ZDNet Admits Mistakes in Recent Security Test
drsparkly writes "Linux Today is running this story claiming that the recent ZDNet Linux vs NT security `shootout' was biased against Linux. Apparently ZDNet had neglected to apply 21 available security fixes. They claim that `enterprise businesses would not want to apply 21 individual fixes' and `most large companies would prefer the one large, sweeping-in-scope, fix'. Do they have a point?"
Re:Devil's Advocate (Score:1)
ZD Full of It - only need 3 or 4 of the 21 patches (Score:1)
My recent (re) installation of Windows NT (Score:1)
I started by booting off my Windows NT 4 Workstation CD. This put me into the base operating system install. It copied all the files and rebooted.
After installing the base operating system, I had to apply Service Pack 5 which has some 600 fixes in it. After that I had to upgrade all of my drivers for SCSI card, my NIC, my Sound card, my video capture card, my video card, and my Zip drive.
After that I had to install IE 4 because the copy of Windows NT I have only comes with IE 2 which cannot be used to download IE 5. After installing IE 4, I installed IE 5. After installing IE 5, I had to go to windowsupdate.microsoft.com and install half a dozen fixes beyond the initial IE 5 installation.
Then we have the whole virus issue. I had to install Norton AntiVirus and upgrade that with another 4 or 5 MB download.
Then, when this is done, there are a total of 17 post Windows NT Service Pack 5 hotfixes that have to be applied. These fix bugs ranging from file system corruption to dialup security.
As I said, 21 RPM packages would have been far more enjoyable than installing Windows NT.
Let's not even get into the myriad of patches and upgrades for the applications I have installed. (MS Office, MS Visual Studio, etc, etc)
Even easier... (Score:1)
Small correction. (Score:1)
Even latest service pack leaves IIS exposed! (Score:1)
Download the directory, and rpm with wildcards, how hard is that?
Re:Parity (Score:1)
RPMs or patches (and source) (Score:1)
Here's where Sun/Solaris gets it right... (Score:1)
...you can download and apply individual fixes if you want - or you can download a "patch cluster" that includes a collection of patches (making it easier to get a lot of patches installed in one hit). Sample clusters generally include:
If something like this was available, then just as they'd installed SP5 on NT they would have been able to install the latest patch cluster onto Linux so as to ensure that all the latest patches were included - nice an' easily.
Even Debian has it over Red Hat in this regard (fire up package management and say "install the latest stuff", which downloads the packages over the Internet and installs them - can't get much simpler).
Re:Kidding? (Score:1)
Just because it's from MS doesn't mean it's bad...
What?! EVERYTHING that comes from Microsoft is EEEEEVILLL ! Haven't you been reading your Linux users handbook? Practicality has no place in the computing world. Everything must be as difficult as possible to use in order to keep out the "stupid" people.
DOWN WITH EASE!
Yeah, this might be flamebait, but enough of you seem to think this way.
why did they install that cgi script anyways? (Score:1)
zdnet is NOT about technical matters... (Score:1)
A more poorly written article about two OSes can't be found...
--------------------------
Your Favorite OS Sucks.
^D
21 patches vs 21 hotfixes? (Score:1)
I don't think so. They'll do more than one, any good admin will do whatever is necessary to secure his servers.
They do have a point.. (Score:1)
windows update site? (Score:1)
Re:Kidding? (Score:1)
In fact, I believe there have been several pieces of software that do this already.. like Oil Change or something like that. Just because it's from MS doesn't mean it's bad...
Re:Linux Packs? (Score:1)
Re:Security Patches were not the problem! (Score:1)
No, they do not (Score:1)
Now, back to practicality: Is it really that hard to do rpm -Uvh *.rpm? I just can't imagine this being difficult in any way whatever. Except for someone wishing to slant the outcome in a particular direction. Anyone who's ever been within 100 meters of a unix system knows better.
Re:Security Patches were not the problem! (Score:1)
Everything below this line is a lie
CGI security through chroot? (Score:1)
/*
 * suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
 *
 *************************************************
 *
 * NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
 * editing this code might open up your system in unexpected
 * ways to would-be crackers. Every precaution has been taken
 * to make this code as safe as possible; alter it at your own
 * risk.
 *
 *************************************************
 *
 *
 */
#include "ap_config.h"
/* The system header names were lost when the post was extracted; these are
 * the headers the code below actually uses. */
#include <sys/types.h>
#include <sys/param.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include "suexec.h"

#undef LOG_EXEC

/*
 *************************************************
 * There is no initgroups() in QNX, so I believe this is safe
 * Use cc -osuexec -3 -O -mf -DQNX suexec.c to compile.
 *
 * May 17, 1997.
 * Igor N. Kovalenko -- infoh@mail.wplus.net
 *************************************************
 */
#if defined(NEED_INITGROUPS)
int initgroups(const char *name, gid_t basegid)
{
    /* QNX and MPE do not appear to support supplementary groups. */
    return 0;
}
#endif

#if defined(PATH_MAX)
#define AP_MAXPATH PATH_MAX
#elif defined(MAXPATHLEN)
#define AP_MAXPATH MAXPATHLEN
#else
#define AP_MAXPATH 8192
#endif

#define AP_ENVBUF 256

extern char **environ;
static FILE *log = NULL;

/* Environment variables that are allowed through to the CGI; everything
 * else is dropped by clean_env() before the exec. */
char *safe_env_lst[] =
{
    "AUTH_TYPE",
    "CONTENT_LENGTH",
    "CONTENT_TYPE",
    "DATE_GMT",
    "DATE_LOCAL",
    "DOCUMENT_NAME",
    "DOCUMENT_PATH_INFO",
    "DOCUMENT_ROOT",
    "DOCUMENT_URI",
    "FILEPATH_INFO",
    "GATEWAY_INTERFACE",
    "LAST_MODIFIED",
    "PATH_INFO",
    "PATH_TRANSLATED",
    "QUERY_STRING",
    "QUERY_STRING_UNESCAPED",
    "REMOTE_ADDR",
    "REMOTE_HOST",
    "REMOTE_IDENT",
    "REMOTE_PORT",
    "REMOTE_USER",
    "REDIRECT_QUERY_STRING",
    "REDIRECT_STATUS",
    "REDIRECT_URL",
    "REQUEST_METHOD",
    "REQUEST_URI",
    "SCRIPT_FILENAME",
    "SCRIPT_NAME",
    "SCRIPT_URI",
    "SCRIPT_URL",
    "SERVER_ADMIN",
    "SERVER_NAME",
    "SERVER_ADDR",
    "SERVER_PORT",
    "SERVER_PROTOCOL",
    "SERVER_SOFTWARE",
    "UNIQUE_ID",
    "USER_NAME",
    "TZ",
    NULL
};

static void err_output(const char *fmt, va_list ap)
{
#ifdef LOG_EXEC
    time_t timevar;
    struct tm *lt;

    if (!log) {
        if ((log = fopen(LOG_EXEC, "a")) == NULL) {
            fprintf(stderr, "failed to open log file\n");
            perror("fopen");
            exit(1);
        }
    }

    time(&timevar);
    lt = localtime(&timevar);

    fprintf(log, "[%d-%.2d-%.2d %.2d:%.2d:%.2d]: ",
            lt->tm_year + 1900, lt->tm_mon + 1, lt->tm_mday,
            lt->tm_hour, lt->tm_min, lt->tm_sec);

    vfprintf(log, fmt, ap);

    fflush(log);
#endif
    return;
}

static void log_err(const char *fmt, ...)
{
#ifdef LOG_EXEC
    va_list ap;

    va_start(ap, fmt);
    err_output(fmt, ap);
    va_end(ap);
#endif
    return;
}

static void clean_env(char *cwd, int len)
{
    char pathbuf[512];
    char stripbuf[1024];
    char **cleanenv;
    char **ep;
    int cidx = 0;
    int idx;

    if ((cleanenv = (char **) calloc(AP_ENVBUF, sizeof(char *))) == NULL) {
        log_err("failed to malloc memory for environment\n");
        exit(120);
    }

    sprintf(pathbuf, "PATH=%s", SAFE_PATH);
    cleanenv[cidx] = strdup(pathbuf);
    cidx++;

    for (ep = environ; *ep && cidx
    /*
     * [The posted fragment is cut here. Everything from the rest of this
     * loop condition through the start of main() -- argument checking,
     * getpwnam()/getgrnam() lookups and the statement that copies
     * pw->pw_dir into newroot -- was lost in extraction. The code resumes
     * inside main(), just after newroot has been filled from pw->pw_dir.]
     */

    /* The home directory must be absolute and contain a "/." component;
     * newroot is truncated there, so everything before "/." becomes the
     * chroot directory. */
    p = strstr(newroot, "/.");
    if (newroot[0] != '/' || p == NULL) {
        /* the rest of this message was cut off in the posted fragment */
        log_err("$home (%s) has no", newroot);
        exit(102);
    }
    *p = 0x00;

    if (getcwd(cwd, AP_MAXPATH) == NULL) {
        log_err("cannot get current working directory\n");
        exit(111);
    }

    uid = pw->pw_uid;
    gid = pw->pw_gid;
    actual_uname = strdup(pw->pw_name);
    target_homedir = strdup(pw->pw_dir);

    /*
     * Log the transaction here to be sure we have an open log
     * before we setuid().
     */
    log_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
            target_uname, actual_uname,
            target_gname, actual_gname,
            cmd);

    /*
     * Error out if attempt is made to execute as root or as
     * a UID less than UID_MIN. Tsk tsk.
     */
    if ((uid == 0) || (uid < UID_MIN)) {
        log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
        exit(107);
    }

    /*
     * Error out if attempt is made to execute as root group
     * or as a GID less than GID_MIN. Tsk tsk.
     */
    if ((gid == 0) || (gid < GID_MIN)) {
        log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
        exit(108);
    }

    /*
     * Change UID/GID here so that the following tests work over NFS.
     *
     * Initialize the group access list for the target user,
     * and setgid() to the target group. If unsuccessful, error out.
     */
    if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
        log_err("failed to setgid (%ld: %s)\n", (long) gid, cmd);
        exit(109);
    }

    /* now we chroot */
    if (chdir(newroot) != 0) {
        log_err("cannot chdir to newroot directory %s\n", newroot);
        exit(112);
    }
    if (chroot(newroot) != 0) {
        log_err("failed to chroot to %s\n", newroot);
        exit(113);
    }
    /* cwd is re-entered relative to the new root below, so it must at
     * least be as long as newroot (this only compares lengths, not the
     * prefix itself) */
    if (strlen(cwd) < strlen(newroot)) {
        fprintf(stderr, "chroot not below docroot cwd=%s [%lu] newroot=%s [%lu]!\n",
                cwd, (unsigned long) strlen(cwd),
                newroot, (unsigned long) strlen(newroot));
        exit(114);
    }
    if (chdir(cwd + strlen(newroot)) != 0) {
        log_err("warning: cannot chdir after chroot %s | %s \n", cwd, newroot);
    }

    /*
     * setuid() to the target user. Error out on fail.
     */
    if ((setuid(uid)) != 0) {
        log_err("failed to setuid (%ld: %s)\n", (long) uid, cmd);
        exit(110);
    }

    clean_env(cwd, strlen(newroot));

    /*
     * Be sure to close the log file so the CGI can't
     * mess with it. If the exec fails, it will be reopened
     * automatically when log_err is called. Note that the log
     * might not actually be open if LOG_EXEC isn't defined.
     * However, the "log" cell isn't ifdef'd so let's be defensive
     * and assume someone might have done something with it
     * outside an ifdef'd LOG_EXEC block.
     */
    if (log != NULL) {
        fclose(log);
        log = NULL;
    }

    /*
     * Execute the command, replacing our image with its own.
     */
#ifdef NEED_HASHBANG_EMUL
    {
        extern char **environ;
        ap_execve(cmd, &argv[3], environ);
    }
#else
    execv(cmd, &argv[3]);
#endif

    /*
     * (I can't help myself...sorry.)
     *
     * Uh oh. Still here. Where's the kaboom? There was supposed to be an
     * EARTH-shattering kaboom!
     *
     * Oh well, log the failure and error out.
     */
    log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
    exit(255);
}
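The posted wrapper decides whether the working directory lies inside the new root only by comparing lengths (strlen(cwd) < strlen(newroot)) before calling chdir(cwd + strlen(newroot)). The check below is an added example, not code from the post or from Apache's suexec: it requires a real prefix match that ends on a path-component boundary and returns the directory to chdir() to after chroot(), or NULL when cwd is outside newroot. The function name and the sample paths are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the post or from Apache's suexec:
 * compute the directory to chdir() to after chroot(newroot), given the
 * pre-chroot working directory cwd.  Returns NULL when cwd is not inside
 * newroot.  Unlike a bare strlen(cwd) < strlen(newroot) test, this requires
 * that cwd really starts with newroot and that the match ends on a path
 * component boundary, so "/home/user2/cgi" is not taken to be under
 * "/home/user".  Both arguments are assumed absolute and canonical (no
 * "..", no doubled slashes), which is what getcwd() returns. */
const char *path_within_root(const char *cwd, const char *newroot)
{
    size_t rlen;

    if (cwd == NULL || newroot == NULL || cwd[0] != '/' || newroot[0] != '/')
        return NULL;

    /* treat "/home/user/" and "/home/user" as the same root */
    rlen = strlen(newroot);
    while (rlen > 1 && newroot[rlen - 1] == '/')
        rlen--;

    if (strncmp(cwd, newroot, rlen) != 0)
        return NULL;                 /* cwd does not start with newroot */

    if (cwd[rlen] == '\0')
        return ".";                  /* cwd is the new root itself */

    if (rlen == 1)
        return cwd + 1;              /* newroot is "/": drop the leading slash */

    if (cwd[rlen] != '/')
        return NULL;                 /* prefix matched in the middle of a component */

    return cwd + rlen + 1;           /* path relative to the new root */
}

int main(void)
{
    /* constructed sample values, not taken from any real system */
    static const char *cases[][2] = {
        { "/home/user/public_html/cgi", "/home/user" },
        { "/home/user2/cgi",            "/home/user" },
        { "/home/user",                 "/home/user/" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        const char *rel = path_within_root(cases[i][0], cases[i][1]);
        printf("cwd=%s newroot=%s -> %s\n", cases[i][0], cases[i][1],
               rel ? rel : "OUTSIDE ROOT, refuse to exec");
    }
    return 0;
}
```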
Automatic RH Fixer-Upper (Score:1)
--Threed
I like apt (Score:1)
I like how I can run "apt-get update; apt-get upgrade" and have the latest security updates I need automatically downloaded, installed and configured on my system.
Or, if I want to review the changes and decide for each package individually if I want to upgrade them or not, I run the "select" method in dselect first.
I can even get told within minutes of a new critical patch being posted by subscribing to the debian-announce mailing list.
There are a couple things that I really like about it:
1) The advisories sent out to the mailing list contain enough information to know what problem the updates are fixing. The changelog files in the packages (which I *can* read before installing the package, if I unpack it somewhere else) contain a list of all changes. And if this is not enough for me, I can go and get the source package, and diff it to the previous version.
2) Debian potato will contain the apt-zip package, a set of scripts that simplify the process of downloading updates to removable media (e.g. zip drives, though you could probably also write them to a CD-R if you needed or wanted to). I can apply them to as many machines as I want to by inserting the medium, mounting it and typing "dpkg -i
3) dselect, console-apt and gnome-apt as well as kpackage are applications that provide me a list (sorted by anything) of items I have installed so I can check off the one I want to uninstall.
I think everyone agrees that individual patches would be better since it allows ultimate user control. And the way they are organized in the Debian system is really great.
21 fixes too hard? (Score:1)
--
Think Debian. (Score:1)
then answer some questions to get everything updated to the latest (at least, everything that's installed as a package - and Debian has a package for most everything out there).
If you really need a more stable system, go for Slink (aka Debian v2.1, Potato is being actively developed), but for all the latest updates, go with Potato.
Re:The explanation is not relevant (Score:1)
Sounds something like Debian. apt-get is your friend, and an ncurses frontend is being developed as well. (Don't know about the status of the gnome apt frontend tho.)
Re:Debian has had this for ages... (Score:1)
Re:Parity (Score:1)
If it were only that simple...
That works fine on your NT workstation that only has user applications installed. If you have SQL server, Site server, SMS, or any other server package that does anything useful you have to install service packs in a special order or risk breaking all sorts of strange dependencies. And it's not just sweeping service packs that need to be installed; most SPs require a myriad of smaller fixes (MDAC etc.) in order to work without bringing things crashing down around you.
To top it all off, you'll need to make several registry changes, IIS configuration changes (I don't believe there's ANY service pack as of yet that fixes the vulnerabilities in the .HTX script mapping problem in IIS), etc. etc. ad nauseam before your system is safe.
Bottom line, without spending a decent amount of time and energy on either platform you're not going to have a secure box. I completely agree that your average corporate group would fail to do this under either platform since your average corporate machine is a festering bag of compromises waiting to happen.
Why was a third party script installed on the linux box to begin with? It's not like they took advantage of anything intrinsic to Linux. It was a perl script that just as easily could have lived on the NT box.
Devil's Advocate (Score:1)
--
Redhat FTP install doesn't install updates (Score:1)
--
Re:I do NOT like the WindowsUpdate idea (Score:1)
How scriptable is BO2k? Chances are it is nowhere near as scriptable as Linux is right out of the box.
Re:I do NOT like the WindowsUpdate idea (Score:1)
If you were using something like Debian Linux (or any distro with a decent packaging system) it would be pretty trivial to implement something very SMS-like. The administrator could _easily_ see what software was installed on your machine, what hardware you were running (I have seen software that makes very pretty text files of the hardware), who had logged on recently, etc.
Heck, they could even archive all of the software that you had run, and other such esoterics like what websites you have visited.
If you have root on someone's desktop Linux box, you _own_ them. This is not necessarily true of Windows machines.
nt service packs (Score:1)
so easy, you have to reinstall them if you add a component from the NT CD.
And so easy when some application (usually MS) takes it upon itself to upgrade files that are also upgraded by a SP. Which version is the correct one? The one from the SP or the one the application installed? And maybe the app can't work with the version from the SP? So how do you install the SP? Or reinstall it if you've changed some vital config, eg changed the NIC?
And this kind of thing has infinite permutations, leading to hours and hours of NT admin fun. And hey, if it wasn't for NT admins would never be able to claim overtime! Damn those Unix boxes that just purr away for months and months without a glitch. How can you ever earn money from them?
Yes service packs... gotta love them. You really do. {God, Allah, preferred deity} bless NT!
This is a poor excuse (Score:1)
Re:Automatic updates are a Bad Thing(tm) (Score:1)
It would be very bad indeed if RH released an update package that would break data when applied. Haven't seen that yet. They're usually (probably for the reasons you state) very careful about warning you of any implications an update might have. Usually there are no implications except for the fix of the hole.
Re:3 questions and a rant (Score:1)
I don't know about the 120 exploits you mention. If you look at the updates directory for RH6, there's far from 120 packages to upgrade. So there might be 120 holes, but they're all fixed by applying a far smaller number of upgrades (so either 120 is a little optimistic on someone's part, or some packages just have a lot of holes (I'd doubt that so many packages had so many holes though)).
Really, redhat has the errata page, and you can already point'n'click upgrade. In the security updates that redhat release, they even give you an entire command-line you can just cut'n'paste into a root-shell, to have the upgrade retrieved from the 'net and applied. I'm having a hard time seeing what you think the problem is.
Re:I work enterprise - multiple patches are the pi (Score:1)
*) ssh (using
*) rpm --freshen ftp://
and eventually
*) at
There you have your shrink-wrapped enterprise management patch package distribution scheduling parallel system [feel free to add more buzzwords]
Really, with rpm (and I'm sure with dpkg too) it's really _so_ easy. You need a very small amount of imagination, and then you have your management system that you can customize in any way you please (hell, you just wrote the main routine of the application yourself - even though it's a one-liner).
Useless test (Score:1)
I do NOT like the WindowsUpdate idea (Score:1)
At work I have to use NT on my desktop. I ran the task manager and decided to try and kill some tasks. Heh, I could not kill the smss.exe. Gee, I wonder what that is for?
I bet many companies fear the penguin because they will lose the ability to snoop on you, much they way WinozeUpdate probably does as well.
Ken
Re:The CGI script (Score:1)
I found the page you linked to very informative. I had no idea security-conscious NT admins worked so hard.
--
The CGI script (Score:1)
--
Re:I like the WindowsUpdate idea (Score:1)
Re:I like the WindowsUpdate idea (Score:1)
Re:Should it matter? (Score:1)
autorpm (Score:1)
* A priority FTP server for registered users
* It comes with RH standard. Not everyone knows about autorpm.
I work enterprise - multiple patches are the pits! (Score:1)
These machines are mission critical which means that the only time you are allowed to apply patches is outside business hours which for these boxes is between 9pm and 3am. That's a lot of late nights. Sure a single large patch still has to install the same amount, but you could start patching the system and then move onto another one which means you could do several in parallel. With individual patches, you would have to keep coming back to each system to start the next patch.
On top of this, due to the mission critical nature of the boxes (they are used nation wide), we have extensive change management controls. Any patch that we apply would have to have a corresponding backout procedure. It is much easier to consider a patch as one big patch than 21 individual patches. Sure, us tech people know that they are really one and the same. But try telling the change management people that.
When you are dealing with a small site, individual patches are probably preferable - I would prefer them myself.
But on an enterprise level of any decent size, there is no way I want to have to deal with individual patches.
This is not intended as an insult to those who are contributing to this topic, but how many of you guys actually work in the enterprise area? Or are the majority of you making comments based on what you think happens in the enterprise arena?
Okay, I shot my mouth off without thinking (Score:1)
In my haste to post my reply I overlooked the most obvious way to handle multiple patches - yes, I look stupid.
I should have known better because I just performed 5 patches to the machines two weeks ago - hence my post on this topic - and yes, I used scripts then.
I do stand by my argument on red tape though.
Re:I work enterprise - multiple patches are the pi (Score:1)
I too have been in that situation. The GUI nirvana kinda falls down doesn't it when you have to push buttons a-l-l t-h-e t-i-m-e!! I sympathise with you.
My post was more about comparing a single patch for Unix to multiple patches for Unix.
No they don't have a point (Score:1)
Then they might have a point.
If you think that good system administration involves: Understanding your system; Understanding the problem; Understanding the solution, then of course you don't want to blindly install hundreds of megabytes of new code...
It really is a question of mindset. Given a handful of servers it is far easier to do
ftp some site
cd update directory
mget *.rpm
quit
rpm -Uvh *.rpm
And then telnet to another server and repeat the same. Without rebooting your machine.
[That's if you really wanted to of course, and weren't that bothered in working out what the impact of each RPM is].
Re:They do have five points ;) (Score:1)
ZD were testing RedHat Linux. This is a distribution. This means that it is put together by (the evidence suggests) some knowledgeable people. So you DO have one trusted source, and one set of files. This is why it is worth paying RedHat for their distribution - because it relieves you of the burden (but not the responsibility) for continually monitoring and updating your system.
It is far, far, far easier to maintain a few RH systems (especially remotely) than it is the same number of NT servers.
Re:No they don't have a point (Score:1)
Some keywords to help you: "perl", "cron", "bash", "at", "expect", "init".
Try searching for these either using the web or the "man" command.
So it was sys admin test not a security test (Score:2)
If your source is correct, then this was a sysadmin test NOT a security test. If it were a security test the patches would have been applied.
As to the "real world" conditions this is BS. If they want to test real world conditions, get a statistically significant sample of sys. admins, give them all the same hardware and software and see how many boxes are secure in two weeks.
Either the people who ran these tests had a preconceived result or they are complete idiots (or both).
Re:CGI security through chroot? (Score:2)
Something like this would have been able to contain the ZDnet script in a tight environment, probably making the exploit much harder.
BSD wins here. (Score:2)
Re:Parity (Score:2)
Just click on the .exe, reboot, and that's it.
Run dselect, select install, don't bother to reboot. Or, download all of the rpms, and run rpm over all of them at once. OR, download the latest service pack, decide if you prefer a security hole in file sharing, or a broken print service and who knows what else.
Re:I work enterprise - multiple patches are the pi (Score:2)
Speaking of enterprise environments, though, I think it would be unfair to leave out Solaris 7. It has 22 security-related patches as listed here: ftp://sunsolve6.Sun.COM/pub/patches/Solaris7.Patch Report [sun.com] Do you run Solaris at your site? If so, did you install all of those? Here, we've got scripts that install those patches on the Solaris boxes. Of course, change management is involved, too.
Sure, it would be nice if Red Hat paid more attention to security and quality control, but that's why I tend to stick with Debian & FreeBSD when feasible. :)
Managers vs. IT guys. (Score:2)
The usual "manager vs. IT dude" problem, I suppose:
The average enterprise manager could probably easily be persuaded to order their IT guys not to use Linux for that reason. They always scare easily for things that are not their area of competence.
If the IT guy takes the OS decision himself, it probably doesn't matter whether it is one fix or many. If he already selected Linux, then he probably also likes the power and control it gives him.
Re:Linux (systems with rpm anyway) easier to maint (Score:2)
That aside, I prefer having several small updates, which allows me a finer granularity of which patches I install. Take for example a Sun patch cluster. Each patch is in a subdirectory all its own, and the order in which they are to be installed is listed in a single text file. While the current recommended patches are available as a single tarfile, there is a fine level of control available.
Re:They do have five points ;) (Score:2)
Sigh. You don't have to track down security fixes from different sources, and you don't have to recompile anything. Just go to Red Hat's updates page, download everything and do rpm -Uv *.rpm
Re:Small, isolated patches better (Score:2)
On Windows a typical application ships its own version of some of the *system* DLLs, thereby rendering the whole platform insecure if one of its libraries has a flaw.
Thus the need for a huge service pack on NT. You need to re-ship updated versions of all libraries, and you need to re-install the service pack after each installation of a (seemingly unrelated) program, because NT DLLs are touched by *applications*.
Because of open source, we can re-compile an application that doesn't work with the system libraries we may have, thereby avoiding having to overwrite system libraries whenever we install an application. Therefore we can have small packages that update nothing but the problem. And therefore GNU/Linux will, unlike some other OS, have a massive share of the total server installations for many years to come.
Yes they have a point (Score:2)
Hire someone with a clue, and go back to writing articles.
Seriously though, if you tried applying NT service packs, and tried rpm --freshen, you know who's got the lead (and for those who haven't tried, here's a hint: it's not the redmond guys).
With NT, you apply one huge service-pack that (somewhat) fixes the problems known at the time of the release of the service pack. Whenever you install a new piece of software, you have to re-install the service pack if you want to be sure it's effective.
With rpm you do the --freshen trick, once. If you install another piece of software, well fine, no worries. If another fix becomes available, just get them all and do --freshen, or get the one fix and --freshen. It's as simple as it gets.
I think it's much too common for clueless people to assume that it's hard to maintain a system they don't know (and haven't even tried to grasp), and assuming that the system with the most aggressive PR backing is necessarily much easier.
The only reason why we don't see more remote attacks on NT is because ``networking'' is somewhat alien to NT. Networking has always been an integral part of UN*X and Linux, so naturally a buggy networked application is almost bound to compromise the system in a cracker-friendly way.
Consider the incredible amount of local attacks on NT being posted weekly (almost daily) on Bugtraq, and you see why NT people should be really happy that NT is not a network operating system.
Re:Who is "corporate IT", anyway? (Score:2)
However, in deference to the long expertise of corporate IT managers, I hereby propose the following Industry Standard for Manageable Updates. Call it the RedHat Service Pack specification. I expect to see it hailed as a wonder of technological innovation and a great leap forward for the Linux community in providing security management:
Packaging (this part is proprietary, you don't need to even see it. avert your eyes):
Installing:
I expect news of this great manageability innovation to be trumpeted throughout the tech news industry. It should be referenced in the sales pages for Maximum RPM, but may require a separate publication of its own to explain this great technology to the world, especially the technology press.
Re:My Opinion (Score:2)
Re:Parity (Score:2)
Which presumably doesn't mean that they believe corporate IT to be a bunch of ignorant layabouts, but if I were a corporate IT person, and a reader of their publication, and also in the slightest bit competent with Linux, I'd be insulted. Perhaps they don't grasp the significance of a discrete package upgrade -- something MS has never really gone for. Root compromise hole in crond? Well, upgrade crond -- redhat publishes the bloody rpm -Uvh ... command to do that in every security advisory. It's a different methodology -- we usually have one upgrade package per main package -- and that, in the UNIX scheme of things, makes vastly more sense than clobbering all our package management systems (far superior to that offered by poor NT) in favor of what they call "[making] fixes available in a more manageable manner."
ZD didn't do enough research while orchestrating this PR stunt, I suspect. Bring on the derision. ):
Re:I like the WindowsUpdate idea (Score:2)
In principle, this sounds like a good thing. In practice, enabling Windows Update opens a big security hole:
(from a mail to the RISKS mailing list by Steve Wildstrom).
Debian's system doesn't rely on this sort of stuff - you have to actively ask for packages. However, it still relies on your trusting the FTP server you get them from. Official packages will be signed - but do you know that all Debian developers with the key will keep it safe?
Re:YES THEY HAVE A POINT! (Score:2)
$ rpm -Uvh ftp://ftp.mydistribution.com/pub/updates/*.rpm
Now that was such a lot of work wasn't it?
Consciousness is not what it thinks it is
Thought exists only as an abstraction
Your binary releases can also be pre-linked (Score:2)
Agreed, this is key. Perhaps even more important though is the ability to statically link, so that binary releases can be built, a la Netscape, with everything version-independent (except for kernel dependencies which are few & far between thanks to the efforts of people like Torvalds and Cox). So you can download the binary app and expect to have it work, as it nearly always does when built this way [ed note: and when declared stable
Another factor of crucial importance is for this linking process to be carried out by anyone who wants to do it, i.e., access to the source code is important just as you say, but not necessarily for the same reason. Also consider - it's possible to re-link a dynamically linked app to become a statically linked app using a linkage editor... I don't know if Linux has such utilities because I'm a relative newcomer to these development tools. But if they're not there, we need them badly.
And therefore GNU/Linux will, unlike some other OS, have a massive share of the total server installations for many years to come.
(a) That and 1,000,000 other reasons
(b) It already does. (Check the situation as of last spring [leb.net])
Re:The CGI script (Score:2)
In order to simulate a real web server, PC Week Labs had to have it exist for a reason. So they installed a Classified Ads application. And it had a hole.
If you read the page [hackpcweek.com] where they described the configuration changes they made, you'll see that they made more changes to NT than they comparatively made to Linux. As in, it was biased a lot more than just not installing all the patches on Linux. They made registry changes. *By* hand, I presume. They moved some of the admin tools to a different location on NT, but didn't move the comparative tools on Linux.
They were comparing apples to oranges anyways. They used a CGI application on Linux and a scripted application (ASP) on NT. Come on, to be fair they should have used a scripted application on Linux also. They *know* what php is, they used it for the forums [hackpcweek.com]
-Brent--
Re:Just click .exe (Score:2)
Six months for Red Hat to be specific. Probably a lot faster than MS releases service packs. That's basically what RH 6.1 is, a service pack in MS terms for 6.0. There is only one difference. Red Hat replaces their old version with the new version. If I buy a copy of NT today, would I still have to install SP5? I imagine so.
Still though, I wouldn't want to have to wait until the next version was released to fix security holes. Not even on NT.
-Brent--
Do they have a point? (Score:2)
No.
Imagine you buy 21 different programs from 21 different vendors, but you buy them all in the same shop, with one single bill, maybe bundled in a single box.
It's obvious that each vendor will fix only their own part and you'll get 21 different fixes.
What you can expect from the shop is that they bundle the fixes in the same way they bundled the programs.
And this is what Linux distributions already do (Debian at least).
Cheers!
negligence, pure and simple (Score:2)
Do they think that if a business had its several-thousand-user network compromised, the execs would accept the excuse that there were just too many vendor-supplied patches to apply?!
--
Re:Parity (Score:2)
Should it matter? (Score:2)
Most admins out there may not like doing multiple patches, but there are advantages. Some patches can open other holes, and using one of NT's service packs isn't guaranteed to fix everything either. And having them separated out allows an admin to more closely monitor what's been patched, rather than NT's way of doing things.
It's like the NT vs. *nix discussion itself: each has its pros and cons. What it all boils down to is the competency of the guy/gal running the box.
Re:I work enterprise - multiple patches are the pi (Score:2)
Just copy them to an upgrade directory, cd, and type rpm -Uhv *.rpm on each system. How does that compare to installing one NT service pack on each of those same 200 systems?
> the only time you are allowed to apply patches is outside business hours which for these boxes is between 9pm and 3am. That's a lot of late nights.
Per above, except have a cron job run at 9pm every night to -Uhv whatever files you put there during the day.
Any patch that we apply would have to have a corresponding backout procedure
Just re-install --force your prior version of the RPM for the same package.
Would you rather back out (say) one of 21 RPMs with rpm --force, or back out an NT service patch? And even if they were the same amount of trouble, do you want to throw out everything the SP offers, just because one of the patches on it sucks? Some of the other patches in the SP might accidentally fix something without breaking something else.
ZD doesn't have a case. Because they don't have a clue.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Re:Disclosed holes should be closed IMMEDIATELY (Score:2)
Are you saying you don't like the MS timeline?
Media reports the hole.
MS Months 1-3 : Deny that the problem exists.
Media reports an exploit of the hole.
MS Months 4-6 : Admit that there is a problem that can be exploited by people with esoteric knowledge (who wouldn't consider doing such a thing!) under rare conditions, but that isn't a problem for ordinary users.
Media reports a high-profile exploit of the hole.
MS Months 6-9 : "We're working on it."
Patch is delivered.
Your Months 10-12 : Sysadmins either wait to see what happens to the suckers that apply it first, or else spend these months trying to repair the damage and lock out the new holes created by the 'patch'.
Media reports the problems caused by the 'patch'.
MS Months 13-15 : Deny the problem exists...
Repeat until bankrupt. Season the above liberally with vaporware announcements about how the next new product is going to make all your troubles go away.
Meanwhile, who's been reading your mail?
--
It's October 6th. Where's W2K? Over the horizon again, eh?
ZDNet's credibility (Score:2)
But ZDNet (and Yahoo) lost much credibility with me when they couldn't figure out that Jesux was a joke.
My
Quux26
Does it matter? (Score:2)
There's no way I am going to make a decision based on what happened in a test like this. I'm not even going to take it into consideration. It was entertaining, and I enjoyed it, I enjoyed reading about it, I hope the ZDNet people had fun doing it, and I hope the people who hacked it had some jollies.
But the results are as meaningless as Bill Clinton's sworn testimony.
Re:Red Hat fixes wouldn't have helped (Score:2)
Re:Does it matter? (Score:2)
The people who don't know that it is an invalid security test care about the details.
Time and again, some magazine, company, or other shows NT's supposed improvements over Linux. Then somebody notices how the "test" was intentionally or unintentionally rigged. While this is great for the Slashdot community, this is the sort of stuff that needs to be seen by those who make the buy decisions.
Now that you know, you can argue this where you work or learn; when somebody points to this test as a reason to install NT at your site, you have an effective counterargument--and URLs to back it up.
Re:Update Ease (Score:2)
I do agree that the *BSD way is a very good one, though.
---
Count the numbers... (Score:2)
(apologies for the funky formatting, it used to be a nice table but
According to this logic, Linux is clearly more secure than Windows NT, especially when you `weigh' the numbers with the popularity (or lack thereof) for the individual operating systems.
Of course, the really interesting number is the 0 for OpenBSD. Pity though I have no idea how many OpenBSD sites there are out there...
Re:I work enterprise - multiple patches are the pi (Score:2)
I worked for my college's computer services this summer; my job mainly consisted of applying patches to NT for 3 months. Admittedly, we have many more computers than you (I'd estimate 800+ or so in public labs and administrative offices, we are extremely wired for 1500 students) but with 5 other students and the college's professional staff we were unable to apply service packs to all of them. Why? because when installing that "one big easy install" not only do you have to kick the user of the machine off (they really don't like that) but you actually have to be there the whole time to click on those "friendly" buttons. NT's profiles (they are like home directories except they suck) aren't always updated correctly by the upgrade so the users have to fix and reinstall their programs. Computers that were running NT SP3 w/o IE4 a little bit slow now are completely unusable with all of the "improvements" that were "necessary". Not to mention differing support of hardware between the different service packs; SP4 broke some computer I worked on because of incompatibilities with the BIOS on some Compaqs which had no problems at all with earlier versions.
In contrast, if we had been using Linux, even if I hadn't created a script, I could have opened up a sh*tload of telnet sessions from the cold room and, without the user knowing or caring, updated each and every machine at the same time with only the packages necessary.
Windows NT Vs. Linux or why ZD is not credible (Score:2)
1a. Certain clients that used third-party messaging, web server, or application server products made by competitors such as Sun or Netscape had serious issues when SP4 was installed. So did Samba in one of our test cases. Leads me to believe that M$ wanted SP4 to push the M$ products over the competing products.
2. The install of NT itself on a bare box is abysmal. It takes about 10 reboots to get everything installed right with the Hot Fixes and the Service Packs. Linux takes one with 6.1. By the way, the install is about 5x as fast as W2K even in graphical install mode of RH6.0.
2a. Plus, there's the monitoring of NTBUGTRAQ for the latest exploits. Sometimes they hit 5 a week. The MS people post fixes 2 weeks later.
3. Linux, on the other hand, is mostly stable. Fixes are out within hours. I don't have these issues.
4. Linux isn't tightly integrated with Apache.
If I want to change web servers for reasons of security or such then I can. Can I do that easily with NT? The answer is no, unless you run Apache for NT. Then you still have the issues of the operating system.
4a. IIS is the biggest security hole of a web server I have yet seen. The bugfixes hardly fix anything. Doubt me and think NT is god? Read NTBUGTRAQ or actually run an NT server connected to the Internet. Microsoft and their COM objects are causing a whole mess of havoc.
5. Security hole in a Perl script on the hackpcweek site? I wonder why nobody tried to do the same with COM objects or the numerous buffer overflows on NT? Better yet, let's see how long it takes Redmond to come out with a fix! IF anyone wanted to not follow the rules of that contest, I am sure something like that would easily take down the box.
6. I hear too much from NT admins about "Wait until Windows 2000". Y'all can shut up about your vaporware. I interviewed two admins. One was a W2K freak. The other mentioned that MS should fix their products before releasing new ones. Guess which one got the offer? Shut up about how great MS is until I see stable shipping product or get out. Linux is right here, right now, and is constantly being updated. It's also open source and audited by thousands. Beat that, Redmond. Giving a closed source preview of a product doesn't make it like Linux. Open the source and show those API's like WNetEnumCachedPasswords.
6a. I have seen portions of that code, and it is MESSY. They probably won't release it out of embarrassment. I wouldn't.
7. ZD is advertising-driven. Guess who buys most of their advertising? Microsoft. Do you HONESTLY think ZD is going to bite the hand that feeds them? I think not. They are Microsoft's bitch. Anyone who reads anything from ZD should realize that. It's a PHB magazine, meant for people who choose not to pay attention to what is going on in IT. Until Red Hat, VA, Sun, SGI, and other non-MS companies advertise, they will continue to be the puppets of Redmond.
Until next time....
Re:Managers vs. IT guys. (Score:2)
Parity (Score:2)
I really wouldn't have a problem with this at all, if ZDNet hadn't made the blanket conclusion that NT was easier to secure. That's an overwhelmingly ignorant statement to make.
Just click .exe (Score:2)
Before applying SPs I wait at least a few weeks to see what people report as breaking under the new SP. There's usually something, and all too frequently (two NT4 SPs out of five!) applying an SP has a detrimental impact on system stability.
On top of that you may have to reapply SPs after installing new packages (particularly those from Microsoft) and you want to create a new emergency repair disk. These things are not necessary under Linux.
IMO, having administered both systems (and a bunch of others) for years, I much prefer the small patch approach where I can pick what I want to apply according to my needs: e.g. if I'm not running ftp I don't really need to apply an ftp patch.
But as it turns out there is a way to get all-inclusive patches for Linux. Install a new release. They come out every few months, much more frequently than Microsoft service packs, and generally include all previous patches. The upgrade process is fairly similar in difficulty to applying an NT service pack. Interestingly this isn't mentioned.
Interestingly, ZD says "Imagine the work involved in integrating 21 separate fixes into a change process to be deployed across an enterprise." Actually that doesn't have to be a lot of work. You can set up a master system and use rdist to propagate patched software to everything all at once. This kind of environment is easy to set up (the software is stock) and allows the software to do the grunt work of upgrading systems. You need to buy extra software to do this kind of mass upgrade on NT.
Re:Small, isolated patches better (Score:2)
I'm not arguing that small, isolated patches are infinitely superior to mega-packs including both fixes and features.
However if a company like RedHat wants to provide support that people would buy, then making a patch or script available to fix all known security problems since last release might be a worthwhile product that new users would appreciate, especially those switching from Windows.
If you want to get into ease of use features, something with the functionality of Windows Update could also be popular. It should be done Unix style though. The update site sends the information about what is available to the local computer on request, which then compares it to what is installed and offers the user an opportunity to select packages to update or install. From this a script is generated locally that will download and install the required software. Category filters for "Security", "Bug", and "Feature" would also be nice.
Perhaps their new online update support in 6.1 addresses this. Can anyone describe it for me?
Nope (Score:2)
As I understand it, it's automatic? Is this correct? I have not had a chance to check it out.
How hard is this? (Score:2)
> bin
> get *rpm
> bye
rpm -Uvh *rpm
Now really how hard is that? This "enterprise" crap is making me sick. These enterprises are hiring people who have peanuts for brains? They would much rather go to Microsoft's website, find the latest patch, download it, sit through the update, reboot the computer AND do the update and reboot process again after they install a new application (This is recommended by most all NT service patches). How many steps is that?
Anybody who can use ftp will tell you that it will take less time and effort to update the Linux machine. Now the "ENTERPRISE" IT guys, they just have a small problem.
They have never heard of ftp.
But they are perfectly capable of maintaining the company mainframe. A whole lot of them work at Ebay and ZDnet also.
You'd like Debian (Score:3)
Personally, I prefer RedHat, because it gives me more individual control, but Debian sounds like it would be far better for you, and get you away from the nasty broken Service Packs.
----
Re:I like the WindowsUpdate idea (Score:3)
I now have a completely up to date 3.3-STABLE FreeBSD installation on my trusty old P90 that used to run a crufty old RedHat 4.2 install. By watching the FreeBSD mailing lists, I can tell if there's something new I need. If so...
cvsup stable-supfile
make world [1]
make install
make kernel
mergemaster
reboot
Presto! Completely up to date system. Why isn't it this easy with anything else? Why are binary distributions/updates/patches/etc so popular?
[1] Okay, this step takes seven hours on a P90.
Small, isolated patches better (Score:3)
I don't mind upgrading an FTP or bind (or whatever) RPM on my servers, but I absolutely will not install an NT service pack on a production server until waiting at least a month to see what kind of problems arise. I made the horrible mistake of installing SP4 on one of our NT servers. Never again.
Jason.
How many current NT patches ? (Score:3)
So "most large companies would prefer the one large, sweeping-in-scope, fix" huh? Quite right. Our corporate MIS has banned the application of hot fixes, patches or service packs beyond SP3 because ... wait for it ... it makes NT too unstable.
They only needed to install 4 (Score:3)
On NT they installed SP5, IE 4.01, option pack 4 and SQL server SP1. That is 4 updates.
gee, strikingly similar...
Red Hat fixes wouldn't have helped (Score:3)
I'm torn on these kinds of tests. On the one hand, the test is attempting to prove the security of an operating system distribution, so that's really all that should be running. On the other hand, you are going to want to do something with that machine. Certainly a stand-alone Linux box with nothing else on it is not much of a real-world test.
In the end we're just serving to prove an old truism of security: You put a firewall in to keep out the 13-year-olds, but to stop the determined crackers who are targeting your site in particular, you need to audit every piece of source you run. A very tall order, and always painful. It comes down to risk analysis and trade-offs.
I complained... (Score:3)
All I have to say about
http://www.zdnet.com/pcweek/stories/news/0,4153
is that you all are idiots.
I rarely write about things, but this is an outrage. Anyone who thinks that
MS distributes all its fixes in one large patch is a fool. I should know,
I was engineering lead on www.starbucks.com, one of MS most prominent sites.
In order to deploy a server, we would apply the latest service pack and then
between 30-60 hot-fixes. And that was just for the default software. Other
packages, like SQLServer, had at least two dozen hot-fixes.
A lot of times, these would conflict with each other in strange ways, and
uncover other bugs, which made it very difficult to deploy any fixes at all.
I would often try them out on my desktop (an NT Server) first so as not to
endanger the development environment. We even had one case where a hot-fix
wiped out our SourceSafe DB....
In contrast, the two Un*x OSs I use on a regular basis, Solaris and Linux,
have no such problems. Packages and RPMs are small, well-defined fixes to
particular problems, not some uber-thing that has to itself be patched.
I don't know where you get your writers from, but I sure am glad I don't
read any of your publications. And with information like this (i.e. totally
useless and factually incorrect), it's doubtful that I ever would.
Chris Maresca
Project Engineer, Organic Online, Inc.
ckm@organic.com
[/QUOTE]
I like the WindowsUpdate idea (Score:3)
This is, in my opinion, a good system and I compliment Microsoft for adopting it. I only wish that the *nix community would be willing to host similar update servers, particularly for the popular distributions.
There are just a couple things that I think should be changed:
1) Link to knowledge base and security alerts. When I see an item listed, I want more than just a one or two line blurb. And vice versa...if I get a security alert on a mailing list, or find a reason why I'm getting a certain bug, I want to click a link and see the fix added to my download queue.
2) Make it easier for it to work with secure or offline servers. I should be able to download an ISO image that contains an entire copy of the update website. So, all I have to do is pull down the ISO, burn it, pop it into the CD-ROM of the secure or offline server and PRESTO! I can browse a local copy of the same update site.
3) Download histories with option to uninstall. Right now my Windows Updates are buried under a half dozen items in some Add/Remove Programs control panel. I'd rather be able to see a list (sorted by date) of items I have installed so I can check off the one I want to uninstall. So, if I SWEAR it's a patch that is causing my problem (even if tech support doesn't agree with me) I don't have to reinstall to get rid of it.
Service Packs stink because I get a whole bunch of stuff I DON'T want just to get the one or two things I DO want. The only reason I install Service Pack 3 on stand-alone machines is so I can install MSIE...and the only reason I install Service Pack 5 on those same machines is so I can use 17GB hard drives. Sure, I could probably abort the install after it decompresses the files and just install the new ATAPI.SYS file...but then I'm skating on "unsupported territory". So I have to cross my fingers and pray that this isn't another Service Pack 2 or Service Pack 4 or lose my support options.
I think everyone agrees that individual patches would be better since it allows ultimate user control. The only problem has been keeping track of where they are, what they do, and which have been installed. So, let's get them all organized...how about it?
- JoeShmoe
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
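The Unix-style update client sketched in the "Re:Small, isolated patches better" reply (compare what the update site offers against what is installed, filter by Security/Bug/Feature, generate the install script locally), combined with the download history and per-patch backout this post and the "Re:I work enterprise" reply ask for, as an added example. This is not code from any post on this page or from Red Hat; the manifest format, package names, versions, advisory IDs and the assumed i386 filenames are constructed for illustration. The version comparison follows rpm's rpmvercmp rules (numeric segments compare as integers, alphabetic ones lexically, a numeric segment outranks an alphabetic one, and leftover segments win), and the backout uses rpm's real `--oldpackage` flag, which lets an older package replace a newer one.

```python
"""Added example: a minimal Unix-style update client with a backout ledger.
Not from any post on this page; manifest, package names and versions are
constructed. Version ordering follows rpm's rpmvercmp rules."""
import re
from datetime import date

# Constructed manifest as the update site would send it on request:
# name  version  release  category  advisory
AVAILABLE = """\
wu-ftpd   2.5.0   9    Security  RHSA-hyp-01
bind      8.2.1   7    Security  RHSA-hyp-02
sendmail  8.9.3   15   Bug       none
XFree86   3.3.5   3    Feature   none
samba     2.0.5a  12   Security  RHSA-hyp-03
"""

# Constructed local package database (what `rpm -qa` would report).
# No wu-ftpd is installed, so that security patch must not be selected.
INSTALLED = {
    "bind":     ("8.2",   "6"),
    "sendmail": ("8.9.3", "15"),   # already current
    "XFree86":  ("3.3.3", "1"),
    "samba":    ("2.0.5", "12"),
}

ARCH = "i386"   # assumed architecture for the generated filenames
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two version strings the way rpm does: returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment outranks alpha
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def parse_manifest(text: str) -> list:
    updates = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, ver, rel, cat, adv = line.split()
        updates.append({"name": name, "version": ver, "release": rel,
                        "category": cat, "advisory": adv})
    return updates

def select_updates(available: list, installed: dict,
                   categories=("Security",)) -> list:
    """Keep only updates for packages that are installed, that are newer
    than the installed version-release, and that match a wanted category."""
    chosen = []
    for u in available:
        cur = installed.get(u["name"])
        if cur is None or u["category"] not in categories:
            continue
        newer = rpmvercmp(u["version"], cur[0]) or rpmvercmp(u["release"], cur[1])
        if newer > 0:
            chosen.append(u)
    return chosen

def install_script(chosen: list, installed: dict, ledger: list, today: str) -> list:
    """Emit one `rpm -Uvh` line per package and record the prior version in
    the ledger so each patch can later be backed out on its own."""
    lines = []
    for u in chosen:
        pkg = f"{u['name']}-{u['version']}-{u['release']}.{ARCH}.rpm"
        lines.append(f"rpm -Uvh {pkg}   # {u['advisory']}")
        ledger.append({"date": today, "name": u["name"],
                       "new": (u["version"], u["release"]),
                       "prior": installed[u["name"]]})
    return lines

def backout_script(ledger: list, name: str) -> str:
    """Reinstall the most recently recorded prior version of one package;
    --oldpackage is what lets rpm replace a newer package with an older one."""
    for entry in reversed(ledger):
        if entry["name"] == name:
            v, r = entry["prior"]
            return f"rpm -Uvh --oldpackage {name}-{v}-{r}.{ARCH}.rpm"
    raise KeyError(f"{name} not in update history")

if __name__ == "__main__":
    ledger = []
    chosen = select_updates(parse_manifest(AVAILABLE), INSTALLED)
    for line in install_script(chosen, INSTALLED, ledger, date.today().isoformat()):
        print(line)
    print(backout_script(ledger, "bind"))
```

Running it selects only bind and samba: wu-ftpd is skipped because it is not installed, sendmail because it is already current, and XFree86 because Feature is not a requested category. The generated script could be dropped into the upgrade directory for the nightly cron job from the "Re:I work enterprise" reply, and the ledger is the list (sorted by date) that item 3 above asks for.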
ZDNet Car Security Contest (Score:5)
When Carsec proponents noted the discrepancy between the two cars, ZDNet replied that "the average car user would not want to lock 2 to 4 individual doors."
ZDNet, in response to the information that Carsec comes with power locks, stuck their fingers in their ears and started humming "Ol' MacDonald."
Do they have a point? Yes, atop their heads.
Update - ZDNet admits using Real PHBs (Score:5)
In unrelated news, seismologists reported a strange disturbance, which they claimed was caused by thousands of sysadmins nodding their heads in agreement at the same time. The phenomenon has tentatively been titled "the Slashdot Effect".
No no no no no no! (Score:5)
Having been an NT admin for awhile... It is not just a question of installing five huge service packs. And I'm not talking about hotfixes either.
There are a number of pieces of software from Microsoft that require the service packs to be applied in differing order:
The place I used to work before used Site Server (extension to IIS). For the personalisation feature to work on this, a completely bizarre sequence had to be followed:
Install (approximate - I think this was more complicated):
Service Pack 3
Internet Explorer 4
Option Pack 4
(some crucial DLLs have now been deleted/overwritten with incompatible versions)
Service Pack 3
Option Pack 4
Site Server 3
You can now install Service Pack 4 & 5 if you want more things to break or you can cut your losses and stick to things that you know work (even if they aren't secure).
The problem with this process is that it is badly documented, denied on Microsoft's site and unknown to most MS users. We got this process from someone who spent days installing and uninstalling the software until it worked. Therefore it takes *days* to install a "decent" version of NT.
This is not the worst bit. The worst thing is that we bought Site Server for all of those built in features (many of which simply didn't work). It wasn't cheap and we ended up just writing our own stuff due to the poor quality of the documentation, lack of speed (dual Pentium Pro, 128MB RAM) and general flakiness.
The problem with all this software is that Microsoft doesn't write applications anymore. Everything has hooks in the O/S which means that departments within MS end up writing software that messes with everything. Incompatibilities arise and no-one is willing to tell you how to fix it without charging you huge consultancy fees.
My new web server boxes run Linux. When fixes come in, thousands of users are willing to help you out with any problems you have. They actually know. The applications do not send tentacles into the O/S, choking functionality out of other applications. My sites run fast. I never need to write ASP in my life ever again. I'm happy again.
Other example? To get a certain feature of MS Visual Interdev running on her machine, a friend of mine had to remove Service Pack 5 & 4 from her machine (Then re-install SP3). Only then would database diagrams re-appear as a feature...
I sense that many people here have not actually really experienced the joys of NT first hand. It is much more of a nightmare than you think. And good NT admins simply don't seem to exist. I'm sure there are some out there. Maybe. The recent joys of the Windows 2k machine that MS couldn't keep up due to running out of disk space, etc indicate that there simply aren't any. Even at MS.
I also know of a well-known major UK hosting provider which is withdrawing the NT dedicated server hosting. Too many problems. Too many security holes. Really bad remote management tools. End of story.
</RANT>