Message-ID: <444E9F3C.40900@utdallas.edu>
Date: Tue Apr 25 23:15:16 2006
From: pauls at utdallas.edu (Paul Schmehl)
Subject: What is wrong with schools these days?

Valdis.Kletnieks@...edu wrote:
> On Tue, 25 Apr 2006 12:00:22 PDT, Bill Stout said:
>> You know, having made a few NTexploit lists in the past, I wanted to
>> make the point that M$ was less secure.  Unfortunately the facts were
>> against me.
>>
>> Two IIS 6.0 vulnerabilities reported from 2003-2006 
>> http://secunia.com/product/1438/ 
>> Twenty-eight Apache 2.0 vulnerabilities reported from 2003-2006
>> http://secunia.com/product/73/
> 
> Scroll down a bit, and you'll discover a nice pie chart of how critical
> they were - 50% of the IIS were 'Moderate', while only 33% of the Apache were.
> You can make statistics lie any way you want. ;)
> 
> Also, selecting IIS/Apache, which is installed on few Windows or Linux boxes
> by default, doesn't tell you anything regarding the underlying security. You
> could as well have chosen Microsoft Office and OpenOffice and made the same claim.
> 
As I'm sure Valdis knows, I wasn't trying to make the point that any OS 
or application is more or less secure than any other.  You can get into 
pissing contests about your OS/application being better than someone 
else's until everyone turns blue in the face, and it won't change the 
fact that *all* OSes and applications are insecure if incorrectly 
configured and/or maintained.  I have long had the policy that, if 
you're not going to use an application (like Apache or IIS) then it 
should not even be installed, because, if it is installed and not 
enabled, it will not be properly maintained and updated.  And I can 
*guarantee* you that *someone* will enable it sooner or later, in its 
vulnerable state and no one will realize it until the box is hacked.

I also have a policy that I avoid software that has a poor security 
track record.  So, I don't use Internet Explorer - on any platform - and 
I don't use sendmail - on any platform.  The first thing I do, when I 
set up a FreeBSD box is uninstall sendmail and install Postfix.  It's 
not that I like Postfix more.  It's that Postfix has had very few 
vulnerabilities in it, and sendmail has them routinely.  It tells me 
that the programmers writing the former understand security better than 
the programmers writing the latter.  It's nothing personal.  They both 
do a job that needs to be done.  One makes me worry less.

If you have something installed on a computer, you *must* keep it up to 
date, even if you *never* use it, because the bad guys *will* use it. 
100% guaranteed.  Personally, I prefer unix (FreeBSD) and Mac (OSX), and 
I avoid Windows whenever possible.  But I've been running Windows since 
the early DOS days, and I have yet to have a single box I maintained 
broken into.  (Nor have I had a unix box or Mac that I maintained broken 
into.)  That doesn't make me a genius.  It just means I've been 
conscientious and lucky.

I've seen a lot of break-ins, on every single OS you can imagine.  I 
have *yet* to see a properly maintained box be broken into. 
Configuration and maintenance is everything.  OS and application is 
almost irrelevant.  If you leave the keys in your Ferrari and the door 
unlocked, it's going to get stolen.  It doesn't matter at all that the 
Ferrari is worth 100 times as much, goes 100 times faster or is 100 
times more beautiful than my beat-up, old, rusty Pontiac.  The Pontiac 
is locked, and I have the keys in my pocket.

If more people understood this, we'd have a lot fewer computer break-ins.

-- 
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/