as hasn't had nearly the compromise. Sure, crackers will go after widespread targets. But they'll also go after the easier ones. As to Microsoft being distinguished by its response process, I couldn't agree more. Few other companies respond with as much hot air (This flaw would be very technically difficult to exploit...) and as cruddy patches. Just read through SecurityFocus.
    • by Anonymous Coward
      Apache is most popular server, by numbers - but many tiny sites are hosted with Apache. Sites that get half a hit per year, and even then it's accidental. Not just tiny sites, of course, just enough to substantially skew the numbers when you consider that not all sites are worth bothering to try and hack.
      IIS is most popular, by far, with commercial sites. According to NetCraft anyway.

      So kiddies, whatcha gonna hack? Commercial site or photos of mangy dogs.

      It's a reasonable argument, but not an acceptable excuse by itself.
      • So kiddies, whatcha gonna hack? Commercial site or photos of mangy dogs.
        Hey! My dog does _not_ have mange!

        Code Red and Nimda did not attempt to hack commercial sites. They relied on large numbers of (poorly |un-)secured servers managed by sleeping administrators. Judging by a sample of the attacks that came my way, I'd say 80% of the machines were running servers that the admin didn't even know about.

        And given the growing number of machines now equipped with an unnecessary webserver, matters are set to get worse.

        At least all the admins I was able to contact (with one exception) stated that they were now considering a UNIX-based solution for public webservers!
  • IIS Rewrite? (Score:4, Interesting)

    by hysterion ( 231229 ) on Tuesday September 25, 2001 @08:27PM (#2350550) Homepage
    "According to this article [zdnet.com] Microsoft is responding to the Gartner Report [gartner.com] which recommends that enterprises drop IIS by claiming unfair targeting due to their popularity."

    According to The Register [theregister.co.uk], their reaction also includes the following:

    Microsoft has been stung into action by Gartner security analyst John Pescatore's conclusion that businesses should ditch IIS - the Beast's own web server - for safer alternatives.

    Redmond is telling its sales channel that a rewrite of IIS is underway for version 6.0, and will introduce interim security measures along the lines of the lock-down utility, because, it says, "we also realize customers cannot wait that long." (...)

    The comments are in a bulletin sent to its sales staff and resellers, and seen by The Register. (...)
  • by bIOHZRd ( 196012 ) on Tuesday September 25, 2001 @08:30PM (#2350557) Homepage Journal
    subject says it all.

    http://www.msnbc.com/news/206711.asp
  • Face on The Comet (Score:3, Interesting)

    by Anonymous Coward on Tuesday September 25, 2001 @08:33PM (#2350571)
    Am I the only one that sees half of a face in the released picture of Comet Borely?

    This is the biggest image of it:

    http://nmp.jpl.nasa.gov/ds1/img/borrelly_1.jpg

    • by kfg ( 145172 )
      There must be intelligent alien life on the comet.
      Quick, alert the editors at that fine scientific magazine " Weekly World News."

      KFG
  • by Sloppy ( 14984 ) on Tuesday September 25, 2001 @08:35PM (#2350576) Homepage Journal

    The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targetted as it is so popular, rather than the system being the least secure," said Cluley.

    Then I must conclude that there are twice as many worms developed for Apache, than IIS. I feel sorry for all you poor Apache users. Your worm problems haven't received nearly as much publicity and sympathy. It must be a conspiracy.

    • Not only is Cluely factually wrong, his argument doesn't make sense. Even if you pretend IIS is the most popular web server, and thus more often targeted by worms, that would still mean it's more often targeted by worms, and thus an unusually vulnerable platform. It being "not Microsoft's fault" won't keep your server secure any more than "not Linux's fault" will help it write NTFS any time soon.

  • by Anonymous Coward on Tuesday September 25, 2001 @08:43PM (#2350601)
    Worms dont happen to Mac web servers running WebStar.

    EVER.

    Thats why no reports of ANY exploit has ever been published regarding the secure Mac OS. !

    consult bugtraq if you doubt this.

    This Gartner report is a sham unless it really discusses techical issues regarding the macs securuity as a web server.

    C Language alone is not the sole reason but the types of STRINGs used in ANSI C libraries certainly adds risk.

    Worms dont happen to Macs because Mac programmers rarely have buffer overrun problems because mac apps typically NEVER use null terminated strings and intead use "pascal" style strings that have a bounds of 255 and a marker in the front.

