Archive

IIS vs. Apache, Reported Vulnerabilities

And round and round we go again: history repeating itself one more time.

So what’s the newest Microsoft FUD [Fear, Uncertainty, and Doubt] tactic these days…

Apparently, it’s getting a bunch of bloggers and security experts to regurgitate a statement containing the abstract fact that Apache has 33 reported “vulnerabilities” to IIS’ 3.

How exactly those numbers directly translate into a Web Server’s security mark is, of course, left out.

Let’s look at this issue a bit closer:

Apache serves two-thirds of the internet. It has thousands of developers and companies around the world working with the codebase: constantly securing, improving, developing, and moving Apache forward.

This is considered to be a *bad thing* by the Microsoft camp? Vulnerabilities should not be looked for, nor reported and fixed?

So I have just one question: how many vulnerabilities would be reported for IIS if the source code was open?

I think it might also be prudent to…

  1. Break down the number of vulnerabilities for the Apache core and for specific modules.
  2. Reflect on the seriousness of the reported vulnerabilities… Is it just theoretical, or of an insignificant nature? Has an exploit been developed [how about 3 years after the fact]?
  3. Look at the time period between a vulnerability being reported and being fixed.
  4. Ask how many of the reported vulnerabilities you actually needed to respond to.

Take a look for yourself…
Securina.com: Apache 2.0 Vulnerabilities
Apache.org: Apache 2.0 Vulnerabilities and Fixes

Throwing out abstract statistics has no purpose other than spreading FUD.

Instead, why not report on the merits of IIS itself… Specifically, on the improvements and features of IIS 6 and 7.

“Apache Performance Tuning” Article

I’m ashamed to say that it’s actually been quite a long time since I have written a new article for DeveloperSide.NET… My time has been taken up with other work.

From time to time, I have been questioned on the specifics of increasing the performance of an Apache-based Web Server, specifically our Web-Developer Server Suite. Not that the Suite itself, or the end-users, *need* an extra boost; the term *want* describes this odd, yet very familiar, phenomenon much better. And one of the things I have learned is that you have to give the people what they _want_, and not what they _need_…

Trying to correct this oversight, I have put up an article that’s ready to squeeze every last bit of performance out of a Server:
Apache Performance Tuning

As all our Articles and Guides are works-in-progress, expect some changes and updates to occur [I even go back and update/rewrite old blog posts].

D-Wave’s 16-qubit Quantum Computer

“The first commercially viable quantum computer.”

Not quite, but it does look cool…

DWave System

Live CD Shootout

Pros and Cons of Using Linux and Windows Live CDs in Incident Handling and Forensics

And the winner is… Helix, for both Windows and Linux.

Windows, the Path of Least Resistance

I was reading my copy of the Unix System Administration Handbook this morning, and came across this passage at the very end…

“We produced the first edition of this book with the UNIX troff package. For the second edition, we used a Macintosh. We produced this third edition entirely on Microsoft Windows 95, 98, and 2000. Oh, such delight! We’ll never touch UNIX again.”

I found the excerpt to be a bit humorous, considering the source [the bible of Unix Administration]. And how Linux is sometimes *pushed* on Windows users, by some. [guilty as charged... but I have changed my ways, I promise.]

Personally, I would rather use the tools that get the most amount of work done for the least amount of effort.

PHP Easter Eggs

No, it’s not easter, just Valentine’s Day.

Append “?=” followed by one of the codes below to the URL of any PHP script; the script’s normal output is dropped and the corresponding page is displayed instead…

  • PHP Credits: PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
  • PHP Logo: PHPE9568F34-D428-11d2-A769-00AA001ACF42
  • Zend Engine 2 Logo: PHPE9568F35-D428-11d2-A769-00AA001ACF42
  • Another PHP Logo: PHPE9568F36-D428-11d2-A769-00AA001ACF42

The PHP Logo is also replaced with an image of a developer’s dog when the date is the 1st of April.

Move over Apache, Here Comes Lighttpd

Perhaps in a few years that will be the headline.

In the mean time, lighttpd does look very promising…

“Security, speed, compliance, and flexibility–all of these describe LightTPD which is rapidly redefining efficiency of a webserver; as it is designed and optimized for high performance environments.”

“lighttpd powers several popular Web 2.0 sites like YouTube, wikipedia and meebo. Its high speed io-infrastructure allows them to scale several times better with the same hardware than with alternative webservers.”

The configuration file for lighttpd looks more like source code, rather than a typical ini file. One feature that I am particularly impressed with, that has no Apache counterpart, is the conditional configuration.
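As an added illustration of the conditional blocks mentioned above (example configuration written for this post, not taken from the lighttpd project or its documentation; the hostnames, paths, certificate file and the 10.0.0.0/24 admin network are assumptions):

```lighttpd
# Added example: lighttpd conditional configuration.
# Hostnames, paths, the PEM file and the admin network are assumptions.
server.modules = ( "mod_access" )
server.document-root = "/srv/www/default"

# Virtual host selected by the Host header; "=~" is a regex match.
$HTTP["host"] =~ "^(www\.)?example\.org$" {
    server.document-root = "/srv/www/example.org"

    # Conditions nest: the admin area is reachable only from the
    # internal network. An empty-string entry in url.access-deny
    # matches every URL, i.e. "deny all" for requests in this block.
    $HTTP["url"] =~ "^/admin/" {
        $HTTP["remoteip"] !~ "^10\.0\.0\." {
            url.access-deny = ( "" )
        }
    }
}

# Per-listener settings: TLS only on the :443 socket.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/example.org.pem"
}

# Global default, applied whatever host matched above: never serve
# dotfiles, editor backups or .bak copies that leak source.
url.access-deny = ( ".htaccess", ".git", "~", ".bak" )
```

Settings inside a matching block override the global value for that request only, which is what makes per-host and per-path hardening possible without separate config files.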

Let’s hope this project stays afloat. Competition is a good thing for the end-user.

Also, take a look at the LiteSpeed Web Server.

Choosing Apache or IIS? Use Both

Why settle on just one Paradigm when you can have the best of both worlds? Use each Model with what it does best…

  • One Linux Server for Apache and PHP.
  • One Windows Server for IIS and ASP.NET.
  • Have one common database backend with SQL Server, MySQL, PostgreSQL, or Oracle.

Place Linux/Apache up front and ProxyPass requests/URLs to IIS, or use some other proxy server to handle the redirects.

And if you would like, everything can go under one Windows system by using WAMP. Just make sure to disable socket pooling.

In a way, with this method, you can also secure IIS by using mod_security under Apache. Though the days of IIS 5 are over, and I have to admit that IIS 6 and 7 are okay to stand on their own.
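The Apache-in-front, IIS-behind layout described above as an added example (written for this post, assuming Apache 2.4 with mod_proxy; the internal IIS address 10.0.0.20:8080 and the /aspnet/ path are assumptions):

```apache
# Added example: Apache 2.4 front end forwarding one URL prefix to IIS.
# The IIS address and the /aspnet/ prefix are assumptions.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Never act as an open forward proxy; only the explicit ProxyPass
# mappings below are forwarded.
ProxyRequests Off

# Pass the original Host header through so IIS host-header bindings
# and ASP.NET absolute URLs keep working.
ProxyPreserveHost On

<Proxy "http://10.0.0.20:8080/aspnet/">
    Require all granted
</Proxy>

# ASP.NET application lives on IIS; PHP stays on this server.
# ProxyPassReverse rewrites Location/Content-Location headers coming
# back from IIS so redirects do not expose the internal address.
ProxyPass        "/aspnet/" "http://10.0.0.20:8080/aspnet/"
ProxyPassReverse "/aspnet/" "http://10.0.0.20:8080/aspnet/"
ProxyPassReverseCookieDomain "10.0.0.20" "www.example.org"

# Hide the backend's Server header from clients (needs mod_headers).
<Location "/aspnet/">
    Header unset Server
</Location>
```

With this in place, IIS only needs to accept connections from the Apache host, and any Apache-side filtering such as mod_security is applied before a request reaches it.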

AMP for Solaris, SAMP?

Sun Optimized AMP Stack for the Solaris 10 OS

Looks promising as Solaris 10 is a great OS with features that you do not see in other Operating Systems. It’s also free.

Do less, Not More

Getting Real, a book by 37signals.

It’s something that I have been thinking about for a while now… Will doing more work move projects like DeveloperSide.NET and DynamicSide.NET ahead?

Over time, with lots of mistakes, I have come to the conclusion that the answer to that question is “no”.

Doing more work will only make things more complicated, and will not increase the user-base. It’s all about ease-of-use, simplicity, and getting the end-users involved in the process [of working on the project] — that makes a project truly successful these days. [a hint of what’s to come for devside.net]

80%-90% of the project time is spent working on 10-20% of the features. And it’s just not worth it: it makes the project too complicated, and does not particularly give you any returns.

Do the basics, and forget the rest. You do not need to match a competing project’s feature set. Just make it easy to use for the client, and let your competition self-destruct in complexity…

Here is an example… Take a look at the other dynamic DNS providers. Set up an account, and try to figure out what that mess on your screen is. Now look at the DNS menu of dynside.net; pretty simple, right?