kegetys 2 Posted February 13, 2004 I find it very sickening that some people look at sabotaging of the most successfull OS, that is easiest to use, as a good thing. Â If by "sabotaging" you mean finding security holes, then it really is a good thing for every OS out there, since the only way to get them fixed some day is to find them first. And the only way to get Microsoft to fix their holes seems to be to go public with it and maybe even write a nasty exploit. There's been many holes in Windows that MS has had months of time to fix them and haven't until the founder went public with it instead of just notifying Microsoft. Share this post Link to post Share on other sites
toadlife 3 Posted February 13, 2004 This must be a dream come true for some Linux kiddies... I'm sure Windows will hold up when you look at %usage vs malicious/sabotage problems. Apache is vastly more popular than IIS but I still hear more about IIS worms and hacked IIS servers. Of course it does not matter which one is used if basic security measures are not taken though. Apache is an httpd deamon - that's all. If you go into IIS and disable ALL scripting languages, and ISAPI extensions, it will be like just like Apache - a simple httpd deamon with not much to exploit. People who spout the Apache/IIS usage/hackage statistics forget that to make apache usefull, you have to install things like php, perl, mysql, OpenSSL, SSH, ect. These are all things that can be eploited, and they are exploited from time to time. IIS is easy to set up - therfore, you've got a bunch of monkeys running around the planet, setting up IIS servers for their companies, and getting them hacked. The same monkeys would cringe if they had to do this to install Apache... <table border="0" align="center" width="95%" cellpadding="0" cellspacing="0"><tr><td>Code Sample </td></tr><tr><td id="CODE"> ./configure make make install ...and then have to figure out what went wrong afterwards. Share this post Link to post Share on other sites
kegetys 2 Posted February 13, 2004 Apache is an httpd deamon - that's all. If you go into IIS and disable ALL scripting languages, and ISAPI extensions, it will be like just like Apache - a simple httpd deamon with not much to exploit. Wrong, if you look at the most serious exploits IIS has had, they are in the very core of it, from buffer overflows in request URL's to plain idiotic "just request /../../winnt/system32/config/SAM and you'll get it" bugs where its quite clear that whoever wrote it didn't give a second of thought to security. And, if you look at the statistics of webserver exploits, they are from "real" websites that are set up by (more or less) professional people, not just some "I didnt even know that thing was enabled" home users. Sure there has been and are exploits in Apache and its modules, but there are alot more in IIS. This though is partially because of the poor security model in Windows, so one "you can access any file" exploit can be used for very nasty things, while in a traditional Unix multiuser environment the server is restricted from doing nasty things to the system. Share this post Link to post Share on other sites
bn880 5 Posted February 13, 2004 It's ok, in general I agree with what toadlife just said. Because Windows (the actual OS) is so standard and has so many features already running and configured, it is easier to exploit. And people who use it do not spend their lives configuring the OS. However the main reasons windows is exploited a lot more: [*]It is a standard across most machines running it (no different kernel versions etc) [*]It is most popular (numerous out there) [*]People running it are often jsut barely able to figure out what to do to get their work done, let alone figure out how to secure/configure an OS [*]envy of the uniform standard and money Microsoft has basically, and I hate to put it as bluntly as this but; If you have a mission to sabotage an airport, do you A) sabotage the diesel fuel and solvents in various barrels around the airport or B) go straight fro the jet fuel in a central underground tank? you go for B) to see any predictable results, and this is Windows. Why bother with A) when it might knock out a Diesel engine or two (some kids linux that he's tweaking constantly anyway) Share this post Link to post Share on other sites
