Full Disclosure mailing list archives
Re: MS-02-052 + blackholing MS
From: lists_full-disclosure () darkuncle net (lists_full-disclosure () darkuncle net)
Date: Mon, 23 Sep 2002 13:26:06 -0700
On Fri, Sep 20, 2002 at 06:43:53PM -0500, SMoyer () rgare com said:

> Sho nuff, and all those all-Linux, all-BSD, all-Tru64, all-Websphere, all-IPlanet, and all-Apache shops out there have been nothing but rock-solid these past few months, lemme tell ya...
Take the advisories for those products from the last 6 months and compare with advisories for Microsoft products from the last 6 months. 'nuff said. It's not about whether or not there have been X advisories for a product in the last Y days/weeks/months - when I choose a product with an eye towards security, I look at the long-term track record of the product, and of related products produced by the same group or company. Apache has a pretty stellar track record over its lifetime. So does OpenSSH. Microsoft may have had a good month or two lately (or not!), but their track record ranks among the worst in the industry. That said ...
> I had the no-MS approach a few years ago, but when the bottom fell out of the economy, telling people "no speaka NT" in an interview didn't earn me many points.
For me, it's both a matter of principle (I don't like MS software or business tactics, and refuse to support either) and practicality (the idea of having to admin a Windows network is the stuff nightmares are made of; thanks, but no thanks).
> While WinDOS is a pain in the butt to lock down, it can be done, whether with 3rd-party tools or, increasingly, with stuff that actually ships with
Yes, windows server products can be locked down. My gripe is with the amount of relative effort required to do so, compared with a good free *nix equivalent - FreeBSD, for instance. Not to mention the disturbing trend towards patches that have EULAs requiring one to give remote administrative access to MS for the purpose of ensuring no copyright infringement, etc. (I'm sure they have cleaned up the PR disaster that issue was; the underlying corporate attitude that caused it has not changed in the last 10+ years.)
> it. Actually, in a lot of ways the default installs of Solaris and HP/UX could be argued as being more trusting than, or at least as trusting as, 2K.
>
> And don't even get me started on Linux. Slack 8.1 still has portmap on by default. Blarg.
*nod* there are bad examples everywhere. Like I said, in my view it's a matter of considering a product's track record, and most importantly, whether or not the tool fits the job at hand. IMO, while Windows products may be the right tool for the job in the desktop environment (not in mine, but granted I'm not your standard business customer), they are almost _never_ the right tool in the server room. Just because X Linux Distro ships with some insecure options on by default doesn't make WindowsXP Enterprise Professional .NET BackOffice Server Corporate Edition a better choice. In the end, if it's a choice between trying to admin a Windows network and a UNIX network, well, there's not much question in my mind. YMMV.
> The way I look at it, business needs and developers define the environment, and

Businesses (or customers in general) define the needs. Developers, both commercial and otherwise, produce products to fit those needs. MS tends to produce products whose primary purpose is to produce a continual revenue stream for MS (primarily through license and upgrade fees). Security and functionality take a backseat to creating a revenue stream. Many open source software projects perform at least as well as, and in many cases are vastly superior to, the equivalent from MS. Developers don't define the environment - they build tools for use by end users. End users decide what tool will best fit their needs - unfortunately, end users are also rather susceptible to marketing and herd mentality.
> our Sisyphean task is to keep it up and solid within the constraints we're provided. Some platforms make it harder than others, but that's why we get
That's true enough - sysadmins are frequently stuck with what's there when they get hired. Some of us are fortunate enough to have the latitude to rebuild things The Right Way. Others of us are hobbled and must resign ourselves to endless bandaids and patching of systems that should have been allowed to return to the dust long since.
> to drive sports cars and wear leather pants to DefCon.
wow, I must be in the wrong end of system administration. :) Maybe if I started drinking the Microsoft koolaid I'd start sharing in their obscene profit level ...
> I'll continue to curse MS daily, but I'll curse FBSD, HP, Cisco, Nortel, Theo, and whoever else ends up being a thorn in my side just as much.
*nod* As will I. But MS garners about 98% of my ire, because they're responsible for about 98% of my hassle and frustration as an administrator.
> Dismissing a platform outright is not an option for me, and it's not an option for most people either. If it is for you, Steve, rock on. Hell, I'd
I think MS has built enough of a track record to warrant outright dismissal in the server arena, but even if for some reason it hasn't, in the end, it's still about using the best tool for the job. If you honestly think a Microsoft product is the best tool for the job, all things considered, then go with it. I rarely arrive at that conclusion myself.
> shut down our I-net pipes if I could do it, and put every one back on VT220's and go back to one VMS box for the whole company, if I could do it and if it still served our business needs.
>
> All our Hushmail-ites on this list are probably sitting on 2K / XP or VMWare boxes themselves; at least I've never been able to get it to work in Mozilla. So sometimes you gotta dance with the devil, whether you want to or not... You just make sure and wear a flame-retardant cummerbund and a crash helmet. :)
:)
> Besides, isn't this required reading in Redmond nowadays? ---> http://www.microsoft.com/mspress/books/5612.asp
Reading ain't doing, apparently. :)
> (Hypocrisy disclaimer: I just gave hellNbak crap for running an Exchange box on the I-net three days ago. So sue me.)
Right tool, right job. That's what it boils down to.

-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui