on 2/8/01 12:26 pm, David Freeman at david_freeman@rocketmail.com wrote:

Just out of interest how many security holes have been found in apache?

Thanks

Hi D,

I can't find that line, however.

two things have happened this week

1) I get very amusing emails from people who have the sircam virus and give a supprise Huh, when you say what is the attachment you just sent me

I use Outlook at work, and got Sircam twice (Norton AV did pick it up), another guy here got it 10 times from the same person... a record ? (all with different attachments so therefore I beleive 10 separate infections....obviously a loop going on there!) I have a little goodie installed on my work machine called JustBeFriends which automatically intercepts any calls to/from outlook via macros/vbs etc. Whenever anything 'naughty' is attempted it pops up a little message telling me and giving the option to terminate the culprit, which I always do. My question is... why can't M$ do this. Has anyone seen the ads for Office XP with the line 'stop that nasty virus spreading' or something similar, boasting of the greatly superior security features of XP. Superior to what? Well previous office releases of course. I mean come on... Win2k did the same, over NT. I'm sorry but 'improved security' is not a selling point, its a bloody requirement. Who wants a word processor that is a security risk. Could you imagine it. Yet people buy this crap from MS all of the time. I've just been forcibly (kicking and screaming) upgraded to Office 2k. Its alot bigger isn't it... doesn't do anything more though. So its probably full of crap as well.

2) Most of my email accounts have filled up with smug gits (read linux users) who aren't affected by Code red and are in serious gloat mode.

You've just found another. My boss phoned the other day from his Holiday asking if I knew about this Code Red and whether I had got our web servers patched. When I started laughing he said 'Its a Microsoft thing isn't it?'

Just out of interest how many security holes have been found in apache?

If you exclude things like mod_jserv very very few (you could get a good count by looking up all of the advisories for apache at securityfocus.com ... haven't got time today) but I'm sure its very low. The point is though that IIS is easy (to a good Computer Scientist) to find holes in despite its 'closed source' nature. Just attach your debugger and if you're OK with assembler you can start to find certain patterns of behaviour within the code which suggest vulnerabilities. Apache vulnerabilities have invariably all been patched within a day or two of discovery/report (usually b4 common knowledge / security advisories have been released). The other area MS lose out in this is that not only do they take ages to issues patches after they finally admit that a vulnerability is not an innovative functional addition!!! but that the general animosity held towards them from the hacker community means they receive less 'goodwill' from those who discover vulnerabilities. Thus exploits are usually in the wild and the vulnerability public knowledge before MS do anything about it. Which only makes me grin some more. Nice one David. see you soon. BTW cannot make the next meet as I'm going on Hol on Aug 12. (sorry, maybe sept.)

--- Adam Bower <abower@thebowery.co.uk> wrote:

On Thu, 2 Aug 2001, Earl Brannigan wrote:

What makes M$ worse in my opinion is that they don't appear to have a webpage dedicated to security with things spelled out clearly, what patches you have to apply to each bit of M$ software you have installed etc.

And the hisious licensing on the MS stuff etc... /me refuses to pay for software.

This is a good reason to use Unix and free software, people don't bury their heads in the sand like the Windows world.

Hurrah!

Adam PS I don't think I have any freinds as I havn't had any interesting Sircam docs sent to me :-(

Check your inbox, and be careful what you wish for.

maybe I should start the open source Sircam whereby you send me a couple of your private files and I add them to my home dir, and then I mail some people random files from my home directory, think of it as an alternative to freenet with much less software development required ;-)

This Reminds me of the Irish Virus, comes as content type:Text/plain and reads along the lines of "This is the Irish Virus, please could you delete the contents of drive c:" etc... Thanks D PS Again be very Careful what you wish for.

-- This message is Copyleft - all rights reversed Adam

_______________________________________________ alug, the Anglian Linux User Group list Send list replies to alug@stu.uea.ac.uk http://www.anglian.lug.org.uk/ http://rabbit.stu.uea.ac.uk/cgi-bin/listinfo/alug See the website for instructions on digest or unsub!

===== -------------------- "We all know Linux is great... it does infinite loops in 5 seconds." Linus Torvalds __________________________________________________ Do You Yahoo!? Make international calls for as low as $.04/minute with Yahoo! Messenger http://phonecard.yahoo.com/