-
IIS Security issue makes web service useless
Microsoft's new development tools are great from a developer's view. However,
my company, and many others, do not allow developers to use their new tools,
especially web service because of the potential security problem in IIS (some
bias against MS may exist). It is a shame that Microsoft does not have good
reputation in IIS and other product security. Microsoft should understand
that no matter how great the .NET development tools are, they are simply
trash if companies do not want to adopt them due to the IIS or other security
problems. I hope Microsoft will realize the security issue and invest much
much more on product security from now on. I would predict that Microsoft
will defeat both Sun and Oracle in ten years if Microsoft does correct the
security issue and re-build the reputation.
What do you think?
-
Re: IIS Security issue makes web service useless
"m.yang" <myang@foxinternet.net> wrote in message
news:3c490c30$1@147.208.176.211...
> What do you think?
That you should find some other venue for your lameass troll?
-
Re: IIS Security issue makes web service useless
On Sat, 19 Jan 2002 11:32:48 -0000, "Kunle Odutola" <kunle.odutola@<REMOVETHIS>okocha.freeserve.co.uk> wrote:
>
> "m.yang" <myang@foxinternet.net> wrote in message
> news:3c490c30$1@147.208.176.211...
>
> > What do you think?
>
> That you should find some other venue for your lameass troll?
>
>
I guess you've been appointed deputy sheriff for the weekend. Are Phil and Zane, et al, away?
Let me guess: you don't see any problems with IIS. Security or otherwise. And you don't think IIS and its perceived faults will have
any effect on .net?
It seems that anyone posting questions as to the viability of .net is immediately shouted down, ignored or relegated to idiot status on this ng.
I have to admire Mike Mitchell; seems you can't drive him away. I like "stick-to-it-ness".
steve
-
Re: IIS Security issue makes web service useless
> > What do you think?
>
> That you should find some other venue for your lameass troll?
>
Nothing lame about those comments. He has hit the nail on the head. Security
is MSFT's number one problem at present. If it doesn't get fixed, they will
never become a major player in the enterprise. Some of the security issues
are perceived problems, some are because of difficult to use tools and
inexperienced admins and some are just plain open holes in the system, but
as long as MSFT considers security as an afterthought, they will have an
uphill battle that they may never win.
-
Re: IIS Security issue makes web service useless
"Jay Glynn" <jlsglynn@hotmail.com> wrote in message
news:3c49860d$1@147.208.176.211...
>
>
> > > What do you think?
> >
> > That you should find some other venue for your lameass troll?
> >
>
> Nothing lame about those comments. He has hit the nail on the head.
> Security is MSFT's number one problem at present.
Ho-hum! We've all read the news about BillG's "leaked" e-mail and nothing
has changed - yet. IIS is used daily to run some of the largest web systems
successfully. It should be more secure out of the box but it is no more or
less secure than any other comparably targeted product.
> If it doesn't get fixed, they will
> never become a major player in the enterprise.
They already are. In most "enterprises". There are outstanding issues with
people who believe that "really big enterprises" aren't served well by MS
products since they only run on the Win2K/XP platform that is inherently
unscalable (hardware limitations). They should know better - max CPU-per-box
count isn't generally a meaningful measure of scalability. And there is
security.....hence the BillG memo. Of course it (the security wars) all
began before .NET and last I heard, it (.NET) was still considered a pretty
secure platform.
> Some of the security issues
> are perceived problems, some are because of difficult to use tools and
> inexperienced admins and some are just plain open holes in the system, but
> as long as MSFT considers security as an afterthought, they will have an
> uphill battle that they may never win.
OK, agreed. Now that we have BillG's memo, can we get back to [VB].NET
please (and the evergreen .NET/J2EE mudslinging of course).... ;-)
Kunle
-
Re: IIS Security issue makes web service useless
>> Nothing lame about those comments. He has hit the nail on the head.
>> Security is MSFT's number one problem at present.
>
> Ho-hum! We've all read the news about BillG's "leaked" e-mail and
> nothing has changed - yet. IIS is used daily to run some of the largest
> web systems successfully. It should be more secure out of the box but
> it is no more or less secure than any other comparably targeted
> product.
>
It is used daily and it has been shown a number of times that it can be
brought to its knees without a lot of effort. Ho-hum all you want, security
is MSFT's Achilles heel.