kegetys 2 Posted February 13, 2004 If you have a mission to sabotage an airport, do you A) sabotage the diesel fuel and solvents in various barrels around the airport or B) go straight fro the jet fuel in a central underground tank?you go for B) to see any predictable results, and this is Windows. Â Why bother with A) when it might knock out a Diesel engine or two (some kids linux that he's tweaking constantly anyway) You forget that many, especially serious, security flaws in Windows, Linux and other OS's are found not by people seeking to "hack" into systems but people who seek security holes in order to report them to get them fixed, either by hobby or as a job. Most severe Windows exploits like the RPC hole a while ago were found like this, and only after it was publicated an exploit was released. (Of course its possible that some people have found them before and used them on random occasions) Think of a security inspector coming to your airport, if your diesel fuel storage tanks are open for public to access he's going to tell you to seal it off, even if it wouldn't be a likely target to sabotage. Not to mention, that in the open source world, searching for security flaws is extremely easy compared to the closed world of Windows. You can just scan the source for uncareful uses of memory to find a place to do a buffer overrun exploit. In Windows, you need to run the binary and feed data to it while its running and monitor it with a debugger or such and see where your data ends up, which is much much more work. Windowses have had alot of these and other exploits, which tells you that they aren't coded with very much time put to security (like viewing the source for potential holes by those who have access to it), which leads to the holes ending up in products. In the OSS world the exploits are easy to find and fix by anyone before your program ends up in wide use even if you are a bad programmer. An important factor is also the difference between goals of Microsoft(= Make alot of money, if a hole exists its not wise to fix it unless it causes trouble since fixing it costs money) and the OSS community(= Make good software, if a hole exists most programmers want to fix their "child" and if they dont someone else will). Share this post Link to post Share on other sites
bn880 5 Posted February 13, 2004 Okay, and so there may be a percentage that try to find the exploits to report them. I know about that, still does not change anything as I meant malicious sabotage... EDIT: ANother question is what would you want with Windows being open source, when you already have Unix based OS's which are. It would be a very nasty scene if all of a sudden everyone started running different Windows Kernels, you owuld not have the software portability you have today (and I mean without changing source code and makefiles). Share this post Link to post Share on other sites
toadlife 3 Posted February 13, 2004 Wrong, if you look at the most serious exploits IIS has had, they are in the very core of it, from buffer overflows in request URL's to plain idiotic "just request /../../winnt/system32/config/SAM and you'll get it" bugs where its quite clear that whoever wrote it didn't give a second of thought to security. Ok, I wont argue with that - but point was more to the fact that the people who run IIS servers are a different breed from the ones who run apache servers. IIS cab be secured and those exploits you described (/../../winnt/system32/config/SAM) can be EASILY mitgated by basic security planning. THe problem is , as you point out is the system administrator is left with more securing to do with windows machines than with unix systems. Quote[/b] ]And, if you look at the statistics of webserver exploits, they are from "real" websites that are set up by (more or less) professional people, not just some "I didnt even know that thing was enabled" home users... And there is usually a huge difference is the abilities of your standard IIS admin vs. your standard unix admin. Most IT people I have met that do windows only, think of security as a product and not a process. Share this post Link to post Share on other sites
der bastler 0 Posted February 13, 2004 ANother question is what would you want with Windows being open source, when you already have Unix based OS's which are. It would be a very nasty scene if all of a sudden everyone started running different Windows Kernels, you owuld not have the software portability you have today (and I mean without changing source code and makefiles). Magic words: Lean kernel, system interfaces and standards. Just two example for Linux games: "Savage" and "Return to Castle Wolfenstein: Enemy Territory". No problem to play them --and there are several Linux kernel versions out there: 2.6.1 (new, fast), 2.6.0, 2.4.22 (which I prefer due to nForce chipset), 2.2.x (old) Installation of commercial products is possible and easy. MATLAB is running on my Gentoo powered notebook --I just had to execute the install script... Someone mentioned it before: OFP2 --what about a Linux version? Share this post Link to post Share on other sites
bn880 5 Posted February 13, 2004 Like i said, you already have Unix based operating systems to lean up your Kernel. Share this post Link to post Share on other sites
