Rattle wrote:
] flynn23 wrote:
] ] Thirdly, I've been very impressed by MS's ability to patch
] ] things on a timely basis. Granted, they have not been the
] ] perfect example of admitting to certain things, nor have they
] ] the optimum toolsets necessary to patch things up (Windows
] ] update is not very well designed for managing large
] ] installations or automated operations). BUT, they don't suck.
] ] It's hard to blame MS on things like Slammer when the damn
] ] patch was available for 6 months.
]
] This is the only point I'd really care to dispute.

[some stuff deleted]

] And how easy it is to patch your systems, and the quality of
] those patches are a very very very key thing. On that
] particular issue, all the other OS vendors slay Microsoft.
] With the exception of Sun, whose patching system hasn't
] changed much in the past several years, but they got N1 on the
] way to fix that and other things I'm told. You can practically
] get automated with your software patching with RedHat these
] days, and I have been pretty impressed with the quality of
] their updates since the pre 6.x days when _everything_
] sucked.. I have not had a RedHat update break my system in a
] while. I've had MS updates break systems way too often to
] attempt to quantify it.

I will agree that M$'s update system is definitely not the best. It's geared for single user use, even for server updates. Dumb. But I can't say that things are breaking systems. In the over 10 years that I've been admin'ing M$ servers, I've only had ONE patch go bad, and that was SP2 for NT 4. It only took about a week before they had that fixed. And you were mostly safe if you checked 'backup files' during the upgrade and then rebooted using the emergency floppy (if I remember correctly). I don't know a lot of other admins who have dissimilar experiences to my own. It's just as easy to patch an M$ server as it is to patch a Linux server.

] This has always been my biggest complaint about Microsoft
] systems. They are designed for dumb end users..

See my other meme. End users *are* dumb, but the machines should be smart enough to take care of themselves. We have the technology. We know how to do it. This priesthood of techs is bullshit. As for M$, they will likely implement a .Net based system for system management. So it's going to take years, and have to reach version 3.0, before it's worth a shit.

] But they
] require dumb end users to be on top of their shit to keep them
] up to date, and they offer no way for centralized "clue" to
] mind the herd. It's a flaw in their overall security strategy
] that no matter how on top of their security shit they get, it
] will always be what damns them in the end. They are getting
] better with this, but still not good enough. Still not even
] up to the level currently attained by the OSS crowd, and the
] OSS crowd can do better too.

I dunno about this. I will agree wholeheartedly that package management and update management on OSS type systems is better. But even RHN falls down in terms of managing a large installation with any type of control, audit, or failsafe. You still have to manually select packages that you wish to be updated. And application is to individual machines; there is no grouping. And there's no facility for updating non-core packages, like if I want the latest version of Ethereal on all my IDS machines.

I guess you can indict M$ for their shitty system because they've been doing it longer. There's been online updates for Windoze since 1996. Maybe even earlier. They should have their shit together on this, I agree. But you can't say that their security is more weak than any other platform, due to the reasons I cited in my first post.

] Exploits come out for services like OpenSSH, which practically
] every Linux user has on, (I'd argue that there are more
] copies of OpenSSH running open on the net than MS SQL) and it
] never becomes an issue for even 5% of the userbase because the
] patching tools are effective, and it gets eliminated quickly.

That's interesting. I would counter that with:

o I think it's more than 5%, but you'd never know that because most OSS admins would never ADMIT to being exploited.
o if it's indeed 5%, then it's 5% of a much smaller number than 5% of M$ users, so less peripheral damage will occur. It will be less noticeable.
o if it's less than 5%, then it's because attacking an OSS system is not nearly as sexy as bringing half the planet to a halt by hacking an M$ system.

Besides, who do you think is architecting the M$ exploits? It's not M$ supporters.

] Granted, Slammer was a pretty special case because it was a
] UDP one packet exploit, and it propagated uber fast. But what
] it really comes down to, is that you are going to be hard
] pressed to find a high number of Linux boxes with a remote
] exploit that's been published and fixed for _six months_. One
] reason for that, effective package management tools.

I agree with this. But the original idea was that people lambast M$ because of a perception of inferior security, when that's simply not the case. If there were 300M Linux servers worldwide, then you'd see the tables turned, even WITH effective package management tools.

] They do suck. It's only been recently that they have been
] making a concerted effort to not suck in terms of security.

It's only been recently that every machine on the planet is networked with each other. ;-)

] Their userbase had to bitch for years to get them to make the
] efforts they are making now. They would have _never_ done it
] on their own.

Who would? You could say that the OSS community does this for the good of the community, but M$ is not a community (yet). They are a business. There's no profit incentive to do this unless it's going to impact sales.

] In the past they led the pack in recess days.
] I wish them success in their new security push. For the sake
] of our global IT infrastructure, I hope they get it together.

They will only exert the most limited of effort in order to get by. That has always been their behavior, and I don't see how that will change.

RE: Bush Approves Cybersecurity Strategy (TechNews.com)