>> If it doesn't get fixed, they will never become a major player in the
>> enterprise.
>
> They already are. In most "enterprises". There are outstanding issues
> with people who believe that "really big enterprises" aren't served well
> by MS products since they only run on the Win2K/XP platform that is
> inherently unscalable (hardware limitations). They should know better -
> max CPU-per-box count isn't generally a meaningful measure of
> scalability. And there is security.....hence the BillG memo. Of course
> it (the security wars) all began before .NET and last I heard, it
> (.NET) was still considered a pretty secure platform.
>
I didn't say a word about scalability. That isn't the question. Security is
the question. It can scale to a 1000 cpu box, but if it isn't secure, it
will not be used.
-
Re: IIS Security issue makes web service useless
"Steve" <steve@spam.me.not.ruraltechnologies.net> wrote in message
news:1103_1011453224@news.devx.com...
> I guess you've been appointed deputy sheriff for the weekend. Are Phil
> and Zane, et al, away?
>
> Let me guess: you don't see any problems with IIS. Security or otherwise.
> And you don't think IIS and its perceived faults will have
> any effect on .net?
>
> It seems that anyone posting questions as to the viability of .net is
> immediately shouted down, ignored or relegated to idiot status on this ng.
> I have to admire Mike Mitchell; seems you can't drive him away. I like
> "stick-to-it-ness".
Steve,
There are better groups for the original poster's query. E.g.
security.webservices
dotnet.web.services
and a number of MS public newsgroups and other third party
newsgroups/mailing lists/forums too. And there is always the off.ramp...
Kunle
-
Re: IIS Security issue makes web service useless
"Jay Glynn" <jlsglynn@hotmail.com> wrote in message
news:Xns919B74C7A5D76jlsglynnhotmailcom@147.208.176.211...
>
> >> Nothing lame about those comments. He has hit the nail on the head.
> >> Security is MSFT's number one problem at present.
> >
> > Ho-hum! We've all read the news about BillG's "leaked" e-mail and
> > nothing has changed - yet. IIS is used daily to run some of the largest
> > web systems successfully. It should be more secure out of the box but
> > it is no more or less secure than any other comparably targeted
> > product.
> >
>
> It is used daily and it has been shown a number of times that it can be
> brought to its knees without a lot of effort. Ho-hum all you want,
> security is MSFT's Achilles heel.
So why didn't Code Red and other similar automated attacks wipe out ALL IIS
servers? Why just a few? Perhaps just the few that are run by people not
qualified (or diligent enough) to run anything at all?
Visit http://www.kb.cert.org/vuls and you'll find numerous vulnerability
reports on any of your favourite IIS-replacements.
> >> If it doesn't get fixed, they will never become a major player in the
> >> enterprise.
> >
> > They already are. In most "enterprises". There are outstanding issues
> > with people who believe that "really big enterprises" aren't served well
> > by MS products since they only run on the Win2K/XP platform that is
> > inherently unscalable (hardware limitations). They should know better -
> > max CPU-per-box count isn't generally a meaningful measure of
> > scalability. And there is security.....hence the BillG memo. Of course
> > it (the security wars) all began before .NET and last I heard, it
> > (.NET) was still considered a pretty secure platform.
> >
>
> I didn't say a word about scalability. That isn't the question. Security is
> the question. It can scale to a 1000 cpu box, but if it isn't secure, it
> will not be used.
I mentioned scalability (and why not?). Security is the issue that bugs you
the most (or so you say), not so for many, many others. If PalmOS was 100%
secure, would you run your company on it (limited as it is to unscalable
hardware platforms)?
The real question is, "Is it secure enough for what I want to do with it?"
<vbg>
Kunle
[****, now the self-named poster "Jay Glynn" has got me participating in
this troll thread]
-
Re: IIS Security issue makes web service useless
On Sat, 19 Jan 2002 17:45:50 -0000, "Kunle Odutola"
<kunle.odutola@<REMOVETHIS>okocha.freeserve.co.uk> wrote:
>The real question is, "Is it secure enough for what I want to do with it?"
><vbg>
>
>Kunle
Tell you what, Kunle, write a memo to Bill and say you reckon it's
sorted. He doesn't need to worry any more about trustworthiness and
security, because you reckon it's secure enough for what you want to
do with it.
