sean

...and MS wants you to switch from Unix


10-April-2002: Eight new IIS security holes exposed

We see headlines like that about what?--every week now? MS claims that "there is a way out" (away from unix), yet the only thing MS has proven is that the latest versions of windows are suitable for nothing but a desktop OS. As many of you have now heard, MS can't even run an anti-unix marketing campaign properly (the website was hosted on a non-windows server apparently running a mysql backend). Come on now, windows can't even run hotmail--that's like IBM offices running Maxtor HDD.

Unix, BSD, and various linux flavors may not be perfect, but they have nowhere near the problems of windows. As far as IIS goes, I avoid it like the plague in my line of work--apache is vastly superior (not to mention many other webservers out there). The most bizarre thing is that this status quo of steady problems with MS almost seems acceptable; I don't hear any stories about Bill Gates recently throwing sun monitors out of windows. :lol:


Yea, I have to agree, Windows is just not bullet-proof enough for a serious server environment.

It works fine for small offices however, 5 to 30 people...

Jason


Microsoft has obviously not made security the priority that it should be. They have done poorly, and deserve the chastisement they are receiving.

As for UNIX however, I would not let it off the hook so quickly. The most significant, and widespread security failure that I am familiar with, was Robert Morris’ worm. This worm brought not just the internet, but the Vaxen and Sun machines themselves to their knees, due to exploits in both sendmail and fingerd.

Let us not forget the sophistication of ftp and telnet’s authentication schemes, until recently the backbone of UNIX communication.

Given UNIX’s long and terrifying history of security holes, it is impressive that some members of the community have made security a real priority in recent years, often at the expense of features.

It is time Microsoft did the same.


10-April-2002: Eight new IIS security holes exposed

We see headlines like that about what?--every week now? MS claims that "there is a way out" (away from unix), yet the only thing MS has proven is that the latest versions of windows are suitable for nothing but a desktop OS. As many of you have now heard, MS can't even run an anti-unix marketing campaign properly (the website was hosted on a non-windows server apparently running a mysql backend). Come on now, windows can't even run hotmail--that's like IBM offices running Maxtor HDD.


First, I agree and would not use Windows as a server except under circumstances in which it was absolutely necessary. That said, most Hotmail frontend webservers are now running on Windows 2000, which is in a way proof that Windows can scale as a webserving platform.

A few years ago, they tried to switch from FreeBSD and failed quite miserably. When they switched to Windows 2000, IIRC, the server farm went from about 4500 to just over 6,000 (not sure what it is now), because Exchange (if Exchange is what they are using) was less efficient than Qmail, which is what they were using up to that point. Now, one thing to note is that I believe Exchange was designed as a corporate workgroup server. Most ISPs with a competent tech crew, at least in Phoenix and Idaho, which used Windows for serving did not use Exchange for mail. It's the wrong tool for the job. (Of course, most ISPs that I have seen use Windows as the server platform had decision makers that didn't seem terribly clueful to begin with, but some were, and at least Windows is easier for a clueless newbie to run than Unix, IMO.)

I remember reading that after the huge Hotmail crash a while back, "some" of the servers were made FreeBSD again for, to paraphrase the MS rep, "stability reasons." No idea how many, exactly, or why only some of them.

Anyway, their backend DB servers still run on Solaris/SPARC boxes, or did as of about a year ago and probably still do today. MS SQL really is not in the same league as Oracle, DB2, etc.

Unix, BSD, and various linux flavors may not be perfect, but they have nowhere near the problems of windows. As far as IIS goes, I avoid it like the plague in my line of work--apache is vastly superior (not to mention many other webservers out there). The most bizarre thing is that this status quo of steady problems with MS almost seems acceptable; I don't hear any stories about Bill Gates recently throwing sun monitors out of windows. :lol:

I agree that IIS is an absolutely horrible platform for serving due to its security record, which sucks immensely, but keep in mind that Apache is available for Windows, and version 2.0 is supposed to be just as stable under Windows. (Whether Windows itself is just as stable as Unix is another issue entirely :-)

Speaking of Exchange Server, by the way, I think that is one thing that Unix needs to reclaim more market share from Windows. AFAIK, Unix just doesn't have anything that will function as an exchange server, and even if Exchange sucks (which would be difficult to judge), that it has no real competition is a big problem for Unix workgroup servers.

Actually, I think there's a similar product for Z/OS, can't remember the name, but who's going to buy one of those things [IBM mainframe] as a workgroup server?!

As for UNIX however, I would not let it off the hook so quickly.  The most significant, and widespread security failure that I am familiar with, was Robert Morris’ worm.  This worm brought not just the internet, but the Vaxen and Sun machines themselves to their knees, due to exploits in both sendmail and fingerd.

True, but Fingerd is hardly required for most servers and Sendmail hasn't had any serious security flaws for years. Which is incredible considering how complex it is.

Also note that there is Qmail, which has never once had a serious security flaw. If you know of one, there are several multi-thousand dollar rewards with your name on them. :-)
