| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: steve at videogroup.com (Steve) Subject: Re: MS-02-052 + blackholing MS On Monday 23 September 2002 04:26 pm, lists_full-disclosure@...kuncle.net wrote: >It's not about whether or not there have been X advisories for a > product in the last Y days/weeks/months - when I choose a product > with an eye towards security, I look at the long-term track record of > the product, and of related products produced by the same group or > company. Apache has a pretty stellar track record over its lifetime. > So does OpenSSH. Microsoft may have had a good month or two lately > (or not!), but their track record ranks among the worst in the > industry. That said ... > >For me, it's both a matter of principle (I don't like MS software or > business tactics, and refuse to support either) and practicality (the > idea of having to admin a Windows network is the stuff nightmares are > made of; thanks, but no thanks). > >Yes, windows server products can be locked down. My gripe is with the > amount of relative effort required to do so, compared with a good > free *nix equivalent - FreeBSD, for instance. Not to mention the > disturbing trend towards patches that have EULAs requiring one to > give remote administrative access to MS for the purpose of ensuring > no copyright infringement, etc. (I'm sure they have cleaned up the PR > disaster that issue was; the underlying corporate attitude that > caused it has not changed in the last 10+ years.) The funny part is that this is exactly my view. I took it for granted that it was shared by most people here. Of course there's a diff between securing boxes and systems and actually doing all the daily maintenance. I don't have any idea how many here does both. Take Dell f.ex. They reboot their 200 Win servers every night to make sure they are stable the next day. When a company their size decides it's what's needed, one can only wonder how many other ones does it too. (NT 3.5x had an automatic reboot built in which would reboot it up to every 39 days.) The GUI produces a false promise that it's easy to maintain because it's easy to look at. I saw a posting someplace where the admin was complaining that he had to open a config file with an editor! What is the world coming to. Imagine that! : ) MS has created a currupted concept of what it takes to be an admin. They are the ones who put together the howto manage their systems which is used to train every MSE etc. All of which is a pie in the sky unless you are really, really good. Yet I had no problem getting my very first Linux box running stably. Which was a broken Slakware version in -94/95. (A few years ago I used to provide solutions to windows shops. My customers covered the US and included the Marine corp as well as small ISP's etc. About 3000 total. Of all of them only two had uptimes of a year or more. They were in a glass house scenario. What kind of crap is that when you don't dare doing anything because it might become unstable? Granted, you don't let any idiot play on it, but that applies to any server. I have no qualms about adding stuff to my key *nix boxes in fear they might become unstable. They stay up nicely until I bring them down for whatever reason.) One just cannot speak of maintaining windows and *nix in the same breath. Which of course also goes back to the *nix concept of all being a file and where Bill thought he was smart by making everything an object. It might be, though I doubt it, but for sure not in his incarnation. -- Steve Szmidt V.P. Information Technology Video Group Distributors, Inc.
Powered by blists - more mailing lists