It is exactly this mindset which has got Microsoft where it is today
(and most of Britain, too): It'll do! Why worry? Make do and mend!
It's good enough! Stick another Elastoplast on it!
Where's the passion for quality? Why only at this late stage, when
Bill obviously fears things have got out of hand, does Microsoft
address the problem of security? Surely that must mean that it isn't
"designed in", but added on, piecemeal, as and when a hole is exposed?
How can they have got this far without recognising the holiness, and
I'm not talking religion here?
MM
-
Re: IIS Security issue makes web service useless
"Mike Mitchell" <kylix_is@yahoo.co.uk> wrote in message
news:3c49c084.1707892@news.devx.com...
> On Sat, 19 Jan 2002 17:45:50 -0000, "Kunle Odutola"
> <kunle.odutola@<REMOVETHIS>okocha.freeserve.co.uk> wrote:
>
> >The real question is, "Is it secure enough for what I want to do with it?"
> ><vbg>
> >
> >Kunle
>
> Tell you what, Kunle, write a memo to Bill and say you reckon it's
> sorted.
I will write the memo as soon as you've pointed out where I said that Mike.
Fact is that it stands up to abuse and attacks daily in [hundreds of]
thousands of organisations. It can be better [as can everything else -
including your sense of humor] but lameass trolls don't help to make it so.
Kunle
-
Re: IIS Security issue makes web service useless
On Sat, 19 Jan 2002 19:38:42 -0000, "Kunle Odutola"
<kunle.odutola@<REMOVETHIS>okocha.freeserve.co.uk> wrote:
>I will write the memo as soon as you've pointed out where I said that Mike.
>Fact is that it stands up to abuse and attacks daily in [hundreds of]
>thousands of organisations. It can be better [as can everything else -
>including your sense of humor] but lameass trolls don't help to make it so.
So, what kind of security and trustworthiness do you think BillG could
be thinking of? I mean, if you see everything as hunky-dory and
standing up to abuse and daily attacks (despite the massive evidence
to the contrary in the incessant patches issued from Redmond, the down
time, the reboots, and the costs), why do you think Bill et al are
going to all this bother? Surely, if the bottom line is profit and you
reckon that the products are good enough and reliable enough as they
are, what sane person would risk threatening those profits by
undertaking unnecessary and superfluous measures? If you've already
got a clean car, it would be mad to clean it again, wouldn't it? What
it comes down to is standards. Most consumers know a reliable product
when they see one (like my Sony), and equally they know NOT to buy
other products. If a company making those other products suddenly
recognises that the profits are under threat because no one is buying,
then if they are taking the right steps to correct the situation, in
this regard they are being a responsible company.
And BillG has now recognised this.
MM
-
Re: IIS Security issue makes web service useless
On Sat, 19 Jan 2002 17:33:31 -0000, "Kunle Odutola" <kunle.odutola@<REMOVETHIS>okocha.freeserve.co.uk> wrote:
>
> "Steve" <steve@spam.me.not.ruraltechnologies.net> wrote in message
> news:1103_1011453224@news.devx.com...
>
<cut>
>
> There are better groups for the original poster's query. E.g.
> security.webservices
> dotnet.web.services
>
> and a number of MS public newsgroups and other third party
> newsgroups/mailing lists/forums too. And there is always the off.ramp...
>
> Kunle
>
>
Kunle:
That's only your opinion. I think the discussion of security should be an integral part of any discussion of vb.net. I monitor this ng to find out what people are thinking
about this new technology and to discover what possible problems it will face in enterprise deployment. To call a thoughtful post a "lameass troll" doesn't help to open
new areas of discussion. IIS is Microsoft's web server, web services is a driving force behind dotnet, vb.net is a tool for web services and vb.net apps will be deployed
using IIS. If I use these tools to create enterprise apps for customers and security is a problem, I'm the loser. Microsoft may be able to afford the losses, but I can't.
Let people post, let the ng respond or not, but don't appoint yourself ng censor. As for suggesting security be discussed in the off.ramp....the signal to noise ratio is bad
enough here.
Steve
-
Re: IIS Security issue makes web service useless
"Mike Mitchell" <kylix_is@yahoo.co.uk> wrote in message
news:3c4aaea5.2458117@news.devx.com...
