Linux.com

Feature: Security

Dept. of Homeland Security site switches to Linux from Windows 2000

By Tina Gasperson on January 27, 2003 (8:00:00 AM)

The United States Department of Homeland Security (www.dhs.gov) changed its servers over to Oracle on Linux last week, after running on Windows 2000 for several months. Experts say that it is unlikely the change is a reaction to "Slammer," the MS SQL server worm that rocked the Internet last week.
Netcraft shows the change took place on January 24th and 25th. The site had previously run off the U.S. Office of Personnel Management servers, but now is listed with Energis Squared, the same group that hosts the White House website.

The changeover appears to coincide with the slamdown of the 'Net by the MS SQL server worm. Officials from the Department of Homeland Security were unwilling to comment on the server changes, but Jerry Brady, CTO of Guardent, a security consulting company that provides services to the federal government, says that it would not be possible to get a new server up and running that quickly. "The lead time there has got to be a lot more," he says. "Still, the general trend of vulnerability [in MS server products] would cause some concern."

Jay Beale, lead developer for the Linux lock-down tool Bastille Linux, agrees. "I'd love to tell you that they switched because of a Windows worm. Unfortunately, an operating system switch generally takes a lot more than a weekend to pull off, in terms of planning, testing, and actually moving. So they probably didn't switch because of that particular worm. It's far more likely that it was a planned switch to an operating system that they know they can more easily lock down," he says.

But Brady says, even with the incredible slowdowns and outages, it could have been a lot worse last week. "You could have done a lot more with that, with direct targets. Because of the randomness, this looked more like a science fair project," he says. "I'd worry a lot more about what comes next."

That's probably why officials decided it would be better to run the Department of Homeland Security site on Linux.

It's not that Linux and other open source solutions don't have security glitches; in fact, today Engarde Linux released information about and fixes for several MySQL vulnerabilities. The difference is that Linux and Unix can be "locked down" much more effectively, according to Beale.

"An experienced sysadmin can just do so much more to lock down a Unix-based operating system, especially Linux," says Beale. "Windows 2000 doesn't offer either the same kind of granularity of configuration or the equivalent ability to inspect pieces of the operating system."

Microsoft itself has said that the MS SQL server vulnerability could allow an attacker complete control over the victim system. Microsoft issued a patch for this vulnerability back in July of 2002, but judging by the slowdowns of the past few days, not many MS users availed themselves of the fix.

It would seem logical to switch to a more secure OS for which fixes appear almost immediately after security bugs are recognized, but most site owners across the country have not done that yet, unlike the savvy Department of Homeland Security. Even the fed's Office of Personnel Management servers, from which the dhs.gov website evacuated, are staying with Windows 2000 for now.

In fact, many government websites still run on Windows or other combinations of server/OS. Here's a listing of some:

  • www.firstgov.gov - apache on solaris - CERFnet
  • www.loc.gov - web on aix - Library of Congress servers
  • www.info.gov - netscape on solaris - GSA servers (switched from Microsoft IIS on NT4 in October 2001)
  • www.irs.gov - netscape on solaris - IRS servers (switched from HP-UX in January 2002)
  • www.fedworld.gov - apache on SunOS - National Technical Information Service
  • all DOJ sites - netscape on solaris - DOJ servers
  • www.nsa.gov - Microsoft IIS on Windows 2000* - Lingualistek
  • www.supremecourtus.gov - Netscape on Compaq Tru64 - U.S. Govt. Printing Office
  • most .mil sites - netscape on solaris - Defense Technical Information Center

Contrary to some speculation, Brady doesn't think the 'Net is at risk for a resurgence of the MS SQL worm this week. "The fix is so trivial," he says. "And it seems efforts to filter the traffic have been very effective. Besides, why would you ever put a SQL server naked on the Internet? There are a whole lot of other things you'd put up first."

*The website of the National Security Agency shows up as being hosted by Lingualistek, a small tech business in Maryland that runs its own site on Apache and Linux.


Comments

on Dept. of Homeland Security site switches to Linux from Windows 2000

Note: Comments are owned by the poster. We are not responsible for their content.

What do you know?

Posted by: Anonymous Coward on January 28, 2003 03:59 AM
It just goes to show you that military intelligence need not necessarily be an oxymoron.

#

Re:What do you know?

Posted by: Anonymous Coward on January 28, 2003 07:04 AM
I would be surprised if the NSA site isn't a *NIX/Apache box sending out modified headers, banners, etc.; or proxied by such. Or they could be masochists.

#

switcher?

Posted by: Anonymous Coward on January 28, 2003 04:01 AM
Or why not FreeBSD, NetBSD, or Solaris, or like a lot of gov places... Macintosh. It's sad when the worm fix was released back in July and we see people freak out and default to Linux.

Nothing bad about Linux but come on..

cx

#

Re:switcher?

Posted by: Anonymous Coward on January 28, 2003 04:21 AM
It is the license.
GPL, LGPL stops embrace and extend.
Everyone wants out from under Softy's thumb.
As Bill said to Steve,
It is not about being better.

#

come on what ?

Posted by: Anonymous Coward on January 28, 2003 05:25 AM
or like VAX/VMS at a lot of government places ?

the point is that we don't know why they switched to Linux. the article speculates. as with any OS, there are pluses and minuses for whatever environment you have.

most of the scientific computing at government labs use fortran...that doesn't make it

#

trustworthy computing

Posted by: Anonymous Coward on January 28, 2003 04:08 AM
I suspected a year ago that big govt contracts like this were at stake when Gates announced the trustworthy computing initiative. That probably bought them a few months' extension that just ran out for one customer at least. Somebody better start kicking more butt over at MS.

#

angling for corporate handouts

Posted by: Anonymous Coward on January 28, 2003 04:57 PM
Yes, government contracts are at stake. That's the only way that Microsoft can survive, barring getting a monopoly on network connections.


Look, the revenue that Microsoft has comes *only* from Windows and Office, and these are profitable only because they pull in about 5 times what the free market price would be. Everything else loses enormous sums of money. As competition brings the price down, these too will be money losers.


It's too late to "kick butt" at Microsoft, there's not time to rewrite the code before the cash flow stops, let alone redesign the code. Much of the security, stability and compatibility problems in Microsoft's products are the result of flaws in the design.


Bill Gates tells us this in almost so many words with his comparison to the U.S. Apollo program. If we take the metaphor, he's signalling Bush that Microsoft needs $25 billion over 10 years to catch up to and pass the competition. That's just not going to happen, it would hurt the economy too badly to allow Microsoft to continue to stifle the U.S. IT sector.


Google, IBM and hundreds of thousands of U.S. businesses make good money from the Freedom part of FOSS. The best thing that Gates and Ballmer can do now is cash out and go trout fishing for the next few decades.

#

Re:angling for corporate handouts

Posted by: Anonymous Coward on January 29, 2003 02:16 AM
Well, they supposedly do have $43B cash on their balance sheet, growing at nearly $1B a month, thanks to the Windows and Office monopolies. What they don't have is time. And you can't think of throwing 5,000 programmers at overhauling or rewriting Windows without a mental picture of Fred Brooks popping up and wagging his finger. There's always the "Microsoft will move to BSD like Apple did" theory. Somehow I doubt that will happen. They'll just keep coming up with new security/robustness initiatives and marketectures.

#

Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 04:49 AM
I am a big advocate for Linux. My company uses all Linux servers internally, but we work extensively with Microsoft platforms for customers. That being said, I think Mr. Beale's comments show a great level of ignorance.

Mr. Beale commented:
"It's far more likely that it was a planned switch to an operating system that they know they can more easily lock down..."

An experienced sysadmin can equally lock down Windows Server and Linux. Just because you have more experience with Linux doesn't mean that the same amount of security cannot be achieved in Windows. Windows is the target of many more attacks because of the huge installed base.

Another comment from Mr. Beale:
"An experienced sysadmin can just do so much more to lock down a Unix-based operating system, especially Linux".

Again, this is not true. An experienced Linux sysadmin can, while an experienced Windows sysadmin can do much more to lock down a Windows installation than a Linux installation.

I really am disappointed with the Linux community when I see comments like these from individuals who are supposed to be knowledgeable and not biased. People, Linux will never obtain the install base that Windows has as long as ignorant comments such as these are made!

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:12 AM
Since a windows machine with all ports firewalled is just as "hardened" as a linux machine with all ports firewalled, let's presume the relevant ports cannot be firewalled and must have a particular service running on them:


  - In linux (any UNIX, as far as I know), you can run that service in a chrooted environment. Even if a hacker somehow gets root access via that service, they will only be able to touch stuff in that chrooted environment. However, that would have done nothing to stop the recent SQL Slammer worm.


  - You can use user-mode linux, which is similar to a chrooted environment, but also protects against vulnerabilities in the kernel itself. You can only do what that particular instance of user-mode linux (which is running on top of regular linux) can do. Unfortunately, this probably would not have done anything to stop the SQL Slammer worm either.

Even though the above two methods won't completely stop people from attacking a particular service, they really do stop serious destructive damage from being done to other parts of the system, as long as they are set up intelligently.

Now I'm not a windows expert by any means, so if there are similar mechanisms under windows, please reply, and I'll never make this argument again.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 07:00 AM
MS has no chroot.

#

chrooted for Windows

Posted by: Anonymous Coward on January 28, 2003 07:17 AM
It does allow you to run a service under different credentials (and that login can be restricted to certain folders/resources), but most lazy admins just run services under LocalSystem, which is the equivalent to root under Unix. More often than not, these security risks happen because people are too lazy or do not know how to secure their environment.

#

Re:chrooted for Windows

Posted by: Anonymous Coward on January 28, 2003 04:01 PM
Chrooted doesn't mean credentials. This is a powerful mechanism that locks an application under a sub-system; as far as I know Windows can't do that.

#

Re:chrooted for Windows

Posted by: Anonymous Coward on January 29, 2003 02:32 AM
1 -- chroots can be broken, and do all the time.

2 -- chroot DOES exist under windows, just not native

#

Re:chrooted for Windows

Posted by: Anonymous Coward on January 29, 2003 03:17 AM
running services under different credentials is NOT the same as CHROOT. It is just a different user running the service. As most services have the equivalent of root access (system access), if the service is compromised the box is compromised. End of conversation.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:13 AM
"Windows is the target of many more attacks because of the huge installed base."

I'm afraid you are wrong here. Whilst Linux may not have as large an install base, the various UNIXes do. UNIX has a reputation for security and stability for a reason. Plus, Apache is running on twice as many machines as IIS (source: Netcraft Survey, http://www.netcraft.com/survey/), but IIS has far more intrusions.

"An experienced Linux sysadmin can [do so much more to lock down a Unix-based operating system], while an experienced Windows sysadmin can do much more to lock down a Windows installation than a Linux installation."

That's true. But the point the author was making is regardless of the expertise of the sysadmin, the maximum amount of "locked-downed-ness" achievable on a Windows system is less than that of a Linux system. For example, it is not uncommon for a UNIX bastion host to function without a usable shell executable from the webserver [the webserver runs in a chrooted environment]. Can you imagine a Windows machine without cmd.exe?

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on February 24, 2003 03:17 PM
Correct me if I'm wrong, but that actually should say "Can you imagine a Windows machine without explorer.exe?"

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:13 AM
Mr Beale is included in the article to speculate WHY they changed to Linux. He's offering suggestions to why they switched, and all of his points, although vague, could be taken to be true.

what do YOU suggest is the reason for the switch ?

why would anyone use Linux over Windows for a webserver ?

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:20 AM
it seems to me your last comment has been proven false. Linux is to MS as MS was to IBM.
just do the math.. It's about the money. You can't beat FREE. the rate of growth is still rising. IDC and others demonstrate that every year. I bet you didn't believe Google runs on linux too.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:22 AM
"Again, this is not true. An experienced Linux sysadmin can, while an experienced Windows sysadmin can do much more to lock down a Windows installation than a Linux installation."

Care to back that up? How can you say that you can lock down an OS when you can't even see the code? You don't know where the holes are...

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:27 AM

Wow...talk about ignorance...
Do you honestly believe there are enough point-and-click check-boxes to allow a Windows admin to configure security that is equal to what can be achieved through Unix/Linux/BSD conf files? You might be able to fool yourself into believing that, but, c'mon...you're posting on NewsForge.

#

You're not going far enough...

Posted by: Anonymous Coward on January 28, 2003 06:46 AM
There are plenty of settings you can change in the Windows registry that there are no checkboxes for. (In fact, it's pretty common to _need_ to change some of these hidden settings on a server environment.)

But at the same time, with Linux, you have the source, you can change _anything_you_want_. Until Windows comes with source, its configurability is more limited than Linux's by design.

#

Re:You're not going far enough...

Posted by: Anonymous Coward on January 28, 2003 06:56 AM
I agree that "Windows can't possibly give you enough list boxes for configuration" is not the greatest argument I've heard for Linux administration.

#

Re:You're not going far enough...

Posted by: Anonymous Coward on January 29, 2003 10:31 PM
The argument wasn't about Linux administration. It was about the granularity of security settings. I don't think anyone would argue that wading through conf files is easier than pointing and clicking. The point was that Linux provides more options and settings that can be configured by the admin.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:33 AM
"....big advocate for Linux..." Indeed. You might be.
But you seem,..." disappointed with the Linux community.."
The comments of ONE person makes you ' upset ' with ALL persons,...hummmm!

Okay, " disappointed " go to this company, whereby you are employed. Install a Windows Server partition on the machine of your choosing. Add MS SQL and all the patches and fixes you know. Expose it to the WWW. I mean- do not even make it useful to local users. Shut off services, no FTP,..... the works!
Post a reward for anyone who hacks into this test machine,...just offer the machine itself. Okay?! Huh??! What have you got to lose??! Hardware is cheap,...I could sure use another box to help build my Linux distribution,...c'mon. It will be great advertisement for Windows and I could sure use the promo and the hardware and we can keep all of this friendly and legal. What do ya say? Just respond to this blurb or " disappointed " one.!

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:42 AM
Don't be silly. Considering the FUD and misinformation that gets passed out about Linux on a daily basis, you'll excuse the quotes here which stretch the truth a tad. You're acting like the quotes said things like "M$ is teh suck". It is not a black and white world and everyone has some sort of bias. If you were looking for a linux expert to claim Windows is just as secure, you're dreaming. Beyond any bias, linux has just proven itself more secure than windows.

The way you're reacting to these very mild statements makes me really question how much of a "linux advocate" you really are. Especially when you give this standard MS defender quote "Windows is the target of many more attacks because of the huge installed base." When it comes to web serving Linux/Apache is the one with the huge installed basis and MS/IIS is the minority. Yet IIS is the one constantly getting nailed with worms that cause billions of dollars in damage each year. Why is that?

"People, Linux will never obtain the install base that Windows has as long as ignorant comments such as these are made!"
One has nothing to do with the other. If your line of thinking was correct, based on their constant FUD and lies MS by now wouldn't have a single user left by now.

#

Devil's Advocate

Posted by: sgp321 on January 28, 2003 08:45 AM
Of course, it can easily be argued that IIS is more exploited because more end-users and script kiddies can easily install IIS on their Windows PC and use it to test their exploit.


Yes, they could get and install Apache (on Windows, Linux, or whatever) and craft an exploit for that, but it's easier for them to get IIS, and exploit that. They may even be so naive as to be unaware of the non-Windows world out there.

#

Re:Devil's Advocate

Posted by: Anonymous Coward on January 28, 2003 12:47 PM
Now you are truly talking out of your ass.

#

Re:Devil's Advocate

Posted by: Anonymous Coward on January 29, 2003 04:26 AM
Script kiddies do not create exploits. They just run the script that performs the exploit. That is the definition of a script kiddie.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:54 AM
Microsoft can't lock down their own systems (and they have the source), so what makes you think that you can do better? What a troll post.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 11:58 AM
Well are you saying that no UNIX/Linux/BSD servers have ever been hacked? Those who manage those NIX servers have access to their source codes as well. So their servers should be bullet-proof right?

As with Linux, Windows admins need to be pro-active when it comes to security. My company uses Linux servers but Windows 2000 on clients because of Office (sigh!).

I am no troll just being fair here.

Just understand that sometimes we use Windows not by choice but are forced to use it because of the amount of apps and data generated over the years have been on Windows/Office. The cost of and time taken for converting/recoding apps would have been astronomical.

You have a right to disagree but get your facts right first.

Eric

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 02:20 PM
Actually he has got his facts right. It's true to say that nix has been hacked in before BUT

what he is saying is that microsoft themselves have the source code and yet they don't seem to ever care about security. When has RedHat Mandrake or any of the companies distros ever been hacked????

The difference is that the linux community is more proactive in securing their product, m$ is not! It is that simple!

And as for running ms apps, you say you're from a corporate arena so why don't you run VMware?

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 29, 2003 10:43 PM
"Just understand that sometimes we use Windows not because by choice but are forced to use it because of the amount of apps and data generated over the years have been on Windows/Office. The cost of and time taken for converting/recoding apps would have been astronomical."

The first rule of holes is that when you're in a hole, stop digging. It's a known MS tactic to hook users on proprietary document formats so that breaking the addiction is painful. Continuing to use Office because it's too difficult to switch is like continuing to use heroin because it's too difficult to kick the habit. The sooner you switch, the sooner you'll be free.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 05:55 AM
The most important aspect of securing the system doesn't have anything to do with Operating system choice anyways. What really counts is how good the security policy and administration of a system is. That said, I would have to say that any comparison between the security of various systems is moot unless you're going to go into extensive detail to support claims such as those expressed by Windows/Linux/BSD fans.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 28, 2003 11:20 AM
Actually what he said is 100% true.

Any Unix can be locked down and monitored with much greater accuracy and precision than any windows box.

Using BSM and process accounting I can keep track of each and every command one of my users or processes runs.

Using chrooted environments I can jail my processes so that even if someone was to find a "root exploitable hole" only that one process would be compromised.

Using PAM I have complete control over my users password and login policies.

Using fake or restricted shells I can give users access to certain services without giving them full access to the machine.

Using TCP wrappers I can prevent users from obtaining remote access to my box period.

Using SSH I can encrypt all of my traffic so no-one can snoop my passwords and setup VPNs.

Using crypt on Solaris or MD5/SHA1 I have much greater password security than the cheesy hash that NT uses. Ever wonder why you need such long passwords on windows?

Windows is so painfully open and such an easy target because it was never designed with the network or multiple users in mind, that was an afterthought. Unix was designed from the beginning with multiple users in mind so just from a structural point of view Unix is already more secure. Then throw on top of that the many free utilities/software available to me to secure my box as well a simple yet powerful environment that doesn't force me to use a mouse and fight with a gui that someone else designed such that I have to trust that the checkbox they put in this hidden window actually does something, you don't have a prayer in making your windows box as secure as an open Unix box. Unless maybe you turn it off, disconnect the network cable and put it back in its box.
Just my .02

#

what you're saying is not 100% true....

Posted by: Anonymous Coward on January 29, 2003 02:02 AM
for the record, i hate windows. i have been a unix and linux veteran for years. but you're incorrect:

--PAM does exist for windows (it's called PAM_GINA)

--chroot exists for windows...part of the GNU tools

--same goes for process accounting

--so does TCP wrappers

--so does SSH

--so does crypt()

there are much better reasons to use unix over windows. these are rather dated reasons.

#

Re:what you're saying is not 100% true....

Posted by: Anonymous Coward on January 29, 2003 02:24 AM
Okay,.....I understand.
There is no sense in bickering, is there. We can write nothing you will regard/respect. Soooo,..I have an idea.
A) Build your Windows Server.
B) Put MS SQL on it.
C) Use all the tools, utilities and account management software you have listed above.

D) Contact Microsoft to get your divine service packs and updates/fixes.
E) Audit your source code as best you can.
F) Update your Norton Utilities software from their website.
G) Sprinkle the server with sacred charms and the ashes of all the other flamed-out SQL servers from the Slammer worm attack.
H) Go get a good workout at the gymnasium.
I) Quadruple your firewalls and turn off all, ALL services.
J) Put the server on the web with a live IP address.
and since I have allowed you some additional assistance, from Microsoft( you may have them ACTIVELY participate in this challenge,..have them on the phone at all times while the challenge is active, if you like):
I must kindly request that you use a cluster of no less than 16 nodes -32 is preferable - the more the better, I really need the horsepower. Once the server is up, give me twelve hours. Once in,.... the box is mine,...we share advertisement, we are both better enlightened on some things,...no hard feelings,..since this is not personal, you are probably a nice person with strong feelings and great intelligence and character. Talk to the company you work for and well,...as Marvin Gaye said," Let's get it on."

#

Re:what you're saying is not 100% true....

Posted by: Anonymous Coward on January 29, 2003 02:53 AM
hahaha...i wish i was the guy who you originally challenged, but i'm not. i just didn't want to see an incorrect claim on windows security. i'm with you all the way on unix/linux being easier and more flexible to harden. been doing it for over 10 years, and i won't take a job even in this economy to manage win2k servers open on the web.

some better claims of why Unix/Linux is easier to secure would be:

--UML (user mode linux), better than chroot

--customizable source of all code, especially and including networking code, which parts can be safely removed without the whole machine breaking.

--100% pure headlessness. no resources wasted on running a gui. shit, while you're at it, remove all but 1 tty at a time.

p.s. i hope the guy takes you up on the challenge. maybe if there's 2 of us hitting it, it would take less than 12 hours :)

#

Re:what you're saying is not 100% true....

Posted by: Anonymous Coward on January 29, 2003 02:50 AM
> --chroot exists for windows...part of the GNU tools

Does anything like a BSD-style jail or a Linux-style User Mode Linux exist for Windows that will work with closed source Windows programs?

The only thing that comes to mind are x86 emulation/simulation environments like VMware (excellent). No per-program or per-process support, so each program hauls along quite a bit of the environment just to wall it off.

#

Re:what you're saying is not 100% true....

Posted by: Anonymous Coward on January 29, 2003 03:00 AM
UML for windows ? not that i know of. but chroot, yes...if only for running services under.

(actually, i don't think that even under the hood, it's *real* chroot. not that chroot is an end-all, it can be broken on BSD, too. but on win2k, i think that chroot basically can be used to wall-off applications that have the ability to take advantage of it...for example, compile apache under cygwin, then start apache under the chroot)

so basically, chroot only works under windows...sorta-kinda. not like it should. i take it back. :)

#

But does their chroot(2) really work?

Posted by: Anonymous Coward on January 29, 2003 03:04 AM
> --chroot exists for windows...part of the GNU tools

Really? That would be cool. But, chroot(2) can only work if it has OS support. MSFT's Unix for Windows may provide the chroot call, but does it actually restrict the process and all its children to a file system subtree?

What happens if they try to open, say "D:\Temp"? Or use any other drive letter? What about pipes or devices?

#

Re:But does their chroot(2) really work?

Posted by: Anonymous Coward on January 29, 2003 03:19 AM
not quite. my experience has been that it will protect the service (i.e. daemon) that runs under it, and even then, i'm not sure how well. my point was that it exists. :)

seriously, tho...if you're relying on chroot to be your security, then you're not doing a good enough job. i assume that people who are using chroot know also that it can be broken. quite easily, in some cases:

http://www.bpfh.net/simes/computing/chroot-break.html

#
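
The two points argued in this part of the thread, that a chrooted service limits what a compromise can touch and that a chroot alone is not a security boundary, both come down to the order of a few system calls. The following C sketch is an added example, not code from the article or from any poster: it enters a jail, sheds root, and then checks that root cannot be regained and that a host file is unreachable. The function names, the result codes, the `jail-demo` directory and uid/gid 65534 (commonly "nobody") are assumptions chosen for illustration, and the probe assumes the jail directory is empty.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes for this added example (names are illustrative). */
enum conf_result {
    CONF_OK = 0,    /* jailed, unprivileged, host files not reachable */
    CONF_NOT_ROOT,  /* chroot(2) is privileged: start as root         */
    CONF_CHDIR,     /* could not enter the jail directory             */
    CONF_CHROOT,    /* chroot(2) itself failed                        */
    CONF_DROP,      /* could not shed supplementary groups, gid, uid  */
    CONF_LEAK,      /* confinement did not hold: treat as fatal       */
    CONF_FORK       /* could not create or reap the probe process     */
};

/* Confine the calling process to `jail` and drop to uid/gid.
 * A real daemon would also close any directory descriptors it
 * opened outside the jail before calling this. */
static int confine_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return CONF_NOT_ROOT;
    if (uid == 0 || gid == 0)
        return CONF_DROP;          /* "dropping" to root is no drop */

    /* Enter the jail first so no working directory outside it
     * survives the chroot, then re-anchor at the new root. */
    if (chdir(jail) != 0)
        return CONF_CHDIR;
    if (chroot(".") != 0)
        return CONF_CHROOT;
    if (chdir("/") != 0)
        return CONF_CHDIR;

    /* Order matters: groups and gid must go while still root.
     * A process that keeps uid 0 inside a chroot is not contained. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return CONF_DROP;

    /* Verify instead of assuming: root must be unrecoverable. */
    if (setuid(0) == 0 || geteuid() == 0 || getegid() == 0)
        return CONF_LEAK;
    return CONF_OK;
}

/* Run the confinement in a child so the caller stays unconfined,
 * then test from inside that a host file is out of reach.
 * Assumes the jail directory holds no etc/passwd of its own. */
int probe_jail(const char *jail, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return CONF_FORK;
    if (pid == 0) {
        int r = confine_and_drop(jail, uid, gid);
        if (r == CONF_OK) {
            int fd = open("/etc/passwd", O_RDONLY);
            if (fd >= 0) {         /* host file visible: not jailed */
                close(fd);
                r = CONF_LEAK;
            }
        }
        _exit(r);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return CONF_FORK;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* "jail-demo" is a constructed, empty directory for the demo. */
    const char *jail = argc > 1 ? argv[1] : "jail-demo";
    if (argc <= 1)
        mkdir(jail, 0755);
    int r = probe_jail(jail, 65534, 65534);
    printf("probe of %s: result %d (0 = confined)\n", jail, r);
    return r == CONF_OK ? 0 : 1;
}
```

Run as an ordinary user it reports `CONF_NOT_ROOT`; run as root against an empty directory it reports 0 only if every step, including the failed attempt to regain uid 0, behaved as expected.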

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 30, 2003 01:50 AM
"I really am disappointed with the Linux community when I see comments like these from individuals who are supposed to be knowledgable and not biased. People, Linux will never obtain the install base that Windows has as long as ignorant comments such as these are made!"

Microsoft's install base was made through dishonest business practices. People understand that now. People also understand that Windows is the virus problem. Furthermore, they no longer take the FUD that Redmond dishes out as the truth.

What Mr. Beale says is true. All windows only types I've worked with don't understand the basics enough to lock down their systems. They rely too much on finding that certain software product that will do the job for them. Unix types on the other hand just do the work with the tools at hand. They don't need third party vendor hand holding.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 30, 2003 03:48 AM
MS as secure as linux Ha Ha Ha Ha. Ditto to all the other MS slam posts.

Even if I were to concede that Microsoft could be secured as well as linux why would I not want free? After all the patches and other nonsense MS still gets hacked + I'm out the bucks PLEASE!!!!!!!!!

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 30, 2003 04:21 PM
You say you are a linux advocate, but your understanding of unix systems is highly suspect by your comments. While of course experienced sysadmins can do more to secure a system than a novice, your statement that a sysadmin can do much more to lock down a windows installation than a linux installation is utter nonsense. Windows relies on a closed and hidden security model riddled with flaws.
Unix security models in general (not linux specific, but certainly applicable to linux) enable an order of magnitude better control over the system by their very nature.
Contrary to your comments, windows cannot achieve the level of security that unix systems can. Windows is simply over-integrated and too riddled with opportunities for problems.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 31, 2003 12:46 AM
"People, Linux will never obtain the install base that Windows has as long as ignorant comments such as these are made!"

I am afraid that this is not an argument at all. Even MS started with a zero install base. One should not necessarily believe the FUD some marketing experts are spreading. 100 years ago the install base on motor based vehicles was pretty small as well.

just my 0.01

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 31, 2003 12:52 AM
true, but it doesn't follow the theory that "if you build it, people will use it" as a function of time.

by your own theory, OS/2 (and multics) would have a HUGE install base right now.

(they don't) :)

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 31, 2003 03:15 AM
That's true (with regards to OS/2). However it is not necessarily the best technology which succeeds.
Linux is gaining momentum because it offers the security the market wants to have. Nobody will ever switch because a new product has arrived. I believe that IBM is promoting Linux because they see it as a successor to OS/2 by means of giving the professional user an answer to the problems they currently experience. On the other hand MS is losing momentum with each new alert as this does not match the FUD marketing concept of being the most reliable and performant platform opposed to others. I guess that TCPA/Palladium will be the last chance for MS to hold their monopoly. As some are saying "true men can wait".
Well that's 0.02 ;-)

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 31, 2003 03:50 AM
remember that the 'marketing experts' that are spreading FUD, as you say, are turning around, and have been...it's not 2000 anymore.

Gartner Group has all but favored Linux and put MS down as secure and promising.

#

Re:Jay Beale's comments

Posted by: Anonymous Coward on January 31, 2003 05:23 AM
On the long run selling a mole as a watchdog can get pretty challenging.

#

Why do you use Linux internally?

Posted by: Anonymous Coward on February 03, 2003 09:28 AM
Your company assists clients with Windows yet uses Linux internally? Doesn't that suggest something to you?

#

Makes sense

Posted by: Anonymous Coward on January 28, 2003 06:05 AM
Microsoft has never been security-conscious. This switch is very wise. The only people who could question such a move are: a) people who don't know Unix very well, and b) people who have a vested interest in promoting Microsoft as an "acceptable" server platform. The people in the latter group often make money by supporting MS's bug-riddled products, so of course they want you to believe that Windows is comparable to Unix but it is not. That's the bottom line.

I've run comparable Unix and MS servers side-by-side and have 10+ years experience maintaining these systems and by far, Unix is much easier to maintain and secure in the long run.

#

It seems to me that people are missing the point

Posted by: Anonymous Coward on January 28, 2003 07:52 AM
MS had a fix out. The point here is that people responsible for patching their servers DIDN'T do so. Let's pretend for a second that Linux has taken over the world. There are Linux exploits out there. If those Linux boxes are not patched, it would happen to them as well. This has very little to do with OS and more with human laziness.

#

Fundamental flaws in windows update concepts

Posted by: Anonymous Coward on January 28, 2003 08:12 AM
Microsoft chooses to have a single centralized approach to distributing updates and works hard to prevent people from running "local mirrors" of update files. This means to get an update really means going to one place and accepting each update on the vendor's terms.

This means if I bring up a naked MS Windows machine, such as from a new install or newly purchased PC, I have to hope it can connect to their central site, and download all the updates and service packs in order in time, before it is hosed by a stray packet from a worm. On a Linux environment, I can setup a local apt-get repository and install and update all my machines before ever having any of them live on the internet shooting range.

Next, the problem is that MS updates are not just bug fixes but loaded with features being rammed down people's throats, usually to strangle some competitor out of the market. The problem here is that updates may and often do break existing systems in known configurations, and hence people are reluctant to use them, or at least to do so in any form of automated manner.

Hence, the problems are structural and unique to the business practices of Microsoft rather than to the admins. As such, it seems to me to be a simple case of vendor liability.

#

Not true.

Posted by: sgp321 on January 28, 2003 08:50 AM
Corporate MS customers can do their own localised patch distribution, based on their own choices. You or I can't do that, but it's not in anyone's interest (not even Microsoft's) to have thousands of corporate desktops hitting windowsupdate.microsoft.com every day.


There is a huge difference between the Consumer OS you buy off the shelf and Corporate contracts.

#

Re:Fundamental flaws in windows update concepts

Posted by: Anonymous Coward on January 28, 2003 12:40 PM
make it even easier, have security.debian.org in your /etc/apt/sources.list and in crontab have it set to apt-get update; apt-get dist-upgrade; every hour/day/week your choice

now, i know if you're running unstable, you will get tons of bugs having it upgrade constantly, some breaking the system, but if this is a server machine, it shouldn't be running unstable

#

Re:Fundamental flaws in windows update concepts

Posted by: Anonymous Coward on January 29, 2003 04:19 AM
The problem here is that updates may and often do break existing systems in known configurations, and hence people are reluctant to use them, or at least to do so in any form of automated manner.

Oh, is that why Microsoft doesn't apply their own patches?

If you want another laugh see "Microsoft not immune to Slammer" (http://zdnet.com.com/2100-1105-982305.html)

MS... what a joke!

#

Re:It seems to me that people are missing the poin

Posted by: dazk on January 28, 2003 08:19 AM
Yeah, that's definitely true but comparing the number of linux and windows machines on the internet I'd guess the difference in number isn't as large. Especially not ms installations being many more than linux. So either all that easiness of windows makes sysadmins dumb and lazy or they are not as skilled as linux/unix admins because most of the major worms that really caused trouble weren't Unix/Linux worms but Windows ones.

#

Microsoft's own servers

Posted by: Anonymous Coward on January 28, 2003 08:42 PM
Human laziness has very little to do with the problem.

Microsoft's security patches and upgrades are notorious for 1) breaking other functions and services, especially third party apps, 2) introducing new, additional security problems, 3) failing to fix what they claim to fix. Apparently even "Microsoft doesn't trust their own patches" (http://news.zdnet.co.uk/story/0,,t269-s2129418,00.html). Nor can Windows handle heavy loads, even Hotmail has to run on FreeBSD.

But as mentioned elsewhere, it's "Business as usual" (http://news.zdnet.co.uk/story/0,,t269-s2129418,00.html).

#

Re:It seems to me that people are missing the poin

Posted by: coredumpman on January 29, 2003 08:50 AM
The point is this... People don't trust "closed source patches".

I know so many windows admins that insist after they apply MS patches they opened up a whole new can of worms... and just would rather wait until the next release and risk that one problem being left open, than creating new problems.

With linux you can see what is going on in regards to what is being patched.. There is much scrutiny in an open source environment, yes the code is open for crackers to see the holes, but it is also open to hackers, nothing is secret.. A few systems get compromised, and then the patch gets released right away, that is my opinion on what makes linux more secure, and also what the other gentleman said earlier about unix being around as a multi-user/network system, much before MS even existed. I mean the code to that has been around for decades and scrutinized.

The ironic thing is MS didn't even trust their own patch.... That is the impression I get. What is this telling you about MS and their patches, when they can't even trust to put it on their own systems? You think they were lazy? forgot? wanted to be ridiculed, by not installing their own patch????

BTW.. if you think this was a problem, this was just a little inconvenience, child's play, a bloody DoS attack, tip of the iceberg. Wait until you see what is scheduled next for the MS line of OS's... There is a nightmare of a problem lurking, that is un-patchable, and very much going to be a serious threat to data, Look up "windows messaging". This is a serious problem overlooked just like the SQL problem. But Very serious.. and MS is fully aware of the threat of this, and have they done anything like the open source community has? I don't even have to answer that.

And that is my 2/100 dollars....

#

Great scoop, but....

Posted by: sgp321 on January 28, 2003 08:32 AM
Great scoop, Tina, but:

It would seem logical to switch to a more secure OS for which fixes appear almost immediately after security bugs are recognized, but most site owners across the country have not done that yet, unlike the savvy Department of Homeland Security.


The patch was available 6 months before the exploit, much like the Code Red patch.

The problem here is not MS, but sysadmins failing to apply patches, even when they have been available for 6 months.


I am not aware of any significant piece of Server software (Free Software, Open Source, or Proprietary) - for MS SQL Server is a piece of Server software, not a part of the Windows OS - which could be left unpatched for 3 years from its release without an exploit being available.

The difference is how much care the Sysadmins take over their systems. Failure to install a 6-month old patch is a sysadmin problem, not a Microsoft problem.


Granted, the bug should not have been there in the first place, but since July 02, MS have fixed their mistake. For the past six months, the ball has been in the court of the sysadmins.

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 28, 2003 08:58 AM
Right, but the whole appeal of running Microsoft seems to be that you can hire unskilled laborers to run your systems, whereas *nix system administrators need to know what they're doing on a daily basis. Consequently it is more likely that the Microsoft systems will remain unpatched, since the admins don't have a clue about anything except resetting user passwords, restarting the computer and running the idiot-proof repair tools as needed.

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 28, 2003 09:46 AM
I am a 10 year unix admin, and even *I* will say that your above generalization about windows admins is a bit too much of a blanket statement. Mistakes happen, and with the amount of unneeded ("crying wolf") patches coming out of microsoft, I can see how some are overlooked.

When Sprint has a 400+ server base running Win2k...believe me, they have more than just "skilled laborers" working on them.

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 28, 2003 01:06 PM
'believe me, they have more than just "skilled laborers"'

Yes they have paper certified morons.

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 28, 2003 01:32 PM
i'm a certified AIX 3.2.5 Administrator. am i a moron ?

while it's true that some people with certifications are morons, not all of them are. some of them are sent to get them because of their employer's choice.

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 29, 2003 01:16 AM
3.2.5 is pretty out of date, isn't it?

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 28, 2003 02:30 PM
Paper certified morons who can handle html formatting tags.

You edumacated foks sucxorszz@#%$^&!

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 28, 2003 11:55 AM
Quote:
------------------------------------------------
I am not aware of any significant piece of Server software (Free Software, Open Source, or Proprietary) which could be left unpatched for 3 years from its release without an exploit being available.
------------------------------------------------

I thought qmail was a significant piece of server software w/o an exploit being available? :)

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 28, 2003 01:38 PM
i love qmail. but its install base....not "significant". i wish it was, but it's not.

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 28, 2003 02:35 PM
It's not all the admins' fault. With the track record of ms you would think they would take security more seriously.

Plus just downloading that patch could break other parts of the os. Plus you got the licence agreement that says if you don't follow us we'll shoot you in the foot kinda deal.

The only thing you can do on any ms box is run a good virus scanner and firewall.

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 29, 2003 10:27 PM
Finding and applying the MS SQL patch is not a matter of "hit Windows Update and say yes". The install is done by copying files to certain locations. Then you pray that it won't break anything which it usually does. Let me tell you when you propose applying another patch to your manager after previous disasters, you might get the answer "let's wait until there's an exploit, in the meanwhile I have this full 10-hour day planned for you...."

#

Re:Great scoop, but....

Posted by: Anonymous Coward on January 30, 2003 03:05 AM

I am not aware of any significant piece of Server software (Free Software, Open Source, or Proprietary) - for MS SQL Server is a piece of Server software, not a part of the Windows OS - which could be left unpatched for 3 years from its release without an exploit being available.


Postfix SMTP server....as far as I recall...its oldest versions still are unexploited.

#

nope....

Posted by: Anonymous Coward on January 30, 2003 04:07 AM
close, tho:

http://online.securityfocus.com/bid/3544

postfix vulnerability. but about vulnerabilities...it's not whether or not they exist. they ALWAYS will. hell, OpenBSD has them (locally exploitable)...the point here is the ability to patch them yourself, or other people of the community to offer up security patches, and not having to wait for a private vendor to issue them.

#

windows patches

Posted by: Anonymous Coward on January 28, 2003 02:41 PM
the thing about windows patches is that they can bring more problems than they fix (of course, with big version changes this is true in open-sourced stuff too, although you can usually get security fixes for anything fairly recent).

"hey, every time i return to the desktop (from a program) it freezes, it started after last update"

#

Re:windows patches

Posted by: Anonymous Coward on January 29, 2003 06:58 AM
No kidding! We had a security company scan our servers for vulnerabilities. They gave us a list of Windows patches to install, we installed, then they scanned again to make sure the holes were closed. But guess what!! NEW HOLES WERE OPENED UP AFTER RUNNING THE MS PATCHES! Unbelievable, but true!

#

Doesn't matter why

Posted by: Anonymous Coward on January 28, 2003 03:09 PM
Just the fact that they switched speaks for itself, and is a major indictment on the most prolific distributor of wormware, virusware, and outright insecure OS code. Bad enough the latest "overlooked" QA problem wasn't found and patched for quite some time, and only the threat of exploit got it patched in the first place, but their own trained and certified (by MS) admins ignored their own security advisories.

 
Or maybe Mr. Ridge recalled reading this story:

http://news.zdnet.co.uk/story/0,,t269-s2123526,00.html

A small excerpt:

In presenting Microsoft's trustworthy computing initiative, Mundie defended the company's reluctance to follow through and accept legal responsibility for the security of its products. "If we took that responsibility, say for a big contract at Airbus, I would have to take out a giant insurance policy from Lloyds or another insurance broker, and pay a giant invoice," said Mundie. "The product would then cost not 50 euros, but 50 million."

In other words, if they took responsibility for their code, they'd have their asses sued off in no time.

#

What are the most popular builds of Linux?

Posted by: Anonymous Coward on January 28, 2003 03:22 PM
I would guess it would be like this:
(note: I'm talking ONLY about popularity, not quality)

#1: Red Hat
#2: SuSE
#3: ???
#4: ???

What do you think comes next?

#

Re:What are the most popular builds of Linux?

Posted by: Anonymous Coward on January 29, 2003 04:35 AM
Mandrake, Slackware?

#

Re:What are the most popular builds of Linux?

Posted by: Anonymous Coward on January 30, 2003 03:14 PM
#5: Profit!

#

Re:What are the most popular builds of Linux?

Posted by: Anonymous Coward on January 30, 2003 10:24 PM
It probably looks more like this:

1. Red Hat
2. Mandrake
3. Debian (or some derivative)
4. SuSE

#

Slammer not Microsoft's Fault

Posted by: Anonymous Coward on January 28, 2003 06:27 PM
because the fix had been out for six months.....

I don't think this is good enough. I've been wondering what all these SQL servers (Symantec saw 20K infections at one point) are doing on the web, and the only explanation I can make up is that they're all default installations of MS Small Business Server 2000. These will have been set up on broadband (NB Korea) by the new hire who knows enough about Windows to follow the instructions for a default install, or the ISP engineer who's happy if the office can browse....

Can someone tell me whether Proxy Server in the default SBS exposes SQL Server to the internet? And if so, how rubbish is that? (And MS's fault after all!)

#

MS and integrity

Posted by: Anonymous Coward on January 29, 2003 12:44 AM
What amazes me is that considering the lack of integrity that MS has and the willingness to be illegal as hell, that they do not use a bit of ingenuity and simply put out a worm to close all the holes. They do not have to do it directly. It could be released from overseas so that it could not be picked up easily.
And before somebody argues that this shows that MS has integrity, this more likely shows the laziness that ms has or that they are not wanting to step on the toes of their expensive admins.
Finally, considering how much this admin has bent over to help MS, I am quite sure that another payoff by MS would get the government to look the other way just as easily as it has already done.

#

none of the 'sample' windows sites run windows?

Posted by: Anonymous Coward on January 29, 2003 03:50 AM
I don't get it.

All of the sample 'windows' sites run some
form of unix except for nsa and they are
hosted by somebody else who runs linux [so says
the footnote]. what are the windows sites?
I missed something!

#

Homeland Security ?

Posted by: Anonymous Coward on January 29, 2003 05:26 AM
isn't it *Better* if people like "Homeland Security", "RIAA" or "Microsoft" run IIS rather than Linux? Do we really need to make their dirty businesses more productive?

#

Re:Homeland Security ?

Posted by: Anonymous Coward on January 31, 2003 09:32 AM
no, it's not better. it's not about those sites working well, it's about them running linux because it then shows that they ADMIT to linux being a better choice. it's good for the long run, instead of them running IIS.

remember, the idea is for linux to WIN users, not make windows users LOSE. big difference.

#

Linux not hurting Microsoft, only Unix

Posted by: OwlWhacker on January 29, 2003 06:22 AM
I'm getting tired of people saying:

"Ahhhh, but Linux isn't hurting Microsoft at all, it's Unix that's losing out to Linux!"

What a load of trash!

How can I prove it? Here: www.wehavethewayout.com

Microsoft want people to switch from Unix to Windows. It HURTS Microsoft when they switch to Linux.

Maybe not so many people are switching from Windows to Linux, but why would they? Microsoft have spent years getting people dependent on their solutions, locking them in. Such a change isn't always simple.

But if companies who have always required the power of Unix (which isn't cheap) are now switching to Linux instead of Windows, doesn't this say something about the power of Linux?

Linux is hurting Microsoft, no matter how they try and pretend otherwise. It's just like going on a big game hunt and your rival shoots up all the lions. Oh wounded pride! (note: I was referring to Microsoft having a wounded pride, not shot lions).

#

Can we say, "Mass Clones"?

Posted by: rmdirms on January 29, 2003 11:08 AM
Maybe the switch is not JUST for locking down and insurance against ms-bed bugs.

Could be that this new dhs program, while getting buttloads of money and broad scope of power, just can't get enough "honeypots". Yeh, maybe they could set up a massive "distributed farm" in many strategic sites. OTOH, they CoULD just become the nation's biggest recycler of used school and business computers. After all, if they can save the taxpayers BUTTLOADS of money by skirting the ms licensing crap, then KUDOS to Ridge and team (not that I am glowing about the PoWEr they get with the new cabinet level position...).

But, imagine ms giving the GOVErnmENT masses of free copies. ms may be rich, but somehow I think even if they gave away the copies to the government, the government still would have to say, "no thanks billy. We have our own bat and ball, and the threads are going to be stitched OUR WAY and aerodynamics are going go act OUR WAY, not yours".. Or, something to that effect.

But, as for honey pots and distributed stuff, it may be necessary to have a master Linux server remotely manage TONS of Linux boxen. Why use ms' servers to do that? Plus, MANY people think that USING Linux means giving up code to "diggers". Well, what's to stop the user (even the government) from modding the code as necessary and locking it down? Nothing, right? So, moral of the story is that it may be GNU, but if you mod and lock it and don't try to profit from it or don't redistribute it without code revision, you'll probably be ok, right?

So, whatever the reason for switching dhs to Linux while the former home/well of dhs remains on w2000 or whatever, another ruby or tick mark for Linux. Just more VALIDATION for Linux and more agitation at ms that can't stand sharing the play ground.

I suppose that if DHS DIDN'T go to Linux, they'd become basket cases staying on windoze, trying to keep ahead of virii on proprietary code that ms can't even unravel much of the time. Then, the DHS would eventually add an "h" before the "sl", heheh DHHS (Dept of Health and Human Svcs), heheheh heheh ....

David Syes.

#

I feel *so* conflicted

Posted by: Anonymous Coward on January 31, 2003 06:08 AM
On one hand it is heartening to see Linux being put to use. On the other, it is painful to see a Federal agency adopting Linux so they can do a better job of spying on their fellow citizens. Linux good, Bush bad. Ow! My head!

#

Re:I feel *so* conflicted

Posted by: Anonymous Coward on January 31, 2003 09:37 AM
federal agencies already use linux. and that's GOOD! they will spy on people, no matter what OS they use.

the point here is that if it's "good enough for the government's most secure networks" then that shows a good amount of confidence in linux. it's not like the DHS just 'discovered' linux, or unix, for that matter. they've been using it for years. in fact, if one wants to be specific about it, then Unix (or Linux, for that matter) would not even exist without federal support and funding.

#

Re:I feel *so* conflicted

Posted by: Anonymous Coward on February 04, 2003 04:59 AM
"they will spy on people, no matter what OS they use."

That's not correct. This administration has pushed the envelope in the field of domestic spying:

http://www.eff.org/Privacy/TIA/
http://www.wired.com/news/privacy/0,1848,57005,00.html
http://www.acm.org/announcements/tia.html
http://www.aclu.org/Privacy/Privacy.cfm?ID=11612&c=130

It is good that federal agencies are using Linux. This agency, however, is not one that will give us a good name.

#

Re:I feel *so* conflicted

Posted by: Anonymous Coward on January 31, 2003 12:57 PM
Linux good and Bush good. You bad.

#

Re:I feel *so* conflicted

Posted by: Anonymous Coward on February 01, 2003 05:53 AM
Linux good and Bush good. You bad.

But I'm not the one implementing an abomination like TIPS. I'm not the one effectively merging the CIA and FBI. I'm not the one who put Presidential papers behind lock and key. And don't even get me started on the war he's provoking with Iraq...

In some ways I *am* bad, but what Bush is doing to our civil liberties is very very bad.

#

Re:I feel *so* conflicted

Posted by: Anonymous Coward on February 01, 2003 03:30 PM
Yeah, you'd rather that we do nothing and Bin Laden and others like him continue to kill us. And Saddam nukes Israel, gives nukes to Bin Laden, and Los Angeles glows for the next 10000 years.

You are probably a pacifist, therefore an idiot.

#

Re:I feel *so* conflicted

Posted by: Anonymous Coward on February 02, 2003 01:01 PM
You are an obedient little doggy. Here's a biscuit, go back to your kennel.

In the mean time your master is busy taking away our civil rights.

#

Re:I feel *so* conflicted

Posted by: Anonymous Coward on February 01, 2003 08:44 AM
They just don't want you hacking on them when they are spying on you.

#

This story has been archived. Comments can no longer be posted.



 