Linux Software

PCWeek Summarizes hackpcweek.com Test

Banraeth writes "This week's PC Week contains a story about the results from their hackpcweek.com security test site. They explain the object of the test, how many attempts they got, the structure of the attempts and the way someone finally got in. The article reads really well and very clearly explains the anatomy of a break-in for those of us who aren't Linux security gurus. "
  • I think it's appropriate to suggest the extent to which one might have to go to really maintain a fairly secure system.

    I also think it's appropriate for them to re-run the test on fairer ground, in light of claims that installing these 21 security patches is not a whole lot different from installing NT service pack 5.

    Not to suggest that this test is all that useful as any sort of security benchmark. High-profile anecdotal evidence is still anecdotal evidence - if a famous person's Audi blows up that doesn't mean it's more prone to explosion than Joe Blow's Pinto.
  • Here is the thing that irritates me about this article. The statement about no central repository for updates. What about Red Hat's errata section, how about Freshmeat and Linux Today?

    I have also spent the last two days trying to download Service Pack 5 for NT. Sure Microsoft has a "central repository", but you are stuck with a 25-75mb file to download and Microsoft's site by itself is slow without having to try to download from Conxion. The farthest I've gotten is 10mb before the connection hung and I cancelled. We have 6 channels of a T1 here, and I'm only getting 3.2kb to Microsoft and on the download.

    I think it is pretty obvious from the last two-three weeks that PC Week has done little or no research on anything they are trying to do or write about. It is my personal opinion that we should just ignore them. If they aren't going to take the time to research their articles and statements (think Journalistic Integrity) I'm not going to take the time to read their magazine.

    Matt
  • ST no?

    Anyway, ZDnet blew it on this "test" of Linux vs. NT. Particularly amusing was the quote "...21 security fixes published by RedHat that have only been out a couple of months..."

    A couple of months? Come on give me a break! I check the RedHat Errata page at least once a week, and I'm not even running a contest.
  • > there is no central repository for testing or approving patches to the Linux system.

    So, what about getting updates from RedHat, your vendor?

    So, how is any other OS different? I go to Microsoft for WinNT updates (good luck finding them though). I don't go to MS looking for updates for third party utilities.

    Linux is only the core kernel, most system utilities are from the GNU project and all other software is from third parties.

    So how is this different again?
    I was present at the PC Week/Mindcraft setup^H^H^H^H^H"rematch", and met Pankaj. Let's just say that we have a difference of opinion when it comes to Linux and Free Software. I think it's a great thing. Pankaj thinks it's wrong to write Free Software. I'm not surprised to find the deck stacked a little unevenly in this 'experiment' as well.

    Mark "Young Turk" Willey

    BTW, if you're concerned about Linux security and Free Software in general and want to help do something about it, drop me a line. I've decided to dedicate the next part of life to this endeavor.
  • What amazes me the most about this guy is his arrogance. He knows he was dead wrong here; downloading RH RPMs and installing them is work a blind chimp could do. To imply that it's too difficult is just a cop out. It disgusts me that this guy simply refuses to come out and say "Okay, I didn't do everything I could have done because it seemed like too much work and I didn't know enough. My bad." He doesn't. Instead he BSes and makes up excuses. Forgetting his skills as a journalist he's a priggish bastard in my opinion with no more spine than your average amoeba. The best, most objective journalists are the ones who aren't above admitting they were wrong. From what I've read here this guy obviously is not one of them.

    Even back in the day, Novell Netware 3.x had patch lists several pages long.

    How much you want to bet there's quite a few of these PC Week editors and "IT Managers" with an old Novell CNE tie-tack somewhere in their desk drawer. They know the routine - they've just forgotten.
    Actually you know EXACTLY what the service pack is installing, if you read what the service pack fixes and updates. There's a txt file that tells you exactly what is being updated, and why. I completely agree that the test should have had all patches installed, but I also agree that service packs are a good idea (and if you don't like service packs, all the fixes are available as hotfixes prior to the services, which can be installed singly)
  • cgi let him on the machine as nobody, cron (1 of the 21 unpatched holes) let him become root.
  • Oh Get over it! They clearly state that both NT and LINUX have many services turned on by default, and any administrator trying to operate a secure server should have these features turned off. This is not biased, no matter how much you want to think it is.
    Yes there was a patch that could stop him. I seem to remember when the first notice of the crack was posted here the details were that he got in via the bad CGI script, but did the damage via a security hole that had a patch up on the RedHat site for about a month before the test began. I forget what the patch was for so I don't know where the hole was, but there was one, that is why the issue of them not installing patches became such a big topic.

  • What's with every ZDNet writer thinking they're a pundit lately?

    You missed the last page where they have the "PC Week Labs recommends ..." chart. The second to last recommendation is "Install all vendor-recommended updates: Assign this task to a specific person within the organization. Allocate budget for it. Also subscribe to hacker magazines such as '2600' and patrol hacker Web sites. Read all CERT advisories."

    After saying that a corporation wouldn't want to install patches as they were released, they certainly have a funny recommendation for NT administrators. Allocate budget? Subscribe to hacker magazines? All that, and all we asked for was 21 measly patches.

    Sorry, PC Week. Get your act together, or step aside. I've got work to do...

    -Brent
    --
  • 21 patches? Come on, I'm not even a systems administrator and check Red Hat's errata section all the time. I run one box. It's at my house. I am the only one that uses it. I STILL check apply security updates. If ZD doesn't think a normal sysadmin would apply "21 security updates available for Red Hat 6.0, which had been out for only (My note: only a couple of months? Damn. I check the RH errata site once a week, and I am not even a sysadmin) a couple of months" then that is not a sysadmin I want even breathing on my box. Just my $.02.

    Charlie


    --
    Child: Mommy, where do .sig files go when they die?
    Mother: HELL! Straight to hell!
    I've never been the same since.

  • by Anonymous Coward on Tuesday October 12, 1999 @08:20AM (#1620186)
    RedHat has the equivalent of a Service Pack available-- the updates. These updates contain a number of bug fixes, etc. And RedHat encourages users to get the updates.

    So why don't people do it? Because none of the bugs are "well-known", i.e., they don't get news coverage on ZDNet, with headlines screaming "Sky Is Falling, LINUX Insecure!"

    But Microsoft tends to get that. Partially because they write shitty software (let's be honest), and partially because it's a name that people recognize and will relate to. It makes for good sensationalism.

    My solution, offered with tongue firmly implanted in cheek, is to sensationalize every exploit for Linux. "crond Found Insecure at 8:00 AM, Bob Young Not Answering Phone at Lunch Time!"

    Seriously, though, maybe we need to put just a little more emphasis on getting the updates. Now we have an example-- "Hey, Joe, did you download the RH updates? They say that if PC Week had done that, they wouldn't have been cracked!"
  • In the discussion that followed the successful crack, there was mention of AutoRPM as one solution for staying up to date. So PCWeek jumps in and says "AutoRPM is the only solution." Um.... ok. Or you could just subscribe to the Red Hat mailing list...?

    They complain about how hard it is to remember "secure" passwords such as "[Athl!g" and how they had to keep a list (in cleartext I suppose) on a laptop. Try something like "TcIoOtLtWeD" which is nice and easy to remember.*

    And of course, as everyone has mentioned, first they say that Red Hat had 21 security updates available, and turn around and lament that there's no place to go to see which security updates are available... durr....

    Overall, they just sound clueless and/or heavily influenced.

    *"This contest Is one Of the Lamest things We've ever Done."
  • by Anonymous Coward
    I totally agree with your assessment.

    I will go further and say that it is obvious that this whole test was simply a horse and pony show to prove that Linux is just inherently insecure.

    One can only wonder at the motivations of a company that runs a security test without installing Linux security patches and goes to the length of installing unaudited CGI scripts.

    I believe that this test was paid for and run by Microsoft. Any objective tester for an operating system would have gone to the trouble to install the security patches and report how difficult the task is.

    That PC Labs is still claiming that "Linux" doesn't have a central site for its security updates is clearly FUD directed towards those who do not read forums like these.

    Linux does have a kernel site that is a central repository for all fixes. But it wasn't a kernel security problem that we are talking about here.

    The security hole that allowed a breakin was three fold. An insecure cgi script allowed a person to try to write a file. Wrong directory permissions allowed a file to be overwritten. A known security hole was exploited.

    Audit all scripts before you put them on your box. Use the -T flag and use strict option even though they make programming a real pain. Get all updates from your software company and install them. Ensure proper directory permissions for all directories and files. Go to your distribution vendor and download all security patches.

    PC Labs only had to go to one place on the whole net to get updates for their Redhat software. All the software. The site is http://redhat.com/support

    That's right, not only do you get hundreds of software packages, but you only have to go to one place to get updates on all of those fixes.

    Imagine how many sites you would have to visit to upgrade all the software on a Windows box that has an equal amount of software as a Linux box. It wouldn't be one site, that's for sure.

    Sounds to me like Linux would be much easier to maintain.
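    The post above describes three linked failures (a CGI script that lets the request choose where a file is written, a directory that lets that file overwrite an existing one, and an unpatched hole) and recommends taint mode and "use strict". The following is an added example, not code from the original page, from PC Week or from the vendor of the scripts discussed in this thread: a small CGI handler run under perl -T that shows what those two flags actually force you to do with a client-supplied file name. The data directory /var/www/data, the parameter names "name" and "content", and the sample query string are all assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example (not the page's, PC Week's or the script vendor's code):
# a minimal CGI handler under taint mode with "use strict", writing one
# client-supplied file into a fixed directory. Under -T perl refuses to pass
# request-derived data to sysopen/open/system until a regex capture has
# untainted it, so untaint_name() is what makes the write legal at all.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

# Taint mode insists on a trustworthy environment before any child process.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical data directory; the real layout of the test site is not on the page.
my $DATA_DIR = '/var/www/data';

# Split a query string into a hash. Every value produced here is still tainted
# when the input came from the web server.
sub parse_query {
    my ($qs) = @_;
    my %p;
    for my $pair (split /&/, ($qs // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $p{$k} = $v // '';
    }
    return \%p;
}

# Return a clean basename from a request parameter, or undef if it is unsafe.
# The capture ($1) is the only way data leaves taint, so the pattern is the
# policy: letters, digits, dot, dash, underscore; no slash and no leading dot,
# so neither "../" nor an absolute path can reach the filesystem.
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw && length($raw) <= 64;
    return $1 if $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9._-]*)\z/;
    return undef;
}

# Create $DATA_DIR/<name> and write $content into it. O_EXCL makes the open
# fail if the file already exists, so a writable directory never lets a request
# overwrite something that is already there (the second failure described above).
sub save_file {
    my ($name, $content) = @_;
    my $clean = untaint_name($name);
    return (undef, 'rejected file name') unless defined $clean;
    my $path = "$DATA_DIR/$clean";
    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0640)
        or return (undef, "cannot create $path: $!");
    my $body = $content // '';
    print {$fh} $body;
    close($fh) or return (undef, "write failed for $path: $!");
    return ($path, undef);
}

# Driver. A web server sets QUERY_STRING (tainted); the constructed default
# below, a traversal attempt, is for a stand-alone run and is rejected because
# the decoded name starts with a dot.
my $qs = $ENV{QUERY_STRING} // 'name=..%2F..%2Fsomewhere%2Felse&content=hello';
my $p = parse_query($qs);
my ($path, $err) = save_file($p->{name}, $p->{content});
print "Content-Type: text/plain\r\n\r\n";
print defined $path ? "stored as $path\n" : "error: $err\n";
```

    Run it as: perl -T save.pl (when a script is started this way, -T has to be on the command line as well as the #! line). With the constructed query string the request is refused; with name=report.txt&content=hello the file is created exactly once and a second run fails on O_EXCL. The mode passed to sysopen is still subject to the process umask, and the script does nothing about the third failure, the unpatched daemon: that is what the vendor updates discussed throughout this thread are for.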
  • I run Windows NT (ducks throw vegetables and fruit), and I have the benefit of using (according to PC Week) the only OS which has a centralized patch distribution place.

    Yeah. Ok.

    So, why isn't this obvious? If it weren't for the Ars Technica NT Tweak site, I wouldn't have known that SP5 was out. Hell, I wouldn't have known about any of the hotfixes currently available. Go centralization.

    Speaking of which, MS's "patches" are a joke. The warnings on those things remind me more of quantum mechanics jokes than installation warnings: "Due to an effect called 'tunneling' your computer may blow up after you install this patch, and if it does, that's the will of the cosmos, not any problem on our part."

    Makes me feel all warm n fuzzy, like. Especially the fact that I have to reboot after each one, which means 3 patches = 30 minutes.

    I have friends who use Debian, and they just slap a key, wait a few minutes, maybe restart a service, and they're done.

    Me? I, uh... wait until the fact that I'm using obsolete and insecure software becomes painfully obvious and I have to avoid public shunning by seeking out the latest patches.

    I think it's interesting that they point out perceived "flaws" in Linux while comfortably ignoring similar flaws in NT.

    God, I love objective journalism...

  • Come now AC, don't hold back. Tell us how you really feel! Anyway, I totally agree with the general sentiment. This just isn't right. First the article is sort of apologetic for their failure to stay updated and then they bounce the blame right off on there not being a central repository for updates.

    Which is just plain silly. The hack could've been prevented if they'd just checked Red Hat's web pages sometime, or the updates ftp directory, or been on the proper mailing list. Or configured autorpm to deal with this for them. Exactly what is a company required to do to get heard by PCWeek's system administrators, perhaps sending out a fripping press release would help? Hmm, makes me wonder if they have found the repository for Microsoft Hotfixes yet. Maybe they just stick to Service Packs?
  • They are just sooooo wrong. Not applying 21 security patches to the Red Hat System (and those patches were readily available from the Red Hat errata) because that was something "a real life sysadmin would never do" but still they applied the SP 5 for NT... as if that's something a sysadmin would do? This is just way bad... I smell another Mindcraft here
  • Raptor does it? It just goes to show you, you can't make a decent firewall with one machine. I thought it was humorous that they felt they needed to put it on a dual pentium 450. I guess that's what happens when your "security experts" are really salesmen.
  • How about a response to the criticisms of the fairness of the test? Or are they still sticking with the 'Enterprises wouldn't apply 21 little patches' whining?

  • by kevin lyda ( 4803 ) on Tuesday October 12, 1999 @07:43AM (#1620198) Homepage
    They're correct, there isn't one. But there is a central place to get updates for RedHat Linux:

    ftp://updates.redhat.com

    They can't make it easier than that, and unlike Microsoft's update site you don't need to click through gobs of advertisements.
  • In all the hoopla about this challenge, the party that is most culpable for the break-in has been the most silent. Neither PC Week, /., jfs, or anyone else involved has heard from the company that wrote the buggy perl scripts. Are they notifying their customers? Though their web site is surprisingly quiet on the matter, they do list their customers, which are presumably still running this buggy software! Will hoffice release a fix? Will they warrant that future versions have no new security holes?

    I don't begrudge a company for releasing buggy software, rather how they handle buggy (especially security related) releases.

    Legal liability is another interesting issue. If I was running hoffice's software, and lost millions of dollars because of a hacker, how liable would hoffice be, shrinkwrap licenses notwithstanding? Would PC Week be liable at all? jfs?

  • You mean like:


    Also contributing to the hacker's success were incomplete security updates on our test site. At the time we began the tests, Red Hat Software Inc. had 21 security updates available for Red Hat 6.0, which had been out for only a couple of months. (PC Week Labs will apply the patches to the Linux server and update the scripts for further testing.) While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system. Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.
  • Is it just me, or are they complaining that there are too many distinct patches for software that has only been out a couple of months, making it difficult to find all these patches? If an admin is willing to refresh his software for a .1 version within months after it comes out, I'm going to say that admin should be able to apply patches when he does so. This is still getting under my skin.

    I feel I should also point out that "The hacker bypassed the firewall..." is a horribly ambiguous statement. Was his passing by the firewall authorized, or not? I honestly can read that sentence either way. If I bypass the security of a museum to steal the Jewels, that doesn't mean that I chose to steal the Jewels INSTEAD of attacking the security, does it?
  • They put both servers behind Raptor firewall
  • Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.

    No central infrastructure, as in you *have* to get patches to Microsoft OS's from Microsoft, and you can get patches for Red Hat's product from, none other than, Red Hat!

    Of course, you can *also* follow freshmeat.net, or other freely available "portals" to also keep Linux up to date. Then again, NTBugtraq is just as good a resource for keeping up on Microsoft issues as anything.

    Microsoft has a "central infrastructure"? Yeah right! How many times have you heard of a security problem from Microsoft first? The difference is not the infrastructure, it's that with MS OS's you have to *wait* until Microsoft responds before *you* can do anything about it.

    -Brent
    --
  • Have a look for the Linux Administrators Security Guide (LASG), has info on chrooting most of the services which can be chrooted.
  • by rde ( 17364 )
    It's all very well to come out with explanations, etc, but there's still no excuse -- except cheesy publicity seeking -- for running a head-to-head contest like this in the first place; it does nothing except betray the cluelessness of the ZD journos.
    The impression I got from the story was that if someone as knowledgeable as Ziff Davis can be hacked, so can anyone. Whereas the 'hackable anywhere' bit is true, it's simply ass-covering on the part of ZD.
    What did this test prove? That Linux is less secure? That ZD haven't a clue?
    "The bottom line is daunting: don't let your guard down. Ever." And don't ever trust ZD.

  • "linux" does not have services enabled by default (it can't, it's a kernel). redhat, however, does ship with unneeded stuff enabled.
  • "..these rediculous(sp), unprofessional.."
    ridiculous

    "...these feascos(big sp), point..."
    fiascos

    other than that, PR would be a great thing for Linux to have. But your other point, that where they say Linux, they should be saying Redhat, applies to that point as well. Redhat should be pumping out some of those IPO dollar signs to push some PR. At least some. A good press release, perhaps. The quiet period is over, isn't it?

  • Something someone else said kind of crystallized this for me - it didn't occur to PCWeek, and it wouldn't occur to a Windows Admin, that an OLDER system could be more secure, would it? I mean, if I'm going to put up the most secure Windows machine I can, I'm going to use the latest Windows, because it fixes what was wrong with the older versions of Windows. The idea of fixing an older version while developing a new version is anathema to MS development. This shows through in the fact that many of their patches represent the addition of new features as well as the correction of issues. There is no separation between "Works Better" and "Does More" like there is for the Unix world.
  • Yup. What they are basically claiming is that IT managers wouldn't want to apply those patches. C'mon, there is nothing at all of value on any of my three systems, and I keep them up to date on a daily basis. If I were paying someone to do IT for me, and they refused to do something I could do myself (rpm -ivh *) I'd personally clear their desk into the street. To claim that it wouldn't be done because autorpm "doesn't let you know what is going on to your system" is completely disingenuous.
    ~luge
  • One Of the Many ACs writes:

    I don't think so. For any operating system it is impossible to track all of the patches for every single program for that one operating system in one place, but a good place to start would be:
    http://www.securityfocus.com/ (aka: BUGTRAQ)


    ZDnet has a point here. I have the same problem they have when keeping my boxen secure. (Of course nothing is more secure than off (Hey, it would be left on if I wasn't on dialup.)) BUGTRAQ is very good, but what they (and I) would like to have would be a freshmeat of security patches. (Call it rancidmeat (it's all about bugs, get it? Oh I crack myself up sometimes (but not this time).).) It could be run just like freshmeat, nothing actually there, just links to the patches. Have it summarize BUGTRAQ and several other official and "unofficial" security sites, and provide links to the patches. Sure it's work (so is freshmeat), but certainly it's doable. (Disclaimer: I'm not saying this fictional site would be perfect, but it would be better than what we have now which is a hodgepodge of several different sites. I certainly would like to take part in something like this.)

    M$ Propaganda^H^H^H^H^H^H^H^H^H^H^H^HZDnet writes:

    The hackpcweek.com site also showed us that some simple security
    measures, such as complex passwords, are great in theory but nearly impossible in practice. The hackpcweek site comprised six servers. Imagine how difficult it was to remember passwords such as [Athl!g. We couldn't...


    Ahh geez, and they wonder why they had security problems. I'm sorry but this is just stupidity on their part. I have a minimum of 12 different passwords each as arcane as theirs and I have no problem. (For "added security" none of them are based on any sort of mnemonic phrase). Of course if they actually used the passwords on a daily basis, then they would remember them and wouldn't have to have them written down. (Eventually you'll "forget" the password when typing them in becomes automatic. ("What's your password?" "Uhhh... *goes to a keyboard and types* apparently Ghj3$/f ."))

  • (off the "PC Week Recommends" [zdnet.com] image...)

    "- Install all vendor-recommended updates: .."

    A little hypocrisy?

  • Dunno. Works just fine for me...
  • Scanning through the list of recommendations at the end of the mindcraft article they mention Carefully examine all software being installed on the servers. There's one thing they missed in this direction. When you are designing/writing a web based application, start thinking about security when you start building the app. You need to consider:
    • any known flaws/holes in the technologies you are going to use and how you can circumvent them if necessary,
    • how the new app. will interact with your existing secure infrastructure, and
    • how your app may get recycled in the future to do something slightly different that could impact your site's security.
    These days I figure that any app. written, that's going to go online needs to be checked for security impact before the design is finished. Otherwise it shouldn't make it to a production server. I'd rather do more work up front, and save myself the trouble later when I can't take it down to fix it -'cause it's already being used.

    locust

  • What were they going on about with AutoRPM?

    Clueless as usual, they didn't do the research, but assumed (probably based on the feedback they got) that the *only* way to patch Linux was to use autorpm and that the process went something like this:

      # autorpm
      Checking current installed packages....
      Downloading new packages....
      Installing packages....
      Done...

      Your server is now secure.
      Please do this at least once a day.
      Please note that this will *not* run from cron.
      #

    Of course, a few minutes on Red Hat's site would have shown that they could download the patch manually and verify what it did. *Then* they could use autorpm to automate the process of getting the patches on all the servers.

    So, how does running "setup.exe" to install a service pack provide you with any more ability to see what's being done to the server than PC Week's idea of AutoRPM?

    -Brent
    --
  • From what I understood, there were two "essential" parts to this exploit: getting regular user access to execute a cron job, and the easily available crond exploit. Honestly, had it not been for PCWeek's unaudited CGI script, he would have never been able to execute the crond attack.
    And what's this BS about not installing the updates from RedHat? It would have taken them 10-15 minutes, compared to ~45 minutes installing NT service packs. Administrator stupidity does not make one O/S inherently less secure than another. It's that simple.

    -- Kameron Gasso (kgasso@blort.org)
    --
  • We all know that SP5 is a cumulative fix pack - containing many "hot fixes".

    Compare these "hot fixes" to RH "updates" and it's the same thing.

    Microsoft releases a Service Pack every 6 (?) or so months, so in between, they release hot fixes. Any competent NT administrator would install these hot fixes, just like any competent Linux administrator would install RH updates.

    PC Week have clearly contradicted themselves - it's just plain *stupid*.

    As for "no central repository" - another contradiction, what makes an update from Microsoft more "trustworthy" than an update from RH? What makes a file downloaded from ftp.microsoft.com more "verified" than one from updates.redhat.com?

    nyeah.
  • www.rancidmeat.com is already taken.

    www.rancidmeat.org isn't. Any takers? :-)


    Chief Prosecutor
    Advocacy Department
  • Originally I was going to say things like how brain dead you are (especially since you're running Windows and hanging out at /.) But then I remembered:

    "never argue with a fool, people might not know the difference"

    So I won't bother arguing with you.


  • "Also contributing to the hacker's success were incomplete security updates on our test site."
    Aside from the incorrect use of the term "hacker" (a fie on thee for thy misuse!), this snippet is excellent highlighter fodder for PHBs.
  • RedHat does have a patch repository, but has anyone actually had to LOOK for a particular security patch on Microsoft's site (ex. not followed a link directly to a particular patch)? Good luck.
    sounds about right to me :+)
    I have currently been on hold to M$oft tech support for thirty minutes ("We are sorry to keep you waiting, your call will be answered by the next available operator"). This was after ten minutes of tracking down MS Q document Q182671, following the link to Novell's site, following the link BACK to Q182671, finding the section marked "patch available, but not tested, contact MS pay-support for the patch". First guy cut me off after giving me a telephone number (after a mere 10 minutes on hold) which turned out to be for a Sales guy tasked to send out SP2 and nothing else. Got put back to first guy, who finally figured out that it might not be something I could download from the web (or else why would I be phoning?), gave me a "case id" and put me on hold. that was half an hour ago..........
    now this is for a minor patch to a spreadsheet - what would it be like for a major security loophole in NT?
    --
  • Sorry, Bill, but the rules have changed. You can't kill Linux with FUD any more than you can buy it.

    This was recognized by Microsoft itself in the infamous Halloween document - at least, some clueful person at MS recognized it. Not Bill, apparently. hehe. "Learn by doing". hehe. Go ahead, Bill, make our day. hehe. Hmm... I'll stop now - too many stupid jokes to write in this small space. The bottom line is: the attempting Fudding of Linux just turns into more free advertising. Hmmm. "Linux: even the advertising is free." hehe. OK, I promised to stop, I'll stop now :)
  • What I find funny in this explanation, and in that regard it matches the guy's own description, is this:

    They take two pages to describe how he painstakingly went through the process of scanning the Perl scripts, trying to squeeze in an executable under the exact right size, and ultimately gets to a dead end.

    And then, in one line, they tell you he got an exploit off Bugtraq and got root access.

    They're very quiet about that last bit... Yet it seems to me like it's the essential part of the exploit. Yes, accessing online resources and security websites is one of the main tools in the cracker's arsenal. Far from me to say that these sites should be banned! What I mean is, they should be read as much by the admins as they are by the crackers.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  • Only an idiot administrator would expect there to be some magical command to "fix my computer and make it secure" (yes sir, right away, sir!)

    How true... installing OpenBSD takes a few commands ;-) Seriously, though - a central resource is fairly difficult to maintain, and I think that the efforts at BUGTRAQ have been well above par - I can remember several instances where patches came out in record time for security holes, as opposed to the normal M$ - wait for the SP theory.

    UNIX people prefer to pay attention and take responsibility for their own security.

    Then there's the continuing trend for Windows hot fixes and service packs - they install, without telling you what they do, or offering any version checking - I know a couple of NT admins who have "fixed" security problems by adding an older hotfix that may have kept the one bug they were worried about closed, but re-opened another one that was fixed later. There's a good reason that DLLs, etc. all have version info. There's something to be said for proper revision control, and doing a little bit to prevent people from backtracking...

    Just my $.015 (I always come up a little short)
  • Actually you know EXACTLY what the service pack is installing, if you read what the service pack fixes and updates.

    Yes, but I figure if administrators don't want to take the time to read the README with the patch under Linux and check out the RPM, they probably don't bother with the effort of reading the txt file with the service pack under NT.

    -Brent
    --
  • From reading the way the cracker finally got in, does anybody know if one of the security fixes that were available would have actually stopped this exploit? It seems more like the CGI was the culprit, and the lack of security patches, while an issue in general security, had nothing to do with this particular break-in.

    From what I remember it was the Cron hole that allowed him to exploit the CGI scripts hole, so without the Cron hole he wouldn't have been able to do it, and yes there is a patch out for that.

    Kintanon
  • If you're working admin on boxen, and you're not skimming Rootshell, Bugtraq, etc. you're just asking to be "owned".
  • Well, yes, there were some good points, and you have made some good points as well. :)

    But - saying something like "it's too hard to remember secure passwords, so we stored them on a laptop, and if it had been cracked the whole network would have been vulnerable..."

    I mean, come on. That doesn't make them sound terribly professional.
  • > C'mon, this article is actually pretty good. ZD isn't bashing Linux, they are basically summarizing the hacking contest.

    But is that the message the PHBs will hear? Is that what ZD wants them to hear?

    The whole art of FUD or any other sort of propaganda, if you're good at it, is to say things that you can defend in their surface form, but which bear a between-the-lines message that twists the truth to your advantage.

    If they had merely wanted to evaluate the difficulty of securing systems, they didn't need a shootout. A single system would have sufficed.

    Printing such loaded messages is inexcusable, particularly from a rag that is subject to reasonable charges of conflict-of-interest.

    BTW, I'd be willing to wager that if you did a reader survey on this article, you'd find that more remembered the between-the-lines message than remembered the objective facts presented in the article. Such is the nature of the human mind (and that's why FUD and propaganda often works so well).

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • Answer me this then. If WinNT is so secure, then why does it require very expensive virus protection? Or do rogue programs wandering around screwing up your system not count as security holes?

    You were asking PC Week, right?

    Personally, I would never use an OS where features are specifically added that allow you to do malicious things, and requires more software, not to "prevent" it, but to stop it ASAP after it happens.

    The NT security model is the worst that I could ever imagine. At least security holes in Linux and other Unixes rely on bugs that can be fixed without breaking a lot of legitimate stuff.

    -Brent
    --
  • The Chowder-head writes something about "...Gibraltar, a place known as 'The Rock' because of its impregnability..." Oh yeah? I thought it was known as 'The Rock' because, uh... because it *is* a rock!

    (Yeah, so it's pretty impregnable, in military terms [or at least it was, back when fortifications still worked] -- but that is *because* it is a rock, not the other way around.)

    What a nitwit, that Pankaj.


    Christian R. Conrad
    MY opinions, not my employer's - Hedengren, Finland.
  • What does this tell you about NT, when they have to put all their security patches onto CD. NT == consumption of resources, ridiculous interface, lack of reliability etc... Though it does have one thing, ease of use, whenever I need to fix something in Win all I need to know is Ctrl+Alt+Del
  • is autorpm the same thing as the update agent in gnome that comes with redhat 6.1? I think it needs a registration key from a store version of redhat.

    Unless we get the source? ;)

    ---
  • Harping on ZDnet because they only had to do 1 patch to NT and 21 to Linux is unfair.

    Sorry, SP5 isn't all there is to it. Remember that Microsoft comes out with hotfixes all the time. You still have to subscribe to a list or check the ftp site to get 'em. I bet they applied all the hotfixes as well.

    This test had nothing to do with Linux vs. Microsoft. It was obviously about competence. Did anyone ever crack that linux PPC box? I don't think so.

    Monty

  • What is even more amazing to me, is that the author of this article then goes on to give his opinion of circuit proxies vs. stateful inspection firewalls. Wow! This guy knows everything and he can even work in 40 hours or less. As an analysis for the breakdown this guy is great, but since I work in network security, no one is going to ask me for the next great advertising idea. It's unqualified opinions that have people all over the world afraid their money is just going to disappear on 1/1/00 because they fear, they have uncertainty now, and they doubt.

    I've got an idea... If you're working heavily in "E-commerce," why don't you hire someone (or a team) to work security full-time. That way you can take your $1000/month and get almost $5,500/month worth of work. And if your sysadmins cannot type rpm -Uvh, but they can click on an icon, I suggest you get new sysadmins.

    No one who is going to "do business" on the web should under-estimate security. That would be like doing business with a bank that had one of their tellers watching the door on a heavy-deposit day.

    "I've learned that it takes years to build trust and only suspicion and doubt to destroy it."
  • Yeah, that autorpm comment is pretty bogus if you consider the 'fact' (my opinion, really) that knowing what an NT service pack does to your system is probably trickier (sure, there's a list of fixes, but it seems there's always a 'numerous other minor fixes' item).
  • No, autorpm is a third party program. I've been using it since RedHat 4.2.

    You can get it from ftp://ftp.kaybee.org/pub/redhat/RPMS/noarch
  • You guys aren't going to get Windows 2000 out the door by January 1st unless you stop spending so much time astroturfing on /.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • I'm using W95 and Netscape 4.61. I had trouble copying text also. It will work though. If you use your mouse to select the text, it will not show up as highlighted, however if you hit copy it will copy that text.

    I'm curious about why this happens.
  • ...but not that advanced. A truly advanced hacker finds his own exploits instead of going on to rootshell or bugtraq to find one.

    ZD says that they are going to apply the 21 rpms sometime soon and do the whole thing over again to make the matter more fair. Sounds like a good idea to me.


    emufreak
    www.kontek.net/pp
  • I've registered the domain linuxpatch.com (not hosted yet). I'm working on a centralized patch database/repository...complete with ratings by importance (ie security) and stability.
  • Speaking of which, at some point in the near future I'll probably need some help cataloging updates(I'll eventually start using bots to help). If anyone is interesed, e-mail me.
  • It is a real problem. I recently received a security bulletin at work that had new guidelines for selecting "uncrackable" passwords. The only problem is that the guidelines ensure that the password will be difficult to remember. I have to use three different mail systems, several networks and numerous computers. That is a lot of passwords to remember. Plus they are supposed to be unique, not written down and changed regularly.
  • Actually, it's good for Linux because other magazines will be publishing editorials saying:

    Windows only looks better than Linux when someone cheats.

    Microsoft and its toadies (Mindcraft, ZDnet) still don't understand the internet. The rules of the FUD game have changed.

    Gone are the days when you could publish an article like this with impunity. Ten years ago, mostly only Windows users would have seen it to start with (due to the venue), and that small fraction of the readership who did spot the b.s. would not have a ready channel of spreading the word.

    But today, only one of the clueful has to see it. That reader posts it to /. or the like, and 10K people see it within a few hours. And a large fraction of those 10K are also clued in, so the b.s. has its odor pointed out in detail, and echoed all across the internet.

    FUD relies on treating people like mushrooms. But with the internet, that only works for people who limit themselves to MS-sponsored sites. The public at large does have access to the facts.

    Sorry, Bill, but the rules have changed. You can't kill Linux with FUD any more than you can buy it. You're going to be forced to innovate, however much you hate it.


    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • Nobody should run publicly accessible CGI scripts that don't have taint mode enabled. Just start off your scripts with

    #!/path/to/perl -T

    and fix everything that breaks.

    You will close off a lot of security holes that way...

    Ben
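    The taint-mode discipline Ben describes, as an added example that is not part of the original post: a small "ping this host" CGI handler run under -T, where the request parameter is only usable in system() after it passes a strict regex (the form, the helper names and the sample request are constructed for this example).

```perl
#!/usr/bin/perl -T
# Added example, not from the original post: a minimal CGI handler run under
# taint mode. Invoke as "perl -T script.pl" (the -T must also be on the
# command line, or perl dies with "Too late for -T").
use strict;
use warnings;

# Under -T, system()/exec()/open() refuse to run while %ENV carries values an
# attacker could influence, so pin PATH and drop the variables perl flags.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Decode an application/x-www-form-urlencoded query string into a hash.
# Every value it returns is still tainted: decoding is not validation.
sub parse_query {
    my ($qs) = @_;
    my %param;
    for my $pair (split /&/, ($qs // '')) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k;
        for ($k, $v) {
            next unless defined;
            s/\+/ /g;
            s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
        }
        $param{$k} = $v;
    }
    return \%param;
}

# Return the host parameter untainted, or undef if it fails the whitelist.
# A regex capture is the only sanctioned way to launder tainted data, so the
# pattern must be strict: no shell metacharacters can match it.
sub untaint_hostname {
    my ($raw) = @_;
    return undef unless defined $raw;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $1 if $raw =~ /\A($label(?:\.$label)*)\z/;
    return undef;
}

# Constructed request for a classic "ping this host" CGI form; a real web
# server would supply QUERY_STRING from the client.
my $params = parse_query($ENV{QUERY_STRING} // 'host=www.example.com');
my $host   = untaint_hostname($params->{host});

print "Content-Type: text/plain\r\n\r\n";
if (!defined $host) {
    # The classic CGI hole is system("ping -c 1 $raw"): under -T that line
    # dies with "Insecure dependency in system" before a shell ever sees it.
    print "rejected: host parameter failed validation\n";
    exit 0;
}
# List-form system() never invokes a shell, and $host has been laundered
# through the regex above, so taint mode lets it through.
my $status = system('/bin/ping', '-c', '1', $host);
print "ping exited with status ", $status >> 8, "\n";
```

    Feed it a request such as host=www.example.com;id to see the rejection path; the regex, not the shell, is what decides.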
  • It's that simple and not mentioned anywhere in the article.
    OpenBSD hasn't had a security patch in the last year after its rigorous auditing.

    Hajo

    PS: http://www.openbsd.org/
    "Sending Kiddies to /dev/null since 1995"
  • As a sysadmin for a huge NT network (Server and workstation) applying 21 patches would be nice and easy! Let's see, each new pc that comes in..
    Apply SP-3 (no higher because SP4 & 5 are severely unstable), add 13 hotfixes and the Y2K hotfixes, patch I.E., patch Office, patch Outlook... That's a total of 23 things to do, where most of these "patches" take 1-2 hours to download and force a fix to be applied to fix what the fix broke.

    This "contest" was a huge joke. PC mag has never EVER had any clout with me or anyone I know, 90% of the time they either do basic things like an article on "how to turn on your computer" or "the mouse really isn't a foot-pedal", basically a useless mag except for the inept that really shouldn't be using a computer to begin with.

    This test proved one thing to me.... they wanted to scream "MEE TOO! MEE TOO!" with the ranks of other real mags.
  • Also contributing to the hacker's success were incomplete security updates on our test site. At the time we began the tests, Red Hat Software Inc. had 21 security updates available for Red Hat 6.0, which had been out for only a couple of months.

    Okay, wait a moment ... if I understand the hack correctly, the security patches wouldn't necessarily have made any difference anyway, because this person got in through a flaw in the CGI, not the OS itself. While I agree it's completely foolish for a large company to skimp on easily available security updates directly from the vendor, we'll never know what effect installing them would have had on this contest since that's not how the site got hacked.
  • Yes, there have been (21) "security" fixes for RedHat v6.0, but how many of them apply to their setup ??

    For example:

    Two of the updates are Netscape fixes. Is their server running a copy of Netscape ? Not likely ! Therefore, we're down to (19) fixes.

    Two more are updates for XFree86. Well, they probably are running X ! You know, they are used to pointy-clicky administration!

    Another is an update for "mars-nwe". Isn't that a client type program for logging into Netware servers ? Again, probably doesn't apply to their setup.

    A fix for KDE...okay, that can make Linux look like Windows, so, they probably are using it!

    A fix for gnumeric, a Gnome spreadsheet program.

    How many more of the RedHat updates don't apply?? If I don't have the RPM for "pump" installed, I certainly am not going to install the "fix" for it!

  • by kaybee ( 101750 ) on Tuesday October 12, 1999 @09:15AM (#1620269) Homepage
    I was happy with the article in general... especially the detailed log of how the hacker broke in. It is true that CGI scripts can potentially be security holes in an otherwise very secure system.

    My only problem with the article, however, is the treatment of the Red Hat official updates. You mention that there is no central place to find "linux" updates. Well, there is. Red Hat provides a central source for all of their official updates. This is the same thing as Microsoft providing its Service Packs. Red Hat guarantees that these security updates are okay to apply to your system... and, in fact, they don't release them unless you *should* install them on your system.

    You mention the program "AutoRPM" (I'm the author of this program). The best way to use this program is to have it regularly (i.e. every night) check the official set of updates from Red Hat and apply them if new ones come out. What you do, however, is configure AutoRPM to check the PGP signature of the updates before it applies them. When Red Hat releases security updates, the patches are signed with their private PGP key. If you configure AutoRPM properly, it will use Red Hat's public key to check this signature. In other words, with only a few changes to the default config file, you could have set up AutoRPM to automatically install *official* and *verified* security updates from Red Hat. The only reason this isn't the default configuration is that PGP doesn't come with Red Hat (due to US export restrictions on cryptography).

    If you would have spent the 5 minutes to properly install and configure AutoRPM, the Red Hat Linux machine would *not* have been hacked (at least not in the way it was) because the cron security exploit would have been automatically patched by AutoRPM.

    - Kirk Bauer
  • I agree with the "But no administrators..." part. I do not agree with the "The only option..." part.

    I, for one, had the cron patch installed. I'm not a security guru. I'm not a bona fide sysadmin. I'm just a desktop Linux user who likes to take care of the easy stuff.

    And easy it was: I am subscribed to Red Hat's mailing list, and they send me a message whenever security updates are available. I read the message, and fetch the update if it applies to me. The elapsed time is usually about 30 seconds + download time.

    Autorpm is not the "only" option.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • | I'm the sysadmin for a small ISP, and no I
    | haven't had time to apply the 21 patches on
    | all of the redhat boxes, the various BSDI
    | patches, updates to all the '98 boxes, etc.

    This is a good point, though I don't personally believe that security should be as low of a priority as a lot of people seem to think it is.

    For example, the ISP I use runs its systems on Redhat Linux. They provide shell accounts, which is good - and one of the reasons I chose them. However, I've noticed that they're quite far behind on security issues, and it'd be essentially trivial for someone to root their boxes, if it hasn't been done already. (Now I've done it ... mentioning it on Slashdot. ;) )

    I also notice that they're behind on versions of sendmail *despite* having been warned about it several times. Thus, all the mailservers they run (and there are several) are wide-open relays just waiting for a malicious spammer to start spewing out junk mail.

    As for the 21 patches, not all of them would be appropriate for a server machine - particularly if the service isn't installed (for example, if you have no FTP daemon, why do you need an FTP patch?).

    Did you *see* all the stuff that they did to the NT server? Heck, even installing all 21 RPMs sure looked easier to me!
  • What were they going on about with AutoRPM? I'm sure that selecting a package to install and going to the Package-Info option tells you where the RPM comes from. And it has a PGP verification option...
  • by Col. Panic ( 90528 ) on Tuesday October 12, 1999 @07:52AM (#1620286) Homepage Journal
    What I want to know is how they can in one breath say they took all reasonable security procedures that any sys admin worth his/her salt would take and the next say they are going to add the 21 security patches and test again...

  • by __aaswyr5774 ( 66534 ) on Tuesday October 12, 1999 @07:53AM (#1620287)
    They claim early on in the article that security is tough stuff, absolutely true. Then they claim that it's only going to get tougher. Absolutely wrong.

    If you keep using the latest and greatest stuff then yeah, of course you're going to need someone on staff auditing your system's security all the time. The point they miss, though, is that code matures from people looking at it, fixing holes, and changing the packages to be distributed in a default tightly-locked state. (When was the last time you worried about a vulnerability in finger?)

    Admins will always need to be aware of security. But it's getting more and more to the point that you can set it and forget it. Especially if you spend the ten minutes to keep up to date with the new patches on updates.redhat.com.

  • I notice two statements off the bat that not only are both wrong, but they contradict each other.

    First they say there is no single place to get all the updates. Since they are running RedHat, that is wrong, because they could get them from ftp://updates.redhat.com/

    Second they say that if you want to keep up with the security updates, your only choice is to run autorpm, but that's a bad idea because it installs software without you knowing what is going on. Leaving aside the fact that this contradicts the first statement, it's also dead wrong. If you set one configuration variable in autorpm, instead of installing the updates, it will just download them, and send you an email advising that they are downloaded. Then you can pick and choose which ones to install using "autorpm --apply", which will show you what the package is, where it got it from, all the rpm info, and let you choose to install, defer installation for now, or remove it from the queue. It doesn't get any simpler than that.

    Would you rather get your security patches the day after they are available, or would you rather wait for Microsoft to bundle several security patches up into a Service Pack CD?
  • by Dast ( 10275 ) on Tuesday October 12, 1999 @07:57AM (#1620291)

    PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement.

    Well that is very interesting isn't it. Then why weren't the available security fixes for redhat applied. Bah. They went to the trouble of getting service packs for NT, but couldn't rpm -Uhv *

    While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system.

    Well isn't that special. http://www.redhat.com/corp/support/errata/rh60-errata-general.html

    Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.

    Last I checked, no hole in the kernel was exploited. As for the other components, you buy from redhat to get the central infrastructure. You could roll your own distro if you wanted to worry about updating all of the individual packages. When you buy a distro, you pay a company money to package things for you, so when you need an update, you go to them.

    The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them

    Again wrong. I don't use debian myself, but I believe they have a system for doing just that in a much more secure manner.

    The bottom line is daunting: Don't let your guard down--ever.

    Right. Basically like they did by not applying the fixes put out by redhat and using unaudited cgi scripts.

  • True, but bugtraq is a good approximation, and freshmeat is a very good approximation of an updates site.

    Redhat and Debian have upgrade facilities, of one sort or another. (Debian's is semi-automatic, I believe. Just run a script, and newer packages are fetched over the net.)

    I'd say that bug reporting is more-or-less down pat, but could be done through bug-reporting scripts, to make it easier on newbies. Upgrades are almost sorted, but maybe need a bit of touching up for those same newbies.

    IMHO, the facilities all exist, it's that they're either not known to the unwashed masses, or not simple enough for them.

  • by scumdamn ( 82357 ) on Tuesday October 12, 1999 @07:59AM (#1620293)
    What's with every ZDNet writer thinking they're a pundit lately? Check these two quotes out:
    Companies that don't keep on top of application fixes will be at the mercy of hackers who do.

    While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system. Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.

    If Pankaj was a network admin in charge of securing the system he'd be fired. 'Nuff said? No. To spread the FUD that Redhat is insecure because the patches are difficult to download is a disservice to anyone interested in an alternative to Microsoft. This definitely smells like another Mindcraft. I wouldn't be surprised if prominent members of the open source community refuse to even deal with ZDNet anymore because they recognize that whatever ZDNet is involved with is most likely a hatchet job.
  • by BabyP ( 93869 ) on Tuesday October 12, 1999 @09:33AM (#1620295)
    ...aren't we?

    C'mon, this article is actually pretty good. ZD isn't bashing Linux, they are basically summarizing the hacking contest...saying what they did right, and what they did wrong. Notice in the "PCWeek Labs recommends" section they didn't say, "Don't use Linux. It's insecure." They give helpful recommendations to keep any system secure. Install all security patches, DUH!

    They note that they didn't apply the patches RedHat had. They are admitting that they made a mistake here. They're saying, basically, "Don't DO that!"

    They note that there is no central repository for verified Linux patches. Well, yeah...there isn't. There is one for Redhat's distribution...which of course is what they were using. Apparently they didn't know about the site. They do now, though, and are applying the patches to retest.

    The point of the article can be summarized in the first sentence: "Security is hard." Not "Linux is Bad, NT is Good."

    The only thing I can find wrong with the article is that they don't describe in enough detail what they did to the NT system (aside from disabling services)

    -partap

  • After getting severely lambasted for his previous flippant response to this hack, this Pankaj Chowdry character has the nerve to serve up more obfuscating, deflecting drivel.

    Once again he talks about the Linux server needing 21 patches for the RedHat 6.0 release which had been out for only a couple of months. Is he for real? Is this some kind of excuse for not doing his job and performing an adequate security check on the box?

    He goes on to say ...there is no central repository for testing or approving patches to the Linux system. My god this man is a boob. "The Linux system" in question here is RedHat, specifically version 6.0. Redhat lists the errata for each version that they release, complete with cross-referenced bugs and resolution comments. How is this any different than accepting a Service Pack from Microsoft (which Pankaj conveniently forgets to acknowledge were applied to the NT box by, guess who...Microsoft) ? Did Pankaj retest each of the bug fixes included in the Service Packs. I would suspect that he didn't. Yet, all of a sudden Pankaj wants to be Super Administrator and retest each of the bug fixes that Redhat has already certified.

    Pankaj then goes on to disparage the autorpm utility because no administrators in their right minds would use this sort of utility because they would have no idea what was being installed on their server.

    I would like to request that Pankaj release his testing methodology used to verify what was included on Microsoft's Service Packs and whether they a) fixed everything that was broken and b) did not introduce new avenues of exploitation into his system

    I don't understand how this person was able to get this past his boss. But then I forget that his boss is John Taschek who has lost any ounce of credibility that he ever had in his handling of this and any other "independent" comparisons of Microsoft and Linux products.

    Keep up the good work Zdnet and Ziff-Davis. Just keep it up.
  • A lot of posts are focusing on the lack of patches applied to the RedHat box. While that is a big issue, nobody has touched on this yet:

    They are attacking Open-Source/Free Software as well. And doing it with blatant but subtle lies, no less. They go to all the trouble to point out that it's an Open Source CGI ad app, when in fact it's NOT. It's source VIEWABLE, and editable. Very important distinction. You cannot contribute fixes back, and cannot share those fixes with your neighbor. The community cannot collectively pound out holes and bugs in this package.

    As much as I appreciate OSI's work, the term Open Source is just a can of worms. How many people now have it in the back of their minds that Open Source is just less secure? Baseless FUD.

    ZDNet sickens me more each day. Sigh.

  • Sure it's work (so is freshmeat), but certainly it's doable. (Disclaimer: I'm not saying this fictional site would be perfect, but it would be better than what we have now which is a hodgepodge of several different sites. I certainly would like to take part in something like this.)

    I'm working on this. I registered linuxpatch.com (not hosted yet) last week. E-mail me if you'd like to help. I'm still in the very early stages, though.

  • Nice article, but the guy who cracked the box wrote up a detailed account of *exactly* how he did it, complete with code:

    http://hispahack.ccc.de/en/mi019en.htm [hispahack.ccc.de]

    Very interesting reading.

    -jason

    http://www.kottke.org [kottke.org]
    "home of fine hypertext products"
  • Seems to me that PC Week is leaving holes in their article large enough to drive a truck through. For example, their server CERTAINLY should not be running all the services that there are patches for on RedHat. So when you run autorpm or whatever you should even have an upgrade option associated with these services, right? How many patches are really needed for an http server? 4? 5? And look at all the configuration changes they made for NT! It's HUGE compared to what they did for Linux. It seems to me that admining all of these is far worse than admining 21 patches FOR WHICH YOU HAVE THE SOURCE CODE.

    These guys are a bunch of bozos. Sigh.
  • smtp.innova.net is 208.211.173.3. Check it out on ORBS [orbs.org] - it's already been abused by spammers.
  • by BrentN ( 90935 ) on Tuesday October 12, 1999 @08:00AM (#1620314)
    I think the most interesting thing about this (incredibly well written) PCWeek article is the paragraph on the 1st page estimating the personnel cost of maintaining a secure site

    To quote the article:

    This comes at a cost that rises quickly relative to presence online. ... at least one person dedicating 20 percent or more of his or her time to Web security. ... this amounts to a little more than $1,000 per month for a base-package site to remain securely online. For sites with more servers, more software and more connections to the Internet, the costs rise quickly.

    Now, the interesting question is whether or not this should be considered to be an inevitable overhead cost of maintaining an internet presence?

    In general, I think that security measures are becoming more powerful and easy to configure and administrate. Of course, as the de rigueur features of internet services change and evolve, the number of potential exploits increase.

    Unfortunately, I think the "5% of hackers" the article mentioned will *always* be ahead of any automated security measures due to the nature of the security flaws being exploited - those which are due to new code that hasn't been "burn tested" in the real world. Thus, these costs seem to indeed be inevitable.

    I think this is actually a corollary to Eric Raymond's apt observation, "Given enough eyes, all bugs are shallow." Consider: a company may have 5 or 6 people testing new code for security flaws before release. There may be over 1000 people trying to find the flaws (to exploit them!) after release. Who do you think is going to have better luck?

  • They can't make it easier then that, and unlike Microsoft's update site you don't need to click through gobs of advertisements.

    You must have missed a paragraph halfway down the first page.

    This problem is exacerbated by the distributed nature of today's enterprise and the need to test and verify any patch before it is installed on a mission-critical server. The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them. But no administrators in their right minds would use this sort of utility because they would have no idea what was being installed on their servers.
    Now the problem isn't *testing* the patches. They've learned that that won't fly anymore. Now they've done a 180 and decided that you *can't* test the patches. Of course, number 1, the claim that you *have* to use autorpm, which doesn't let you find out what you are installing, is ludicrous. And 2, when you click on the executable to install an NT service pack, and it's grinding away for 30 minutes, you really don't know what exactly it's installing, do you?

    I am sorry. I was willing to give PC Week a chance when they announced their project. But it's obvious that not only is it very biased toward who pays the bill, but they'll keep changing their "story" to keep Microsoft looking better.

    -Brent
    --
  • They claim early on in the article that security is tough stuff, absolutely true. Then they claim that it's only going to get tougher. Absolutely wrong.

    It certainly does get tougher as your demands increase. The more intricate the network services you're providing, the harder it is to keep them secure.

    Assuming that the site you are maintaining remains free of growth, things will become more solid. However no corporation wishes to even consider this possibility, and reasonably so.

  • I agree totally. Truth is, this all depends on how you define "a real live sysadmin". I certainly would never hire a "real live sysadmin" who didn't install security patches. What kind of sysadmin would that be? For cryin' out loud...the only way to do this test is to apply all Red Hat errata that relate to security at all, AND to apply NT-SP5...that's what REAL sysadmins are already doing all over the world for both OSes.

  • How can they reconcile these two statements:

    "PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement."

    and

    "Also contributing to the hacker's success were incomplete security updates on our test site."

    As other articles about this topic have pointed out, they deliberately only did half the job, but here PCWeek is trying convince us that they did a great job. Personally, I think "any IT manager worth his or her salt" would try to keep up with the latest patches on a weekly basis. This was not an objective test, this was using the buzzwords of the moment to sell magazines and generate page views. Considering how many PHBs read PCWeek, I can't see this article as being anything but damaging to efforts to convince managment that Linux is "as good or better" than NT.

    Dirk
  • The point they miss, though, is that code matures from people looking at it, fixing holes, and changing the packages to be distributed in a default tightly-locked state.

    They don't miss this point because it doesn't exist. NT *never* matures. Every time it gets a chance Microsoft tears it out and replaces it with newer, better code.

    We see that though, because our code does mature. We see no need to replace code that works, just because it was written more than a year ago :)

    Ah, I can just imagine PC Week debunking the "mature code" claim by saying that because Linux has thousands of developers working on it, the code must be being continually rewritten and replaced for no need at all ;)

    -Brent
    --
  • A real-life sysadmin would know how to run Debian's automatic update script, or how to download Red Hat's upgrade directory.

    I've known a lot of lazy & stupid admins, though. One place I've worked at STILL used Sendmail 8.6.12 - a version long-since stamped "Do Not Use - EVER!" by the people who made it. Their version of BIND was no more recent. SSH? Nah! RSH, with .rhost entries for every machine! They eventually set up a firewall, but deliberately left all the ports open. It was a security disaster waiting to happen. Given the company deals with classified and commercially sensitive information, it =had= to have been an out-take from a Geek's horror movie. (And, no, I won't say where it was.)

    Admins like that would probably spit on those 21 security patches - if they had the energy and dexterity. They would likely neglect NT, too, though.

    I agree that this stinks of picking the conclusion and fitting the data to it. Either they should run a fair test, or not run a test at all.

  • by A Big Gnu Thrush ( 12795 ) on Tuesday October 12, 1999 @08:10AM (#1620338)
    What does this test prove?

    If you look at this test as a contest between NT and Linux, then it proves nothing. Also, it's not an accurate test of ZD's abilities to secure a web server vs. another company.

    It does provide a behind-the-scenes look at how both sides (for lack of a better word) work. Details were provided on how the system was secured and how it was compromised. An admin reading this article might see parallels to his own situation. A clueless newbie might find the details of the crack amusing.

    I thought the article was well done. Both NT and Linux can be secured, but most aren't... at least not against a determined and skilled attacker.
  • Am I reading this right???

    "At the time we began the tests, Red Hat Software Inc. had 21 security updates available for Red Hat 6.0, which had been out for only a couple of months."

    and in the same paragraph

    "...there is no central repository for testing or approving patches to the Linux system. Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure."

    Is that not just a little self-contradictory? They're running a redhat machine, redhat has 21 security updates available, but wait.. there's no central infrastructure! I guess going to the vendor, creator, and supporter of your operating system isn't the central place to get updates for said operating system.

    Either they're totally clueless, or just a bunch of microFUD spin doctors.

    No central infrastructure??? Maybe not across distros, but each distro has its own, unique infrastructure for releasing fixes and updates to the users. They should have used the resources given to them BY REDHAT, and they know it. They just don't care, don't want to lose M$ advertising, and don't want to admit they fscked up.

    Welcome to the wonderful world of online journalism.
