RE: Ten least secure programs

From: Brad Bemis (Brad.Bemis_at_airborne.com)
Date: 07/07/03

    Date: Mon, 7 Jul 2003 08:09:27 -0700
    To: "Dan Bartley" <bartleyd@corp.netcarrier.com>, security-basics@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    That is a great observation. Many people appear to forget this when the
    Microsoft bashing begins...

    - - Brad Bemis

    - -----Original Message-----
    From: Dan Bartley [mailto:bartleyd@corp.netcarrier.com]
    Sent: Thursday, July 03, 2003 12:40 PM
    To: security-basics@securityfocus.com
    Subject: RE: Ten least secure programs

    You might want to study the statistics for the past year before making
    "my favorite OS" statements. Linux actually came out on top of the pile
    for number of security holes, number left unfixed, number of actual
    compromises and slowness in dissemination of information and fixes.

    FreeBSD came out among the best, or near, I believe. Windows was in the
    middle.

    Best Regards,

    Dan Bartley

    - -----Original Message-----
    From: Tim Greer [mailto:chatmaster@charter.net]
    Sent: Wednesday, July 02, 2003 13:31
    To: Vic Parat (NSS); Chris Berry; oclug@oclug.org;
    windows2000@freelists.org; security-basics@securityfocus.com
    Subject: Re: Ten least secure programs

    - ----- Original Message -----
    From: "Vic Parat (NSS)" <vic.parat@nssecurity.com>
    To: "Chris Berry" <compjma@hotmail.com>; <oclug@oclug.org>;
    <windows2000@freelists.org>; <security-basics@securityfocus.com>
    Sent: Tuesday, July 01, 2003 12:28 AM
    Subject: Re: Ten least secure programs

    > I would definitely question some of your choices (is Apache more secure
    > than IIS?)

    Yes, very much. :-)

    > but I think top honors for "the ten least secure computer items" is an
    > under qualified system administrator.

    I agree 100%. This is also why all the programs mentioned are insecure
    too, those pesky humans!

    Anyway, while I agree with you, the fact remains that the programs
    themselves differ from problems, one more so than the others. Surely a
    secured Windows server is more secure than a non-secured Linux server, but
    that's sort of a strange argument to make.

    This thread is about insecure programs, nothing more, nothing less.
    Sometimes they are more insecure than others due to a common configuration
    error or default setting and that comes down to a lame sys admin. Really
    though, how many people are really even qualified sys admins?

    Anyway, the point being, some programs are far more exploitable, in their
    default or highly configured state, than others... when comparing them as
    default to each other, as well as configured well, to each other. Then,
    comparing them. Also, mind the fact that depending on what you're talking
    about, some of them don't allow you to have the control to configure them
    and are thus insecure.

    For example, Windows only allows so much. There's a lot you can do, but
    mostly a lot you can not. Whereas on a Linux or FreeBSD system, you have
    much more you can do, right down into hacking the kernel however you want,
    and even if it is a far more involved process and much more skill is
    needed, it's up to the person and their skills to configure, hack and use
    their skills to make the server/system far more secure than, say, a
    Windows system allows.

    Personally, I find that a default Windows set up is about as insecure as a
    default Linux set up. Both need to have a lot done, but you can do a lot
    more with a Linux system. Do most people have the time, let alone the
    comprehension? Surely not, so we go back to your comment about unqualified
    sys admins. I couldn't agree more. However, of two qualified sys admins
    skilled in their respective areas, the Linux sys admin can do more, unless
    that Windows sys admin is privileged enough to be offered the Windows
    source code to review and modify to locate and close any potential holes.
    - --
    Regards,
    Tim Greer chatmaster@charter.net
    Server administration, security, programming, consulting.

    - ---------------------------------------------------------------------------
    Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
    The Gartner Group just put Neoteris in the top of its Magic Quadrant,
    while InStat has confirmed Neoteris as the leader in marketshare.

    Find out why, and see how you can get plug-n-play secure remote access in
    about an hour, with no client, server changes, or ongoing maintenance.

    Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
    - ----------------------------------------------------------------------------


    -----BEGIN PGP SIGNATURE-----
    Comment: KeyID: 0xB8F26ADD
    Comment: Fingerprint: 6E1C D617 CD65 A203 7FD5 4C68 90E7 39F4 B8F2 6ADD

    iQA/AwUBPwmNJ5DnOfS48mrdEQLQvgCgkXi2QQW+icFrSXRyV/LDghVo9gYAmwR/
    zkpHqHe5stvSdAzaGFMJr5Ry
    =LUaj
    -----END PGP SIGNATURE-----