kegetys 2 Posted February 13, 2004 EDIT: ANother question is what would you want with Windows being open source, when you already have Unix based OS's which are. A legally accessible windows source code would be useful to provide the intercompatibility between Windows and other operating systems that Microsoft doesnt not want to provide, like full NTFS read/write support, DirectX support, or provide a better view on how the windows API works so Windows "emulators" like WINE wouldn't need to reverse-engineer everything, same for Samba. It could also be used to make versions of Windows kernel with support for standards like NFS that Microsoft doesnt want to provide either. After that, having both Windows and Linux coexist in the World would be a tad easier, and movement from Windows to another OS would not be such a big step (and why not the other way too, but who would want to do that? ;)). Share this post Link to post Share on other sites
denoir 0 Posted February 14, 2004 Anyways, as far as I understand IIS is bundled with Windows servers and used in >90% of the cases while apache is used almost exclusively in unix. Possibly. Personally I never figured out how to configure IIS so I run Apache No, but seriously, for those of you who know the field - is there any relevant difference? I'm planning on sooner or later doing a re-install of my XP (I've had the same installation since 2001 and it's getting fairly sluggish). I'm not sure if I should continue with the Apache or to embrace the IIS. I'm currently working a lot with .NET, so that functionality would be nice. Does anybody know if you can run Perl under IIS? Share this post Link to post Share on other sites
toadlife 3 Posted February 14, 2004 Does anybody know if you can run Perl under IIS? LOL. Of course you can. Hop on over to Activestate and download Activeperl (under the "Languages>Downloads" section). I've configured the same application to run on both IIS and apache with minimal changes. Share this post Link to post Share on other sites
SKULLS_Viper 0 Posted February 14, 2004 Quote[/b] ]Microsoft Confirms LeakPossibly traced to Unix developer Microsoft has confirmed that portions of the Windows 2000 and NT4 source code are in fact floating around the web, though they insist there was no breach of their corporate network. The leak instead appears to have originated from long-time Redmond partner Mainsoft, who utilize the code to create native Unix versions of Windows applications. Microsoft has released a statement on the leak, which suggests that "at this time there is no known impact on customers" and that the source code is not complete. BetaNews is claiming the source code was stolen from a Linux developer's PC at Mainsoft. According to BetaNews, the examination of the core dump and other files indicate the PC belonged to Mainsoft's Director of Technology, Eyal Alaluf. Share this post Link to post Share on other sites
shinRaiden 0 Posted February 14, 2004 The primary problem as I see it is thus: xNIX by default is just the skeleton. Most everything is applications seperate from the 'OS'. Lots of stuff can or is turned off by default. Most importantly, users in general are actually somewhat interested in taking personal and proactive administrative measures. With windows, (for litigation reasons, not for functionality) everything is the system-borg. Everything is cross-incestualized, and it is specificly designed (for litigation reasons) to be impossible to unravel. You 'NEED' these features, so they are all turned on for spiffiyness's sake. Firewall? Why would need that? Aren't people friendly? Lets be friends everyone... I design stuff with MySQL, PHP, ActiveState Perl, and Apache on an XP pro system, then implement it on linux servers. IIS does everything to/with everyone, all turned on out of the box for your friendliness. Apache spits out pages period. Add a mod_x here, a mod_y there, pick and choose only what you need, and lock that down, and it's cool. To sum it up, with Windows, you get all the doors out of the box, and they're all open. With Unix, there are no doors, and they'd be locked if they were there. It's a fundamental logical difference, and unreconcilible. Share this post Link to post Share on other sites
toadlife 3 Posted February 14, 2004 To sum it up, with Windows, you get all the doors out of the box, and they're all open. I havn't played with it yet, but have heard from many who have that Windows Server 2003 comes with virtually every feature of IIS disabled by default, which is a good start. Now they just need to un-hinge everything and get rid of the stupid 'localsystem' account. Share this post Link to post Share on other sites
