
Linux Security: Reflections on 2002, Eye on 2003
Mirko Zorz writes "Here are the reflections on Linux security in 2002 and predictions for 2003 by Bob Toxen, one of the 162 recognized developers of Berkeley UNIX and author of the acclaimed book "Real World Linux Security" already in its 2nd edition. Read more at Help Net Security."
Disappointing article (Score:4, Insightful)
Re:Disappointing article (Score:3, Informative)
Actually two...
As the worldwide recession continues in 2003, budget pressures will help move the world from expensive SysAdmin-intensive proprietary solutions to Linux. Even the last two holdouts, Sun and Microsoft, have grudgingly started to embrace Linux.
Re:Disappointing article (Score:4, Insightful)
Re:Disappointing article (Score:1)
Re:Disappointing article (Score:4, Insightful)
Most of the predictions were "more of the same". I seriously doubt we'll be seeing "a major Cyberterrorism event" though -- I usually expect to hear this from sensationalists, not legitimate security experts. Think Steve Gibson. [grcsucks.com] In fact, the theorized cause of these massive DDoS attacks is supposed to be windows systems, and the Raw Sockets are Evil [grcsucks.com] thread is brought back to mind.
One big unforgivable mistake in the article: there was no bug in DNS -- there was a bug with BIND [isc.org]. Anyone using nameservers or libraries that were not part of BIND were unaffected. The fact that he assumes BIND is the only DNS server in the world is a big mistake, and one of the reasons DJBDNS [cr.yp.to] doesn't get enough airtime.
Overall, I didn't see anything in the article that I didn't already see a hundred other places.
Personally, I'd like to hear what the authors of Hacking Linux Exposed [hackinglinuxexposed.com] have to say. Their book has a lot more grit and less soft-shoeing over the topics. Real World Linux Security has always been too full of stories and not enough answers for me. (Of course I bought the 2nd edition anyway.)
Re:Disappointing article (Score:1)
Near the end, end of honeypots?! (Score:4, Insightful)
He forgets the other valuable feature of honeypots. You can deploy prototype installations and observe the kinds of attacks in the wild, to get a feel for the capabilities of the adversary. These techniques change over time, and that information is invaluable when determining where effort needs to be focused in a security plan for your product.
This short-sightedness casts doubt on some of the other parts of his essay, other than on the obvious points (to us at least, those involving Microsoft, Hollywood, the man keepin us down, blah blah blah).
Honeypots are awesome. (Score:5, Informative)
Of course honeypots can also be used to learn what hackers do. The Honeynet Project [honeynet.org] is a great place to go to learn how to set one up securely so it can't be used to attack other people.
In fact, today a new version of honeyd [tracking-hackers.com] was released:
Toxen's fear of Honeynets and Honeypots shows the "if I don't understand it, it's not good" theory I find in too many managers. He should take some time to run a honeypot or two and see how useful they can be.
Re:Honeypots are awesome. (Score:2)
Re:Honeypots are awesome. (Score:1)
Re:Near the end, end of honeypots! (Score:2, Insightful)
If the honeypot is not breached is the system secure? Of course not. You have learned nothing. If you instead did that code audit and security audit then you would have more confidence that it was secure than when you started.
I stand by my claim that for most people, the time spent on a honeypot does not have technical value.
But the time spent is trivial. (Score:1)
Then, you simply take aside a sysadmin and teach her how to install your package. Give them pointers on how to do a good installation. Then, let them install it on the machines on the DMZ. Some other person will install your load testing utility on yet another server on the DMZ which will hammer the machines, simulating heavy usage conditions. You will already have this tool too, if you have been testing your code.
Finally, do other important things. Every once in a while, check to see what, if anything, has happened to your honeypots. If they have been poked and prodded at regularly, you will ONLY then spend the additional time analyzing it for faults, break-in attempts, etc.
Moreover, if the simulated load tool suddenly complains it can't talk to your application, then you switch focus and do a postmortem analysis of the dead machine on the DMZ. You can probably discover a quick fix or weak point right away.
The chance that you may have such a situation is valuable, and so is the knowledge that (provided the machine has been sufficiently poked at and finagled with) it is resistant to, at least, unimaginative adversaries.
The key is not to put more effort into the application than is necessary. For certain apps, certainly the honeypot test is overkill, or unnecessary. But there will be other cases where you can dedicate a small portion of time to the setup and monitoring of a production machine, to see how it currently resists real-world stress. The question is at what point does the early testing outweigh later struggles with security updates, errata, patches, and that ilk; those things that will be discovered after it deploys.
Of course, no app will gain critical attention until after it's released and it becomes widespread, and there it will meet the most sophisticated attempts to break in. But you don't want to give anyone the wrong first impression, when your software gets trivially borked in that first month.
Finally, the code audit will reveal whether you have used best practices and your code meets the specs. But it won't tell you when your specs, requirements or best practices are wrong from the start. E.g., there is nothing wrong at all with in.rshd, it's a tank. You can throw anything at it, and it behaves exactly as it should. But its assumption about the operating environment (a secure network where no one can have a privileged port) is a pipe dream. Thus, it is trivially hijacked and exploited.
And flying cars (Score:3, Funny)
Re:And flying cars (Score:2)
It was predictions for 2003 not 2030.
Linux security? (Score:1)
I fail to see how his predictions, which include things like large truck bombs and wide scale DDoSs, are all Linux related. It read more like Chicken Little's predictions.
Real World Computer Security (Score:4, Funny)
2.) Use RPM based Linux Distribution and leave system alone (risky as swimming in an Americanized river).
3.) Use OpenBSD and leave system alone (like sitting on a Sunday with your grandma in Utopia(tm)).
Is this the type of "security" they're talking about? I don't know of one system that advertises itself as "secure" other than OpenBSD. For an open-source site like Slashdot I think the best tool for the job should definitely be used.
Or if you insist on an RPM Linux solution, get Bastille. And possibly look into a non-RPM based distro; for servers Debian certainly works quite well. And if your server is IMPORTANT at all, subscribe to bugtraq, CERT, and anything else that applies to your OS. It wouldn't hurt to check the homepage of your OS at least once a week either. And do routine audits on your system.
Security isn't hard if you actually make it a point to be conscious about it.
Re:Real World Computer Security (Score:2)
The clean water act is a sham and anyone living on the ol miss knows it.
Re:Real World Computer Security (Score:1)
I spent 20 years of my life living right beside the Mississippi River which runs straight through the middle of the USA, and it is the most god awful dirty water that I have ever seen.
The clean water act is a sham and anyone living on the ol miss knows it.
Try looking at the water in a Mexican or Indian river.
You don't realize how clean that water is, considering the amount of industry that relies on it.
Re:Real World Computer Security (Score:4, Informative)
It's hard to believe that something in the wonderful utopia of wonderfulness which is America can have something so dirty running right down the middle of it.
You think it's so clean?? I'll getcha a glass, and we'll see if you want to drink it, considering how "Clean" it is.
Re:Real World Computer Security (Score:1)
Re:Real World Computer Security (Score:2, Informative)
OpenVMS/SE-VMS, OS/400, HP/UX BLS, Linux w/ Pitbull/LX, Solaris/AIX w/ Pitbull
OK, none of these systems is totally open source, but all of them have pretty good security.
Re:Real World Computer Security (Score:2)
Huh? (Score:3, Insightful)
As another responder so aptly pointed out, the package management system has nothing to do with security, unless you are using file verification as part of your security plan (which isn't a bad idea; do "rpm -Va" for system-wide verification of all files known about in the rpm database).
However, if you have to support real-world applications, and not just your webserver at the other end of your cable modem, there is another aspect to system security and stability, and that is THIRD PARTY VENDOR SUPPORT.
Now, I realize that the number of guys on /. who actually do stuff for a living that doesn't include final exams is minimal. However, if my boss/engineering staff/customer wants a product for a specific purpose, say, backups, or CRM, or CMS, I don't have the power to say "well, sorry, but we only run StinkyFeet Linux, not Blue Bonnet like that vendor requires". If they don't can me, they'll just go with a Windows-based app to get around that headache.
So then, what good does it do to have several distros around? They all run the SAME PACKAGES, imagine that! And when there is a hole in OpenSausageStuffer on an RPM-based distro, there is going to be a hole in OpenSausageStuffer on a non-RPM-based distro. The Horror!
So instead of having one distro network-wide, which has the same version/feature set across all systems, and the same cronjobs for updates, etc, I now have several, because some fool decided that he didn't have the time to make the appropriate decisions and shut things off. hmmm...
And that doesn't even get into the headache of trying to deploy my own packages, or dealing with the preferences of my users, or with the terms of a contract.
In short, being a stick in the mud about distros isn't going to gain you anything. And not learning how to do your own security in favor of a crutch like Bastille isn't going to gain you anything either. Jay has a good idea, and it's great for noobs, but if I'm paying you (or if you're paying me) to secure a system you better fucking know exactly what is going on. And when security requirements change, you better be able to handle it. Relying on someone else's idea of secure is a place to start, not the final answer to your own security. Security is a process, not a product, no matter what your little imagination tells you.
When it comes to system security, the best distro for the job is the distro you know the best, not the /. poster's favorite distro. A newbie to HandCreamBSD isn't going to be any better off than a newbie to Blue Bonnet Linux.
--mandi
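The "rpm -Va" check mentioned above is only useful if someone actually reads its output, and on a real box it produces hundreds of lines, most of them harmless mtime changes and edited config files. As an added example (my code, not any poster's), the script below triages that output so it can serve as a periodic integrity check. SAMPLE_RPM_VA is constructed for this example in the layout rpm prints (flag field, optional attribute marker, path); the function names are mine.

```sh
#!/bin/sh
# Added example: triage the output of "rpm -Va" (verify every installed
# package) so it can serve as a periodic integrity check.
#
# SAMPLE_RPM_VA is constructed for this example in the layout rpm prints:
# a flag field (S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime; "." means unchanged), an optional attribute marker such as "c"
# for %config files, then the path. "missing" replaces the flags when the
# file no longer exists.
SAMPLE_RPM_VA='.......T.    /usr/share/man/man1/ls.1.gz
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /bin/ls
.M.......    /usr/sbin/sshd
.....U...    /usr/bin/passwd
missing     /usr/lib/libwrap.so.0
.......T.  c /etc/motd'

# Print only the findings worth a human look:
#   - any file rpm reports missing
#   - non-config files whose size, mode, digest, owner or group changed
# A changed mtime alone is noise, and %config files are expected to differ
# from the packaged defaults, so both are dropped.
triage_rpm_verify() {
    awk '
        $1 == "missing" { print "MISSING  " $NF; next }
        NF == 3 && $2 ~ /c/ { next }   # %config file: expected to differ
        {
            f = $1
            if (substr(f, 1, 1) == "S" || substr(f, 2, 1) == "M" ||
                substr(f, 3, 1) == "5" || substr(f, 6, 1) == "U" ||
                substr(f, 7, 1) == "G")
                print "CHANGED  " f "  " $NF
        }
    '
}

# Count findings on stdin; handy for a cron job that only mails when the
# count is non-zero.
count_findings() {
    triage_rpm_verify | grep -c .
}

# Stand-alone demonstration on the constructed sample. Against a live
# system you would pipe the real thing:  rpm -Va | triage_rpm_verify
printf '%s\n' "$SAMPLE_RPM_VA" | triage_rpm_verify
```

On the sample this reports the missing library and the three binaries whose size, digest, mode or owner changed, and says nothing about the two edited config files or the man page whose timestamp moved. The flag positions are the ones rpm documents; if your rpm prints an eight-character field (older releases omitted the trailing capabilities column), the positions tested here are unchanged.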
Re:Huh? (Score:2)
Okay, when I said RPM-Based Linux Distributions I was referring to the "Big Three" (RedHat, Mandrake, and SuSE); all these distros come with a HUGE amount of overhead with the install of the system. Packages that are not necessary for a security based system. Unless you specifically hold a gun to the installer's head it will install everything and the kitchen sink for the "Linux Experience (TM)".
Distributions such as Debian, Slackware, and Gentoo, CAN use RPM, but aren't part of the "Big 3" and do have the ability to install a bare bones system install with almost nothing from the get go, making the ability to build the system up from scratch easier for the admin to maintain.
As you noted in your wonderful reply, BSD may not be the answer, but OpenBSD is the ONLY Operating System to date that I've seen where even a newbie can rest a little easier knowing that the system is completely secure (so long as they install only what came with their CD). Why is this? Because that's what OpenBSD is famous for and what OpenBSD is really good at.
If there is a company that wants to use "EgoStroking Linux" then that is what you are going to have to work with, but I have yet to see a secure system that doesn't follow the "K.I.S.S." model (and no, that's not a Detroit rock band ...) "Keep It Simple and Secure", in which something that is not necessary to the system is not installed or used, and if it is installed is deleted. All daemons are run in unprivileged accounts with little or no access to the system as a whole and with communications of programs limited to what is necessary (i.e., is there a reason to have a time server on a web box? If not then disable the thing).
Rip up the RC's and anything else not neccessary at startup, make sure your directory permissions are tight, and for god sakes self audit your system.
So basically we're actually in agreement, but you decided to take my "sort of a joke" comment a little too seriously.
And I'll go to my grave saying that the most secure server is the one that is a molten goo in the middle of the earth.
Damn (Score:5, Funny)
Unfortunately, a fair number of "Mom and Pop" sites use IIS, though a surprisingly high percentage do use Linux. For this reason, before giving my credit card to a new web merchant I always do:
nmap -O -sS -F -P0 -T Aggressive newguy.com
Stealth port scan with aggressive timing? Now that's consumer activism.
Re:Damn (Score:5, Insightful)
Yeah, and I'll bet he gives his credit card to waiters in restaurants all the time. The only time I've ever had someone try to use a credit card number stolen from me, it was a busboy at a local Cambodian restaurant (they caught the guy too).
Re:Damn (Score:4, Interesting)
You just summed up the difference between using a credit card at a restaurant and using one online.
I do not think he is paranoid. Three months after CodeRed first appeared, one out of ten "secure" or "commercial" IIS websites were still infected. [netcraft.com] (Note the word "secure" as in encryption and the word "infected" as opposed to merely "vulnerable".)
Re:Damn (Score:2, Funny)
You nmap newbie.. If you were a really 31337 haxor you'd know how to use nmap. Bitch!
Re:Damn (Score:3, Interesting)
Re:Damn (Score:1)
Wow, a professional journalist missed the nuance of italicized text preceding my comment. See, we Slashdot folk do that when we quote somebody else. While I applaud your concern for Bob Toxen's buying habits, the fact that he has written one of the industry's most important books on computer security lends a certain weight to his words.
On a side note, just where are these opulently paid Linux integrators?
RWLS != most important (Score:2, Insightful)
No, this is not a troll, it's my book review. Toxen should write a book about his days working with the BSD folks, he'd sell a million. But as a Linux security book, I'd suggest the man pages first.
Re:RWLS != most important (Score:2)
But as a Linux security book, I'd suggest the man pages first.
Well, I am a professional security consultant, and I find Toxen's work to be eminently practical and useful. I'm not personally familiar with anything the man pages have to say about password policies or paths of vulnerability. On my system, I don't seem to have manual entries for either of these.
Re:Damn (Score:1)
nmap -O -sS -F -P0 -T Aggressive www.amazon.com
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 207-171-182-16.amazon.com (207.171.182.16):
(The 1098 ports scanned but not shown below are in state: filtered)
Port State Service
80/tcp open http
443/tcp open https
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=2.54BETA31%P=i586-pc-linux-
TSeq(Class=RI%gcd=1%SI=1130%
TSeq(Class=RI%gcd=1%SI=1F64%TS=U)
TSeq(Cla
T1(Resp=Y%DF=N%W=800%AC
T2(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=800%ACK=S++%Flags=UAPR%Ops=WNME
T4(Resp=Y%DF=N%W=800%ACK=S%Flags=AR%Ops=WNMETL
T5(Resp=N)
T6(Resp=Y%DF=N%W=800%ACK=S%Flags=AR
T7(Resp=Y%DF=N%W=800%ACK=S++%Flags=U
PU(Resp=N)
Nmap run completed -- 1 IP address (1 host up) scanned in 202 seconds
Re:Damn (Score:1)
Try nmap 3.x. I think it has better OS recognition. I would advise against port scanning hosts you do not personally control. That is illegal.
not a major virus (Score:2, Interesting)
aaaaargh (Score:1, Funny)
Security predictions (Score:5, Insightful)
After all, why did linux inherit the Unix concern for security?
Enough old-school unix guys have been bitten by the bad security in telnet and NIS and a half dozen old world Unix services with big nasty security issues.
Sure Bastille linux or RedHat secure server makes decent choice and OpenBSD is locked pretty tight right out of the box. That does not mean that it is impossible to break into those boxes. Just that it is more difficult. All you need is a one-day lag between a security issue posting on Cert and the patch to whatever software you are using coming up for your distro or OS. It can happen to any of us. It will happen to many of us.
The over-confident are always the funniest to watch when their shit hits the fan.
The honeypot thing is interesting. I have always wondered if you really get enough useful information from the attacks to warrant the time put into the systems. Somehow it just smacks of a geeky wanking waste of time. On the other hand, maybe the information from such implementations really make this worth it.
Any comments on this?
Re:Security predictions (Score:4, Insightful)
Still, as Linux slowly gains desktop market space and the level of security awareness of the average user declines, it is conceivable that it will become more hospitable to Nimda/Klez-scale worm epidemics. Also Linux tends to run more services; a Windows 98 box is very difficult to compromise remotely because it has almost no interfaces to subvert. We probably won't be at the same level of susceptibility as Micros~1 platforms for a while, though.
Re:Security predictions (Score:2)
Except the keyboard and mouse.
--mandi
Talking about Linux security... (Score:3, Informative)
Someone who wants karma bad enough should reply to this with the advisory
Re:Talking about Linux security... (Score:1)
Re:Talking about Linux security... (Score:4, Informative)
--- begin cut & paste ---
To: BugTraq
Subject: Re: OPENSSH REMOTE ROOT COMPROMISE ALL VERSIONS
Date: Jan 6 2003 8:05PM
Author: Global InterSec Research
Message-ID:
In-Reply-To:
As some may have gathered, the advisory recently posted by mmhs@hushmail.com was indeed a fake, intended to highlight several unclear statements made in GIS2002062801. The advisory in question is currently being updated with more detailed information and will be re-posted at: http://www.globalintersec.com/adv/openssh-2002062 available.
Note that the kbd-init flaw described in GIS2002062801 was proven to be exploitable in our lab although not all evidence to demonstrate this was provided in the original advisory. A mistake was made in the original advisory draft, where chunk content data was shown, rather than the entire corrupted malloc chunk. This will be amended in the revision.
Also note that to our knowledge there are currently no known, exploitable flaws in OpenSSH 3.5p1, due to its use of PAM as suggested by mmhs@hushmail.com. It is almost certain that the posted bogus advisory was also intended to cause alarm amongst communities using OpenSSH, through misinformation.
Global InterSec LLC.
--- end cut & paste ---
The original advisory I was talking about can be found here [securityfocus.com].
Sorry for misguiding you, humble slashdot readers.
Re:Talking about Linux security... (Score:2)
This outta be "-1, Stupid"
Re:Talking about Linux security... (Score:5, Informative)
The posting appears to be a fake. (I wonder why your snake oil alerts didn't go off...)
Too many services? (Score:3, Informative)
Re:Too many services (Score:2, Interesting)
SuSE first flushes existing rules and then adds new rules. Thus, for a short time there are no rules but the default for each chain is ACCEPT. They are saved only because networking has not yet been turned on. I suspect that this is more of an accident than intent because the correct solution is to first set the defaults to DROP, then add rules, then change the defaults to ACCEPT if that is your desire.
There are other weaknesses in the current SuSE.
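The ordering problem described above is easy to reproduce and just as easy to check for. As an added example (my code, not SuSE's firewall script or the poster's), the script below writes out the two load orders side by side: the weak one, which flushes while the chain policy is still ACCEPT, and the recommended one, which sets the policy to DROP before the flush. IPT, the minimal rule set and the function names are assumptions; by default IPT only prints the iptables commands so the sequence can be inspected without root.

```sh
#!/bin/sh
# Added example (not SuSE's script): the two rule-loading orders the post
# describes. IPT defaults to printing the commands so the sequence can be
# inspected without root; run with IPT=iptables to apply it for real.
IPT="${IPT:-echo iptables}"

# Weak order: flush while the chain policy is still ACCEPT. Between the
# -F and the first -A rule the chain accepts everything, and the only
# thing that ever closes it is the trailing catch-all rule. If the script
# dies or is interrupted after the flush, the box stays wide open.
load_rules_unsafe() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -j DROP
}

# Safe order: set the policy to DROP first, so the flush leaves a closed
# chain, then add the permits. The policy stays DROP; the post's optional
# last step (switch the policy back to ACCEPT if that is what you want)
# would go at the very end, after the rules are in place.
load_rules_safe() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
}

# Review helper: read a generated command sequence on stdin and succeed
# only if "-P INPUT DROP" appears before "-F INPUT". Useful for checking a
# distribution's boot script (run it with a printing IPT) before trusting it.
policy_before_flush() {
    awk '
        /-P INPUT DROP/ { policy = NR }
        /-F INPUT/      { flushline = NR }
        END { exit !(policy && flushline && policy < flushline) }
    '
}

echo "== unsafe order =="; load_rules_unsafe
echo "== safe order =="; load_rules_safe
if load_rules_safe | policy_before_flush; then
    echo "safe order: policy set before flush"
fi
```

The window in the weak order is short, as the post says, but it exists on every rule reload, not only at boot when networking is still down; the safe order removes it entirely rather than relying on timing.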
Obligatory... (Score:1, Troll)
Re:Linux? (Score:2, Interesting)
hey i cracked grandma's PC with code red..... look birthday photos !!!!
thats what i would classify as a yawn.
then you have the --> i just cracked IBM's (insert corporate type.) desktop
not saying that either will or has happened. but which would you fear more as an executive at HP, Sun, IBM et al? your consumer end products getting hosed because of Microsoft's boo-boo. or your corporate infrastructure getting hosed?
and yes i happen to work at one of the above mentioned companies and we easily run 30% of our desktops on linux. (with plans to get 80% to linux by the end of '03) (the other 20% is being kept for R&D and support purposes)
and if you were talking about unix
Linux ain't so great... (Score:2, Interesting)
Is it really that much more secure? Not really.
The key to security is implementation. Solaris isn't inherently incredibly secure. Secure Solaris is. Linux? Nah. the NSA Linux? I imagine so!
FreeBSD (and the other BSDs even) was designed with the intention of being secure, and so it is far more so. So is NSA Linux and Secure Solaris. That has nothing to do with the inherent security of the base product, though.
Re:Linux ain't so great... (Score:1)
Especially this quote:
"In 2002 Microsoft issued 34 advisories for Windows XP, and 37 advisories for Windows 2000. By comparison, Red Hat Linux saw 87 advisories for its OS and Sun issued 83 alerts for Solaris."
It says nothing about the severity of the alerts but on sheer numbers, it's thought provoking.
Re:Linux ain't so great... (Score:2)
Help net security: Toxen's Publicist (Score:3, Interesting)
Nope, seems to me Toxen's pseudonym is "Zorz".
Re:Help net security: Toxen's Publicist (Score:2, Informative)
Seriously, I have no business, financial, or other connection to Help Net Security. They had the idea for the book giveaway and contacted Prentice Hall, my publisher, to request the copies. If you write a book they consider worthy, I'm sure that they will talk about it and invite you to write articles. Zorz is not a pseudonym for Toxen. My only web sites are
http://www.realworldlinuxsecurity.com
and
http://www.verysecurelinux.com
Comment removed (Score:5, Interesting)
Sendmail server was broken into (Score:2, Interesting)
into and serving trojaned copies of the source certainly does reflect badly on Sendmail's security. If they can't secure their distribution machine, how well can they code umpteen years of crappy code?
Of course, in spite of the OpenSSH bugs, I'd use them any day before the ssh.com code.
Re: (Score:3)
OpenSSH server not run by OpenSSH crew (Score:3, Informative)
Naturally, you should check the pgp signature and/or cryptographic checksums before trusting any code you download.
There are still bugs in SSH.com's version - mostly stability, but I bet there are several security bugs too. OpenSSH will be updated several hours after new bugs are found - can you say the same for SSH.com's versions? I don't think so, not if history is a guide.
Re:sendmail gets a bad rap again (Score:2)
SELinux? (Score:2)
Man Gets 70mpg in Homemade Car-Made from a Mainframe Computer [xnewswire.com]
Linux securty? Be more specific. Kernel | Userland (Score:3, Insightful)
Software that uses the suid bit will still be susceptible to leaving control to the "root" user after it crashes. Telnet and SSH still allow people to do bad things, as well as good things, to the hosted account's property.
Alas, the Linux kernel is a perfect angel...but hark, what do I see? A "Tux" http server in kernel space? That is quite dangerous. No matter what the performance benefits, leave those kind of user-services outside of the kernel because each and every bit of code in kernel land makes the Linux kernel that much more closer to an "unknown" exploit.
Re:Linux securty? Be more specific. Kernel | Userl (Score:4, Informative)
No, only suid binaries. You don't hack into something which runs in the context of your own account (your own level of access).
Software that uses suid bit set will still be susceptible to leaving control to the "root" user after it crashes
That's the difference between a secure configuration of common OSs like Linux, Free/Net/OpenBSD,... and really secure OSs like VMS or Trusted Solaris (yes, Unix can be a really secure OS).
Secure OSs don't run things as root, they assign privileges to certain users and/or binaries instead. For example, you don't want to allow Apache to override the Discretionary Access Control when it actually only needs 'root' to open port 80.
On Trusted Solaris you just do 'setfpriv -m -a -f net_privaddr
That's how the 'principle of least privilege' works.
There is mainly one thing which keeps your system secure: Access restrictions (users must not load kernel modules, mount disks, access files which they're not allowed to access,
"Worldwide recession" (Score:4, Insightful)
There is a rationalization going on in business IT. This is not a recession at all.
Wow. Another uneducated whitehat. (Score:4, Informative)
http://online.securityfocus.com/bid/6247
Or, who can forget this unbelievably idiotic mistake in their client from 2001
http://online.securityfocus.com/bid/3078
Yet he calls it more reliable than OpenSSH. Maybe he should look into the nice new privsep code in OpenSSH and comment on that. So-called security experts make me wish public floggings were still a common event.
Re:moron evile stock markup FraUD ?pr? shillery (Score:1)
Bullshit.
Win 95 did NOT come with Internet support at first, you had to buy the PLUS CD-ROM separately to get TCP/IP and other Internet functions and connectivity features. Win95-B was distributed with TCP/IP built in.
Ways to improve Linux security (Score:2)
Hmm... (Score:2)
Kerberos in 2002: (Score:1)
recognized BSD developers, developers, developers (Score:2)
Toxic, indeed (Score:1, Offtopic)
Getting into recommendations, however... Saying that everyone should NMAP with OS detection every e-commerce site they go to is pretty unsound advice. Besides which, he's making a huge blanket statement that IIS admins all suck, and that any site using IIS/MS on the backend is a huge risk that no one should take.
He must not buy much on the web then, unless he keeps a root shell around to run with -O. Quicker to just use NetCraft [netcraft.com].
But even the characterization of all the Operations staff at Ebay, Staples.com and Barnes and Noble as being completely inept soup-fed-droolers, since they run IIS and therefore are risking their customers, is childish and whiny. Why should I trust a Linux admin over an NT admin, in the context of ECommerce? One would hope that if Barnes and Noble runs an ECommerce site, that they would have the foresight not to hire a wet behind the ears MCSE.
If Staples, bn.com, and Ebay all get owned, I might have to rethink my rant I guess...
The way towards security is not in me as an admin saying "Buy Linux servers, they're going to be 'secure'". The way towards security is in an admin saying "What you running, w2k? We can secure that". Security is not a product, and Linux does (clearly) not equal security.
Re:Toxic, indeed (Score:2, Informative)
I said nowhere in my article that "IIS admins all suck" nor any comments on their ability. However, with minor hardening and good practices, a Linux web server mostly is at risk for compromise due only to a vulnerability discovered every year or more. From reports I've seen, an IIS server is at risk from a new remote compromise almost weekly. This represents a ratio of roughly 52 to 1 in risk.
I made no claims about the Operations staff at eBay, Barnes&Noble, etc. It does appear, however, that B&N uses special content-based filtering in front of their IIS server. The NMAP scan will show such special filtering by its inability to determine the operating system. No doubt they also have people on the ready 24x7 to instantly apply new patches.
I also never said "Buy Linux servers, they're going to be 'secure'". I do believe "Start with Linux, then harden it as per 'Real World Linux Security, Second Edition', subscribe to bug tracking lists, patch quickly, and you will be much more secure, spend far less effort, and spend less money than dealing with Microsoft". UNIX, Macs, and other platforms also have a good history of security if hardened.
Re:Toxic, indeed (Score:2)
I would certainly trust bn.com with my money. There is no reason for me to high-tail it to Amazon simply because bn.com uses IIS.
The Average User running nmap is another matter entirely.
The Average User would have to install WinPCAP. Unless the average user is running Linux in this case, where nmap must be run as root to use the -O switch.
Shortly, there is no reason for the average user to have nmap installed on their machine (linux or Win32). Same reason that the avg. user doesn't know how to use TCPDump, Ettercap, etc. NetCraft is easily accessible by anyone.
Of course, nothing's perfect. NetCraft goes by banners largely, so you end up with sites like Walmart.com, running IIS5 on Linux or Solaris.
Posting from work, I didn't have the time to respond past a quick rant. Nor did I ever expect a reasoned response. I really appreciate the fact that you took the time to read the article here and reply to posts, that says a
Thanks.
Re:Hullo, my name is TOXIN (Score:1)
Re:Hullo, my name is TOXIN (Score:1, Troll)
Re:Hullo, my name is TOXIN (Score:1)
Re:Hey Guess What? (Score:1)
BTW, don't you have some small countries to fleece somewhere? Imagine that, Bill himself taking time out to troll on