RE: Bush Approves Cybersecurity Strategy (TechNews.com)

RE: Bush Approves Cybersecurity Strategy (TechNews.com)
by Rattle at 3:05 pm EST, Feb 6, 2003

flynn23 wrote:
] Thirdly, I've been very impressed by MS's ability to patch
] things on a timely basis. Granted, they have not been the
] perfect example of admitting to certain things, nor have they
] the optimum toolsets necessary to patch things up (Windows
] update is not very well designed for managing large
] installations or automated operations). BUT, they don't suck.
] It's hard to blame MS on things like Slammer when the damn
] patch was available for 6 months.

This is the only point I'd really care to dispute.

In the case of Slammer, they had a patch out already. And I am willing to bet that if Microsoft patches didn't break Microsoft systems on a regular basis, it would have been applied in more places. Just about every MS admin I know takes a "wait and see" approach on MS patches. They are almost never to be trusted. That attitude even takes place within Microsoft, which is why a bunch of their systems got nailed too. Their systems lack real package management, IMHO, hence they have an update QA problem that's unsolvable.

And how easy it is to patch your systems, and the quality of those patches, are very very very key things. On that particular issue, all the other OS vendors slay Microsoft. With the exception of Sun, whose patching system hasn't changed much in the past several years, but they have N1 on the way to fix that and other things, I'm told. You can practically get automated with your software patching with RedHat these days, and I have been pretty impressed with the quality of their updates since the pre-6.x days when _everything_ sucked. I have not had a RedHat update break my system in a while. I've had MS updates break systems way too often to attempt to quantify it.

This has always been my biggest complaint about Microsoft systems. They are designed for dumb end users. But they require dumb end users to be on top of their shit to keep them up to date, and they offer no way for centralized "clue" to mind the herd. It's a flaw in their overall security strategy that, no matter how on top of their security shit they get, will always be what damns them in the end. They are getting better with this, but still not good enough. Still not even up to the level currently attained by the OSS crowd, and the OSS crowd can do better too.

Exploits come out for services like OpenSSH, which practically every Linux user has on (I'd argue that there are more copies of OpenSSH running open on the net than MS SQL), and it never becomes an issue for even 5% of the userbase because the patching tools are effective, and it gets eliminated quickly.

Granted, Slammer was a pretty special case because it was a one-packet UDP exploit, and it propagated uber fast. But what it really comes down to is that you are going to be hard pressed to find a high number of Linux boxes with a remote exploit that's been published and fixed for _six months_. One reason for that: effective package management tools.

They do suck. It's only been recently that they have been making a concerted effort to not suck in terms of security. Their userbase had to bitch for years to get them to make the efforts they are making now. They would have _never_ done it on their own. In the past they led the pack in recess days. I wish them success in their new security push. For the sake of our global IT infrastructure, I hope they get it together.