bn880 5 Posted February 14, 2004 EDIT: ANother question is what would you want with Windows being open source, when you already have Unix based OS's which are. A legally accessible windows source code would be useful to provide the intercompatibility between Windows and other operating systems that Microsoft doesnt not want to provide, like full NTFS read/write support, DirectX support, or provide a better view on how the windows API works so Windows "emulators" like WINE wouldn't need to reverse-engineer everything, same for Samba. It could also be used to make versions of Windows kernel with support for standards like NFS that Microsoft doesnt want to provide either. After that, having both Windows and Linux coexist in the World would be a tad easier, and movement from Windows to another OS would not be such a big step (and why not the other way too, but who would want to do that? ;)). That'll be the day. i do agree with your point made before about some really off the wall bugs in windows security, a lot of those are a direct cause of bad culture IMO. And not 1/10th of required testing. (especially for the money we have to pay) Anyway, there are moronic bugs in Linux as well, like Kernels sources that won't compile fresh out of CD etc. And in my personal life I'd rather be in a "world of windows" than "world of Unix", where everything is almost 100% compatible with the OS on everyone's machine, everything is easy to set up initially and at least runs for some duration without you having to figure out too many htings before hand. It's a different story for I/O programming and semi-embedded designs, and even web serving is a different story since someone may wish to strip down and "tweak" to death for that purpose. Share this post Link to post Share on other sites
vektorboson 8 Posted February 14, 2004 Anyway, there are moronic bugs in Linux as well, like Kernels sources that won't compile fresh out of CD etc. Â And in my personal life I'd rather be in a "world of windows" than "world of Unix", where everything is almost 100% compatible with the OS on everyone's machine, everything is easy to set up initially and at least runs for some duration without you having to figure out too many htings before hand. There is the distribution called Lindows, which is supposed to be very easy to setup (you can install apps with on click and dependencies are solved automatically). There is a lot done in usability of Linux Desktops. But I stick to my SuSE. Btw. why would you complain about not being able to compile the Linux Kernel out of CD, when you even don't get a Windows Kernel out of CD? In the Windows world you've to pay for Updates/Upgrades which solve some bugs from former releases, in the Open Source/Free software world chance is high that you get a complete Desktop for free (and new major releases). Sure, there are many small little things in the Linux-world, which can annoy people, but let's admit, who hasn't accepted them under Windows? Â Share this post Link to post Share on other sites
bn880 5 Posted February 14, 2004 Aha yeah, and besites Lindows you have 100 other Unix based OS's, making apps non compatible with all of them until you modify the source. Why would I complain about Kernel source having stupid bugs? Because that is what Open source is for, that is what you say is the big plus of Linux over Windows (being able to tweak the Kernel), and yet it's got the same moronic mistakes as windows does. _thats_ what I'm saying. Windows has issues with what it does best, and Unix based Os's have issues with their feature. One of which is crummy documentation. Share this post Link to post Share on other sites
kegetys 2 Posted February 14, 2004 Aha yeah, and besites Lindows you have 100 other Unix based OS's, making apps non compatible with all of them until you modify the source. Depends, Lindows is based on Debian and using the Linux kernel, and pretty much every GNU/Linux distribution out there with the standard libraries will run the same binaries, no need to recompile them. You can take binary packages from Redhat and install them on Debian and they will work fine. Compiling things from source is very rarely needed today unless you want to do so for some reason of course. For different Unices, for example taking something from AIX to MacOS X might require some source changes but propably nothing major if its standard code (and I doubt any normal user would need to do that anyway). Share this post Link to post Share on other sites
der bastler 0 Posted February 14, 2004 Aha yeah, and besites Lindows you have 100 other Unix based OS's, making apps non compatible with all of them until you modify the source. Why do you think they would be incompatible? Right, you have dozens of distributions, Debian, RedHat, Suse, Slackware, Gentoo... But they all provide a kernel, a X11 window server and a desktop (KDE or Gnome or...) plus several libraries for different GUIs (GTK, QT). For example, on my desktop I run Gentoo Linux, kernel version 2.4.22-gentoo-r5 with XFree86 and XFce4. I can burn CDs and DVDs with K3B --that's a KDE application, but it doesn't insist on KDE. My LaTeX-Editor of choice is Kile, another KDE app that runs without the whole KDE package. Several other tools use the GTK library and guess what --they function perfectly. Same with OpenOffice. Incompatibility? No. Need to change the source? No. Share this post Link to post Share on other sites