    Additionally mac programmers tend to know that there is no false sense of security because all code is running at supervisor level so programs, like Webstar, are careful not to do foolish things.

    Mac programs and executables NEVER can run merely from a data file named with a suffix such as .exe because macintoshes do not have file suffixes. The mac OS (9,x and older) uses a four byte file type designator that the user never sees and cannot be set carelessly.

    A further reason macs are more secure than unix (hundreds of documented exploits) and Win NT (almost as many exploits documented over the years), is because the mac does not have a command line shell and has no path to hijack. No command line and a modern type of interprogram communication prevent the silly weaknesses in other OSs.

    Yet another reason the Mac is secure is vecause a mac program (either 68k or PowerPC) needs TWO files to execute and not one file. The second file is called the resource fork and it is genreally an invisible file kept tightly associated with a file. classic internet apps do not create or allow creation of these resource forks as side effects of merely storing data files. Macs are very secure from infiltration by dynamic creation of apps by rouge products on a server

    Another reason macs have NEVER been broken into running the WebStar server is because the mighty Mac OS Webstar server, (which typically costs over 400 dollars unfortunately), avoids ever executing cgi code files from directories where they ought not to be. A clever set of directory and folder control prevent the webserver from being hijacked unlike earlier versions of apache.

    The US army switched to Webstar webservers on macs when MS NT webservers kept getting hacked.

    There are thousands of major webstar servers out there. I think many are colocated at reprahduce.com cages.

    And mac NEVER get hacked. EVER. and NEVER have, even with public challenges and reward money.

    Sure, there may be some defects that might get discoverred one day, and surely any mac not runnning mac os such as ppcLinux, or MAc OS X (freeBSD derivitive) are hackable.

    But face it. Macs have NEVER been hacked and that is because of modern and sound design principles.

    Myself and other mac programmers I know have NEVER shipped a product containing a single null terminated C string, and do lots of paranoid error checking as well.

    Unix is hackable not because of open source, not because of popularity (both of which help) but because of all the things I mentioned here.

    But I agree about the other OS's sucking. parts of the older Mac OS itself is written using pascal strings, in fact the original ROMs were written using only pascal compilers and some assembly, and no C. But string overruns alone are not the ONLY reasons mac servers have never been hacked, (command line, dual fork, no extensions, etc etc).

    Wake up and quite being bigoted. "Never" is a good enough abosolute ajective for most logical people to draw up reasoned conclusions from.

    • by OSgod ( 323974 )
      Umm... about 6.5 years ago many university Mac labs were completely overrun -- shut down -- because of fast spreading viruses that moved like wildfire. I remember watching a lab shut down within 15 minutes (25 machines). Cleaned by the next day and then shut down again in another 15 minutes.

      The Mac is not invulnerable. Far from it. Webstar hasn't been hacked yet -- congratulations! That's good news and the developers deserve thanks.

      Of course if the Mac were in any way a significant platform for web serving it might make more of an impact. Right now it isn't nor does it look like it will be in the near future. As a matter of fact it is an extremely tiny server platform.

      The reasons that the Mac is a marginal platform for servers are many but center around a few significant facts. In the past they have not been built as true servers that can compete on a price/performance module -- not the cpu but the entire system. The development platforms for open source (Linux, etc.) and NT (IIS/ASP/etc.) implementations are easy, powerful and productive -- the Mac is not really superior and in some areas doesn't come close to the base functionality of either Linux or NT/2000.

      Frankly the Mac is a marginal system. Always has been. May always be. To move away from marginality it needs to present a compelling technical ability (i.e.: price/performance must soundly trounce the competition), an ability to deliver solutions swiftly and/or an ability to deliver web solutions that no other platform can do.

      Doesn't look good for the Mac.
  • by os2fan ( 254461 ) on Tuesday September 25, 2001 @08:44PM (#2350608) Homepage
    Some thing that passes through my mind is that companies that make trucks are not really good at making cars, and vice versa.

    MS had its roots in BASIC on small hobby computers. Much of what they have done since is summed up by their home-grown product: GeeWhizz Basic.

    The network that they have now is based on IBM OS/2 Lan Server, which they got in code sharing arangements with IBM. I mean, the OS/2 1.3 help file still serves me well under NT4.

