RE: Bush Approves Cybersecurity Strategy (TechNews.com)
by Rattle at 7:08 am EST, Feb 7, 2003

flynn23 wrote:
] I will agree that M$'s update system is definitely not the
] best. It's geared for single user use, even for server
] updates. Dumb. But I can't say that things are breaking
] systems. In the over 10 years that I've been admin'ing M$
] servers, I've only had ONE patch go bad, and that was SP2 for
] NT 4. It only took about a week before they had that fixed.
] And you were mostly safe if you checked 'backup files' during
] the upgrade and then rebooted using the emergency floppy (if I
] remember correctly). I don't know a lot of other admins who
] have dissimilar experiences to my own. It's just as easy to
] patch an M$ server as it is to patch a Linux server.

Most of my windows admin experience comes from the NT4 days... And I clearly remember having to reapply the service packs every time I did anything remotely significant to the machine or I risked re-introducing vulnerabilities and bugs. Even with Slammer, many articles referred to the user perception of patching problems. I'm sure I'm not the only one who has had that problem. Patch machine, machine magically develops weird bug.. Chances go up higher the older the install. Maybe black clouds just float overhead whenever I'm touching an MS machine.

Even with XP, very recently.. After applying patches that windows update automatically downloaded, Photoshop started crashing on me. Reinstall Photoshop, everything is fine.. Clearly the patching system crushed something Photoshop was using.. Nothing else was done to the machine. Weird stuff like that. I run into it _every_ time I spend any time using an MS machine. I also find myself having to reboot after almost every update with XP. Rebooting after patches is really lame. And patching MS machines remotely is a royal pain. I have had nightmares about being responsible for a farm of windows boxen..

Where it's important, they fail. It's that simple.

] see my other meme. End users *are* dumb, but the machines
] should be smart enough to take care of themselves. We have the
] technology. We know how to do it. This priesthood of techs is
] bullshit.

I agree.

] As for M$, they will likely implement a .Net based system for
] system management. So it's going to take years, and have to
] reach version 3.0, before it's worth a shit.

MS is not going to be the one who brings us a workstation that requires zero attention to keep up to date.

] I dunno about this. I will agree wholeheartedly that package
] management and update management on OSS type systems is
] better. But even RHN falls down in terms of managing a large
] installation with any type of control, audit, or failsafe. You
] still have to manually select packages that you wish to be
] updated. And application is to individual machines; there is
] no grouping. And there's no facility for updating non-core
] packages, like if I want the latest version of ethereal on all
] my IDS machines.

You have many options for systems management once you get outside the windows world. On the low end, you can set up autoupdate to keep your systems up to date, and all your admin has to do is keep a directory of RPMs up to date. RHN has an enterprise version that has grouping capabilities and other much needed features for large scale machine management.. Ximian has Red Carpet and the Red Carpet Daemon.. Etc.. You have options. Many of them. All under development, and all designed to fit different situations. This is something MS will never have. Everything you mentioned is currently possible, and cheaper to make happen than with MS.

Several times now, I have implemented solutions for keeping systems up to date myself.. Using the tools of others, and tools I've written. The more time passes, the easier it gets. At this point, it doesn't even require writing code for it. There are more than enough tools out there to use. I've built solutions for workstations, servers, clusters, firewalls, etc.. Capable of being installed with no user intervention, over network and off CD. Booting over network, cd, and floppy. Including update/install management of custom packages, software, and configurations.. And every time, I have never, ever, even once, been in a position where the windows counterparts would have had more features available to me to use, more flexibility, lower implementation time, or anything that would translate to lower TCO, management overhead, or having a better security stance.

Being able to manage your machines easily is _key_ to security. You have to be in a position where you can act fast when a problem happens that requires unique attention, and act easy as the normal flow of bugfixes and security updates fly by. You are always dealing with updates, computers are good at doing repetitive tasks, they should be good at dealing with updates. MS is not, linux is. I would rather manage 500 linux boxes doing 20 different functions than 6 windows machines doing 3 different functions.

] I guess you can indict M$ for their shitty system because
] they've been doing it longer. There's been online updates for
] Windoze since 1996. Maybe even earlier. They should have their
] shit together on this, I agree. But you can't say that their
] security is more weak than any other platform, due to the
] reasons I cited in my first post.

My key point -- The security level of a given platform is defined by more than just how many exploits come out for it or how fast it's patched.. Things like what stance it allows you to take in dealing with security problems as they happen are a way more important piece of the puzzle.

Security is not about your targets. Security is about managing risk. That's why your update systems are important. That's why your security picture starts at the network. You are managing risk. You are not focused solely on your targets/systems.

] that's interesting. I would counter that with:
]
] o I think it's more than 5%, but you'd never know that because
] most OSS admins would never ADMIT to being exploited.
] o if it's indeed 5%, then it's 5% of a much smaller number
] than 5% of M$ users, so less peripheral damage will occur. It
] will be less noticeable.
] o if it's less than 5%, then it's because attacking an OSS
] system is not nearly as sexy as bringing half the planet to a
] halt by hacking an M$ system. Besides, who do you think is
] architecting the M$ exploits? It's not M$ supporters.

You are stuck solely on the issue of the platform's ability to be exploited. Of course, code is code, and bugs can be found. I would argue that OSS's peer review factor puts it in a better spot than MS for overall security. But this goes into an argument where points and views can only be proven with the passage of time. It could be argued all day, and is being argued all day, at any given time, in message bases, mailing lists, and newsgroups all over the Internet..

And I still think, that any way you cut it, you are in a better position with a *nix. You have options you don't on windows. Like chroot'ing daemons. Hardening servers. Mandatory access controls. Host based IDS. And you don't have to put out a few bens for each layer of additional security you add to your system.

] I agree with this. But the original idea was that people
] lambast M$ because of a perception of inferior security, when
] that's simply not the case. If there were 300M Linux servers
] worldwide, then you'd see the tables turned, even WITH effective
] package management tools.

I gotta disagree with that. I think management tools are going to be the key thing with secure systems, the desktop in particular. Security problems with programs are never going to go away. Coders are going to make mistakes from now till the end of time. Dealing with them is the key. Dealing with them must be easy. It's the best place to put effort in order to improve security. Security == Managing Risk. All the *nix platforms have the capability to slay Microsoft in the area. Most machines get exploited because they were not patched. Period. The number of machines exploited because of a new undiscovered & unpatched exploit is mostly nonexistent, and most likely a case of a targeted attack on someone with a very high threat profile.

As another example of this logic, I give you the virus. What do you do for viruses? Have a machine that somehow doesn't get them? Or use virus scanners? Obviously virus scanners. While Linux has not been the target of a large scale virus yet, it's possible. Maybe harder because its overall security is a little tighter, but possible, and more likely as time goes on to happen in a big way. The same approach will be taken to deal with it.. Have some solution to deal with it. Scanning and updating. Manage risks.

] It's only been recently that every machine on the planet is
] networked with each other. ;-)

The networked computer is the computer most at risk. If it's on the network, it can have network based update capability. I don't think that even figures in, as the cause of the risk is the same thing that allows you to create a solution to handle that risk. Linux has been in existence about as long as the mainstream Internet. It's arguable that the mainstream Internet is what allowed Linux to happen in the first place. Microsoft didn't "see" the Internet at first, and they don't "see" their security as weak either. They don't "see" lots of things.

] Who would? You could say that the OSS community does this for
] the good of the community, but M$ is not a community (yet).
] They are a business. There's no profit incentive to do this
] unless it's going to impact sales.

Another issue that is a discussion in and of itself...

] They will only exert the most limited of effort in order to
] get by. That has always been their behavior, and I don't see
] how that will change.

Then their market share will erode as the OSS counterparts become more mature. They are maturing at a very fast rate. A few more years, the landscape will look very different.

They said that security has now got priority over new features, that's a _big_ thing there. If it has a positive effect, it will take a little while to see it.
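The "keep a directory of RPMs up to date and let the machines follow it" model from the post, with its point that most compromises come from unpatched boxes, is something you can check for rather than assume. The script below is an added example, not code from the post or from autoupdate, RHN or Red Carpet: it re-implements rpm's version-ordering rules (separator-insensitive segments, numeric beats alpha, `~` pre-releases sort before the final) in Python so it runs offline, parses `name-version-release.arch.rpm` filenames, and reports which hosts in an inventory lag behind the newest package in the directory. All hostnames, package names and versions are constructed sample data, and `drift_report` is a hypothetical name of this example.

```python
"""Patch-drift check: which hosts lag behind a directory of RPMs?

Added example, not code from the post or from autoupdate/RHN/Red Carpet.
It re-implements rpm's version ordering in Python so it runs offline;
all host, package and version values below are constructed sample data.
"""
import re
from itertools import zip_longest
from typing import Dict, List, Tuple

# A version string is compared as a sequence of digit runs, letter runs and
# '~' markers; every other character is a separator and is ignored.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings by rpm's rules: -1, 0 or 1.

    A numeric segment beats an alpha one, '~' sorts before everything
    (1.0~rc1 < 1.0) and a leftover segment wins (1.0a > 1.0, 1.0 < 1.0.0).
    The '^' marker of newer rpm releases is not modelled here.
    """
    for sa, sb in zip_longest(_SEGMENT.findall(a), _SEGMENT.findall(b), fillvalue=""):
        if sa == "~" or sb == "~":
            if sa != sb:                       # only one side is a pre-release
                return 1 if sb == "~" else -1
            continue
        if not sa or not sb:                   # one string ran out of segments
            return -1 if not sa else 1
        na, nb = sa.isdigit(), sb.isdigit()
        if na != nb:                           # numeric segment is the newer one
            return 1 if na else -1
        if na:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):             # more digits means a bigger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """'[epoch:]version-release' -> (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(x: str, y: str) -> int:
    """Epoch first, then version, then release, like rpm's own package ordering."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def parse_rpm_filename(fname: str) -> Tuple[str, str, str]:
    """'name-version-release.arch.rpm' -> (name, 'version-release', arch)."""
    if not fname.endswith(".rpm"):
        raise ValueError(f"not an rpm filename: {fname}")
    stem, _, arch = fname[:-4].rpartition(".")
    name, version, release = stem.rsplit("-", 2)   # package names may contain dashes
    return name, f"{version}-{release}", arch


def newest_in_repo(filenames: List[str]) -> Dict[str, str]:
    """Highest version-release per package name found in the RPM directory."""
    newest: Dict[str, str] = {}
    for f in filenames:
        name, evr, _ = parse_rpm_filename(f)
        if name not in newest or compare_evr(evr, newest[name]) > 0:
            newest[name] = evr
    return newest


def outdated(installed: Dict[str, str], newest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(package, installed, available) for each package older than the repo's copy."""
    return sorted((n, have, newest[n]) for n, have in installed.items()
                  if n in newest and compare_evr(have, newest[n]) < 0)


# Constructed sample data: a directory listing of RPMs and a per-host inventory.
REPO_DIR = [
    "openssh-3.4p1-2.i386.rpm", "openssh-3.5p1-6.i386.rpm",
    "ethereal-0.9.9-1.i386.rpm", "ethereal-0.9.10~rc1-1.i386.rpm",
    "ethereal-0.9.10-1.i386.rpm",
    "bind-9.2.1-9.i386.rpm", "bind-9.2.10-1.i386.rpm",
]
HOSTS = {
    "ids1": {"openssh": "3.4p1-2", "ethereal": "0.9.10~rc1-1", "bind": "9.2.1-9"},
    "ids2": {"openssh": "3.5p1-6", "ethereal": "0.9.10-1"},
    "web1": {"openssh": "3.5p1-6", "bind": "9.2.10-1", "apache": "1.3.27-2"},
}


def drift_report(hosts: Dict[str, Dict[str, str]], repo_files: List[str]) -> Dict[str, list]:
    """Per host, the packages lagging behind the directory; packages the directory
    does not carry (apache above) are out of scope and are not reported."""
    newest = newest_in_repo(repo_files)
    return {host: outdated(pkgs, newest) for host, pkgs in hosts.items()}


if __name__ == "__main__":
    for host, lag in drift_report(HOSTS, REPO_DIR).items():
        print(host, "up to date" if not lag else lag)
```

The ordering rules matter more than they look: a naive string compare puts `9.2.10` before `9.2.9` and treats `0.9.10~rc1` as newer than `0.9.10`, so a drift check built on it would either nag about hosts that are current or, worse, stay silent about a host stuck on a pre-release. In a real deployment the inventory would come from `rpm -qa` on each host and the listing from the shared RPM directory; the comparison logic stays the same.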
