[thelist] closed source security was: DB Security

Daniel J. Cody djc at starkmedia.com
Thu May 3 17:11:12 CDT 2001


Ryan Finley wrote:
> 
> <<
> No its not. How many 'hackers' are beating on it every day exactly? How
> is the 'beating' making the webserver more secure? Is it really making
> it more secure? Very secure??
> >>
> 
> My main contention is that Microsoft products CAN be secure.  I'd wager a
> bet that almost ALL of the hacks on IIS are because a wannabe admin didn't
> apply a patch that came out 2 years ago!

Granted, there is no security with a lazy/stupid sys admin. Sure MS
products (and I'm not just picking on them here, I'm saying almost *any*
closed source application, MS was just my example thanks to the exploit)
can be secure. Anything *can* be secure. The thing is though, shouldn't
your software be *inherently* secure? Especially software that can make
or break a business?

> <<
> MS and Apache release a new version of their web serving software the
> same day, to much fanfare. One week later, a buffer overflow is found in
> each piece of software. Now, which software would you rather be running?
> Apache, where the moment someone hears about the hole they're working on
> a fix because they can see the code, or you yourself could get under the
> hood, fix, recompile and be exploit free all in under 10 minutes? Or
> would you rather be running IIS where the hole is known(as this one was)
> but since the source code isn't readily available you need to wait on MS
> to acknowledge, fix, test, and deploy the fix on *THEIR* time?
> 
> Eeye informed MS about this two weeks ago, and that's how long it took
> for them to roll a patch. You do the math...
> >>
> 
> Most people running IIS can't even INSTALL Apache, let alone get down into
> the code of a webserver to fix a buffer overflow...

I'd say that most people running IIS *do* have the resources to fix
something if they had the source. As Netcraft.com points out, and as MS
fans like to point out every time a new survey is released, IIS is *the*
main webserver for businesses. Many of those businesses like Dell,
Ebay, Intel, and a shitload of other fortune 500's that we don't even
know about *do* have dedicated programming staff that could more than
handle a problem like this.

.djc.
