Valdis.Kletnieks@vt.edu wrote:
On Tue, 25 Apr 2006 12:00:22 PDT, Bill Stout said:
You know, having made a few NTexploit lists in the past, I wanted to
make the point the M$ was less secure. Unfortunately the facts were
against me.
Two IIS 6.0 vulnerabilities reported from 2003-2006
http://secunia.com/product/1438/
Twenty-eight Apache 2.0 vulnerabilities reported from 2003-2006
http://secunia.com/product/73/
Scroll down a bit, and you'll discover a nice pie chart of how critical
they were - 50% of the IIS were 'Moderate', while only 33% of the Apache were.
You can make statistics lie any way you want. ;)
Also, selecting IIS/Apache, which is installed on few Windows or Linux boxes
by default, doesn't tell you anything regarding the underlying security. You
could as well chosen Microsoft Office and OpenOffice and made the same claim.
As I'm sure Valdis knows, I wasn't trying to make the point that any OS
or application is more or less secure than any other. You can get into
pissing contests about your OS/application being better than someone
else's until everyone turns blue in the face, and it won't change the
fact that *all* OSes and applications are insecure if incorrectly
configured and/or maintained. I have long had the policy that, if
you're not going to use an application (like apache or IIS) then it
should not even be installed, because, if it is installed and not
enabled, it will not be properly maintained and updated. And I can
*guarantee* you that *someone* will enable it sooner or later, in its
vulnerable state and no one will realize it until the box is hacked.
I also have a policy that I avoid software that has a poor security
track record. So, I don't use Internet Explorer - on any platform - and
I don't use sendmail - on any platform. The first thing I do, when I
set up a FreeBSD box is uninstall sendmail and install Postfix. It's
not that I like Postfix more. It's that Postfix has had very few
vulnerabilities in it, and sendmail has them routinely. It tells me
that the programmers writing the former understand security better than
the programmers writing the latter. It's nothing personal. They both
do a job that needs to be done. One makes me worry less.
If you have something installed on a computer, you *must* keep it up to
date, even if you *never* use it, because the bad guys *will* use it.
100% guaranteed. Personally, I prefer unix (FreeBSD) and Mac (OSX), and
I avoid Windows whenever possible. But I've been running Windows since
the early DOS days, and I have yet to have a single box I maintained
broken into. (Nor have I had a unix box or Mac that I maintained broken
into.) That doesn't make me a genius. It just means I've been
conscientious and lucky.
I've seen a lot of break-ins, on every single OS you can imagine. I
have *yet* to see a properly maintained box be broken into.
Configuration and maintenance is everything. OS and application is
almost irrelevant. If you leave the keys in your Ferrari and the door
unlocked, it's going to get stolen. It doesn't matter at all that the
Ferrari is worth 100 times as much, goes 100 times faster or is 100
times more beautiful than my beat-up, old, rusty Pontiac. The Pontiac
is locked, and I have the keys in my pocket.
If more people understood this, we'd have a lot less computer break-ins.
--
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