    Their main contribution has to lay all sorts of flash in fanciful languages, purpose designed to ensure upgrades. Excel, for example, has had three entirely different languages in five years. Most people could not be bothered to learn the new language. A lot less macro writing happens now then in the days of Lotus 123 for DOS. Mind you, it does not stop the script kiddies, who are learning the latest exploits.

    Most MS products ship badly configured. Like, who would put a spell checker on a function key (F7), if spell checking is done live anyway. I mean, you either do it live because you have the juice, or you do it from the tools menu because you don't have the resources to run it all the time. Putting it on a function key is silly. Except to bring it up on sales promotions. "Yes, we have spell checker [press F7]".

    So their network stuff is full of flashing chrome designed to sell the thing to executives, and the scripts that run this chrome is by this set up, already in a form ready for remote exploits. Yes, you can configure it, if you want to stuff around in the registry and hidden settings. But most people dont have the knowledge or time to do something that should be a default or available choice.

    MS is a small system maker that is attempting to do big time: all they do is big time damage.

  • Doesn't Apache have like 2 times the market share than IIS? What do they babble about being too popular? I guess that the lack of viruses on Apache web servers might have something to do with the lack of visual basic module, maybe?

    Just kidding, but tell me one thing. I don't really care WHY the platform has more viruses, if its because its insecure or just more popular. There is clear account of HAVING more viruses and thus BEING more insecure and thus HAVING bigger
    TCO. In other words, reasons enough for replacing
    this unreliable service.

  • While We're At It... (Score:5, Interesting)

    by Greyfox ( 87712 ) on Tuesday September 25, 2001 @08:56PM (#2350657) Homepage Journal
    My Discordian sense of curiosity has kicked in again and I was wondering if we could use CSS in a clever way to encrypt Evil messages. From what I understand of how it works, a DVD is encrypted on several keys and the DVDs are loaded up with a key that should be able to decrypt the DVD. Can we create a DVD image such that most DVD players will play a burned image but one EXTRA SPECIAL DVD player mounted on the back of a camel will get extra subtitles? IE: One Extra Special key gets a bit more of the DVD than everyone else? It should be fairly easy to burn a firmware with an extra key and chuck it on to pretty much any commercial player, right?

    Could we, in fact, turn a Disney DVD into a terrorist tool? Has it already been done? Should we be encouraging Congress to ban the CSS encryption scheme because it could have been used in such a way? Interesting questions, no?

  • by sheldon ( 2322 ) on Tuesday September 25, 2001 @09:21PM (#2350731)
    In quite a number of the responses I've seen there has been discussion about whether IIS is simply more targetted, or really insecure.

    Some have discounted the more targetted point of view because Apache is reportedly far more popular. Ok, granted. But now for my sad analogy... Single family homes are far more popular in the United States than skyscrapers, but when terrorists want to make a point, what types of buildings do they attack?

    People who write viruses may not be "terrorists" as they aren't trying to kill people. Sometimes they don't even have a point to make, but they most certainly want to cause financial damage, so who better to target?

    • Hrm... yes, but when smuggling weapons onto the plane (infiltrating to cause havoc), it's best to go to airports with poor security.

      If MS continues to stealth-install IIS (so that admins don't patch it cause they don't know it's there) and if they continue to leave holes in browsers (like always executing .eml files) then their OS will keep being hijacked.

  • After we receive your written request along with the above items ($14.95 & A S.A.S.E), we will process it and promptly send you the disc when it becomes available.

    Seems like they want to not make it as easy as possible for people to get the code...

    So, brtb, when you receive the disk, could you set up a sourceforge project and upload the files..? so otehrs can have a peak without the $ and snail-mail bother...

    • Well, I think I can get the school to pay for it; in any case, putting it on SourceForge won't be a problem. =] If anyone wants the address once I get it up, post your (spamproofed, whatever) email here somewhere (or email slashdot@brtb.org) and I'll send a link to everybody. It'll be interesting to see what exactly they send me on the CD (what code is there, what condition it's in, etc)...
  • Every day I get about 10,000 attempts by various people to execute CMD.EXE on my server (a FreeBSD box!) and so compromise it. I consider each of these attempts to be an attack. Can I sue these attackers? If not can they be tried in a criminal court? If not can I sue the morons who are negligent enough to run a server with known and well publicised bugs without patching. Surely someone can be sued here. Anyone out there a lawyer?
    • by Phrogman ( 80473 ) on Wednesday September 26, 2001 @12:38AM (#2351301) Homepage

      I have been thinking about this as well as one of the places I do contract work for is getting pounded daily with Nimda and Code Red I/II attacks as well. Since the box is running Linux, the attacks don't matter but I have been wondering if there is some way that a sysadmin could take advantage of these requests to stop the attacking system.

