Bruce Schneier: The Attacks. [via Tomalak's Realm]
Daniel Berlinger linked to my book. Thanks, Daniel. Nice site.
The Register: Experts demolish MS anti-Apache FUD. I feel that the only valid mainstream Unix Apache flaw mentioned was Apache Artificially Long Slash Path Directory Listing Vulnerability, which was fixed early this year but was of low severity, only exposing additional information. The remainder were due to add-on programs and to running on non-mainstream Apache platforms.
Although I agree that the Apache bugs listed are minimal (mostly listing directories) compared to IIS bugs (mostly giving up remote root access), they are real bugs. Apache has more to worry about because it works on several platforms. Whenever a bug is found, it must be tested on multiple platforms to see which are vulnerable. Whenever a report is issued, even if it only (for instance) affects Mac OS X, sysadmins everywhere must expend effort; maybe just enough effort to read that it doesn’t apply to them, but it’s effort nonetheless, and it adds some small amount to the cost of maintaining a secure system. This is not to say that IIS doesn’t have similar problems (there are bugs in ancillary-but-popular services like Index Server), but it is disingenuous to say “well, who cares about that bug since it only affects [platform I'm not on].”
Upon re-reading the above paragraph, I’m not entirely sure what my point was. I do not mean to imply that Apache is a worse product because it runs on multiple platforms. The benefits of this far, far outweigh the costs of added complexity of the application itself (for the developers) and tracking the evolution of the application (for the system administrators). Furthermore, Apache (and the operating systems on which it runs) are easier to maintain than IIS and Windows, for a variety of reasons. In the long run, manageability is what drives down costs, not specific bugs or features.
Salon: This Modern World (comic strip). This week’s topic: We must dismantle our democracy in order to save it.
Netcraft survey. By far the most interesting news this month is an attempt at a new graph of operating systems of public web servers by physical computer, not by hostname. See, the vast majority of hosting providers run Linux/Apache, because, um, it’s free. There is also tons of open source hosting-provider-specific software. Hosting providers can’t afford to pay for software; it’s a nasty business, and profit margins are razor thin. (Much like distributors, actually, which is the field for which I was writing software at my last job.) There are a few providers who host on Windows, but you pay extra for it.
Also, since most sites don’t require the whole resources of a computer full time (for instance, my book only generates about 2 GB of traffic every month, a number I’m pleased about but which isn’t even a hiccup to my hosting provider), and Apache excels at virtual hosting, companies can run hundreds, sometimes thousands of sites on a single computer. All of this to say that while Apache has 60% market share and IIS has 30%, the share of operating systems is reversed: Windows has 50% and Linux has 30%, despite the fact that IIS is always run on Windows and Apache is almost always run on Linux.
I’m sure Microsoft will try to spin this as “running the majority of the sites on the Internet”, but all it really means is this: not only can Linux and Apache reduce your software cost, but they can reduce your hardware cost too. The total cost of ownership of Windows is even higher than we thought.