der bastler 0 Posted February 14, 2004 Oh, I forgot: Gentoo is a source based distribution. Open source programs will be compiled automatically, e.g. to install k3b you need to type in <table border="0" align="center" width="95%" cellpadding="0" cellspacing="0"><tr><td>Code Sample </td></tr><tr><td id="CODE"> emerge k3b If this program needs a library, that library will be installed, too. You don't have to worry about it, this simple command will do it for you. Easy, hm? Another great command would be: <table border="0" align="center" width="95%" cellpadding="0" cellspacing="0"><tr><td>Code Sample </td></tr><tr><td id="CODE"> emerge ofp2-client Just a little client that needs the original CDs/DVDs. BIS don't need to provide the source, just a precompiled binary. This policy is working, look at Savage, Wolfenstein (the original, commercial one) or Unreal (Tournament). You buy the game, do an emerge gameclient and start gaming... Share this post Link to post Share on other sites
bn880 5 Posted February 14, 2004 Aha yeah, and besites Lindows you have 100 other Unix based OS's, making apps non compatible with all of them until you modify the source. Why do you think they would be incompatible? Right, you have dozens of distributions, Debian, RedHat, Suse, Slackware, Gentoo... But they all provide a kernel, a X11 window server and a desktop (KDE or Gnome or...) plus several libraries for different GUIs (GTK, QT). For example, on my desktop I run Gentoo Linux, kernel version 2.4.22-gentoo-r5 with XFree86 and XFce4. I can burn CDs and DVDs with K3B --that's a KDE application, but it doesn't insist on KDE. My LaTeX-Editor of choice is Kile, another KDE app that runs without the whole KDE package. Several other tools use the GTK library and guess what --they function perfectly. Same with OpenOffice. Incompatibility? No. Need to change the source? No. Well I'm tired of this discussion personally, like I'm tired after wasting at least one entire week on getting my linux to work semi-usefully this month. Not to mention it is such a pile of shit it was not shutting down properly and screwed up my HDD. I have not even the slightest notion of agreeing with any of you who say using Unix based operating sytems is currently as painless as Windows. I will now go and not care about the OS in the background, but other things that I want to do. Share this post Link to post Share on other sites
toadlife 3 Posted February 15, 2004 Well I'm tired of this discussion personally, like I'm tired after wasting at least one entire week on getting my linux to work semi-usefully this month. Not to mention it is such a pile of shit it was not shutting down properly and screwed up my HDD. I have not even the slightest notion of agreeing with any of you who say using Unix based operating sytems is currently as painless as Windows. I will now go and not care about the OS in the background, but other things that I want to do. I hear those complaints loud and clear. Many of the problems around Linux are that as soon as you try and do something that does not involve the default vanilla install, things can fall apart quickly, unless you are a Linux expert. You can run Lindows, but how much more control over your OS do you have then? Lindows is built to do everything for you, just like windows, and IMO you lose many of the advantages of an open system with Lindows. Go find a piece of X software for Linux that is NOT a precompiled binary, and requires a library that your Lindows machine doesn't have installed. Compile and install the library you need and then compile and install the X program, and see if everything goes well. Chances are it wont. Same goes with my favorite Unix, BSD. With my Free BSD distro, I got X/KDE up and running, and wanted to install Mozilla, so I look at the packaged available from their site. Mozilla 1.5 was available, but only a beta version of 1.6 was. I wanted mozilla 1.6, so I went to their site to grab it. Of course, no binary was available for BSD (only for Linux), so I grabbed the source and extracted it. The read me tells me I need the 'F' libraries and the 'g' libraries to compile, so I go to the respective sits and get those libraries. Now, the read me for the 'F' library says it needs the 'h', 'i',and 'j' libraries to compile...so I go an get those libraries. So I compile and install the 'h', 'i' and, 'j' libraries, but the 'i library gives some error saying it can't find the 'k' library when I try and compile it. So now I have to get the 'k' library. I get it and compile/install it, and then go back and try to compile the 'i' library, but it still says it can't find the 'k' library, even though I verify that it is installed and the specific files that the 'i' libraries need are in the appropriate folder. In the end, I give up and install the Mozilla 1.5 package from the Free BSD site and it works fine. Now, I have a GeForce4 card, so I would like some OpenGL