      Various people have mentioned writing a white hat virus that would shut down the attacker and all that - but in reality that just puts you in the same boat as someone attacking their system - and its therefore illegal.But if someone's computer makes an http request for a file from my server, am I responsible if what they get is not what they might expect to get?

      What if I was to create a file consisting of nothing but the letter X that was, say, 1Gb in size, and leave it on my linux webserver with a name like "root.exe"? It wouldn't take all that many requests for the attacking system to run out of HD space. Granted service on my server might suck for a bit, but eventually if enough linux admins did this the target systems would simply shutdown for lack of swap space or HD space or whathaveyou.

      Or perhaps I tell Apache to treat .exe files as PHP files and process them accordingly. Then I create a PHP script that sends prints nothing but Xs or random numbers in a long string back to the requesting server (with the execution time limit for PHP turned off). It would be like 5 lines of code total.

      After all, its my server, so presumeably I put the file there for my own purposes, indicated in robots.txt that I dont want it indexed etc. If some other system makes a request for that file which I have in no way indicated is present on my system, isn't there fault/problem if the file is too big, or causes problems at their end?

      I am sure the clever folks at /. could think of other things that could be done in this manner.

      Just food for thought, and I would love to see some suggestions...

  • So Microsoft is claiming "unfair targeting due to their popularity"?

    Do they mean popularity as a target of Internet worm/virus/trojan attacks? :)
  • ...I once received an email that read something to this effect:

    Hi! This email virus works on the honor system. Delete some random files and then forward this email to everybody in your address book.

    Hmmm... I wonder if sending this email to a bunch of random people constitutes setting off a virus?

    • Damn, that is one effective virus! It can spread over web pages! Apparently, after reading your post on Slashdot, I just accidently propagated it to some of my (soon to be ex-?) friends.
  • Ok, I'm tired of seeing people always throw out that since Apache has more market share than IIS there are more Apache servers sitting on the Internet. This is simply not true, IIRC, from the numbers we saw for code red.

    There are thousands of people running IIS on Win2k server, many of which are 31337 warez puppies on cable modems who installed win2k server because it was the biggest Win2k download and hence had the most stuff. These people are not included in the "market share" of IIS webservers.

    The exploits for IIS worked not because of the relatively small number of sysadmins who did not update their IIS servers eventually .. it worked because of the tens of thousands of IIS servers running by people who didn't know they were there.

    No competent sysadmin had their system compromised by Code Red, and if they did, they had it patched quickly. The people who got Code Red 2 were not part of the "market share" .. and probably never knew they had it.

  • by StenD ( 34260 ) on Tuesday September 25, 2001 @09:53PM (#2350818)
    In the meantime, please provide xStore with information so that we can send you, the user of this product, the package that you are entitled to. Please provide the serial number of your DiscZerver product and the 'system page' with your response. The 'system page' is located at [http://your_Zerver_name_or_IP_address/admin-cgi/s ystem].
    I hope you told them that they cannot limit their obligation to provide copies of the source code to those with DiscZervers. From the GNU GPL FAQ [fsf.org]:
    What does this "written offer valid for any third party" mean? Does that mean everyone in the world can get the source to any GPL'ed program no matter

    what?
    "Valid for any third party" means that anyone who has the offer is entitled to take you up on it.
    If you commercially distribute binaries not accompanied with source code, the GPL says you must provide a written offer to distribute the source code later. When users non-commercially redistribute the binaries they received from you, they must pass along a copy of this written offer. This means that people who did not get the binaries directly from you can still receive copies of the source code, along with the written offer.

    The reason we require the offer to be valid for any third party is so that people who receive the binaries indirectly in that way can order the source code from you.
    • Hrm, interesting; I had not thought about that when I read it the first time. When I send in a request for the code (sans serial number, now), I'll ask them about it.
  • by Chagrin ( 128939 ) on Tuesday September 25, 2001 @09:54PM (#2350821) Homepage
    • Graham Cluley, senior technology consultant at security firm Sophos, is concerned that a mass move to alternative Web server software would cause more disruption than sticking with Microsoft IIS and patching it. "Code Red was less about the vulnerability of IIS, as all software has bugs, but more about system administrators ignoring the warnings that came well in advance of Code Red," said Cluley.