> On Sat, 19 Jan 2002 19:38:42 -0000, "Kunle Odutola"
> <kunle.odutola@<REMOVETHIS>okocha.freeserve.co.uk> wrote:
>
> >I will write the memo as soon as you've pointed out where I said that Mike.
> >Fact is that it stands up to abuse and attacks daily in [hundreds of]
> >thousands of organisations. It can be better [as can everything else -
> >including your sense of humor] but lameass trolls don't help to make it so.
>
> So, what kind of security and trustworthiness do you think BillG could
> be thinking of? I mean, if you see everything as hunky-dory and
> standing up to abuse and daily attacks (despite the massive evidence
> to the contrary in the incessant patches issued from Redmond, the down
> time, the reboots, and the costs), why do you think Bill et al are
> going to all this bother?
OK, I'll bite.
So why do you think BillG and cohorts bothered to invent VB.NET? As you very
well know, Classic VB was everything a man wanted and then some......and
despite six years of trying, Java was but an insignificant bean trying to
get into VB's jar. ;-)
> If you've already
> got a clean car, it would be mad to clean it again, wouldn't it?
Unless people kept throwing mud at it because it's the coolest around (or
they think you are Darth Vader reincarnated), while ignoring your
neighbour's banger.
> If a company making those other products suddenly
> recognises that the profits are under threat because no one is buying,
> then if they are taking the right steps to correct the situation, in
> this regard they are being a responsible company.
No one is buying/using Windows/IIS?
http://www.netcraft.com/survey/
>
> And BillG has now recognised this.
You think this is BillG's first "we must improve our product's security
initiative"?
Kunle
-
Re: IIS Security issue makes web service useless
"Steve" <steve@spam.me.not.ruraltechnologies.net> wrote in message
news:1104_1011534829@news.devx.com...
> > There are better groups for the original poster's query. E.g.
> > security.webservices
> > dotnet.web.services
> >
> > Kunle
> Kunle:
>
> That's only your opinion. I think the discussion of security should be an
> integral part of any discussion of vb.net. I monitor this ng to find out
> what people are thinking
> about this new technology and to discover what possible problems it will
> face in enterprise deployment. To call a thoughtful post a "lameass troll"
> doesn't help to open
> new areas of discussion.
It _was_ a lameass troll. And I pointed it out. YMMV!
> IIS is Microsoft's web server, web services is a driving force behind
> dotnet,
Despite the best efforts of MS marketing to convince us all otherwise, that
isn't true at all. .NET is [currently] _the_ driving force behind web
services. Not the other way round. It's currently the easiest/quickest tool
for developing rich client windows apps, Windows services, multi-threaded
apps/servers, COM+ components and, erm....web services.
> vb.net is a tool for web services and vb.net apps will be deployed using
> IIS.
VB.NET _can_ be used to develop web services. It is _not_ just for web
services.
_Some_ VB.NET apps - ASP.NET and Web Services apps plus some remoting apps -
_may_ be deployed using IIS.
> If I use these tools to create enterprise apps for customers and security
> is a problem, I'm the loser. Microsoft may be able to afford the losses,
> but I can't.
IIS predates .NET by a few good years, it is used by a third of the entire
web sites/systems/apps and by a much greater percentage of intranet
sites/systems/apps. Successfully. You can learn more from them - if that is
what you _really_ wanted. Or post a specific question that bothers you with
.NET security.
> Let people post, let the ng respond or not, but don't appoint yourself ng
> censor. As for suggesting security be discussed in the off.ramp....the
> signal to noise ratio is bad
> enough here.
I know what am I, what are you?
Kunle
-
Re: IIS Security issue makes web service useless
On Sun, 20 Jan 2002 14:16:09 -0000, "Kunle Odutola" <kunle.odutola@<REMOVETHIS>okocha.freeserve.co.uk> wrote:
>
> "Steve" <steve@spam.me.not.ruraltechnologies.net> wrote in message
> news:1104_1011534829@news.devx.com...
>
<cut>
>
> > Let people post, let the ng respond or not, but don't appoint yourself ng
> > censor. As for suggesting security be discussed in the off.ramp....the
> > signal to noise ratio is bad
> > enough here.
>
> I know what am I, what are you?
>
> Kunle
>
>
Yes, you've made that real clear. Bye.