in my X Environment. Again, at Nvidia's site they only have automatic installers for Linux - so I download the driver source and extract it. The read me lays out a few requirements that I already have, so I go ahead and compile/install it - SUCCESS! So the last thing I have to do is make some tiny changes in my X86config file, which I do. I restart X, and everything loads up just fine. Then I open up some KDE multimedia program and my computer locks up solid. - (NOTE that my computer NEVER locks up under windows) - I hard reboot and try to load X and it errors out, saying some files are missing. I try and uninstall and reinstall XFeee86 and it wont work for some other cryptic reason. This is where my wonderfull Unix distro is at the moment - in a state of command line bliss. At work I'm setting up an Open BSD box to work as a Spam gateway, and types of things aren't a problem, as the X environment isn't neccessary. Note that all of the problems I have ever run into with Linux/BSD have always involved the X system. If you stick to the console and do you bidding from there, things tend to work. Share this post Link to post Share on other sites
der bastler 0 Posted February 15, 2004 Same goes with my favorite Unix, BSD. With my Free BSD distro, I got X/KDE up and running, and wanted to install Mozilla, so I look at the packaged available from their site. Mozilla 1.5 was available, but only a beta version of 1.6 was. I wanted mozilla 1.6, so I went to their site to grab it. Of course, no binary was available for BSD (only for Linux), so I grabbed the source and extracted it. The read me tells me I need the 'F' libraries and the 'g' libraries to compile, so I go to the respective sits and get those libraries. Now, the read me for the 'F' library says it needs the 'h', 'i',and 'j' libraries to compile...so I go an get those libraries. So I compile and install the 'h', 'i' and, 'j' libraries, but the 'i library gives some error saying it can't find the 'k' library when I try and compile it. So now I have to get the 'k' library. I get it and compile/install it, and then go back and try to compile the 'i' library, but it still says it can't find the 'k' library, even though I verify that it is installed and the specific files that the 'i' libraries need are in the appropriate folder.In the end, I give up and install the Mozilla 1.5 package from the Free BSD site and it works fine. That's why there are package systems which care about the dependencies... Quote[/b] ]This is where my wonderfull Unix distro is at the moment - in a state of command line bliss. At work I'm setting up an Open BSD box to work as a Spam gateway, and types of things aren't a problem, as the X environment isn't neccessary. Note that all of the problems I have ever run into with Linux/BSD have always involved the X system. If you stick to the console and do you bidding from there, things tend to work. Just for the records: Linux != BSD Share this post Link to post Share on other sites
denoir 0 Posted February 15, 2004 Well I'm tired of this discussion personally, like I'm tired after wasting at least one entire week on getting my linux to work semi-usefully this month.  Not to  mention it is such a  pile of shit it was not shutting down properly and screwed up my HDD. I have not even the slightest notion of agreeing with any of you who say using Unix based operating sytems is currently as painless as Windows.  I will now go and not care about the OS in the background, but other things that I want to do.   Yeah, I couldn't agree more. While Linux certainly has increased its ease of use over the years, it still only applies if you are going to use just the standard stuff. Anything beyond that is a pain. For people that have no knowledge about computers you can rule out Linux straight away. And you'd be surprised how large percentage of people that use computers today don't even understand the basic concepts of a directory structure. Windows on the other hand has some nasty tendencies in the opposite direction. It gets too dumbed down so that it annoys more advanced users. My biggest beef with Microsoft is when it tries to predict how I'm going to use my computer and introduces silly structures as "My Documents" or "My Pictures" that get preferential treatement from the OS. But that's the future. As more and more people use computers they will get more primitive, simple and limited interfaces. So I personally feel a bit caught in between. I don't want to look under the hood at the level that Linux makes you, but I also don't have any interest in having a pre-defined system that forces you to work the way Microsoft thinks you should work. Fortunately XP is fairly scalable and you can turn off most of the silly features. I hope that they'll continue having a layered interface where the user can choose the level of complexity and type of interface. Share this post Link to post Share on other sites