    Hmm... where do I remember him from? [techtv.com]
    • "The average person in the street doesn't need to worry, as they would have to be specifically targeted," said Graham Cluley, an Internet security expert with antivirus firm Sophos.

    Always nice to have a few staunch supporters ready to jump to your defense :)
  • The problem with surveys like Netcraft is that they only take into account web servers. But because IIS is an integral part of the operating system (tm), it gets installed on all sorts of things which aren't web servers, making it thus more popular than Apache, and a better target for worms.

    Of course, you can't really blame these people for not keeping the web server they didn't know about (but probably paid for) up to date, and you may wonder why the server has to include features that MS can't make secure the first time when it does not, in fact, have to include any features at all.
  • Excerpted from Netcraft's Web Server Survey http://www.netcraft.com/survey/ [netcraft.com]

    The Netcraft Web Server Survey is a survey of Web Server software usage on Internet connected computers. We collect and collate as many hostnames providing an http service as we can find, and systematically poll each one with an HTTP request for the server name. In the August 2001 survey we received responses from 30,775,624 sites.

    Market Share for Top Servers Across All Domains August 1995 - August 2001

    [graphic [netcraft.com]]

    58.08% Apache
    26.47% Microsoft
    04.29% iPlanet
    02.64% Zeus

    Take that, marketroid!

  • by un4given ( 114183 ) <bvoltz@@@gmail...com> on Tuesday September 25, 2001 @11:34PM (#2351148)
    Thus, using Internet-exposed IIS Web servers securely has a high cost of ownership. Enterprises using Microsoft's IIS Web server software have to update every IIS server with every Microsoft security patch that comes out ? almost weekly.

    This is the biggest problem with maintaining Microsoft networks. Exploits in IIS or Windows are far too frequent, and almost all patches require reboots. You can imagine the response I get when I call management every other week and say "I need emergency downtime to patch 65 of our servers...".

    Microsoft loves to talk about how their software has a lower TCO than other operating systems. Perhaps they don't count the cost of man-hours spent applying patches, or the downtime involved?
  • by Anonymous Coward
    Apache on VMS when you really want a locked down reliable server and can pay for it. A VMS Alpha survived Capture the Flag at this year's DEFCON. VMS at DEFCON [pointsecure.com] We run VMS for web and database servers and laugh at the Microsoft worms. Reliablity and security sell.

    Now that Windows XP is here does that make Windows NT and Windows 2000 a legacy product?

  • Microsoft IIS (Score:3, Insightful)

    by GreyPoopon ( 411036 ) <gpoopon@@@gmail...com> on Wednesday September 26, 2001 @06:09AM (#2351719)
    I can't believe some of the hogwash in Microsoft's response to the Gartner report. Here's my favorite:

    The attempt to rank vendors according to their security success rate is a risky business. The aim of most virus writers is usually for their worm to achieve its biggest impact, and so will target platforms that are widely used. "Microsoft is targetted as it is so popular, rather than the system being the least secure," said Cluley.

    So, I guess use of Apache must not be too widespread, eh? Now I'm not going to try to make the uneducated claim that Apache is really more secure than IIS, but for some reason there are far fewer security breaches on Apache. Maybe it's because virus writers are more supportive of Apache. Who knows? Unless something has changed in the last year, Apache still has the largest install base out there, and based on Microsoft's reasoning it should have the largest number of exploits.

    I read the entire Gartner release, and I thought it was very insightful. They didn't say, "Take down your IIS servers." Instead, they carefully qualified it, suggesting that "...enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS, including moving Web applications to Web server software from other vendors, such as iPlanet and Apache." Note the key word investigate. Also note that they only suggest this for people hit by both viruses.

    Microsoft's rebuttal also fails to properly address a serious issue: "cost of ownership." They make the wonderous claim about how fast they release patches to fix these security holes. What they missed entirely was the fact that a company can't be paying for the resources and downtime to apply a patch WEEKLY, not to mention the need for somebody to constantly watch for a security update so that it can be installed before somebody exploits it.

    What Microsoft *should* have done (IMHO) is kept their mouths shut and swing some resources into either rewriting IIS or truly removing security holes, and then have a surprise release to counter Gartner's arguments.

Time to take stock. Go home with some office supplies.

Working...