Re: What is wrong with schools these days?
From: Paul Schmehl <pauls () utdallas edu>
Date: Tue, 25 Apr 2006 17:14:20 -0500
Valdis.Kletnieks () vt edu wrote:
As I'm sure Valdis knows, I wasn't trying to make the point that any OS
or application is more or less secure than any other. You can get into
pissing contests about your OS/application being better than someone
else's until everyone turns blue in the face, and it won't change the
fact that *all* OSes and applications are insecure if incorrectly
configured and/or maintained. I have long had the policy that, if
you're not going to use an application (like apache or IIS) then it
should not even be installed, because, if it is installed and not
enabled, it will not be properly maintained and updated. And I can
*guarantee* you that *someone* will enable it sooner or later, in its
vulnerable state and no one will realize it until the box is hacked.
> On Tue, 25 Apr 2006 12:00:22 PDT, Bill Stout said:
>> You know, having made a few NTexploit lists in the past, I wanted to
>> make the point that M$ was less secure. Unfortunately the facts were:
>> Two IIS 6.0 vulnerabilities reported from 2003-2006
>> Twenty-eight Apache 2.0 vulnerabilities reported from 2003-2006
> Scroll down a bit, and you'll discover a nice pie chart of how critical
> they were - 50% of the IIS were 'Moderate', while only 33% of the Apache were.
> You can make statistics lie any way you want. ;)
> Also, selecting IIS/Apache, which is installed on few Windows or Linux boxes
> by default, doesn't tell you anything regarding the underlying security. You
> could as well have chosen Microsoft Office and OpenOffice and made the same claim.
I also have a policy that I avoid software that has a poor security
track record. So, I don't use Internet Explorer - on any platform - and
I don't use sendmail - on any platform. The first thing I do, when I
set up a FreeBSD box is uninstall sendmail and install Postfix. It's
not that I like Postfix more. It's that Postfix has had very few
vulnerabilities in it, and sendmail has them routinely. It tells me
that the programmers writing the former understand security better than
the programmers writing the latter. It's nothing personal. They both
do a job that needs to be done. One makes me worry less.
If you have something installed on a computer, you *must* keep it up to
date, even if you *never* use it, because the bad guys *will* use it.
100% guaranteed. Personally, I prefer unix (FreeBSD) and Mac (OSX), and
I avoid Windows whenever possible. But I've been running Windows since
the early DOS days, and I have yet to have a single box I maintained
broken into. (Nor have I had a unix box or Mac that I maintained broken
into.) That doesn't make me a genius. It just means I've been
conscientious and lucky.
I've seen a lot of break-ins, on every single OS you can imagine. I
have *yet* to see a properly maintained box be broken into.
Configuration and maintenance is everything. OS and application is
almost irrelevant. If you leave the keys in your Ferrari and the door
unlocked, it's going to get stolen. It doesn't matter at all that the
Ferrari is worth 100 times as much, goes 100 times faster or is 100
times more beautiful than my beat-up, old, rusty Pontiac. The Pontiac
is locked, and I have the keys in my pocket.
If more people understood this, we'd have a lot less computer break-ins.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/