IIS6 security?

Whats so wrong with that? MS is spending millions of dollars to produce IIS, it damn well better be more secure. I don't like the idea of a product that costs many hundreds of dollars being less secure than one that is a free download.

-zac

Yeah good point. I guess it's just a shock to see a webserver that is like a trojan to sudently be known to be secure.

IIS 6 already has securtiy holes.. chack k-otik. u'll know.. apache is fundamentally more secure than IIS will ever get because it is open source.. u can customise it to ur needs.. once that is done apache is a lot safe and stable than IIS..

u dont hack into software.. u hack into the mistakes of the programmer.. more the number of programmers lesser the number of mistakes.. and apache has a large portion of the hacker community working on it.. that's a lot compared to the people working on IIS..

Bugmenot.

What IIS 6.0 security holes?

"Yeah good point. I guess it's just a shock to see a webserver that is like a trojan to sudently be known to be secure."

How can anyone possibly be this stupid?

"u dont hack into software.. u hack into the mistakes of the programmer.. more the number of programmers lesser the number of mistakes.. and apache has a large portion of the hacker community working on it.. that's a lot compared to the people working on IIS.."

Well, fuck me.

Everyone at Ars: Hi Mom!

are you new here?

Your right, his post did seem a little too intelligent for the audience.

If you run a decent amount of services on Windows Server 2003 you'll find yourself applying about a good 10 security patches every month or so.

Least someone got my point.

Either way, do a search on milw0rm and tell me how many script kiddie exploits get returned for IIS, and how many get returned for apache. If you don't feel like looking, heres the results:
11 for IIS since 2000-11-18
20 for apache since 2003-04-04

A Security Focus Vulnerability search for apache and one for IIS both return 4 pages of results.

So if someone wants to go through and show me how all the IIS flaws are huge holes and all the apache ones are tiny little bugs feel free. It just doesn't seem like apaches all that more secure than IIS to me.

-zac

This is an outright fallacy: open source does not guarantee security any more than closed source denies it. Apache has had more than its share of exploitable vulnerabilities over the years, much the same as IIS. What it ultimately boils down to is that programmers make mistakes that aren't caught before the product ships. If you don't believe me, check the last five years or so of the Bugtraq archives - you'll find a wide variety of vulnerabilities and exploits for both.

This is another fundamental flaw in the way people view open source. More programmers does not necessarily equal better code. That doesn't mean that it equals worse code, but you do have more people with their own ideas of how everything should be done. What this means, really, is that without proper independent code review, any closed- or open-source project faces a greater chance of exploitable vulnerabilities making it in.

Microsoft has engineering resources that can only be described as 'massive'. How many people really work on Apache, anyway? A lot of contributors doesn't necessarily equate to a lot of people working on it - I can correct typos in the documentation, submit it, and say that I've 'worked' on Apache. Someone who's actively working to improve the threading model in it, however, is doing something way more valuable that what I am.

And lest this sound like an anti-open-source diatribe, it isn't. But people need to figure out that using one model over the other doesn't necessarily confer any superiority in terms of the quality and security of the software being developed. Good coding practices, independent code review, and actively finding and fixing existing problems in the code count for a lot more than adding features before fixes, or fiddling with one's pet part of the code.

Also:

I'm aware that you're in India and that English is one of probably at least two languages you speak, but please don't use SMS-speak here. It makes even intelligent replies sound utterly stupid.

IIS 6 is not that new and pretty damn secure

Microsoft contracted Dave Aitel, Dildog, and one other person (I think K2) to audit IIS6 and made huge changes to the security architecture of IIS in response to the seemingly endless string of vulnerabilities in previous versions of IIS. IIS6 has a good history with very limited known security issues. MS really made a big effort to straighten IIS out, and it shows.

Anybody who thinks open-source has security advantages over closed-source has clearly not read enough open-source code

As opposed to reading closed-source code?

http://episteme.arstechnica.com/grou...1#883004516731

Don't feed the cross-forum trolls.

Yup

How is this for a response to your quip: if you do not have experience reading closed-source software, by either working for commercial software vendors or being paid to audit closed-source software, then you have no ground to stand on in this debate. Only developers and code auditors that have substantial experience working on or studing both open and closed source software have any basis for making a claim one way or another. Vulnerability statistics do not backup the arguments from either side.

Idiot trolls. they are anti-open source people at heart, to even go down to the level of trolling here to try and give their point that "because it's free, it can't be as good".

Might want to close this thread or move it to /dev/null