Re: [seul-edu] Help, I need backup

On Fri, 11 May 2001, Jason Mellen wrote:

> I am the only webmaster in my county that uses open-source software. A few
> months ago I put Zope on our school's server and it has worked great. Last
> week some hacker took down several Microsoft-powered sites around the
> county. Now the county IT director wants to take control of all web servers
> (including mine) and install IIS on everything.

There are many generic arguments, but I'll write about your specific
Apache vs. IIS case here.

The first argument you stated above: "after Microsoft sites were cracked,
the IT director decides to use Microsoft everywhere".

Security is more a matter of policy and personnel than really "what
version of what you're running". Choosing the right software and applying
updates rationally (new enough to work, not so new as to be running untested
code) comes naturally from having the right people running the network.

"Figures" argument: go to http://www.securityfocus.com and click
"vulnerabilities" on the side bar. Do this in two separate browser windows.
Select "Vendor=Microsoft, Product=IIS, version=5.0" in one, and select
"Vendor=Apache Group, Product=Apache, version=1.3.9" (a rather common
version of Apache) in the other. I'd choose Apache by 25 to 1 from the
results I see on my screen now.

Also, the mentality of Microsoft's commercial software model is likely to
let vulnerabilities in. The Microsoft model comes from believing
that on a given date, usually chosen by marketing people, not IT, every
developer agrees that the current version of the software is perfect, has
no bugs, and meets all customer expectations so well that the customer has no
reason to want to modify the code himself to fit the product to his needs.
On this day they call the software X.0, bundle a CD and documentation in a
shrink-wrapped box and spend money on advertising.

However, it turns out that there's no such thing as 'perfect, bugless
software' in the real world; bugs and vulnerabilities are found. If
Microsoft shipped updates every time a bug was found, this would damage
their image ('if they are sending so many patches, then their software is
very low-quality; they should have checked this before shipping the
shrink-wrap version'), which would cause them to lose money, so MS
postpones updates as long as possible.

On the other side of the wall, there are developers who are not misled
by this 'perfect version' utopia; they accept the fact that software
will have defects, live with it, and hold that the best way to get those solved is
to allow the largest possible number of programmers to check the code and
contribute. This is called 'open source'. When whoever changes the code is
obligated to give back to the community, this is called Free Software, and
this really enhances the feedback cycle (in the open source model the open
source version is taken by commercial companies, code is added or fixed,
and the community never again sees any benefit from having shared the code in
the first place).

The acceptance of the existence of vulnerabilities permeates from
developers to administrators. Windows admins are easily misguided by
marketing-speak into believing that the software they are running is
indeed perfect, and it's usually tough to convince them to check for
updates and vulnerabilities on a regular basis.

Unix admins suffer much less from this illness.

You'll also have cost arguments (running IIS requires buying the
operating system, IIS, possibly support from MS and good anti-virus
software -- because the Windows architecture is crippled enough to
make viruses possible).

Felipe Paulo Guazzi Bergo - Free Software Developer (bergo@seul.org)
Personal Info and GPG Public Key: http://www.advogato.org/person/khazad
Campinas - SP - Brazil - Earth

* Kirk: "Very funny, Scotty. Now beam up my clothes too!"