* Jay D. Dyson (jdysonat_private) [011017 22:08]:
> -----BEGIN PGP SIGNED MESSAGE-----
>
> On Wed, 17 Oct 2001, Mark Kennedy wrote:
>
> > I disagree that all Microsoft is doing is diverting attention. They
> > raise some legitimate questions and concerns.
>
> I could not possibly disagree more. They are blaming the
> discoverers of their flaws for their security problems. That's not only
> poor judgment, it's deceptive to the consumer.
>
> Rather than admit the glaring flaws in their own product, they
> decide to publicly bash the firms that are helping people defend their own
> networks.
>
> > Their problems are another topic. But just because they are the source
> > of the vulnerability does not undermine their valid concerns on how that
> > vulnerability is disclosed.
>
> Sure does. Do note that Microsoft only endorses those products and
> services in which they can make a buck. All the while, they go out of
> their way to demonize every open source and security-related product and
> firm that is given out for free.
>
> That's not just stupid, it's just another shining example of their
> anti-competitive tactics.
>

M$ has a neat way of making claims with enough truth to make them sound viable.

I manage a collection of about 55 webservers with an even mix of Apache and IIS. I KNOW how much work is involved in patching and securing IIS servers, and I KNOW how much work is involved in securing Apache. We've never had a remote compromise of a webserver (other than internal audits). We got hit on a few poorly configured shares with Nimda, but that is the extent of our vulnerability on our IIS servers. We patch hard, we patch fast, we patch often. (There you go, Chesty Puller, wherever you are.)

My personal opinion is that IIS is crap. My personal opinion is that M$ couldn't program without buffer-overflows if their corporate life depended on it. My personal opinion is that M$ seems incapable of fixing a unicode exploit in one try.

My professional opinion is "I recommend Apache, but I'll administer whatever you want".

The reason I wanted the stats is so that I can know for myself whether full-disclosure speeds up the process or not. I get the impression that most software firms would rather hush up a bug than patch it. It takes less work and less knowledge to start a media campaign than it does to fix a buffer overflow. I also want to know whether Open Source companies patch faster than closed source. I think they do, but I don't have numbers to back it up.

I'll soon start the movement here to move to Apache. I'm just picking up some ammo.

Thanks,
JJ

--
J. J. Horner
"H*","6a686f726e657240326a6e6574776f726b732e636f6d"
***************************************************
"H*","6a6a686f726e65724062656c6c736f7574682e6e6574"

Freedom is an all-or-nothing proposition: either we are completely free, or we are subjects of a tyrannical system. If we lose one freedom in a thousand, we become completely subjugated.
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 10:12:55 PDT