Salon: Anti-Trustworthy computing [via Slashdot: "Microsoft: Trust and Antitrust"] Normally I don’t read Salon, but this article is written by Paul Boutin, who is cool.
There is, however, no consensus on how exactly to improve security. For instance, one Slashdot poster writes:
Essentially, Windows.NET server ships with absolutely NOTHING enabled by default. This does present a problem to the typical Microsoft “its so easy just plug it in” sort of thing, but that is solved by an improved “configure your server wizard”. The first time the server boots up, the user can explicity select what to install and/or turn on, and ONLY what they select gets installed/turned on.
The individual components themselves have improved as well. IIS 6 by default will serve only static HTML files, and installs no sample files or other stuff. You have to manually run the IIS security wizard to turn on things like ASP, CGI, etc. If you install a new ISAPI filter or something of the like, you have to manually enable it. Nothing gets turned on unless YOU the admin turns it on.
The other thing is that IIS 6 is a complete ground-up rewrite; no code from IIS 5 was used in its creation.
I was totally with this guy until that last sentence. Contrast, for instance, Joel Spolsky on code rewrites (quoting a Gartner Group report which warned companies to investigate IIS alternatives if Microsoft didn’t rewrite it from the ground up):
Gartner seems to suffer the common but moronic fallacy that new or “completely rewritten” code is somehow less buggy than old code. IIS has been publically tested, for about six years now, on millions of web servers and with thousands of hackers trying to find bugs. Completely rewriting it would just introduce another set of bugs that would take another few years to find. Chances are that nobody on the current IIS team even remembers the bugs they fixed five years ago, even if they were on the team that long ago (unlikely), like the $DATA$ one and adding an extra period to the end of an ASP URL.
Completely rewriting code is a big-time mistake common of immature developers with no real software experience. I would say that “Gartner should know better” but I don’t have very high expectations of them.
In other words, Microsoft is damned if they do, and damned if they don’t.
§
I am no longer accepting public comments on this post, but you can use this form to contact me privately. (Your message will not be published.)
§
firehose ‧ code ‧ music ‧ planet
© 2001-8 Mark Pilgrim