Slashdot Mirror


Lower Your Insurance Premiums: Use Linux

Several readers who declined identification have pointed out that this "article over at Interactive Week discusses J.S. Wurzler Underwriting Managers, one of the first companies to offer cracker insurance, charging clients 5 to 15 percent more if they use Microsoft Windows NT in their Internet operations. As insurance companies live and die by their statistics, this is a pretty significant move. The article also has interesting information about tech turn-over in Windows vs. open source shops." However, note that Wurzler is not the only company offering anti-cracking insurance, and the Big Names haven't yet followed this lead, even though they're apparently watching intently. Maybe "treating employees nicely" is at least as important a factor to consider.

56 of 161 comments

  1. Am I the only person worried... by Anonymous Coward · · Score: 4

    ...by the fact that this report about an insurance company charging a premium for use of NT gets turned into a headline that says that if you use Linux, you will pay less?

    1. Re:Am I the only person worried... by iomud · · Score: 3

      I'm worried about the fact that you felt you had to be AC for fear of modding down because of your statements regarding the contorting of the article, but such is the climate here at /.

  2. Insurances are about statistics by Karpe · · Score: 5

    Of course there is much more to security than the operating system. But insurance is always based on statistics. It cannot really represent reality for every single case, but for the average case. That's why you pay more car insurance if you are a young male driver than an old woman does, even if you drive one day a week and never pass the speed limit. What this article shows, probably, is that they gathered statistics and Linux servers had fewer security problems than NT. I think the credit is not only due to the operating system; as you even say, the personnel is also very important. But probably they are linked to the operating system as a statistic, that is, people who run Linux servers tend to be more security-conscious sysadmins.

    1. Re:Insurances are about statistics by Malcontent · · Score: 2

      Well, the reason black people are convicted of more crimes may not mean that black people actually commit more crimes. Black neighborhoods are very heavily policed, so your typical black teenager will get busted for smoking a joint in an alley while your typical white teenager smoking a joint in the park or in the woods will never get caught. Same with all kinds of minor offenses like shoplifting (clerks watch blacks much more closely), littering, loitering, jaywalking, speeding etc. White kids can hang out at the Circle K or Dairy Queen all night but black kids get busted for standing around the Burger King.
      Also consider the fact that even if white kids are busted they are routinely let go by the cops with a scare talk or a call to the parents, but the black kids are much more likely to get charged with crimes and the DAs are much more likely to seek more severe penalties for them (charging them with felonies instead of misdemeanors, for example).

      Statistics are one thing the reality is something else.

      --

      War is necrophilia.

  3. Ummm.... by sql*kitten · · Score: 2

    ... surely I can't be the only one to notice that this rather smug article was posted right next to one about SourceForge being compromised?

    Just wondering.

  4. Re:MS creates the illusion of simplicity by sheldon · · Score: 2

    Hmm, sounds like he should have used the hotfix tool off Microsoft's website instead of Windowsupdate.

    Windowsupdate isn't meant for servers.

  5. Re:I wonder if NT's ease of use could be a culprit by sheldon · · Score: 2

    No they didn't. They subcontracted content caching out to Akamai in order to make their internet services much less prone to DNS attacks.

  6. Re:I wonder if NT's ease of use could be a culprit by sheldon · · Score: 3

    Sigh... You're the type of person who gives MCSE a bad name. :(

    I also have an MCSE I obtained a couple of years ago, and it's really quite simple to secure an NT box:

    #1. Subscribe to NTBUGTRAQ.COM
    #2. Read www.microsoft.com/security

    Microsoft has provided tools which will notify you when security related hotfixes are released. They have provided tools to automate the installation of hotfixes, as well as automate the configuration of servers.

    The DNS issue wasn't a bug in Microsoft's software. They suffered a DoS attack on their web servers, so they subcontracted with Akamai to protect against this. If you don't know who Akamai is or what they do, that's another problem with your paper MCSE.

    What security through obscurity argument? Do you even know what that means?

    I don't disagree that the lack of qualified admins is the problem. But the documentation and tools are out there, you just have to use them.

    But my main point for responding... You shouldn't consider yourself a qualified admin, because you clearly are not.

  7. MS creates the illusion of simplicity by astrashe · · Score: 5

    I don't know if the insurance price difference is justified or not.

    But I think that part of the problem isn't with NT/W2K per se, but with the culture that surrounds MS sys admining. MS tries to make things simple -- and they often seem simple. It's easy to throw stuff up without thinking about it first. And one of the selling points that MS uses in comparisons with Unix/Linux is that W2K is easier.

    On a certain level, that means that you get a sysadmin that went to Windows because Unix was too hard. That's a harsh overgeneralization, but I think there's some truth to it.

    The problem is that security is hard on any platform. The issues are pretty similar. But if you keep telling people that all you have to do is click on an icon to set things up, it's not surprising that people click on the icon, take the defaults, and don't think about locking things down.

    1. Re:MS creates the illusion of simplicity by 0xA · · Score: 2

      That's actually what I meant. I figured everybody would understand the concept better if I said "MS has provided a security update tool that makes use of all the Windows Update services".

      I guess that wasn't very clear but it was kind of late, I was too tired to think.

    2. Re:MS creates the illusion of simplicity by 0xA · · Score: 3

      MS creates just that, the illusion of simplicity. I used to be an NT admin but have moved on to Linux and Solaris stuff for the past couple of years. I still have a very good friend who is an NT admin; as part of his job he looks after some IIS boxen. He got nailed by the Solaris/IIS worm a couple of weeks ago. Here's what happened.

      With W2K, MS has provided a security update tool that makes use of all the windows update services. My buddy is a really bright guy, he knows his stuff and is a good admin so he makes use of the tool on a very regular basis. The day before the worm struck he ran the security check because he became aware of this vulnerability, according to windows update his system was fine, the relevant patch had been installed correctly. The box got hit anyways.

      We took a look and it looks like a subsequent patch or service pack had undone the fix on him. This is the exact reason he uses the Windows Update service; it is supposed to keep this from happening. Now not only does MS give the hollow illusion of an effective admin tool, they make it difficult (read: damn near impossible) to manage patches, hotfixes and service packs without it. MS's security bulletins are lame by any other vendor's standards. They rarely contain a decent amount of information about the problem, other hotfixes that can affect it, or how to test for the vulnerability.

      I just can't get over some of the stuff that NT admins put up with. They get the buffer overflow of the day, a hotfix that manages to unplug a bunch of old holes and no detailed information from the vendor on the problem! Even the qualified and effective admins like my friend don't stand a damn chance up against those odds.

  8. Re:Idiotic by ergo98 · · Score: 3

    Excellent points; however, the fundamental point of my position was that saying that the primary determinant of the security of a firm's infrastructure is what operating system they use is like (and I'll bring this up because there are several other car analogies) setting car insurance rates based upon the diameter of the tires. I am absolutely certain you could draw a correlation in some bizarre way between different tire sizes and insurance claims; however, to use that as the foundational basis for insuring would be quite silly. Just because there is a correlation of something doesn't mean that it's a relevant correlation, or the most pertinent correlation, especially in something as complex as security.

    If I read "...and furthermore shops that had installed the latest 2000 hotfixes had their premiums dropped 60%" then it would be credible. The security difference between a shop where the admins keep on top of the systems and one where they don't is huge and decisively paints a picture of the organization. The OS chosen does not (despite the patting on the back by the Linux community it's amazing how often I see scans for Linux vulnerabilities...).

  9. Idiotic by ergo98 · · Score: 5

    What a ridiculous concept. The security of an infrastructure is far more the people and dedication to keeping on top of issues more than it's the operating system. The recent Solaris/IIS worm took advantage of a year old hole to compromise IIS 5 servers, just as the portmapper/BIND/RPC/POP2/etc. Linux exploits take advantage of ancient (in computer time) and long since fixed holes. Of course it takes a grossly incompetent sysadmin to fall prey to any of these, but unfortunately there are many of those out there.

    If there is such a thing as "cracking insurance" (I mean by real insurance firms that aren't just trying to get headlines by making a ridiculous policy) it would be based upon the manpower skills, policies, and possibly the use of outside agents to test the security. The idea that Linux=Secure and NT=Insecure is absurd and simplistic.

    1. Re:Idiotic by ibbey · · Score: 3

      What a stupid, stupid analogy. I could agree if you had compared it to the engine-- I mean, the OS is arguably the engine of the computer (at least as far as the software side of things). Of course the problem with this analogy is that it counters your point. My neighbor with the 500 horsepower big block 428 (or whatever) likely has higher insurance rates than I do with my 1.9 liter 88 horsepower engine. Does that mean he's a worse driver? No. But statistically, he's more likely to have claims so he gets the higher rates.

      One important thing to keep in mind: nowhere in the article did it say that this was the only determining factor. Odds are, this is only one of several questions they ask you in determining your rates. And, I imagine based on your answers, it's possible for someone running Unix to pay more than someone else running NT. The fact that this isn't specifically specified in the article does not mean that it isn't true. This is a general article, not in depth journalism. Understanding the difference between fluff press & in depth reporting is a good skill to have.

    2. Re:Idiotic by Datafage · · Score: 2

      Liability insurance will go up for a bigger engine, too, so it's not just replacing the car. Take it from an 18-year-old with a 5.7 liter IROC-Z...

      --

      Nicotine free Amish .sig.

    3. Re:Idiotic by 4of12 · · Score: 3

      > And, I imagine based on your answers, it's possible for someone running Unix to pay more than someone else running NT.

      If software costs are any indication, I have generally come to expect to pay more for Unix {hardware,software,personnel} due to the niche market effect and the economies of scale that favor the virtual lock on the marketplace enjoyed by win32.

      Indeed, given that:

      • Outfits running, say, a Sun E10000 with 64 processors are big sites with big budgets for top of the line hardware.
      • And, behind their Web server somewhere is a database whose value, if compromised, would be much larger than that of the database behind the typical NT web server.

      I would expect UNIX insurance to cost more, even if other statistics indicated that, for whatever reasons, they were compromised less often than an NT box.

      Those big UNIX boxes hide more behind them; they simply have more to lose.

      Linux, OTOH, (and OpenBSD even more so) would remain the most affordable to insure since they're used by small outfits characterized by:

      1. Extreme cost consciousness
      2. High technical expertise
      and, as a strong correlation of the first, probably a not-so-valuable database hiding behind a formidable phalanx of protection that is all out of proportion to the value of what they're protecting (kinda like the ratio between the Russian military and Russia:).
      --
      "Provided by the management for your protection."

    4. Re:Idiotic by tulare · · Score: 3

      > The security of an infrastructure is far more the people and dedication to keeping on top of issues...

      I really couldn't agree with you more. Which is precisely one of the issues addressed in the article (Did you read it?):

      > Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software, where turnover can exceed 33 percent per year. That turnover contributes to another problem: System administrators are not implementing all the patches that have been issued for Windows NT, Wurzler said.

      While I think you're absolutely right that "Linux=Secure and NT=Insecure is absurd and simplistic", I also think that that particular argument is a straw man. A better way to put it might be:

      Linux, due to the fact that the source code is open to anyone interested in looking at it and fixing it, and due to the ease with which it can be upgraded, and due to the generally higher level of expertise of system administrators who prefer to use it, is inherently fairly secure, on average.

      Windows NT, due to the fact that Microsoft chooses to protect its business interests and does not disclose its source code, and due to the difficulty people find in upgrading it, and also due to the generally lower level of expertise and experience of system administrators who prefer to use it, is inherently not very secure, on average.

      --
      political_news.c: warning: comparison is always true due to limited range of data type

  10. Use Linux? by Zico · · Score: 2

    Sorry, but I don't think the whole eight employees of Wurzler have much of a say-so when it comes to reality.

    Besides, why is Slashdot still fighting over Windows NT, the focus of this article? It's about 5 years old now, I'd think that Slashdot would be more worried about Windows 2000.

    Also, it doesn't seem the article's author has done much comparing of security patches offered for holes on company web sites, since he chose to only mention NT's, even though there are a lot more for Debian 2.2 and RedHat 7.x, when you take into account how long they've been out. Oh well, what can one expect from Ziff Davis journalism?


    Cheers,

    1. Re:Use Linux? by Fjord · · Score: 2

      The reason the article is concerned with NT and not 2000 is because they are an insurance company that insures actual systems. There has not been a massive migration to 2000. Even at my work, we have 2000 on the workstations, but are still using NT 4 for the PDC and Exchange servers.

      The fact that NT has been out for 5 years and is correlated with claims is a major strike against it. If it's fundamental to the OS, then they had 5 years to patch it and haven't gotten it right. If it's because people don't know how to administrate properly, they have had 5 years to develop those skills.

      This kind of thing may convince people to migrate to Linux or *BSD when they do move off NT.

      --
      -no broken link

    2. Re:Use Linux? by mgkimsal2 · · Score: 2

      Windows 2000 *IS* NT. When my 2000 box boots up it proudly displays 'based on NT technology'. NT5 kinda just morphed into Windows 2000 for the millennium marketing potential, imo.

  11. A different aspect of lowering insurance premium by Skapare · · Score: 3

    There's yet another aspect to lowering insurance premiums in business by switching from Microsoft products to Linux or BSD. As Microsoft moves more and more to coupling your software license registration with particular hardware, that could mean that if your hardware is stolen, you may have to buy another copy of the OS and all the applications, when you buy a replacement PC. If you expect the insurance to cover that added cost, you can expect the premiums to go up with it, too. And if you think Microsoft will readily make exceptions for stolen hardware, then I think businesses will catch on and claim hardware as stolen when in fact it is just sold off to recyclers or employees (who will likely continue using the software if it's from Microsoft).

    --
    now we need to go OSS in diesel cars

  12. Re:This is just plain silly. by Black+Parrot · · Score: 3

    > Despite what these people say, most of the crap that they've been flinging around is just plain baseless. I'll be called a "Microsoft shill" or an "astroturfer", but truth is truth: Microsoft's latest server offerings are extremely secure, scalable, and reliable.

    Not to imply that I believe you or anything, but you fit the stereotype to a 't': once MS finally does produce an OS that's stable, scalable, and secure, they'll brag their asses off over finally providing the most rudimentary services that an OS is supposed to provide, and that they should have been providing since day one. They'll probably even claim that they invented those concepts.

    --
    Sheesh, evil *and* a jerk. -- Jade

  13. Keep it in focus folks.. by mindstrm · · Score: 2

    This isn't about 'which OS is better' or 'which is more secure'.

    It's about statistics, and about more than just the OS.
    They found, in their studies, that Linux-based shops tended to have fewer security problems than NT-based shops, due to a combination of software, better trained and happier employees, etc., so they did what insurance companies do: they said 'if you use Linux, we will give you a cheaper premium'.

    A real-life example of the same thing.
    Auto insurance in Alberta, Canada. If you are under 25, and especially if you are a male under the age of 25, insurance is expensive.
    Once you are over 25, it gets much cheaper.
    Now... I've been driving since I was 16, and never had an accident. Does this insurance policy imply that I am somehow incompetent? Certainly not... they're just playing at statistics. 80% of their costs come from male drivers under the age of 25, so they make those drivers pay more. Period.

    Now pretend young male driver = NT shop, you get the same sort of thing.

  14. Re:Just NT/Linux? by the+eric+conspiracy · · Score: 2

    I think that the human factor is much more important than the choice of OS. Anyone can put up an insecure box. A secure box takes vigilance to keep it secure.

    If I was an insurance company what I would want to know is what the maintenance procedures for a site were, and see documentation that they were being followed.

    The point about technical competence and turnover rates is crucial given these issues: a shop that has low training and high turnover is just not going to have the adherence to proper maintenance methods that a shop with low turnover and skilled employees has.

  15. Re:Sometimes I wonder... by HamNRye · · Score: 2

    To respond to your points in order:

    Linux is harder to keep up to date. This is blatantly untrue. The truth of it is that when MS released these monolithic SPs and hotfixes, many of them did more harm than good. W2K SP2 and Exchange Server are a good example, as is the still undocumented effect of running the March hotfix on a W2K machine running IE 5.5. While the SP2 problems were at least fixable with a parallel install, the March hotfix is non-fixable without reloading the OS. (Maybe this is why MS will still not claim it as a bug.)

    The truth of it is, many shops WILL NOT install a service pack unless there is a specific bug they are looking to quash. Otherwise, the machine will stay at the service pack level that was available when the OS was first installed. Our Sun machines, on the other hand, are regularly patched without a reboot (or a 2 hour frikkin' download). If the patch causes a problem, it can easily be removed. I could say the same for our SUSE servers, and our AIX servers.

    And while NT bug updates get more press coverage, that is because they release sparingly, and then ask that you download a 105 MB patch. In addition, Microsoft will not document a bug until it has the solution. This has led to severe holes going unpatched for months while its customers are in the dark. *nix vendors generally release patches for individual files and programs; their patches are more timely, and much easier to install.

    So, to keep it simple, patching an NT server means:
    15 committee meetings to decide if we should really do this.
    Full back-up of the server.
    Install Service Pack and pray.

    To patch the SUN boxen??
    root# patchadd

    Slick installers?? If that's how you choose an OS, you deserve what you get. While I'll admit that many of the Linux installers are nasty, I'll only use the installer once. (Insert rant about parallel installs and the sinking feeling that the 30th software package you installed is what's causing the "Windows Protection Error")

    And finally, if diamonds are in short supply, are emeralds as good?? Are the diamonds worth it? Yes, your usual Unix sysadmin costs more, but has also been in the industry longer, and stands a decent chance of actually knowing the system. Many NT admins are hired right out of the class and just thought, "Gee, computer guys make a lot of money." And while many of them get past this stage, that's usually when they become Unix sysadmins. Also, UNIX sysadmins are generally asked to do more with the OS. Like shell scripting for starters. When NT admins have to know wscript, maybe we'll have better NT admins.

    I mentioned securing port 139 about a month ago. I got "Port 139????"

    Also, in closing, Win NT has too many "script kiddie" attacks succeed to be taken seriously. When a frikkin' Outlook worm is a billion dollar virus.... Unix may be vulnerable, but not to the average idiot. Look at the stupid Kornikova (sp?) virus. Two weeks into Visual Basic, and someone exploits the heck out of MS.

    ~Hammy
    "Your leaving will fill the void that was created when you first came here."

  16. Re:This is just plain silly. by mpe · · Score: 2

    > For the Win2k boxes (6 of them, total - 3 x from end, 2 x database, 1 admin/directory), each is set for daily reboots.

    But you don't see this as a problem... Having to do this means that something at a rather fundamental level is badly broken. It might be your setup, it might be your sysadmin, etc...

  17. Re:This is just plain silly. by Peter+H.S. · · Score: 4

    It seems to me that Wurlzer has fallen victim to some of the FUD that has been spread by Linux advocates. [snip, a lot of linux bashing]

    The problem is that all statistical surveys (for what they are worth) I've seen say that MS-based Internet servers, percentage-wise, are cracked more than their market share would indicate. Much to my surprise, MS-Windows 2000 servers are disproportionately more cracked than even MS-WinNT 4.0.
    Why it is so, I really don't know. Is it because:
    Sysadmins are insecure about applying hotfixes (will the server come up again after the reboot?)
    Script kiddies feel more at home on Win servers?
    Win+IIS are generally insecure products?
    Windows servers are generally run by less competent/lazy people?
    Companies running MS solutions are too cheap to have a decent security policy?
    A penguin ate the hotfix?
    The insurance companies don't care why. They are just greedy bastards who hate to pay out.

    > Look, if you want to use Linux or *BSD or some other non-mainstream OS

    Take a look at www.netcraft.com: Linux is a mainstream Internet OS. Apache (OSS software) is by far the most dominant web server around.

    > The way that America works is that people get together and work hard to put out a product, and then they sell it to people.

    That's exactly what this insurance company is doing: selling a product. Just be glad that it isn't a monopoly, so you can take your business elsewhere.

    > Go ahead and flame me

    Ok. Flame, flame, flame.

    [scorch-mode on]
    You, sir - you are a MS zealot!!
    [scorch-mode off]

  18. Hacker insurance will be well-used, I think. by Trumpet · · Score: 3

    Certainly, any large corporation should both secure themselves to the best of their ability, AND take out a policy.

    Reading sites like CERT, l0pht and rootshell is never going to become useless, because at some point they will charge you so much for your coverage that you can no longer afford to remain in business. There will continue to be a need for security.

    At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

    That will last just long enough for them to lose some truly critical data or business which will seriously impair their ability to operate. At that time, they will take the money their policy pays out to them and hire a team of badasses to come in and secure their network, because they can't afford to have that happen again, even if someone does throw money at them when it occurs. Money doesn't turn back the clock, at least not yet.

    All you security consultants are safe, but you might want to lay in some ramen for the next few months if you just got off a four month vacation. ;)

  19. Re:This is just plain silly. by interiot · · Score: 2

    This sounds like Microsoftie FUD astroturfing if I ever heard it. And another thing...

    tough titty (as the kitty is reputed to have said.)

    No, I'm not trying to be funny.
    --

  20. Re:Just NT/Linux? by radja · · Score: 2

    You want fair from an insurer? Insurers do profits, not fairness.

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587

  21. Re:Discount for OpenBSD? by Nailer · · Score: 2

    > If you're running OpenBSD, you don't need cracker insurance.

    Er, no. If you're running OpenBSD in the default install, which few if any people do, you don't need cracker insurance.

    On the other hand, say you forgot to apply the FTP globbing patch to your OpenBSD FTP server, then you probably do.

  22. Re:I wonder if NT's ease of use could be a culprit by selectspec · · Score: 2

    Microsoft is good about getting security patches out, and generally all you need to do is install the patch. Rarely is some special configuration required. I agree that an experienced admin can secure a win2k box as well as a *nix box.

    I believe that NT/Win2k's security problems come down to 3 issues:

    1. Less Experienced Admins. Let's face it, *nix admins tend to have been around the block a little more (at least in my experience). Probably, this is due to the fact that unix is a little harder to use and understand. I'm amazed how lazy NT admins are. So many sites are cracked because they fail to update their software patches. This is probably due to a culture of "it works, don't fuck with it" that most Windows users suffer from.
    2. Feature Friendly. Microsoft loves features. Features are security risks. The security of your product will always be disproportionate to the size of the featureset. Microsoft embraces friendly, seemingly useful new technologies faster than the cynical *nix crowd. Look at VBScript. I can see years ago, somebody saying, "Hey, let's make Pine and Emacs ReadMail parse Perl script in email messages!" Imagine the shock around that room! Services of course are always the security nightmare on any platform, and *nix can suffer from too many features too, but *nix services tend to be bare-boned, while Microsoft services tend to be rich banquets for the cracker.
    3. Closed Development. Ok, here's the flame, but I think there is something to be said about this issue. Open Source development has just as many bugs and security hole issues. The difference is the education of the admins (so in a way this is like point #1). *nix admins tend to know how a service works because the development community openly discusses the design principles involved. The community is not only aware of the featureset but the internals. With NT/win2k nobody knows shit (except a few losers at Dell and HP) until it is too late. In other words, with Microsoft you just have to take it on faith that their experienced engineers have worked out the issues. With *nix, I find it easier to have faith in the cadres of hackers working on Linux and BSD (not that they are better, there are just more of them).
    --

    Someone you trust is one of us.

  23. Re:This is just plain silly. by hub · · Score: 2

    I think you are missing the point.

    First, I have seen this in real life: NT looks easy to administer. As a side effect the IT director decides that anyone can administer it. Wrong. That was the case when I was working in some company as a UNIX and network admin. We did an audit ourselves of the publicly accessible web servers and we found that most of them were just a huge security hole: no patches, nothing. When we reported this to the person in charge of the machine, the person didn't even know how to patch it, etc. Security holes ranged from traditional buffer overflows to FrontPage extensions and clueless passwords. That makes NT a dangerous toy. Note that most of the fixes required a complete reinstall of the system as well. By default, UNIX boxes are most of the time more secure, and since to set one up you need to have some knowledge, it is unlikely to find them administered by clueless users.

    Second: security hole statistics show that NT has more holes discovered. This is a fact. NT can be secured, but it requires a lot of work and good skills. People who can do this are harder to find and more expensive than a senior UNIX admin.

    Wurzler does not want to punish people. He wants to optimize his business profits, and for this, like many insurers, raises prices based on the risks taken. After all, doesn't Microsoft do the same: maximizing profit? Isn't this the American way of life?

    --
    Hub

  24. Discount for OpenBSD? by cperciva · · Score: 2

    So what's the discount for running OpenBSD?

    Oh wait, I almost forgot: If you're running OpenBSD, you don't need cracker insurance.

    1. Re:Discount for OpenBSD? by autocracy · · Score: 2

      Let me discount that real quick. For going down to the grocery store, you can know nothing about your car other than the gas, brake, and steering wheel (and a few other details). Not how they work, just when to press them.

      Play around in NASCAR, though, and you need to know about every bit of the car, straight down to aerodynamics and what part of the track to be on during a turn. EVERY detail matters, and you want it done your way so it will work.

      Windows : consumer car :: Linux : stock racing car

      So you're a karma whore, eh? For the right price, I'll be a karma pimp...

      --
      SIG: HUP
    2. Re:Discount for OpenBSD? by hyehye · · Score: 4

      Mechanics shouldn't be the only people to drive cars. Linux isn't more stable if they can't install it.

      That's a great way to put it. This may seem a little off-topic, but bear with me here. You shouldn't have to know the very guts of a machine to use it - that defeats the purpose of the machine, whose purpose is to make your life easier and give you more free time. But, of course, you should have enough respect for the benefit it provides to learn how to change your oil and tires. Likewise, Linux and BSD have their obvious redeeming qualities, but none of that matters if the user can't get the system set up properly to see the performance in the first place. The need for systems that provide intelligent install and config systems, without dumbing down the experience in a few important ways, is great - but once again, the user must take enough responsibility to understand a few basic things about the technology that so greatly enhances his life. That which improves one's life must ultimately be appreciated.

      So what does all of this have to do with intrusion insurance and the lower open source rates? Simple. The more complex a system is, the more prone to failure it becomes. Operating systems that try to do everything for the user will always fail - there are simply too many possibilities and branches it must be aware of in order to manage itself. We don't yet have AI, and static code is incapable of handling the infinite number of configurations and situations an operating system will encounter. With systems that bring you much closer to the metal, you tend to be dragged (or to run of your own volition) toward learning more about the system. This leads to greater competency - the insurance rates should be better. It would be the same if UPS's drivers had better training than FedEx's.

      --
      think for yourself, you won't like the results if others do it for you.
  25. Moderators on crack by cperciva · · Score: 2

    I know it's a bit odd to complain about my own post being moderated up, but...

    That post was NOT informative. Funny, maybe. Insightful or troll, possibly. But there is no way that post can reasonably be classified as informative.

  26. What about Unix, Mac, etc. systems? by swordgeek · · Score: 3

    This article mentions:

    Windows NT/2000
    "Open Source" operating systems

    What about shops using Solaris (available, but not open), HP-UX, AIX, IRIX, SCO, MacOS (pre OS-X), OS/2, and so on? Are they charged the same as NT or as Open Source(tm)?

    My suspicion is that whoever wrote this article has no idea what open source means, other than 'not Windows.' I could be wrong, but it certainly sounds that way.

    --

    "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  27. Computer failure insurance by Animats · · Score: 3
    There is such a thing. There's a section of the insurance industry that insures against machinery breakdown. The classic company in the field is The Hartford Steam Boiler Inspection and Insurance Company, founded in 1866 and still active. They've gone beyond boilers, although about half their business is still steam-related. They do some computer-related insuring, although that business is in its infancy.

    One big problem is that many companies hate the intrusiveness of a machinery breakdown insurer. Hartford Steam Boiler won't insure something until their inspectors have been all over it and everything they want fixed has been fixed. Companies with well-run plants get great rates from Hartford Steam Boiler. Others get turned down.

    The computer industry has succeeded in pushing failure costs onto their customers, rather than having to insure them. But that may not last forever. It was like that for boilers once, too.

  28. Does anybody else find this amusing? by SuiteSisterMary · · Score: 2

    A story about some company saying that Linux is more secure than NT right above a story about sourceforge.net being compromised.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  29. Re:I wonder if NT's ease of use could be a culprit by SuiteSisterMary · · Score: 2

    Especially when you have to install each and every sp + hotfix (7 or 8 so far) in the proper order.

    This is no longer true. Microsoft has released a convenient utility called 'qfchain,' I believe, which allows you to run all your QFEs, run the utility, then reboot once.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  30. Didn't know they offered insurance... by Darth+Turbogeek · · Score: 5

    Did not know insurance companies offered policies protecting against a hack attack.

    Do they also offer insurance against a slashdotting?

    --
    "Old Rallydrivers never die - they just fail to book in on time"
  31. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  32. Comment removed by account_deleted · · Score: 3

    Comment removed based on user account deletion

  33. oh the irony.. by MSisNOT4Sale · · Score: 5

    and the story right below this one

    Developers: SourceForge Server Compromised


    --

    When death looks you in the eye, smile. Someone needs to cheer him up.
  34. new story subtitle: by sulli · · Score: 2

    from the shoulda-bought-that dept.

    --

    sulli
    RTFJ.
  35. I wonder if NT's ease of use could be a culprit by Billly+Gates · · Score: 4

    I am an MCSE (ok, here come the flames) because I used to have a job supporting NT users and servers. I also know some Linux and FreeBSD.

    The problem is I really don't know how to secure an NT server. My MCSE classes taught me nothing, other than how to set up a domain controller. I was told that NT was enterprise ready right out of the box, unlike Unix, so it was already secure. I knew this was total bs. The thing is that there are a million resources out there on how to secure Unix/Linux and all the configuration settings are stored in text files where you can edit them manually, but in NT it's hidden in the registry. How many here actually know what the majority of the registry settings actually do? I found 1 or 2 books dealing with NT security at Borders, so the situation is getting better as people discover what some of the settings are.

    It would be nice for future MCSE or corporate training courses to have security methods in the curriculum. Or even discuss several registry settings so we know a little more on how to customize NT. I believe NT may be secure if it's done right. I believe the only time Microsoft's website was ever down was due to a Linux (not NT) bug in their outsourced DNS servers. Microsoft uses a separate company which uses Linux for their DNS. I don't buy the security through obscurity argument. Microsoft loves hiding things to make their products look easier and markets them to the average Joe consumer. This may be good for home users but not business users.

    I remember a Microsoft seminar where Bill Gates talked about non-techie users installing NT to get work done and how great Windows is because you don't need an admin to set up a server??

    Perhaps that's the problem.

    I can imagine the paper clip from MS Word popping up whenever someone uses regedit in WindowsXP.NET.

    Basically, the summary of the problems is: lack of documentation, qualified admins, and the reboot problem; that is why NT is having some problems. The stability argument is not that important considering businesses are using switches and clustering to make NT work. Got to love those clueless CIOs and PHBs who insist on using NT over Unix. Well, if they want to pay three times as much for an NT solution over a Unix one, I guess that's their problem. :-)

    1. Re:I wonder if NT's ease of use could be a culprit by mech9t8 · · Score: 2

      There are *loads* of documents on the Microsoft technet site... from checklists to technical articles to searchable lists of downloads...

      http://www.microsoft.com/technet/security/default.asp

      Yes, the source isn't available for figuring out your own hacks, but there's a plethora of information for system admins...

      In general, it's pretty simple to secure Win2K sites. There are two cardinal rules: 1. Turn off everything you don't need, and 2. keep the patches up to date.

      Number 1 involves finding out everything that's running - check your Services listing in control panel and find out what everything does, and turn it off if you don't need it. Use Add/Remove Windows Components to remove things like DNS servers or RRAS if you aren't using them.

      Number 2 involves subscribing to the Microsoft Security Bulletin Service (http://www.microsoft.com/technet/security/notify.asp) and keeping a directory full of all applicable security patches (i.e. post-SP2 patches) so you can apply them to new machines as you get them... use the QPatch tool to avoid a million reboots. You can also use the Technet site or corporate.windowsupdate.microsoft.com to download the applicable patches if you're just starting out.

      After you're settled with those two, you can then go into tweaking Security settings on files and the registry.... there are guidelines for that on the Technet site. And then, finally, if you want, you can dig into the registry. But really, to have a secure site, for the most part you can just do everything with the GUI.
      --
      Convictions are more dangerous enemies of truth than lies.
      - Nietzsche
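The two cardinal rules in the comment above (turn off what you don't need, keep patches current) as an added PowerShell audit script; this is not code from the post or from Microsoft. It assumes a host with Windows PowerShell 5.1 or later (which did not exist when the comment was written), and the approved-service names and required KB numbers are constructed placeholders to be replaced with your own build standard.

```powershell
# Added example: audit a Windows host against the two rules above.
# The baselines below are constructed placeholders; put the services and
# patch KB numbers your own build standard actually requires in them.

# Rule 1 baseline: services this host has been decided to need (placeholders).
$ApprovedServices = @('EventLog', 'Dnscache', 'LanmanServer', 'W32Time')

# Rule 2 baseline: patches every host of this build must carry (placeholder KB ids).
$RequiredHotfixes = @('KB0000001', 'KB0000002')

function Get-UnapprovedRunningServices {
    param([string[]]$Approved = $ApprovedServices)
    # Anything running that is not on the approved list is a candidate to
    # stop and disable, once you have checked nothing else depends on it.
    Get-Service | Where-Object {
        $_.Status -eq 'Running' -and $Approved -notcontains $_.Name
    } | Select-Object Name, DisplayName, StartType
}

function Get-MissingHotfixes {
    param([string[]]$Required = $RequiredHotfixes)
    # Compare the installed hotfix list with the required baseline.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $Required | Where-Object { $installed -notcontains $_ }
}

function Disable-UnapprovedServices {
    # Report-only unless -Apply is given, so a typo in the baseline cannot
    # take down a production service by accident.
    param([string[]]$Approved = $ApprovedServices, [switch]$Apply)
    foreach ($svc in Get-UnapprovedRunningServices -Approved $Approved) {
        if (-not $Apply) { Write-Output "Would disable $($svc.Name)"; continue }
        Stop-Service -Name $svc.Name -Force
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Output "Disabled $($svc.Name)"
    }
}

Write-Output '== Running services not on the approved list =='
Get-UnapprovedRunningServices | Format-Table -AutoSize
Write-Output '== Required hotfixes not installed =='
$missing = Get-MissingHotfixes
if ($missing) { $missing } else { Write-Output 'none' }
Write-Output '== Dry run of service hardening =='
Disable-UnapprovedServices
```

Run it from an elevated prompt on the host being audited; rerun `Disable-UnapprovedServices -Apply` only after reviewing the dry-run list.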
  36. Not idiotic by mgkimsal2 · · Score: 5

    Somewhat a response to ergo98's 'Idiotic' post, but somewhat separate... :)

    First off, I thought I read about similar action by a London-based insurance company a few months ago - darned if I can find the URL just now tho.

    Nowhere did the article say 'NT=insecure, Linux=secure'. This insurance company is doing what all insurance companies do, which is analyze their claims data and make assumptions, inferences, and policy changes based on this data. Of course in-house skill, training levels, etc. all play into how secure a box or network is. However, according to this insurance company, their numbers are bearing out that it's more expensive to insure companies using Windows NT. Windows may be merely a symptom of a company that is lax about security in general - hiring inexperienced people, cutting security budgets, etc. But they have enough data to make a correlation between NT and higher insurance costs. (more claims? higher $ claims?)

    Auto companies insuring cars will rate a sports car as a higher risk, even though it shouldn't happen that way. It's COMPLETELY down to the driver - just because I drive a red convertible sports car doesn't mean that I *ever* speed, but statistically people driving red sports cars have higher accident rates, so they charge higher premiums for that car, because it's an indicator of risk. (Not sure on the specifics - I seem to remember red sports cars being higher, but could never afford one anyway, so it's a moot point for me!)

    Interestingly, I was doing some work with an auto insurance company a few years ago that was looking at using people's credit ratings as a premium indicator - apparently, a credit rating is as good an indicator, or sometimes a better one, of an auto insurance policy risk. Dunno if it's being phased in anywhere around here (Michigan) but I seem to remember the initial interest was stemming from research in California.

    Back to the point - it's not idiotic at all that an insurance company would use something like software choices to base premiums on. Those choices, statistically, will point to other info about the company that is relevant as well. There will always be exceptions to the rule, but statistically, these will prove out - if they don't, insurance companies won't adopt these. If the numbers work out, they'll move in this direction. It's simple numbers.

  37. Re:Well it had better be a never heard of exploit by Kierthos · · Score: 2

    You do know how insurance works, right? Odds are, this is an "at-fault" type of insurance, which means that it is probably very carefully delineated what the insurance company will pay off for. If the "minimum security standards" are met, and they still get cracked, the insurance company will pay out an amount dependent on the damages done.

    However, if it is the fault of the company that is paying for the insurance, then the insurance company doesn't have to pay.

    To liken it to car insurance, you would get paid if you were in an accident that was not your fault (someone else hits you, mechanical defect in the car, whatever), but you wouldn't get paid if you deliberately smashed the car into a tree.

    Regardless of any of this, the rates that the insurance company sets (even regardless of what OS you're using) are based on actuary tables governing the chances that a system will get cracked. Odds are that most systems will never get cracked to the extent that an insurance settlement is required. Just as, odds are, most people that have auto insurance will never be in an auto accident. But they still have the insurance in case they need it.

    Kierthos

    --
    Mr. Hu is not a ninja.
  38. Simple Questions Agents Should Ask... by LauraLolly · · Score: 5

    1) How frequently do you have a paid security audit from an outside firm?

    2) What sites do you check for security patches and notices for your operating system, database, server software, and management software?

    3) What internal risk training does your firm undergo? How frequently do non-IT people have to be refreshed? Are there live exercises? What is awareness within and outside of IT of social engineering attacks?

    4) Can you please name the last five major published attacks that targeted a similar OS to yours? What have you done to secure against those attacks?

    5) What do you do to keep your IT people pleased to work for you? Who are the people who do your data backups? What background checks were done on these people? What are you doing to keep them happy in their jobs?

    6) What is the physical security of your servers? What prevents any person, even "authorized", from walking off with the actual server machines?

    Any company that can answer these questions will be much better prepared, and deserves AAA* rates.

  39. New price list by jsse · · Score: 5

    Dear Customers,

    In order to enhance our services and better serve you, we will adjust the insurance fee a little bit if your company is using the following:
    1) Windows 2000/NT +5%
    2) Windows 98/ME +10%
    3) IIS +15%
    4) Exchange +20%
    5) Outlook +25%
    6) MSN services +30%
    7) .NET +40%
    8) DNS server on Windows +60%
    9) Continue the Windows subscriptions - you must be an idiot, but also our premium customer +100%
    Best Rgds,

    Your savior

    P.S. all % accumulative, per license.

  40. And when you call them fo get the money... by Ayende+Rahien · · Score: 2

    You get this reply:

    Sorry, we won't pay.
    There is a fix for the problem through which you've been hacked, and it was published before you were hacked; therefore, you've been hacked due to your incompetence.
    Keep on paying the insurance, though, you never know when you might need it.

    Yours truly,
    Dogbert.

    --
    Two witches watched two watches.
    Which witch watched which watch?
  41. Re:Perhaps they should base it on the admins by mech9t8 · · Score: 4

    In my experience, lots of Windows admins tend to be non-geeks that took a course because getting into computers is a good way to make money. Knowledgeable Windows users tend to go into programming/consulting.

    OTOH, almost everyone who uses/admins *nix (and especially Open Source) is a computer geek who really likes and is generally interested in computers. So the level of sophistication, on average, for Linux admins would definitely be higher.

    In my mind, Windows is just a version or two away from being truly administrable by non-computer-geeks... they've got most of the usability down, they just need a few more setup wizards and (most important) security wizards and an MCSE will be able to run a secure shop. And then the people with the computer smarts can do more thought-provoking activities instead of setting up identical workstations, setting up accounts, and fixing printers...

    Linux is much further away from being accessible to people that just want to do their job and go home without thinking about it too much. And the non-thinkers are quite a large portion of the workforce. ;)
    --
    Convictions are more dangerous enemies of truth than lies.
    - Nietzsche
  42. Re:Why isn't MS-NBC reporting this? by azrix · · Score: 2

    Well, in a totalitarian system, the government is business. So, in a sense, Big Brother was also business.

    Anyway, I have some major issues with 1984 and I could go off on a political rant, but I won't. But, right now I'm in the middle of reading Snow Crash and I am coming to the opinion that the biggest threat to personal freedom is not the government, but big business. Businesses that seem to be above the law. Or that just find ways to simply bypass the law with technological means. Which kind of explains it.

    But that's beside the point. I was trying to make a joke. Guess it didn't work. ;-)

  43. Any company that can answer these questions: by Flying+Headless+Goku · · Score: 2

    1) has no need for insurance
    2) has no money left for insurance
    3) has no interest in compensation if their systems go down, because they were already completely "secured" from any use
    4) has nothing on their systems worth cracking them for (see 3)
    5) has been taken over by their security people, as is the fate of anyone who relies on mercenaries ("money is not the sinews of war")
    --