
Gartner's opinion proliferates
September 25, 2001 8:24 AM

Gartner's opinion proliferates into the mainstream Internet news sources. Any further thoughts?
posted by tatochip (10 comments total)

Gartner cracks me up. As was stated in the article, if I'm writing a virus or worm, I'm coding for whatever system most users are on. I really don't think there is invulnerable software so much as there is less popular software, floating below the virus creator's radar.
posted by mich9139 at 8:41 AM on September 25, 2001


Then again, when was the last time a critical security vulnerability was found in Apache? (Unix may not be the most popular desktop OS, but Apache is the most popular web server.)
posted by waxpancake at 8:48 AM on September 25, 2001


true dat, true dat.
posted by mich9139 at 8:55 AM on September 25, 2001


Gartner's opinion always turns up in mainstream news. That's because they bombard journalists with millions of press releases with ready-written headlines from their research. All the journalists have to do is jiggle the words about and there you go, a story. 'Canadian tundra leads the world in wireless applications' or some such rubbish.
posted by Summer at 9:18 AM on September 25, 2001


Agreed, but let's pontificate one small notion - there's a lot more m$-haters out there than there are unix- or apache-haters. It's become something like a "rite of passage" to write m$-targeted hacks these days, something that's joked about more than taken seriously. If you've got a million hackers tearing away at server A and 3 or 4 tearing away at servers B, C, and D, chances are server A will get the holy crap kicked out of it more often.

That, coupled with the fact that m$ does a great job of documenting every possible "undocumented" secret in most of their applications, and you've got a ticking bomb of frustration.
posted by tatochip at 9:23 AM on September 25, 2001


I've been trying to get rid of IIS in favor of Apache ever since I took my current job, and we've been planning to make the switch for quite a while — there was just no sense of urgency. This Gartner report isn't earth-shattering stuff but, combined with the recent virus/worm attacks, it might be just the tool I need to convince the upper management folks that now is the time to switch to Apache once and for all.
posted by barkingmoose at 9:25 AM on September 25, 2001


Given that Apache's source code is easily examined, someone could easily just grep through the source (including older versions) for vulnerable system calls to exploit. But of course, someone looking to plug those holes could do the same. But that sort of cat and mouse game (exploit, fix, exploit, fix, ...) is happening with IIS not Apache. Odd, isn't it?
posted by tommasz at 9:26 AM on September 25, 2001


tommasz, if the code has been reviewed or audited enough times by different people you won't have to play the cat and mouse game you described. I don't think it's much of a secret that MS's 'integrate everything' approach and its lax attitude on security is what drives all these exploits.

Toss in a userbase that doesn't even know what a patch is and you've got an unhealthy combination.
posted by skallas at 9:42 AM on September 25, 2001


According to the Register, Microsoft is already working on a re-write for version 6.0.

I think the main problem is not just at the code level. All software has bugs, but Microsoft is hit hard due to their overall product philosophy. A big part of the "Microsoft experience" is the ability to stick in a CD, and instantly have not only an operating system, but a web server, text search engine, application server, database abstraction layer, a bunch of sample apps, etc. installed and running right away. The learning curve for new users is fairly low, as they can experiment with only the pieces they're interested in and slowly learn the rest of the system as needed.

The majority of the exploits have to do with the interactions between all these services (i.e. the IDC bug, the MDAC bug); services that most people don't need and likely aren't even aware exist. However, Microsoft is reluctant to disable these services, because it will reduce the ability for non-technical people to get up and running as quickly as possible.

The bottom line is a bit of a learning curve is probably not a bad thing.
posted by kaefer at 12:48 PM on September 25, 2001


Joel said it best:

Gartner seems to suffer the common but moronic fallacy that new or "completely rewritten" code is somehow less buggy than old code. IIS has been publicly tested, for about six years now, on millions of web servers and with thousands of hackers trying to find bugs. Completely rewriting it would just introduce another set of bugs that would take another few years to find. Chances are that nobody on the current IIS team even remembers the bugs they fixed five years ago, even if they were on the team that long ago (unlikely), like the $DATA$ one and adding an extra period to the end of an ASP URL.

Completely rewriting code is a big-time mistake common of immature developers with no real software experience. I would say that "Gartner should know better" but I don't have very high expectations of them.
posted by dansays at 2:07 PM on September 25, 2001

