Slashdot Mirror


HP To Sell Custom High-Security GNU/Linux Distro

bc90021 writes: "CNET has this story about Hewlett Packard's new secure version of Linux. Using 2.4.2, it can supposedly detect attacks as they happen. (At $3,000, I think it should counter-attack, too.) It will be available on HP servers (duh), or on servers that pass the RedHat 7.1 server qualification tests."

227 comments

  1. "what-about-settling-on-debian dept" by Anonymous Coward · · Score: 0
    Ya know, maybe (just maybe) HP was more interested in using a stable, reliable distro instead of a crappy one that exists solely to promote some raving lunatic's agenda.

    Businesses don't have the luxury of picking a product because it's politically correct on Slashdot. Businesses need to pick the best product for the job, and that's exactly what HP did when they standardized on RedHat.

    -sting3r
    (posting anonymously to preserve my precious karma)

    1. Re:"what-about-settling-on-debian dept" by f_thegreenbear · · Score: 1
      If business used ethics, we might have a chance of seeing out this century.


      Personally, we run all our stuff, business and domestic, on Debian. What other OS has next-day bugfixes, and a fully-documented policy? Let alone a sane installation procedure.

      --
      anarcho-roboticist [lopster incomplete: 6.5% of 2.5GB]
    2. Re:"what-about-settling-on-debian dept" by n0rm · · Score: 1

      Stallman's kind of like Nader... I think they're both nuts, but once in a while they get something right. Their real problem is that they both have the personality of vogons.

    3. Re:"what-about-settling-on-debian dept" by bill0r · · Score: 0, Offtopic

      so maybe (just maybe), you are just a rh Luser?
      Debian does the work, 100 times better than any other distro, and don't even get me started on distro wars.

    4. Re:"what-about-settling-on-debian dept" by Unknown+Bovine+Group · · Score: 1
      Debian does the work, 100 times better than any other distro, and don't even get me started on distro wars.


      "Make love, not war!!" he shouts, as he fires the mortar.

      --
      m00.
    5. Re:"what-about-settling-on-debian dept" by gerddie · · Score: 1

      Their real problem is that they both have the personality of vogons.

      As long as they don't recite poetry that's okay with me :-)

    6. Re:"what-about-settling-on-debian dept" by Brian+Knotts · · Score: 2
      Hey. I'm a guy that started on Slackware, used RedHat for several years, and have used Mandrake on the desktop.

      I've switched to debian unstable and I'm not looking back.

      I had already switched my servers to debian, because of the better security practices I see in the debian world.

      Now, I'm using it on the desktop, and it's absolutely brainless to keep updated.

      And when a new version of debian comes along:

      apt-get update
      apt-get dist-upgrade

      It don't get much easier than that. And I can do it remotely.
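      One check worth having before running that remotely (an added example, not the commenter's or Debian's own code): `apt-get dist-upgrade` may remove packages to resolve conflicts, and an upgrade of the ssh daemon can drop the session you are running it from. `apt-get -s dist-upgrade` prints what it would do without doing it. The script below parses that simulation output (the Inst/Conf/Remv lines) and refuses an unattended run if any package outside an allowlist would be removed or a package you have declared protected would change. The sample output is constructed for the example; on a real host you would feed the function what `ssh host apt-get -s dist-upgrade` returns.

```python
"""Gate a remote dist-upgrade on the output of `apt-get -s dist-upgrade`.

Added example, not code from the thread or from Debian. The simulation output
below is constructed; feed the function the real thing from the host you are
about to upgrade.
"""
import re
from dataclasses import dataclass, field

# apt-get -s prints one line per simulated action:
#   Inst <pkg> [<old version>] (<new version> <origin>)   upgrade or new install
#   Conf <pkg> (<new version> <origin>)                    configure step
#   Remv <pkg> [<old version>]                             removal
SIM_LINE = re.compile(
    r"^(?P<action>Inst|Conf|Remv)\s+(?P<pkg>\S+)"
    r"(?:\s+\[(?P<old>[^\]]*)\])?"
    r"(?:\s+\((?P<new>[^)]*)\))?"
)


@dataclass
class UpgradePlan:
    install: dict = field(default_factory=dict)  # pkg -> (old version or None, new version)
    remove: dict = field(default_factory=dict)   # pkg -> old version


def parse_simulation(output: str) -> UpgradePlan:
    """Collect the Inst and Remv actions; Conf lines carry no new information."""
    plan = UpgradePlan()
    for line in output.splitlines():
        m = SIM_LINE.match(line)
        if not m:
            continue  # package-list chatter and summary text
        if m["action"] == "Inst":
            new_version = m["new"].split()[0] if m["new"] else None
            plan.install[m["pkg"]] = (m["old"], new_version)
        elif m["action"] == "Remv":
            plan.remove[m["pkg"]] = m["old"]
    return plan


def review_plan(plan: UpgradePlan, protected=(), removals_ok=()):
    """Return (proceed, reasons). Any unexpected removal, or any change to a
    package you have declared protected, blocks the unattended run."""
    reasons = []
    for pkg, old in plan.remove.items():
        if pkg not in removals_ok:
            reasons.append(f"would remove {pkg} [{old}]")
    for pkg in protected:
        if pkg in plan.install or pkg in plan.remove:
            reasons.append(f"would change protected package {pkg}")
    return (not reasons, reasons)


# Constructed sample of what `apt-get -s dist-upgrade` might print.
SAMPLE_OUTPUT = """\
Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  libssl09
The following packages will be upgraded:
  libc6 openssh
Inst libc6 [2.2.3-7] (2.2.5-11 Debian:stable)
Inst openssh [1:2.9p2-5] (1:3.4p1-1 Debian:stable)
Inst libpam-modules (0.76-3 Debian:stable)
Remv libssl09 [0.9.4-5]
Conf libc6 (2.2.5-11 Debian:stable)
Conf openssh (1:3.4p1-1 Debian:stable)
Conf libpam-modules (0.76-3 Debian:stable)
"""

if __name__ == "__main__":
    plan = parse_simulation(SAMPLE_OUTPUT)
    ok, why = review_plan(plan, protected=("openssh",))
    print("proceed" if ok else "blocked: " + "; ".join(why))
```

      Protecting `openssh` is the case the commenter's "I can do it remotely" glosses over: if the run is blocked, do that package by hand from a console or with a second session open.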

    7. Re:"what-about-settling-on-debian dept" by bill0r · · Score: 0, Offtopic

      bring it on :)

    8. Re:"what-about-settling-on-debian dept" by Anonymous Coward · · Score: 0
      right on brother. I have Mandrake 8.0 on my desktop at work, Debian Sid on my laptop and home machine. I was looking forward to being able to use urpmi to do basically what apt does, but it's broken.

      I don't understand how people can stand redhat machines that aren't servers in some closet and never touched. It's a huge pain in the ass to have to download a bunch of rpm dependencies, install them in the right order and cross your fingers.

      I can't stand Stallman and could care less about "free" software. I use debian because once you have it installed, it's so damn simple to maintain.

  2. They ship a IDS ? by jneves · · Score: 2, Interesting

    Is it really worth paying $3,000 for a distro with an Intrusion Detection System like snort configured?

    1. Re:They ship a IDS ? by stoney27 · · Score: 1

      One would assume that companies are paying for more support than just the distro with IDS configured.

      -Scott

      --

      It is said that a child learns wisdom from the parent,
      but the truly wise parent learns joy from the child
    2. Re:They ship a IDS ? by oingoboingo · · Score: 2, Flamebait

      Is it really worth paying $3,000 for a distro with an Intrusion Detection System like snort [snort.org] configured?
      I'd say the distro would pay for itself in about 2 seconds if it actually did what it is advertised to do. $3000 isn't much to pay to have HP say "This thing is guaranteed to be configured correctly, and work as advertised."
      Sure beats having the monkeys from sysadmin bollocks around for a whole day on getting the config 'correct', only to find out when it's too late that they misunderstood something.
      If you're going to pay for redundant power supplies, redundant cooling, RAID hard drives and dual NICs to make sure your hardware is done properly, then what's another $3k to make sure your intrusion detection works properly and you can call someone for help if it doesn't?
      (Of course I'm assuming HP will actually answer the phone....)

    3. Re:They ship a IDS ? by wangi · · Score: 2
      You'll be getting more than that, but yes - why not?

      Why should every sysadmin go through locking down and beefing up each and every install? What a waste of time... Much better to start with a known level and improve on that (or leave it as is).

      Remember this isn't just about software - it's about support... $3000 isn't much anyway!

    4. Re:They ship a IDS ? by The+Infamous+TommyD · · Score: 2

      Yep, HP does ship an IDS, but AFAIK it is not on Linux yet. It's called IDS/9000 and it is NOT a network intrusion detection system. I've seen a briefing on it and as a network security researcher I'd say it is the most advanced IDS out there. It looks for very general patterns that indicate attacks--not specific signatures that may indicate an attack.

      This could be a sign that IDS/9000 may be coming for Linux though. And it would definitely be worth more than $3000 for IDS/9000 on a large multi-user server.
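      The distinction this thread keeps circling (jneves's "snort configured" versus "very general patterns that indicate attacks"), shown as an added example that is not code from HP, Snort or anyone in the thread: a content-signature check of the kind a Snort-style network IDS does, next to a host-level behavioural check that ignores packet bytes and looks at what a network-facing process does afterwards. The rule, packets and process events are all constructed for the example, and the signature is illustrative rather than a real Snort rule.

```python
"""Two ways an IDS can decide that something is an attack.

Added example, not code from HP, Snort or anyone in the thread. It contrasts a
content-signature check (how a Snort-style network IDS works) with a host-level
behavioural check (the "general patterns that indicate attacks" described in
the thread). The rule, packets and process events are constructed for the
example; the signature is illustrative, not a real Snort rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    comm: str       # process name
    syscall: str    # "recvfrom", "execve", "open"
    arg: str = ""   # program or path for execve/open


# --- signature-based: known bad bytes on a known port ----------------------
SIGNATURES = [
    {"name": "IIS .ida overflow (known variant)", "dport": 80,
     "content": b"/default.ida?" + b"N" * 16},
    {"name": "ftp SITE EXEC", "dport": 21, "content": b"SITE EXEC"},
]


def signature_alerts(packets, rules=SIGNATURES):
    """One alert per (rule, packet) whose payload contains the rule's bytes.
    A variant the rule author has not seen yet produces nothing."""
    return [(rule["name"], pkt.src)
            for pkt in packets
            for rule in rules
            if pkt.dport == rule["dport"] and rule["content"] in pkt.payload]


# --- behaviour-based: what a network-facing process does afterwards --------
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh"}
SENSITIVE = {"/etc/shadow", "/etc/passwd"}


def behavioural_alerts(events):
    """Flag a process that read from the network and then executed a shell or
    opened a credential file. No byte pattern is involved, so an unknown
    exploit that reaches code execution is caught the same way as a known one.
    A process that never touched the network (e.g. login reading /etc/shadow)
    is left alone."""
    touched_network = set()
    alerts = []
    for ev in events:
        if ev.syscall == "recvfrom":
            touched_network.add(ev.pid)
        elif ev.pid in touched_network:
            if ev.syscall == "execve" and ev.arg in SHELLS:
                alerts.append((f"network-facing {ev.comm} spawned shell", ev.pid))
            elif ev.syscall == "open" and ev.arg in SENSITIVE:
                alerts.append((f"network-facing {ev.comm} opened {ev.arg}", ev.pid))
    return alerts


# Constructed sample data: a known payload, an unseen variant, a normal request.
PACKETS = [
    Packet("10.0.0.5", 80, b"GET /default.ida?" + b"N" * 200 + b"%u9090 HTTP/1.0"),
    Packet("10.0.0.9", 80, b"GET /default.ida?" + b"X" * 200 + b"%u9090 HTTP/1.0"),
    Packet("10.0.0.7", 80, b"GET /index.html HTTP/1.0"),
]
EVENTS = [
    ProcEvent(1201, "httpd", "recvfrom"),
    ProcEvent(1201, "httpd", "open", "/var/www/index.html"),
    ProcEvent(1202, "httpd", "recvfrom"),
    ProcEvent(1202, "httpd", "execve", "/bin/sh"),
    ProcEvent(900, "login", "open", "/etc/shadow"),
]

if __name__ == "__main__":
    print("signature :", signature_alerts(PACKETS))
    print("behaviour :", behavioural_alerts(EVENTS))
```

      The signature check fires once, on the payload it knows, and says nothing about the variant from 10.0.0.9; the behavioural check fires on whichever of them actually got the web server to spawn a shell. The price of the second approach is that it needs host instrumentation (a syscall or audit feed) rather than a span port, which is why the two are complementary rather than alternatives.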

    5. Re:They ship a IDS ? by gaudior · · Score: 1

      HP will most certainly answer the phone. Their firstline techs are often better than some companies' senior techs. We're talking Enterprise class here, not Mom and Pop ISP.

    6. Re:They ship a IDS ? by Anonymous Coward · · Score: 0

      True. I've never had anything but great luck with their techs. They're always helpful and get the job done right the first time.

    7. Re:They ship a IDS ? by Anonymous Coward · · Score: 0
      $3000 isn't much to pay to have HP say "This thing is guaranteed to be configured correctly, and work as advertised."

      I can get a guarantee from the butcher, but I'd rather stick my head up a bull's ass than take his word for it.

    8. Re:They ship a IDS ? by Clived · · Score: 1

      Personally I would say NO, but then perhaps the corporate world is full of network admins who are too busy plugging holes in their IIS servers to be able to concentrate on installing a regular Linux distro, with security hardening readily available on the Internet. Let's wait and see the market response to this "distribution", but with IBM including Linux (Suse) for their mainframe environment, at a hell of a lot less than $3G's (according to recent articles here), I think HP needs to seriously re-examine their pricing structure. Also I am sure there will be issues regarding GPL, etc. which have to be carefully examined regarding this situation.

      My two bits

      --
      Clive DaSilva Email: clive.dasilva@gmail.com Ubuntu 18.10 Kernel 4.18
    9. Re:They ship a IDS ? by Anonymous Coward · · Score: 0

      Enterprise class has nothing to do with "good tech support." I've never used HP tech support before, because I've never had any problem with anything from them (just printers mostly), so I have no clue what their tech support is like. Experience with @home though shows how some Enterprises have the worst tech support in the world. When the person calling is smarter than the level 1 techs it's pretty bad, and when service is out, that's bad. With my old dial-up ISP, exis.net (real small local ISP here), I got better tech support than with any ISP I've had. I used erols.com before exis.net, and I didn't exactly like the tech support, especially when the guy on the other end is chomping on his lunch while on the phone.

    10. Re:They ship a IDS ? by fors · · Score: 1

      If you think @Home is an enterprise class service you haven't had much exposure to high end systems. Calling @Home enterprise class is like saying Emachines make an enterprise class server.

      --
      "If there is nothing you are willing to die for, then you are not really alive." Myself
    11. Re:They ship a IDS ? by singe_69 · · Score: 1

      Hey thanks! I was one of their "firstline techs" for networking and then I became the help desk for those firstline techs. gaudior is entirely correct, since 3k per unit makes this a high profile product HP will go out of its way to assure satisfaction (assuming that Carly hasn't changed too much policy since the Lew Platt days). We used to get calls from Mr. Platt's office asking us to fix problems for upset customers that had been routed to his office and half the time the problem was a network issue that had nothing to do with an HP product but we were still asked to fix it, now THAT'S customer satisfaction! S.

      --
      "Laws are like sausages, it is best not to see them being made" Otto Von Bismarck
  3. amifirstpostornot? by Old+Wolf · · Score: 0, Offtopic

    With this new numbering system you can't tell who was first really..

    1. Re:amifirstpostornot? by Anonymous Coward · · Score: 0

      Maybe that was the plan ;-P'

  4. *gasp* by tubby · · Score: 1

    So what they are saying, is that they have installed snort by default?

    What a deal!

  5. Counter-Attack? by BiggestPOS · · Score: 5, Funny
    Your DHCP server detects a buffer-overflow attack from some jack-ass running WindowsXP. It goes into action, hitting bugtraq to find the latest exploits for the offending OS, found. It firewalls itself off, then passes the appropriate counter-measure information to your mail server. The mail server hacks the machine, shuts down the offending process, and patches the TCP/IP stack with one that DOESN'T have raw socket access. After only a few moments, one less XP machine is 1337.

    --
    What, me worry?
  6. Selling their own GNU/Linux? by Cloud+K · · Score: 1

    I presume they mean selling their *addons* to Linux, and the service of bundling them all together.
    (Expensive service, too)

    AFAIK, they can't "sell Linux" as such without breaching the GPL.

    I assume the wording is just unclear, as otherwise it could start a riot :)

    1. Re:Selling their own GNU/Linux? by Cloud+K · · Score: 1

      Oops. Someone just reminded me to think "free speech" rather than "free beer"...

      Can't help it, I like free beer ;)

      Just to clarify, yes they can sell it:
      http://www.gnu.org/philosophy/selling.html

    2. Re:Selling their own GNU/Linux? by Hammer · · Score: 1

      You can sell GPL'ed software! You must also give away the source and the right to give it all away for free. Red Hat, MandrakeSoft, SuSE et al are all selling Linux.
      For the record IANAL

  7. GNU/Linux WTF is that? by Anonymous Coward · · Score: 1, Funny

    Is that like Linux?

  8. Oh for heaven's sake by Anonymous Coward · · Score: 0

    [sarcasm mode on]

    /me looks at title... HP to sell.. hmm.. what's this GNU/Linux? Is that some new version of Linux I haven't heard of?

    Oh wait. It says here that people call it GNU/Linux to refer to the software that runs the rest of the OS, and not just the kernel. And wouldn't you know it, the software is Free!

    Well golly! That completely changes the whole way I view Linux! Because of those three letters and a slash, my whole reason for using the OS and my entire philosophy about software has been drastically overhauled! I'll never be the same! Thank you so much, Mr. Stallman! I sure would have never known about any of this stuff if you hadn't pushed for the GNU/ prefix on everything!

    [sarcasm mode off]

    Seriously, people. Slashdot editors, you're ALLOWED to leave the GNU/ off. We know what you're talking about when you say Linux. That's four more bytes my system has to download and my browser has to render. We're not four years old. We know all about GNU. We're thankful. Let it go.

    /me waits for the flamebait mods to begin...

    1. Re:Oh for heaven's sake by Anonymous Coward · · Score: 0

      Actually apart from Mr Stallman's immediate followers we all prefer that you do not tack on GNU/ to Linux. RMS didn't create Linux. He is unable to create his own unix lookalike (anyone heard of HURD lately??) and wants to steal some of the credit.

  9. OEM Distributions by Torulf · · Score: 2, Interesting

    It's really surprising that so few hardware manufacturers have their own Linux distributions. At least to me it would really just make sense for a hardware company to tailor a version of Linux (or maybe *BSD) to their own hardware and sell it pre-installed.

    The costs in doing so would, as far as I can tell, not be too large and this could give them more bargaining power against software companies (MS).

    1. Re:OEM Distributions by simong · · Score: 1

      Er, that would be VA, and look what happened to them...

    2. Re:OEM Distributions by it's+a+culture+thing · · Score: 2, Insightful

      It's really surprising that so few hardware manufacturers have their own Linux distributions. At least to me it would really just make sense for a hardware company to tailor a version of Linux (or maybe *BSD) to their own hardware and sell it pre-installed.

      Yes but they're hardware manufacturers. I'd assume that they have a limited number of software guys especially ones with lots of experience in this area as they tend to be expensive just to have hanging around. Anyway with everyone downsizing at the moment who are the hardware guys going to get rid of first? The designers of the next generation hardware which they need or a load of expensive software guys which bring political problems with them (see next comment).

      The costs in doing so would, as far as I can tell, not be too large and this could give them more bargaining power against software companies

      You can imagine just how popular they would be with MS if they did this e.g. no more large discounts, last to get the latest updates, bug issues remaining unresolved etc. The cost itself probably wouldn't be the issue, more the political consequences.

    3. Re:OEM Distributions by geekoid · · Score: 2

      The people who run hardware companies are, mostly, still thinking total proprietary control over anything that deals with their product.

      They also don't want to do things that cost them more money than they think they need to spend. Those two concepts have been the biggest stalling ground for linux driver development.

      A hardware company that had truly revolutionary products would just open up the proper information to the public, and someone would create the linux/BSD/whatever driver for them. Except MS products, very few MS programmers could actually develop anything that didn't have pre-designed API's and a Help system full of examples to copy from.
      Since I am talking kernel, there is no need for GNU.

      --
      The Dunning-Kruger effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:OEM Distributions by Anonymous Coward · · Score: 0

      Companies are already doing this. Check out Nokia (http://www.nokia.com/securitysolutions/platforms/ index.html) and Enterasys (http://www.enterasys.com/ids/sensor/gigabit.html )

    5. Re:OEM Distributions by Anonymous Coward · · Score: 0

      They do have their own Linux distributions - or nearly. In this case they call it HPSUX, and there's a reason...

    6. Re:OEM Distributions by billwear · · Score: 1
      So I'm going to break ranks and get involved in this discussion. Someone will probably yell at me, but my first allegiance is to open source, so I'll take my chances.

      In case you're wondering, I'm the product manager for this Secure Linux offering, so if you have questions, fire away. But in the meantime...

      It's really surprising that so few hardware manufacturers have their own Linux distributions. At least to me it would really just make sense for a hardware company to tailor a version of Linux (or maybe *BSD) to their own hardware and sell it pre installed.

      You're right, the appliance play is a strong one with customers. As much as the average ISP loves the technology, there just isn't time to roll your own anymore (thanks very much to the "new" economy). If I want a mail server, it's a lot easier for me to grab someone's black box -- as long as I can trust it -- than to do it myself. Same for other utility boxes: FTP, DNS, NNM, "insert-daemon-of-the-day-here".

      It's a lot easier for vendors like HP to build it on our own box, because our customers _always_ want SLAs that guarantee uptime and security and such. But we can't get stuck on one box, and the HP offering recognizes that. We pretty much have to have some site security surveys before we're willing to make promises and support a customer putting this on the wire. It's kind of like checking the other guy's rope before you agree to anchor his climb -- you're half of this partnership, and you need to look out for your customers.

      Sure, we may sell some hardware in the process, but that isn't why we did this. We did it 'cause it was the right thing to do, because we had some cool ideas about how multi-level security would fit into Linux and maybe add some value -- ideas so big that we couldn't _not_ turn them into code.

      Oh, by the way, I would love to tell my friends that my team started a new Linux distro, and I appreciate the credit, but it isn't really intended to usurp like that. We'd like to get the code into the kernel and let it be a part of all distros -- but, as always, it's up to the community to christen it, not us.

      "There's nothing truer than the truth." --Wear family motto

  10. What an amazingly information-free article by wowbagger · · Score: 2

    It would have been nice if the article had described what, exactly, the HP additions are supposed to do. We get some vague platitudes about "tightly controlling communications" and "detecting attacks". This could be anything from a well-written iptables setup and a syslog monitor to a full-blown, user-space stateful filtering/SNMP and "page-the-sysop-we-are-being-DDOSed" application.

    Does anybody have any REAL info on what HP is doing that is so wonderful?

  11. 3k$ for a distro? by sTeF · · Score: 1

    I guess this just increases the false sense of security. Those who are security aware are capable of securing their own distro. Those who are not are only spending loads of money. Reasonable defaults are OK, but changing them probably means opening a hole, or weakening the overall security. Installing a secure distro is OK, but remember security is a *process*.

    1. Re:3k$ for a distro? by mr_vauxhall · · Score: 1

      What you buy is accountability.
      I install Red Hat and set it up. We get hacked. Tough, I goofed.
      I tell the boss to buy $3k's worth of HP stuff. We get hacked. We sue/ claim compensation from HP for not doing their job right.

    2. Re:3k$ for a distro? by sTeF · · Score: 1
      You can only sue them if you can prove that you have all patches installed, because it's your responsibility to keep the host's security tight. They can sell you a secure distro; if you happen to install a not secure package, or fail to upgrade, then it's your fault.

      btw, can't we sue microsoft for all the damage done by the codered family?

      just buying a distro is not enough. you need competent sec staff.

    3. Re:3k$ for a distro? by powerlinekid · · Score: 1

      same logic as you said above... microsoft provided a patch (no matter how late, they still did... now if someone had sued before the patch...) and some idiots decided it wasn't worth having (hence codered II)... can't sue microsoft, because they can't force you to install the patch (no matter how much they try with that windows update shit)

      --

      can't sleep slashdot will eat me
    4. Re:3k$ for a distro? by spudnic · · Score: 2

      Show me one case where a company has successfully sued an OS maker after an intrusion.

      --
      load "linux",8,1
    5. Re:3k$ for a distro? by powerlinekid · · Score: 1

      however not prior to the first known exploitations which began around may... codered isn't the first to exploit this, just the best

      --

      can't sleep slashdot will eat me
    6. Re:3k$ for a distro? by Anonymous Coward · · Score: 0

      A properly configured box (index server functionality disabled) wasn't vulnerable anyway. Unless you were one of the 3 people that actually used index server.

    7. Re:3k$ for a distro? by powerlinekid · · Score: 1

      that has nothing to do with what we were talking about... have a vulnerability by default and dealing with patches... iis is default... and by the looks of codered a lot more than 3 use/used iis

      --

      can't sleep slashdot will eat me
  12. HP-LX by MikeCamel · · Score: 5, Informative
    A search on HP's site yields a training course which has been available for around a month. The name of the product seems to be "HP-LX".

    Here are some of the issues listed on the page:

    • secure administration model
    • lockdown
    • process containment (compartmentalization)
    • file system protection (MAC)
    • auditing.
    So I presume that these will all be central to the new product. It seems fairly sensible - and it will be interesting to find out the details of exactly what they've implemented, and how.
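    The compartment model behind three of those bullets (process containment, MAC on the file system, auditing), as an added example that is not HP-LX code and does not claim to be its policy format: a toy reference monitor in which every process and file carries a compartment label, crossing compartments needs an explicit rule, and every decision is written to an audit trail. What it shows is what makes the control mandatory rather than discretionary: the file's permission bits, and even uid 0, cannot grant an access the compartment rules do not permit. Groups and ACLs are left out of the DAC half to keep it short; the scenario is constructed.

```python
"""A toy compartment reference monitor with an audit trail.

Added example, not HP-LX code and not its policy format. It assumes the
compartment model the thread describes: every process and file carries a
compartment label, and crossing compartments needs an explicit rule. The point
it shows is what makes the control mandatory: the DAC bits and even uid 0
cannot grant an access the compartment rules do not permit. Groups and ACLs
are left out to keep the DAC half short.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    pid: int
    comm: str
    uid: int
    compartment: str


@dataclass(frozen=True)
class FileObj:
    path: str
    owner_uid: int
    mode: int          # classic permission bits, e.g. 0o644
    compartment: str


@dataclass
class Policy:
    rules: dict = field(default_factory=dict)   # (subj comp, obj comp) -> set of ops
    audit: list = field(default_factory=list)   # one record per decision

    def allow(self, src, dst, *ops):
        """Permit the listed operations from compartment src on files in dst."""
        self.rules.setdefault((src, dst), set()).update(ops)

    def dac_permits(self, subj, obj, op):
        """Ordinary Unix discretionary check (owner/other bits; root bypasses)."""
        if subj.uid == 0:
            return True
        bits = (obj.mode >> 6) if subj.uid == obj.owner_uid else (obj.mode & 0o7)
        need = 0o4 if op == "read" else 0o2
        return bool(bits & need)

    def mac_permits(self, subj, obj, op):
        """Same compartment: allowed. Otherwise only what a rule grants."""
        if subj.compartment == obj.compartment:
            return True
        return op in self.rules.get((subj.compartment, obj.compartment), set())

    def check(self, subj, obj, op):
        """Both checks must pass; every decision is audited, denied or not."""
        dac = self.dac_permits(subj, obj, op)
        mac = self.mac_permits(subj, obj, op)
        allowed = dac and mac
        self.audit.append({"pid": subj.pid, "comm": subj.comm, "uid": subj.uid,
                           "comp": subj.compartment, "op": op, "path": obj.path,
                           "dac": dac, "mac": mac, "allowed": allowed})
        return allowed


def demo():
    """Constructed scenario: a web server, an attacker who got root through it,
    and an administrator in a separate compartment."""
    pol = Policy()
    pol.allow("web", "logs", "write")               # httpd may append to its log
    pol.allow("admin", "system", "read", "write")   # admins may edit system files

    httpd = Subject(1201, "httpd", 33, "web")
    rootsh = Subject(1300, "sh", 0, "web")           # uid 0, but still in "web"
    admin = Subject(1, "sshd", 0, "admin")

    docroot = FileObj("/var/www/index.html", 33, 0o644, "web")
    log = FileObj("/var/log/httpd/access_log", 33, 0o644, "logs")
    shadow = FileObj("/etc/shadow", 0, 0o600, "system")

    decisions = [
        pol.check(httpd, docroot, "read"),    # same compartment, DAC ok
        pol.check(httpd, log, "write"),       # cross-compartment via rule
        pol.check(httpd, shadow, "read"),     # DAC and MAC both deny
        pol.check(rootsh, shadow, "read"),    # root passes DAC, MAC denies
        pol.check(admin, shadow, "read"),     # admin compartment has a rule
    ]
    return decisions, pol.audit


if __name__ == "__main__":
    for rec in demo()[1]:
        print(rec)
```

    The fourth decision is the one the "secure administration model" bullet is about: a shell that is uid 0 but still labelled "web" gets past the DAC check and is stopped by the compartment rule, and the audit record shows both halves, so the denial is visible to whoever reads the log.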

    1. Re:HP-LX by Anonymous Coward · · Score: 0

      The name of the product seems to be "HP-LX".

      Wait until RMS finds that out!

    2. Re:HP-LX by Shirotae · · Score: 3, Interesting

      A search for "documentation security" on the HP site takes you to an interesting page - follow the hp-tlx link in the index for Administration Guide, Installation Guide and Release Notes.

      The paper "An Operating System Approach to Securing e-Services" published in Communications of the ACM Feb 2001 is also of interest since it describes some of the features of the system.

    3. Re:HP-LX by Surak · · Score: 2

      So in addition to the fact that HP-SUX, apparently now HP-LIX, too!! :)

    4. Re:HP-LX by cbwsdot · · Score: 1

      It looks like I need to pay for this document.

    5. Re:HP-LX by mcc · · Score: 1

      Just a quick question. What, exactly, do you mean by your reference to "MAC", and how does whatever "MAC" stands for in this case connect to file system protection? Do you mean that the file system protection is somehow (how?) related to ethernet MAC addresses, or is this some acronym i am not familiar with?

      (p.s. once you've explained this definition/use of MAC, maybe could you add an entry to everything2 explaining it there? ^_^ just checking.)

    6. Re:HP-LX by Anonymous Coward · · Score: 0

      then get a subscription to the ACM digital library and quit whining, you cheap fuck.

    7. Re:HP-LX by mosch · · Score: 1

      MAC == Mandatory Access Controls.

    8. Re:HP-LX by Shirotae · · Score: 2

      The ACM paper is also available here. It is a good description of the compartment model, but the product has some extra features not described in the paper.

    9. Re:HP-LX by Anonymous Coward · · Score: 0

      Wow...first hp-sux, now hp-lix...

    10. Re:HP-LX by HiThere · · Score: 2

      In the three years that I maintained a subscription I found one item of interest. So I let it lapse. I'm not about to start it up again for one article about a system I probably won't use.

      It's a true pity. Once upon a time the ACM had a lot of good articles, especially in Computing Surveys. Maybe I just hit a 3 year fallow period. But that's not the way I intend to bet. I've got enough other choices on how to spend my cash, that don't require that I buy a pig in a poke.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  13. $3000? by EvlPenguin · · Score: 1, Flamebait

    OpenBSD is free. "Four years without a remote hole in the default install!"

    --
    #nohup cat /dev/dsp > /dev/hda & killall -9 getty
    1. Re:$3000? by Anonymous Coward · · Score: 0

      FreeBSD and NetBSD are just as secure if not at least modern . . . numbnuts.

    2. Re:$3000? by chegosaurus · · Score: 1

      Yeah, and can you run Oracle on OpenBSD?

    3. Re:$3000? by Anonymous Coward · · Score: 0

      OpenBSD is free of ipf, SMP, etc., as well
      No remote holes, because noone cares.

    4. Re:$3000? by Anonymous Coward · · Score: 0

      Actually, that's not true. The version of OpenSSH that shipped with OpenBSD 2.6, which was WELL within the past 4 years, had a remotely exploitable root exploit. I don't know why they won't change the website (you'd never think ego would be in any way associated with the OpenBSD project), but it's incorrect nonetheless.

    5. Re:$3000? by kaisyain · · Score: 2

      That doesn't do much good if you need something more than the default install provides.

    6. Re:$3000? by Anonymous Coward · · Score: 0

      i have an old 20MB hd with dos on it. 15 years without a remote hole in the default install!

    7. Re:$3000? by Anonymous Coward · · Score: 0

      Thank you, thank you, thank you . . . in the *real* world a system that is *secure by default* is fucking worthless when you can't use it for anything aside from lightweight workstations or few (very few) network appliances.

      freaking worthless piece of crap . . .

    8. Re:$3000? by EvlPenguin · · Score: 1

      No, but I can run MySQL on OpenBSD just fine.

      If you were serious about security you wouldn't be using Linux. I don't care how secure HP says its new distro will be. There will probably be several remote root exploits within a few weeks.

      --
      #nohup cat /dev/dsp > /dev/hda & killall -9 getty
    9. Re:$3000? by powerlinekid · · Score: 1

      Hell... a win2k box would have no security holes if i turned off all the damn ports too... gotta love theo

      --

      can't sleep slashdot will eat me
    10. Re:$3000? by Anonymous Coward · · Score: 0

      Haha, MySQL. I'm so sorry.

    11. Re:$3000? by kurowski · · Score: 1
      Um, you got a source to cite for that one? According to the OpenBSD web site the buffer overflow in RSAREF (which is what I assume you're talking about) was not exploitable on OpenBSD.

      So I'm curious to see where your info came from, because if it's true, then I'm sure the good folks who manage the OpenBSD site will update it. Hell, if you really find an exploit, I'll setup a box with an unpatched 2.6 install to test it on.

    12. Re:$3000? by Anonymous Coward · · Score: 0

      http://www.openbsd.org homepage in red writing :)

      To quote: Four years without a remote hole in the default install!

      And to all the other people on this thread.... All the ports that could pose a security problem are switched off by default so that you will only open them up as and when you are capable enough to do so.

      When our dumbass Mac administrator installed a default version of Linux/m68k, I spammed him with mail (from himself - root) until he worked out how to close port 80 on the mail server.

      An open port + clueless admin == loads of fun :)

    13. Re:$3000? by Anonymous Coward · · Score: 0
      Where does it say the overflow was not exploitable? the page you link says "Dec 2, 1999: A buffer overflow in the RSAREF code included in the USA version of libssl, is possibly exploitable in httpd, ssh, or isakmpd, if SSL/RSA features are enabled. (patch included)."

      Every few months there's another debian security alert for OpenSSH; while this doesn't mean the versions packaged with OBSD are necessarily vulnerable, I'd trust it about as much as I'd trust any other package with such a record: an unknown. By fudging OpenBSD's security record by redefining it when there's an issue, they lull themselves into a false sense of security. Don't get me wrong - it's good work, but the presence of even unexploitable bugs in something with the visibility & importance of a shipped OpenSSH/RSAREF makes me wonder about the security of the other stuff, & rearranging the text of the security record to make it technically true is amateurish.

    14. Re:$3000? by kurowski · · Score: 1

      Actually, I was seeking a source for the claim that OpenBSD 2.6 had "a remotely exploitable root exploit."

      Sorry for the confusion.

    15. Re:$3000? by kurowski · · Score: 1
      Where does it say the overflow was not exploitable?
      On the line of text immediately following what you quoted, it says "* Update: Turns out that this was not exploitable in any of the software included in OpenBSD 2.6."
      By fudging OpenBSD's security record by redefining it when there's an issue, they lull themselves into a false sense of security.
      When have they redefined it? (No, really, I'm curious.) I don't see a track record of them trying to cover up security problems. For example, the front page of their web site used to say "Two years without a local root exploit" but along came a local root exploit and instead of changing what "local root exploit" meant, they dropped the claim.
    16. Re:$3000? by Anonymous Coward · · Score: 0
      On the line of text immediately following what you quoted, it says "* Update: Turns out that this was not exploitable in any of the software included in OpenBSD 2.6."

      This version was in 2.5, but by the time the flaw was found 2.6 was current, and for some reason "old" installs aren't considered part of the security record.
      I didn't say they were redefining the terms they were using, they were however redefining their goal statement. Security is a process not a product. The implied goal is that OBSD would continue to exist with no local root exploits. From the outside looking in it's much like a kid saying "aww, gee, I wasn't tryin' to do foo anyway. But I'm still better than you at bar." What happens if there is a remote root tomorrow? does the page:
      a) remove all reference to the previous record & replace with the text "we still rule"
      b) "one day without a remote rooting" with a link to the patch

      b) is what a professional would do, but if the OpenBSD track record is any indication, a) would happen.

  14. An Attempt to Save Themselves by jasonrfink · · Score: 1

    No seriously, perhaps the motto should not be *HP Invent* but *HP Reinvent*, HP is seriously screwed because of the overhead of the PA RISC line of systems. Customers are sick of paying so much for them plus the support.

    Now, I am not saying their PA RISC line is bad, some of the systems kick major ass running HP-UX && HP-UX 11.XX and 11i have some pretty cool stuff - but the operating costs are just too bloody high - esp. now.

    What cracks me up is HP is really using the Linux branding to get ahead, unlike IBM who sort of made their branding from Linux which almost seems to indicate they (IBM) have greater faith in their core product.

    Of course this is all hogwash until the Dist. hits the streets :)

  15. Yes, but... by gmz · · Score: 1

    ...just for dumbass-suits who are simply too stupid to even use their own mailreaders.
    Oh, no, wait - no, these people won't buy something someone told them was "secure"; they would buy some Java/XML/SAP/Buzzword-of-the-month compatible stuff...

    1. Re:Yes, but... by Anonymous Coward · · Score: 0

      XML is not a buzzword.

      XML is the future.

  16. Service=money by peripatetic_bum · · Score: 5, Interesting

    In all honesty, I do hope HP does well selling these $3,000 Linux boxes. Not because of what's in there, but because of the service/skill it actually took to configure the box right.
    (I assum of course that the box does what it says it does)

    Just like the thought that musicians will give their music away (via the internet) but charge for real live performances, the new economy (excuse me) may well be based very much on what the actual person can do and what cannot be replicated digitally. I.e., doctors don't charge for the information they have and tell you, they charge for the skill with which they apply it to you. That is, all the information about treating asthma is in books, but I doubt you would want to read the man page for asthma and just treat yourself; you pay the doctor to apply his skill to treat you.

    Thus HP is charging for the skill it takes to make more-secure internet boxes and perhaps, in this age, $3000 is a good start and in the future that skill may be worth even more.

    Anyway, thanks

    --

    Sigs are dangerous coy things

    1. Re:Service=money by Anonymous Coward · · Score: 0

      Chalk up another one who didn't read the article.

      They're not selling boxes preinstalled with Linux for $3000. They're selling a *distribution* of Linux that has HP features and security for $3000/license.

      Hardware is extra. (Would you like to supersize that?)

    2. Re:Service=money by Surak · · Score: 2

      Ummm... They're not selling $3,000 Linux boxes, they're selling $3,000 Linux....

    3. Re:Service=money by Alien54 · · Score: 2
      In all honesty, I do hope HP does well selling these $3,000 Linux boxes. Not because of what's in there, but because of the service/skill it actually took to configure the box right.

      This should not be a problem.

      After all, Microsoft has sold a version of NT that was claimed to be completely secure in compliance with some high-level government standard. That particular configuration was one that had no network attached.

      - - -
      Radio Free Nation
      is a news site based on Slash Code
      "If You have a Story, We have a Soap Box"
      - - -

      --
      "It is a greater offense to steal men's labor, than their clothes"
    4. Re:Service=money by Anonymous Coward · · Score: 0

      I assum of course

      When you assum, you make an ass out of... um...

    5. Re:Service=money by nihilvt · · Score: 1

      After all, Microsoft has sold a version of NT that was claimed to be completely secure in compliance with some high-level government standard. That particular configuration was one that had no network attached.

      When doing classified processing on ANY box at work, be it NT, 2000, linux, IRIX, etc, it must be physically disconnected from the network and external peripherals. I would imagine that "some high level government standard" requires that for a machine to be "secure" it must not be attached to a network.

    6. Re:Service=money by dillon_rinker · · Score: 2

      NT 3.5, IIRC? Maybe 3.51? Anyway, it wasn't just no network... it was no floppy and no CD-ROM, too.

    7. Re:Service=money by HiThere · · Score: 2

      I.e., doctors don't charge for the information they have and tell you, they charge for

      Among other things, the legal right to write prescriptions.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  17. $3k ??? by Atrophis · · Score: 1

    one word..

    ouch

    --

    i cant seem to come up with a sig.
    1. Re:$3k ??? by Anonymous Coward · · Score: 0

      Really? I didn't think "ouch" was a word?

    2. Re:$3k ??? by deathcubek · · Score: 1

      http://www.m-w.com/cgi-bin/dictionary :

      First definition
      Main Entry: ouch
      Pronunciation: 'auch
      Function: noun
      Etymology: Middle English, alteration (from misdivision of a nouche) of nouche, from Middle French, of Germanic origin; akin to Old High German nusca clasp
      Date: 14th century
      1 obsolete : CLASP, BROOCH
      2 a : a setting for a precious stone b : JEWEL, ORNAMENT; especially : a buckle or brooch set with precious stones

      Second definition
      Main Entry: ouch
      Function: interjection
      Etymology: origin unknown
      Date: 1838
      -- used especially to express sudden pain

      --

      New worlds are not born in the vacuum of abstract
      ideas, but in the fight for daily bread
      --Rudolf Rocker
  18. Questions... by Noryungi · · Score: 2
    Really quickly:
    • Is this under GPL? If not, does that mean the FSF can now sue HP, to get the GPL status clarified once and for all?
    • As many have pointed out already, how is this different from installing Snort and others pre-configured?
    • Does this include all the NSA-supplied patches? With source code included?
    • Finally, how on earth is HP going to sell this for an outrageous amount of money while things like Linux-Bastille are free?? (Not to mention OpenBSD, yadda, yadda, yadda...)

    Just my US$ 0.02...
    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:Questions... by battjt · · Score: 1

      $3000 is nothing for a large company.

      Imagine being a manager facing peers and your boss after machines you are in charge of were deflowered. Would you rather say "but, I had the long-haired unshaved Linux admin who shows up for work around noon install 'snort'", or "but, I bought a secure Linux install from HP"?

      It doesn't have anything to do with technologies involved. It has to do with perception, and job preservation.

      Joe

      --
      Joe Batt Solid Design
    2. Re:Questions... by Anomolous+Cow+Herd · · Score: 1
      Really quickly

      You have no understanding of the GPL, do you? Companies are allowed to sell additional software with their distros, and they never have to give it away for free. You sir, are a cheapskate. You would demand that a company that spent a major amount of money on developing a comprehensive trusted system on your favorite OS just give away all their work for free. You must be unemployed or working outside of the software-engineering industry to hold such a view.
      This is much different from Snort, but then again, you must be relying on michael's (as usual) braindead summary of the article and Linux distro in question. If he had actually done some research on it (like just about any journalist with anything approaching integrity would), he would have written that this distro will have many components of a truly "trusted" status operating system, such as a filesystem supporting mandatory access control lists, compartmentalization, and several other things that have nothing to do with "I checked this code a bazillion times for security holes and we're screwed if we want to add features" and everything to do with a design that tolerates coding errors and doesn't allow an attacker to take advantage of them.


      Just my US $0.02...
      --

      "I don't know that atheists should be considered citizens, nor should they be considered patriots." - George Bush
    3. Re:Questions... by RollingThunder · · Score: 2

      GPL just means source code.

      It does NOT mean implementation.

      Presumably, what HP is selling here is a tricked-out, tuned, stripped-to-minimal configuration that they've had "many eyeballs" look at.

      They don't have to release word one about how they set up the software, or even WHICH software. Just any changes to code that they had to do to get it to work.

    4. Re:Questions... by barneyfoo · · Score: 2

      or even WHICH software...

      That is wrong. If I buy this software package, I am being licensed a good portion of it under the GPL, which means I can request the source code for any software package in the distribution. However, if you did NOT buy the software, you have no rights to request the source from HP. Someone else who bought the software from HP has every right to offer it to you (all non-proprietary parts).

    5. Re:Questions... by barneyfoo · · Score: 2

      Er, uh, point of clarification:

      I wrote:

      I am being licensed a good portion of it under the GPL, which means I can request the source code for any software package in the distribution.

      I meant: which means I can request the source code for any software package in the distribution that happens to be GPL.

    6. Re:Questions... by RollingThunder · · Score: 2

      Good point, I was presuming the viewpoint of a non-customer, i.e., just somebody off the street looking for a cheap route to getting the same product that HP is providing.

      But just to be pedantic: you're not buying the software, you're buying a particular arrangement and configuration of the software. One isn't OK under the GPL (HP doesn't have the rights to sell something it has no copyright to) but the other is entirely up to them.

      As to the last item, I would guess that all depends on the EULA that they release their configuration under.

    7. Re:Questions... by Anonymous Coward · · Score: 0

      Spend some more time on gnu.org in order to learn that it's perfectly OK to sell someone else's copyrighted GPL software. See also redhat.com.

    8. Re:Questions... by DeathB · · Score: 1

      You have to be kidding, right? First, Bruce Perens said that all modifications to GPL'd code were going to be released, even when they could have not done so (by using binary modules). And second, do you really think that with Bruce Perens guiding HP's open source work, even internally people could get away with it? I think you're seriously underestimating HP's commitment to open source.

      --
      Would you do it for some scoobie crack?
  19. Technical paper available by MikeCamel · · Score: 3, Interesting
    More information seems to be appearing (or I didn't find it on my original search): there's a technical discussion (pdf) with more information. Seems to be based on compartmentalisation: "The key concept of our trusted operating system is the compartment. Services and applications on the machine are run within separate compartments."

    This is the place to go for more information on the product. Quite a lot of technical information, including kernel information. It seems that it's intended to be installed over RedHat in a "layered installation" - diagrams included, as well as performance data.

    1. Re:Technical paper available by roguerez · · Score: 2

      Compartmentalization? Would that be like the FreeBSD jail feature?

      JAIL(8) FreeBSD System Manager's Manual JAIL(8)

      NAME
      jail - imprison process and its descendants

      SYNOPSIS
      jail path hostname ip-number command ...

      DESCRIPTION
      The jail command imprisons a process and all future descendants.

      [...]

    2. Re:Technical paper available by Cary · · Score: 1

      This sounds like it's just using HP's VirtualVault product. It does things like break up the root functions into separate mini-accounts. (In addition to more traditional IDS functionality.)

    3. Re:Technical paper available by Shirotae · · Score: 2

      This sounds like it's just using HP's VirtualVault ...

      VirtualVault runs on a modified version of HP-UX, on PA-RISC hardware. It is also rather expensive (a lot more than $3000). That the new product has some of the features that made VirtualVault a success is not really surprising; after all, the people who worked on it can get all that secret internal information from the VirtualVault team because they are part of the same company.

  20. Kernel Component of Secure Linux is Under GPL by Bruce+Perens · · Score: 5, Informative

    I am announcing this product in an hour. Shankland loves to jump the gun.

    The kernel component of HP Secure Linux is under the GPL license. All of the other Linux security vendors currently hide their security mods to the kernel in binary-only modules, IMO abusing the modules exception to the kernel. HP would rather not play games of getting around the GPL. The user-mode component of Secure Linux is not GPL-ed, but we understand that given the kernel drivers, programmers can roll their own.

    Thanks

    Bruce

    1. Re: Kernel Component of Secure Linux is Under GPL by Anonymous Coward · · Score: 0

      Moderators: Please note the importance of the above message.

    2. Re:Kernel Component of Secure Linux is Under GPL by grammar+fascist · · Score: 1

      So this is what you've been doing at HP? A lot of us have been wondering.

      --
      I got my Linux laptop at System76.
    3. Re: Kernel Component of Secure Linux is Under GPL by Anonymous Coward · · Score: 0

      respect mah authoritah!

    4. Re:Kernel Component of Secure Linux is Under GPL by bhsx · · Score: 2, Informative

      You sir, are a fool. Yes, he works for HP. He is Bruce Perens... the REAL Bruce Perens, idiot.
      But for the uninformed who may be thinking the same thing as this fool, here are a few links to a clue, please drop a quarter in the slot...

      http://linuxtoday.com/stories/4179.html

      http://slashdot.org/interviews/99/07/30/2220240.shtml

      http://lwn.net/1998/1119/Trojan.html

      http://www.linuxdevices.com/news/NS8872688150.html

      http://embedded.linuxjournal.com/advertising/press/perens.php?sid=17

      and finally... you should probably check this last one out...

      http://www.hp.com/products1/linux/news_events/press_releases/perens.html

      That last one is the HP announcement titled "Bruce Perens, Open Source advocate, joins hp".

      --
      put the what in the where?
    5. Re:Kernel Component of Secure Linux is Under GPL by Anonymous Coward · · Score: 0

      That may be all well and good, but what does that have to do with whether the userland components are GPLed? This Bruce guy needs a talking to by Richard Stallman.

    6. Re:Kernel Component of Secure Linux is Under GPL by Bruce+Perens · · Score: 2
      LWN.net has an interview with me in their coverage of the O'Reilly show last month. It says a bit of what I've been doing.

      Thanks

      Bruce

    7. Re:Kernel Component of Secure Linux is Under GPL by bgarcia · · Score: 1
      You sir, are a fool.
      You, sir, have been hooked!

      Hope you at least enjoyed the bait!

      --
      I'm a leaf on the wind. Watch how I soar.
    8. Re:Kernel Component of Secure Linux is Under GPL by proberts · · Score: 2

      Hi Bruce [we met at Defcon last year]

      This (All the other...) isn't totally true, there are Linux security vendors doing Open Source work, such as Enguarde and some promising things coming out of the RSBAC camp (Alt.Castle?)

      Will there be a feature comparison to RSBAC (http://www.rsbac.de) and the NSA-sponsored stuff available anywhere soon?

      Thanks,

      Paul

      --
      http://www.pauldrobertson.com
  21. HP No Choice by Proud+Geek · · Score: 2

    They have to call it that because Bruce Perens is very significant in their Linux strategy. He calls it that, so they have to as well, or else they piss him off.

    Quite frankly, they probably get most of their non-technical information about Linux from him. If he called it Green-Cheesux, they would as well. While this is perhaps not a good example, I am happy that they are listening to their advisors from within the community.

    --

    Even Slashdot wants to hide some things

    1. Re:HP No Choice by niko9 · · Score: 1

      It's Marvin the Martian, not Martin.

  22. Testing by Wind_Walker · · Score: 1, Funny
    ...that pass the Red Hat 7.1 qualification test

    Come on, everybody knows that those tests are culturally biased. When are people going to learn that computers who don't have a beige box are economically and societally discriminated against? Non-beige boxes have a higher crime rate, higher drop-out rate, and generally are used for menial tasks.

    Stop the cultural profiling!

    1. Re:Testing by bero-rh · · Score: 2

      Come on, everybody knows that those tests are culturally biased. When are people going to learn that computers who don't have a beige box are economically and societally discriminated against?

      Umm, please don't mention this in response to the Red Hat 7.1 qualification test - we've made sure quite a number of black boxes (such as IBM's) are included. ;)

      --
      This message is provided under the terms outlined at http://www.bero.org/terms.html
  23. CNet saddens us. . . by Brainboy · · Score: 1

    by comparing RedHat's stock quotes with HP's.
    RED HAT INC RHAT 3.75 0.00

    HEWLETT-PACKARD HWP 24.70 0.00

    I'm sad. ::weep::

    --
    Just a guy with an opinion
    1. Re:CNet saddens us. . . by Anonymous Coward · · Score: 0

      Quotes don't mean jack. Even if Redhat was 10 times as high... currently RHAT has a market cap of 636.8 million whereas HWP has a market cap of 48.5 billion. A lot more HWP shares out there. :)

    2. Re:CNet saddens us. . . by jhaberman · · Score: 1
      Ya know what makes me sad? As an employee of HP I have 200 stock options... the only problem? The price set on those options is $61.


      Yes, do the math, kiddies... Were I to exercise them now, I could LOSE a whopping 37 bucks a share. What a great idea.

      That should give you a clue how bad the economy is right now... But at least I survived the swinging axe yesterday!

      Jason

      --
      He's totally creeping out the Great One, eh...
  24. Caldera's announcement of 8/22 - lost to /. outage by hillct · · Score: 2

    Readers of /. yesterday will recall Caldera's announcement regarding releasing pieces of the original UNIX codebase to OSS. That announcement, along with today's announcement from HP that they're getting into the Linux distro business, signals a major shift in the market perception of the value of Open Source.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
  25. i'm confused... by xnerd00x · · Score: 1

    Can someone explain something to me? If they create a secure version of Linux, don't they have to give away the source code with it? So then what's the point of selling this for $3000? Who's gonna buy it when they could just ask for the source code and compile it themselves??? Or maybe I just Don't Get It.

    1. Re:i'm confused... by FatalException · · Score: 1

      They can sell addon software, which is what I assume they are doing.

    2. Re:i'm confused... by pkesel · · Score: 1

      When you buy enterprise systems from HP or Sun or another big player you pay for far more than a box with a CPU and bunch of wires and a CD or two. They build to spec and install software. If you buy enough from them they'll even set it up for your network, even with proper IP and users. If you pay a bit more they'll come out and put it in the rack and power it up for you. It's not like buying a PC from Dell.

      --
      - Sig this!
    3. Re:i'm confused... by RocketJeff · · Score: 1
      Actually, according to the GPL, they only have to give the source code to the people that they give the software to. Most companies/groups give GPL'd source to anyone that asks - but they don't have to.

      OTOH, the GPL also states that anyone who gets the software can redistribute it however they want - as long as they make the source available to the people they gave the binaries to (just like the original seller). I just can't see a company that buys software for $3000 giving it away to everyone else for free, however.

      NOTE: if you read some of the information on the HP site (as pointed to in other messages), HP is making their Linux changes available for everyone. They do have non-GPL'd software available in their distribution (which can't be given away). This is also within the terms of the GPL.

    4. Re:i'm confused... by Anonymous Coward · · Score: 0

      Does Caldera have to give away WordPerfect source because it runs under Linux? Or Oracle, or id, etc.? So basically yes, you just Don't Get It.

  26. Just guessing... by UM_Maverick · · Score: 2
    I'm just guessing here (since the article didn't say SQUAT), but I would think that you get some extra stuff from HP:
    • Support (yes, I realize Snort gives you source, but this way you can let *someone else* deal with the source/configuration)
    • A responsible company (PHB's love this. I work for a huge company that only deals with MS for software because we would pretty much swamp any other company...MS is one of few, if any, companies big enough to support us)
    • I'm sure there are others, but I need to get back to working for said big company...
  27. Why I chose FreeBSD by Anonymous Coward · · Score: 2, Insightful

    Yup....

    As a person whose first love was Linux, I feel qualified to comment on the reasons to migrate away from Linux. I started with Slackware in '97 from a CD in the back of my HTML book, basically a cheap way to get Apache running without having to own an expensive RISC machine. Anyways, I've toiled with Linux through the early hacker/academic days, through the hype days from '98 to '99, and still every now and then install it for a friend in need. I've probably installed Red Hat over 100+ times at the Linux Users Group here in Dallas, and have installed Slackware upwards of 50+ times, Deb/SuSE/others upwards of 20+ each. Inversely, I've probably installed FreeBSD only a few times since I toned down my OS-install fever. It gets old, really fast, installing Linux for the install project. Anyways.... as a seasoned Finux vet, I think that FreeBSD is better in many ways, except the user base and application base. There are more Finux users, and more Finux developers, by several orders of magnitude compared to all the BSD distros combined.

    What I have noticed from this large group of Finux users is the fact that they are overtly insecure about their feelings of "elite-ness". In other words, they tend to feel threatened by people who don't join their bandwagon.... of Finux evangelism. In fact, such a large majority of Finux users started using Finux simply because they perceive that Microsoft is a monopoly, and/or in some way they have negative feelings about Microsoft. Other times I find that they had feelings of inadequacy in their Microsoft environment, and sought an area where they are different.... again this goes back into the elitism aspect, and the need thereof to be elite, and/or different. In this way they can justify putting Microsoft users down, by advertising that they are now Finux users.

    The above being said, this leads this very specific class of Finux users to feel insecure when they hear about an even more elite group of people, a smaller community, of more-often ex-Finux users..... using something called BSD. The typical reaction is a "they are not with us, therefore against us" type reaction... and the hostility and misunderstandings ensue.

    Most anti-BSD rhetoric posted on Slashdot is from the narrow-minded group of Finux users that simply feel threatened by something they simply don't understand. My favorite argument to shoot down first is the hordes of Finux folks and Windows folks that say Unix is 20 years old! Ha... 20 years ago Unix was entirely different, and FreeBSD, compared to some old Unix systems of the '80s, is like HUGE in all the different ways. Most of the time people have read this on some website, from an uneducated reporter. In reality, Unix has had many huge changes over the years, as have OS design and implementation over the years.... a direct result of CS students striving to push the limits. The word micro-kernel comes to mind, yes.. we now have modular kernels too.... oh my... and don't forget about the ever-popular virtual memory idea... geez... Unix sure is darn different than it was 20 years ago.

    The fact is, if I do a Google search I find the Linus quote of how he would not have ever created the Linux kernel if he had known about the Berkeley System Dist. He was only aware of the Carnegie Mellon-like Minix system. Yup, he has said it, and you can find the quote on Google, and in past /. articles. Anyways.....

    I find that most of the FreeBSD folks are people tired of all the Linux hype.... I mean... we have tried all the distros, played with all the various package systems, recompiled the Finux kernel a time or two... done some programming, etc, etc, etc..... Then, it's like FreeBSD is sitting right there, simple, elegant, beautiful. The first thing that most Linux converts claim got them is the FreeBSD ports system. Really it is such a simple idea that we are surprised it hasn't caught on in the Finux world originally. Basically you have a CVS tree of all the software that has been ported to the FreeBSD OS. To get updated versions of software, it is simple to just cvsup the entire ports collection, and then travel to the software you want... say Apache, and run "make install". Simple as that... the latest, greatest Apache with all the FreeBSD patches and optimisations applied. No toiling with RPMs, and the dreaded hunt for dependencies. The ports system checks for dependencies, downloading the latest version of gmake if needed, or whatnot.

    Other nice features about FreeBSD, and the other BSDs, is that stability is paramount... a recent comparison of Unixes in Sys Admin magazine ranked FreeBSD the lowest of "out-of-the-box" installs for performance. This is not surprising since FreeBSD is built for stability (out of the box), and many Finux distros are optimised at the time of burning the distro to CD-ROM, are highly optimised, and unstable.... so little tweaks are needed out of the box to make the system unstable... in other words the Finux systems typically are more prone to instability under heavy loads than FreeBSD. I won't bore you with the technical details, as the layman won't get the gist of what I'm saying.

    That being said... I'd advise the person who wrote the high-performance tuning guide, linked in the article, to tone down his kernel conf a bit. It appears to lean on the unstable side, especially with the extremely high buffs lines under the users line in the kern conf. Oh well... it will push things to the extreme limit.

    1. Re:Why I chose FreeBSD by Anonymous Coward · · Score: 0

      But then again BSD users like you take any posts on slashdot or otherwise about linux to rant about how your OS is better.

      Much as you want to sound like you are being reasonable you are just as bad as those linux zealots.

      This is a post about HP releasing tools for Linux that allow certain security measures to be erected on a Red Hat system. It is not about Linux being better than FreeBSD, OpenBSD or XXXBSD etc etc.

      So everyone stop being stupid assholes who think they are right to post a "My OS is better than yours" comment. Because no matter how you look at it, they are just self-serving, not good.

    2. Re:Why I chose FreeBSD by Anonymous Coward · · Score: 0

      I thought your comments about the attitudes of the user base were very interesting. You see, I use linux because I strongly dislike unix, and I particularly dislike BSD because of the attitudes of the BSD people I had to deal with more than 15 years ago.
      Since the introduction of GPL licensing and the linux kernel, attitudes have changed markedly. I know I'm old, I wrote my first computer game in 1975, but you probably don't need to be that old to see the difference.
      It used to be that the attitude of the Unix mavens (particularly the BSD people) was "the unix way is the RIGHT way, and if you don't like it, it's because you are a stupid waste of flesh". I found this annoying, since there are so very many obvious bad things [tm] in unix (the concept of root superuser, the neolithic rwxrwxrwx structure, and so on) that could be improved or replaced if only people were willing to admit that this would be desirable.
      If you'd told me in 1982 that the great hope of operating systems in the 21st century would be unix look-alikes, I would have cut my wrists. That obsolete toy of elitist academics? C'mon, buy a VMS system and grow a pair.
      All that being said, the cathedral/bazaar phenomenon has opened minds and changed our ways of thinking about OSes just as the Internet has enabled us to become a true hacker community. Now people in the BSD and linux development groups are actually willing to replace bad things (kill NFS now!) and improve weak things (sudo, anyone?) despite the religious ravings of the unix hierophants. Huge change for the better.
      I will continue to use linux, despite my many years of experience with BSD and System V and VMS and Solaris and MVS and OS400 and RSTS/E. I like linux, and it's easier to implement a sane boot sequence on it than in FreeBSD (not that anyone actually ships anything sane - but RedHat was getting close until they got linuxconf-happy). And it's GPLed, which means when I contribute a code patch HP and Microsoft have to play fair if they want to use it.
      --Granpa Simpson

  28. One more trying to sell Linux like a Windows Clone by GdoL · · Score: 1

    HP is trying to be the Microsoft of the Linux market: sell you, for a very expensive price, what you can get (the most important part, at least) for free.

    That can be good for the Corporate World, where you have to sell the suits a non-Microsoft OS with good support (= expensive $).

    --

    ------I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.------
  29. Not Focusing on the real problem by Evil+Oli · · Score: 1

    I don't think this is really focusing on the real problem at hand. I've seen it all too many times before... you can have the best OS, with the most security features, but if the stupidest person is running the show, well... game over.

    I think spending $3000 on an OS, albeit secured to *some* extent (there will always be new flaws found out) is a bit much, especially in the Linux world. Anyone with a decent knowledge of security and access to the net can build a pretty secure Linux server system.

    So basically what I am saying is, the emphasis should be more on the people running the things, rather than the OS itself. It will make people slack in their efforts to secure their servers, especially in the business market where this is crucial.

    1. Re:Not Focusing on the real problem by pkesel · · Score: 1

      Have you hired a competent System Admin lately? Or better yet, and more accurately, have you hired a competent System Admin lately and not given him five times more work than he can do adequately? If I can buy a server, like an enterprise-class HP box, with security features built in and well documented, I'll do it rather than relying on the overworked or underskilled SA. Too often he says "Trust me." while he sneaks in after hours to patch the holes he didn't get to when he told me he did it.

      --
      - Sig this!
    2. Re:Not Focusing on the real problem by oingoboingo · · Score: 1
      Absolutely! It's not so much that the average sysadmin is bad at their job, it's that they've got 50 machines to look after, and only enough time to realistically care for 10. Any products like this HP one which can make critical admin tasks like intrusion detection easier and more automated are worth every cent.


      It's clear from the postings of a lot of people on this discussion to the effect of "your sysadmins must be all morons if they can't install snort and harden a linux distro themselves!!" that they've never had a sysadmin job in a big, busy company. It's simply not an efficient use of your time to be configuring and installing stuff like snort, or manually hardening a linux distro, when for $3000 you can have it all done for you, and backed by a company like HP.

    3. Re:Not Focusing on the real problem by Anonymous Coward · · Score: 0

      Well, slashdot has a significant ghetto element of highschool/college kids who believe that the world runs on athlon motherboards from pricewatch and that paying $79 for an OEM copy of Windows is lots of money. Real World indicates that most corporations piss away $3000 without thinking of it (even my manager could sign for that, and we routinely dump hardware worth several times that cost just because it's 'old'), and that senior-level Unix sysadmin time has the real cost of $hundreds per hour.

    4. Re:Not Focusing on the real problem by WildBeast · · Score: 1

      Wait a minute, isn't that the same way Windows admins became dumb? All of a sudden, we'll all be buying fairly secure machines from HP but when a real security threat hits, we're powerless. How do you expect sysadmins to be any good if they don't have a close relationship with the machine they administer?

    5. Re:Not Focusing on the real problem by Evil+Oli · · Score: 1

      I *am* a system admin. Talking from my own experience, and the collective experience of others, the general knowledge level in this area needs to have the bar raised.

      You wouldn't expect anybody to buy a house with the latest security system and locks, and then not have the understanding to lock the windows, and turn on the security system. People rely too much on the technology doing the work for them, and this is where problems start.

      As for overworked SA's, well, that's just the problem. Not enough experienced and educated folk (notice, not "certified") to go around. Unfortunately, not every MD or IT manager can afford enough of their time to fix problems themselves.

      P.S. Sneaking in after hours (or remotely) to patch things up is part of the fun!

    6. Re:Not Focusing on the real problem by pkesel · · Score: 1

      I feel your pain. I've been waiting six weeks for a simple Java package install on my HP-UX server. I could do it in a couple hours, including patch research and install, but you have to go through channels. I could admin the box to a better level than it is at now. We've got a dozen developers working in the same directory with the same login, and with no code control. /usr/local and everything under it is at mode 777. And they worry about us running Apache and Tomcat for an internal info site!

      --
      - Sig this!
  30. The issues are very important. by Futurepower(tm) · · Score: 2


    Certainly RMS does many imperfect things. But there is another side: The issues are very important. There are many ways that freely available software can, and does, drift away from being truly free. Even a small amount of legal tangle can make software useless to many people.

    Consider this: How would you react if you were trying to explain something complicated, and very important, and you were getting responses that indicated that people didn't understand.

    Richard Stallman is certainly not a good publicist for his ideas. However, it seems to me that when he takes a stand, there is generally some sensible underlying motivation. Here is a suggestion: Don't sweat the small stuff. Don't get caught up in his shortcomings. See the big picture. Remember that RMS stands to gain nothing personally. His ideas only keep software free for all of us to use and improve.

    Mr. Stallman has become a popular outlet for anger. However, most of the angry people don't seem to have a true understanding of the underlying issues.

    --
    Bush's education improvements were
    1. Re:The issues are very important. by szomb · · Score: 2, Insightful

      However, most of the angry people don't seem to have a true understanding of the underlying issues.

      And this is, of course, something completely new and unheard of, and only relating to RMS.

      --
      Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
  31. Excellent idea! by Jeppe+Salvesen · · Score: 2

    Some people are so stuck in their ways that they cannot imagine that "it's free" and "it rocks" are NOT mutually exclusive. Well - these people will perhaps be MORE willing to adopt Linux if they pay a lot of money for it along with receiving some propaganda (true or not) of how much more secure than free Linux this distribution really is, than if they download the ISO and hand it to the local (very capable) sysadmin.
    Basically, HP will make some dough on Linux. They deserve it. HP-UX is supposedly a pretty sweet OS. It's been part of what kept Unix afloat in the middle of the NT reverse-revolution. I don't think that making a bit of dough on Linux is in any way bad - as long as there are free, good quality alternatives available.

    So we can use Trustix and OpenBSD and Bastille and even roll our own distribution, while some people will pay $3000 for a brand name.

    If we're supportive/lucky, we might even see HP releasing some products under the GPL. If they're relatively moral, they'll give back some of their new technology to the society that gave them the platform for all that profit.

    And heck - if they fall to the ground, they'll prolly release the full code. Win-win for us, folks!

    --

    Stop the brainwash

    1. Re:Excellent idea! by SuiteSisterMary · · Score: 2

      while some people will pay $3000 for a brand name.

      Let me quantify this further: Some people will pay 3000 dollars for SOMEBODY ELSE'S EXPERTISE AND GUARANTEE.

      And if you argue that if you don't know security, you shouldn't have a server, I can extend that argument to if you can't write your own kernel, you shouldn't be using an OS.
      --
      Vintage computer games and RPG books available. Email me if you're interested.
    2. Re:Excellent idea! by spudnic · · Score: 2

      And heck - if they fall to the ground, they'll prolly release the full code. Win-win for us, folks!

      No, not win-win for us. It repulses me every time I hear someone say this. How short-sighted can you be? There can only be so many large companies that embrace Linux and fail before they all get the idea that it's just not worth it.

      Want to support and promote Linux? Wish HP all the luck in the world pulling this off. By selling and supporting a distro like this, Linux may get a strong foothold inside corporate data centers. Now that's definitely a win-win for us. With a substantial Linux corporate userbase we will see more industrial strength apps and tools being released for the platform we all love.

      Do you want the Linux community to be viewed as nothing more than a bunch of scavengers? Vultures circling overhead just hoping that a great initiative will fail so we can scoop down and eat up the remains?

      I think not.

      Best of luck, HP! You've made a great decision in choosing to support Linux, and we all hope that it brings in loads of money for your company for many years to come.

      --
      load "linux",8,1
    3. Re:Excellent idea! by WildBeast · · Score: 1

      If you don't know security, you should have your server hosted by a company that has capable admins.

  32. Oh silly little Microsoft... by powerlinekid · · Score: 1

    *Note: This is not entirely off topic, more of a summation of the last couple days worth of linux news*...I wonder if they honestly thought fucking big businesses (the ibms, compaqs, hps, etc) in the ass would help cement their world dominance for all eternity (doesn't satan want to do that too???)... Let's face it, they (microsoft) are very good at what they do... business (haha... and you were thinking software???), maybe even better than anyone else. But they left out one little unthinkable at the time detail... open source. So the community of hundreds of thousands develops this OS which begins to mature... becomes the media darling... and is taken as the potential OS of choice for IBM's top of the line servers, HP's servers, and is also an influential key-note in caldera's decision to open Unix. While this doesn't immediately hurt MS, I think that all this coverage and definitely the support on the part of these companies (Oh... so IBM and HP have decided to put linux on the tens of thousands of dollars servers??? maybe i should try that...) is going to help linux in the long run.

    --

    can't sleep slashdot will eat me
    1. Re:Oh silly little Microsoft... by Anonymous Coward · · Score: 0

      One question mark is sufficient, toad.

    2. Re:Oh silly little Microsoft... by WildBeast · · Score: 1

      Yes this will help Linux but it'll badly hurt Open Source.

  33. But is it just a labor charge for new HW? by gelfling · · Score: 2

    This appears to be a feature install for new HP servers only, just like any other OS option, so it appears that they're merely charging you for the labor to install and vet the system with some development recovery thrown in. That is, it doesn't look like you can call your local HP boyscout and ask for a brand new rockhard HP Linux CD for $3000, though the article indicated that that might be a future option.

  34. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  35. The Price Tag by AnotherSteve · · Score: 4, Insightful

    To most /. readers three kilo-bucks is a little much to pay for something you can download. To understand why this makes sense for business sales you have to think like a manager. A lot of managers don't care so much about what something costs as the reputation of the vendor.

    Consider these two options:

    A) The bearded, long-haired, overly-caffeinated freak from down the hall says "Hey, I can download this stuff for free off the internet. It'll make us really secure, honest." (Disclaimer: I am a bearded, long-haired, overly-caffeinated freak.)

    B) A well-respected vendor has a $3000 product that will make the computers really secure. If it doesn't work, we can call them up and bitch at them. Furthermore, we have someone outside the company to blame if it breaks.

    Now, you're the manager. You choose. This is a savvy move by HP - in addition to whatever actual value-added there is in their product, they are also cashing in a little on their name and reputation. They're selling perceived value as much as actual value.

    --
    Information wants to be $1.98/lb.
    1. Re:The Price Tag by Anonymous Coward · · Score: 0

      Don't try to talk business models with the Linux types, they don't understand. Especially the part about money... this concept seems to elude most of them.

    2. Re:The Price Tag by Reality+Master+101 · · Score: 2

      Well put. The other thing is that a lot of l33t haxxhor types think $3000 is a lot of money. That's peanuts for a guarantee of security.

      To put it in perspective, on a site that I'm involved with that runs credit reports, we were required to pay $20,000 to a company to "review" our architecture (joke) and do periodic port scans. I'm sure sometimes the port scans find vulnerabilities, but it's still pretty pricey.

      On the other hand, it's a good barrier to entry for the business. :)

      --
      Sometimes it's best to just let stupid people be stupid.
    3. Re:The Price Tag by WildBeast · · Score: 1

      Would I trust a guy who lives on computers or would I trust a company who lives on money? Oh that's a hard one.

      Your view is kinda MicroSoftish dude, you're in the wrong community.

    4. Re:The Price Tag by AnotherSteve · · Score: 1

      Go back and read my note again. I didn't say this is how I'd do it. I'm talking about how the boss-people make decisions. You gotta understand your target market.

      If it was me, and I needed something really secure, I'd start with FreeBSD and go from there.

      --
      Information wants to be $1.98/lb.
    5. Re:The Price Tag by Anonymous Coward · · Score: 0

      Unfortunately, you are right. This is because of the PHB (Pointy-haired Boss) phenomenon.

      Support for free software is provably better than the most expensive maintenance contract you can get.

      By provably, I mean you can independently verify this claim. My company did it, and proved that gawk, perl, gcc and samba get better support for free (including having the software authors SSH into the host and fix bugs on the fly) than you can get for $300,000.00 US yearly from IBM (or $45,000 US yearly from HP).

      But PHBs are immune to logic and visible proof. They only believe what salespeople say, because they think of themselves as salespeople (or, worse yet, "managers") and thus believe that they instinctively know a sales pitch from reality.

      IT SAYS RIGHT ON THE SOFTWARE LICENSE THAT YOU CAN'T HOLD THE VENDOR RESPONSIBLE IF IT DOESN'T WORK!

      IT SAYS RIGHT ON THE MAINTENANCE CONTRACT THAT THE VENDOR GETS TO DECIDE WHETHER YOU HAVE A REAL PROBLEM GOVERNED BY THE CONTRACT!

      Lawyers laugh hysterically at the HP and IBM maintenance contracts; all they say, in essence, is "we promise to answer the phone (unless we don't feel like it) and have a surly college student pretend to care about your business".

      Mothers, don't let your babies grow up to be "managers".

      --A _Worker_

  36. Re:Caldera's announcement of 8/22 - lost to /. out by futard · · Score: 1

    Sounds more like the old corporate adage of "embrace, improve, destroy" to me.

  37. Counter-Attack this FUD by Psarchasm · · Score: 2, Informative

    Your DHCP server detects a buffer-overflow
    Uhh... okay... that's a real bright design.

    then passes the appropriate counter-measure information to your mail server. The mail server hacks the machine, shuts down the offending process, and patches the TCP/IP stack with one that DOESN'T have raw socket access.
    Hmm more bright design. Why not just turn my web server into a honeypot while I'm at it.

    SOMEONE has been reading too-fucking-much Steve Gibson. WindowsXP has 0 to do with this. So not only is this post off subject its complete FUD. Take a look here for a more enlightened view of XP and a realistic view of Gibson's worthless RANTs on XP and its access to raw sockets.

    If the 5 this comment rated was for FUD I wouldn't even need to be posting this. Pfft.

    --
    http://windows.scares.us
    1. Re:Counter-Attack this FUD by Da+Masta · · Score: 1

      That article was bullshit too. NOTHING they said contradicts any of the facts Steve Gibson has said.

      Yes, aftermarket patches/drivers are available to get raw sockets but most newbie h4X0r wanna-be's will probably never get them. And yes, they were available with win2k but it is marketed as a workstation OS, not a desktop os, meaning it is not the best place to play diablo2 and what-not and thus the target wanna-be demographics is eliminated as potential win2k users. On the other hand, one version of WinXP, home edition, is targeted for home users.

      Remember the oversized packet exploit from way back that spawned many "hacker tools" such as WinNuke and its clones? It took 1 braincell to download it, 1 to find a buddy's ip through icq and 1 to press the "Nuke d4 fux0r!" button. These are the types of exploits that will be more and more common when WinXP Home Edition comes out because of its abilities to take advantage of more exploits out of the box.

      I'd agree Steve is a bit of a sensationalist, but what he is saying is not wrong, and definitely not FUD! It will not be the end of the net, and WinXP should not be scrapped, but to say his rants are worthless is going too far.

    2. Re:Counter-Attack this FUD by Zinho · · Score: 1

      Having read both Steve's article and the antioffline rebuttal, I think that antioffline has missed Steve's point. One 1337 H4x0r's Linux box does not a DDoS attack make. Sure there have been raw-socket attacks available from H4x0r-owned and -cracked Linux and other *nix platforms, but not in large number. There are far more windows boxes open to hacking, and there always have been. They haven't been attractive targets, though, because once you have them, they're pretty much useless compared to a good *nix box.

      Now that there will be loads of WinXP boxes around to hack with capabilities similar to a real workstation or server running a Unix variant, the types of DDoS attacks that could be done with cracked *nix boxes can be done with the magnitude usually associated with zombie Win* boxen.

      To beat the dead horse some more, Steve's not worried about script kiddies launching attacks from their own machines, he's worried about them infecting large numbers of WinXP boxen with various trojans, turning the trojan-infected boxen into a pool of ready-and-waiting attack zombies, and launching hard-to-filter attacks using the raw sockets.

      I can see why he's worried, and I'm taking a wait-and-see approach to it: wait a LONG time before adopting any of the *XP titles from Micro$oft, and seeing if the Net really does melt down after *XP's release. That way I can guarantee that I'm not contributing to the problem and, well, if the Net melts down, I can't stop it on my own anyway.

      --
      "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
    3. Re:Counter-Attack this FUD by Anonymous Coward · · Score: 0

      Someone needs to grow a sense of humour.

    4. Re:Counter-Attack this FUD by tim_maroney · · Score: 2
      Both your comment and the article you referenced should be dismissed as flamebait. The article, written in a juvenile, profane and offensive style, utterly misses the point that Gibson is careful to make, which is that with Windows XP providing raw socket access, it becomes easier to create malware that runs on Windows. It's not that it's impossible now, but there's this funny thing about people: when something becomes easier, they do it a lot more.

      Tim

    5. Re:Counter-Attack this FUD by Psarchasm · · Score: 2

      I'm positively stunned at the near-sighted responses to the minimal effect, if any, that could be attributed to giving the "at home user" access to raw sockets.

      MacOS (about as "home user" as you can get) has had access to raw sockets for years - where is the war cry there? Should Steve Gibson want to rally a war cry (or rant) about WindowsXP's security, or lack thereof, let him... assuming he's found some bugs to bitch about. But here sits a man spouting FEAR, UNCERTAINTY and DOUBT - about an un-released OS that gives the casual programmer more access to his networking stack.

      Plain and simple... Gibson is fighting the wrong battle and he does it in a journalistic style that leaves me wishing for better material to read... hmm where is the Weekly World News?

      The answer isn't taking access to core parts of the OS away from the user (or the developers that can make legitimate use of it). The answer is fixing the core problem.

      ftp://ftp.isi.edu/in-notes/rfc2460.txt

      --
      http://windows.scares.us
    6. Re:Counter-Attack this FUD by pmz · · Score: 1

      The antioffline "facts" were not so factual. For example (from the antioffline article):

      "Raw Sockets have been around for years in Unix based operating systems, and although many script kiddiots have made the move, they have yet to take over the world with the functionality of it."

      This quote really misses something very important.

      UNIX places the ports that would be useful to script kiddies out of their reach. This is accomplished by a simple permissions model. UNIX: I'm the superuser, don't touch my ports!

      Windows XP is wide open. This is where Steve Gibson's arguments gain their basis. Windows XP: I don't mind, you can touch my ports all you want!

    7. Re:Counter-Attack this FUD by pmz · · Score: 1
      Here's another good one from the antionline article:

      "Have you [Steve Gibson] taken the time to notice, you are the only one in this world bitching about Windows XP?"

      LOL! I guess Attorneys General, Senators, privacy-rights organizations, anti-trust organizations, and consumer-rights organizations just don't count. Has another single software package been attacked on so many fronts by so many organizations as has Windows XP?

    8. Re:Counter-Attack this FUD by Anonymous Coward · · Score: 0

      You pathetic gibson ass licker.

    9. Re:Counter-Attack this FUD by Anonymous Coward · · Score: 0

      XP is wide open? You ignorant fuckwad. Without system-level privileges, you can't access ANY of the network components.

      You are a fuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwadfuckwad

    10. Re:Counter-Attack this FUD by pmz · · Score: 1
      Looks like your 'fuckwad' key got stuck there.

      Anyway, from Steve Gibson's summary:

      "... the Home Edition of Windows XP executes all applications with full administrative ("root") privilege. Thus, Windows XP eliminates the raw socket safety restrictions imposed by all other operating systems."

      So, while I may be a genuine fuckwad (actually, fuckwad's my first name), I defer the ignorance to another party, if, in fact, Windows XP does protect the socket access.
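
    Added example (editor's code, not from any poster in this thread) for the two pmz comments above about the Unix permission model: socket(AF_INET, SOCK_RAW, ...) is refused with EPERM unless the caller is privileged (on Linux the CAP_NET_RAW capability, which root has). The usual way to live with that rule is privilege separation: open the raw socket while privileged, drop root, keep only the descriptor, and confirm that a second socket() call is now refused. The uid/gid dropped to (65534, the conventional "nobody") are assumptions, as is a Linux/glibc build.

```c
/* Editor's added example, not code from anyone in this thread. It makes the
 * Unix rule in the comments above concrete: socket(AF_INET, SOCK_RAW, ...)
 * is refused with EPERM unless the caller is privileged (on Linux, the
 * CAP_NET_RAW capability, which root has). The usual way to live with that
 * rule is privilege separation: open the raw socket while privileged, drop
 * root, keep only the descriptor. After the drop a second socket() call must
 * fail, which is the kernel check in action. The uid/gid to drop to (65534,
 * the conventional "nobody") are assumptions. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <grp.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Returns a raw ICMP socket (fd >= 0) or -errno. An unprivileged caller
 * gets -EPERM here; that refusal is the permission model itself. */
int open_raw_icmp(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    return fd >= 0 ? fd : -errno;
}

/* Drop root for good: supplementary groups first, then gid, then uid, each
 * checked, and finally a probe that root cannot be regained. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -errno;
    if (setgid(gid) != 0)        return -errno;
    if (setuid(uid) != 0)        return -errno;
    if (setuid(0) == 0)          return -EACCES;  /* drop did not stick */
    return 0;
}

/* Acquire while privileged, drop, keep the fd. Returns fd >= 0 or -errno.
 * Run as a normal user the first socket() already fails with -EPERM;
 * run as root you get a socket and end up as `uid`. */
int acquire_raw_socket_then_drop(uid_t uid, gid_t gid)
{
    int fd = open_raw_icmp();
    if (fd < 0)
        return fd;
    if (geteuid() == 0) {
        int rc = drop_privileges(uid, gid);
        if (rc != 0) { close(fd); return rc; }
        int again = open_raw_icmp();           /* must be refused now */
        if (again >= 0) { close(again); close(fd); return -EACCES; }
    }
    return fd;
}

/* 1 if what the kernel did matches the model (a socket was granted, or it
 * was refused on privilege grounds), 0 for any other outcome. */
int raw_socket_model_holds(void)
{
    int fd = acquire_raw_socket_then_drop(65534, 65534);
    if (fd >= 0) { close(fd); return 1; }
    return (fd == -EPERM || fd == -EACCES) ? 1 : 0;
}

int main(void)
{
    int fd = acquire_raw_socket_then_drop(65534, 65534);
    if (fd < 0)
        printf("raw socket refused: %s (euid %u)\n", strerror(-fd), (unsigned)geteuid());
    else
        printf("raw socket fd %d held, now running as euid %u\n", fd, (unsigned)geteuid());
    return 0;
}
```

    Run it twice, once as an ordinary user and once as root, to see both sides of the check: the unprivileged run never gets past the first socket() call, the root run gets a descriptor and then, having become uid 65534, is refused a second one. That is the whole of the "I'm the superuser, don't touch my ports" model in the comment above.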

  38. For $3,000 ... by Count · · Score: 0, Redundant

    It should make me breakfast

    tar -xzvf breakfast.tgz

    make sausage

    make toast

    make eggs

    1. Re:For $3,000 ... by pkesel · · Score: 1

      For $3000 you should get a Linux distro that's as stable and well-behaved as HP-UX. Redhat or Mandrake or any other off-the-shelf distro isn't there yet.

      And you'll get the HP support, which is also far more than you'll get from Redhat or the others.

      I'd personally love to come to work tomorrow and find my new quad-processor K-class box running Linux. Or maybe that V-class monster in the other room.

      --
      - Sig this!
  39. Let's Mirror It by Procrasti · · Score: 2, Funny

    If we can just get 150 people to put $20 in each, we can buy a copy of this and then mirror it!!!

    Isn't the GPL great? ;0)

    1. Re:Let's Mirror It by gaudior · · Score: 1

      Get a freaking clue. The only HP-added code that is GPL'ed are the kernel-space mods. All the HP user-space stuff is binary-only, and NOT under the GPL. They don't have to give it away.

    2. Re:Let's Mirror It by Procrasti · · Score: 1

      Twas a joke, the moderator got it right... maybe your post helped someone who didn't understand the distinction though... well done :)

  40. rsbac, snort/hogwash, iptables by matman · · Score: 2

    Hmm, how about I just install RSBAC, snort/hogwash and iptables for free? :)

    1. Re:rsbac, snort/hogwash, iptables by mikeee · · Score: 2

      Sure. You want to do that for me? Not for free? Well, you'd better beat $3000 then, 'cause I've *heard* of HP...

    2. Re:rsbac, snort/hogwash, iptables by pkesel · · Score: 1

      How about you learn what a 4-16 CPU PA-RISC server is about and port the kernel and support its I/O subsystem and its firmware pre-boot sequence and get that Redhat distro up and running first. Then you go ahead and port the standard stuff and get it installed, and then test it all so severely that I can build my enterprise around it. And then when I've got 50-100 of them running you can sit up waiting for my calls when one of them burps.

      These aren't the PCs in your basement guys. These are servers for the real world. HP's putting this stuff on its D, R, L, K, and T series servers and others. Quad or better CPU, 4Gb RAM, TB raid storage, proprietary bus. It's not a simple distro install and config.

      --
      - Sig this!
  41. I can do better than HP by defile · · Score: 4, Interesting

    Check this out..

    For $2,500/year, I can certify that your Linux box is 100% secure, and do whatever is necessary to make it secure and keep it secure.

    If your box is ever hacked, I will dole out $10,000 on the spot.

    There, beat that HP. :)

    I'm only half serious, but would be glad to work something like this out if there were any takers.

    The point of this exercise is to show that you don't need to buy Linux from a big slow vendor to get support. But most of you already knew that.

    1. Re:I can do better than HP by pkesel · · Score: 1

      Can you do that for 2000 customers, who have over 250 servers each? Can Redhat do this? Mandrake? SuSE? Can you do it on an enterprise class K or V series server?

      I'm going to trust HP, thank you.

      --
      - Sig this!
    2. Re:I can do better than HP by gaudior · · Score: 1

      BRAVO!

    3. Re:I can do better than HP by Anonymous Coward · · Score: 0

      But, as has been pointed out above, that's not just what you're buying w/this. Managers buy names. They buy safety. The saying that "No one ever got fired for buying IBM" (now Microsoft) is a great example of manager-think. Buying support from your secretary's 16-year-old cousin is not what a manager is going to do. Even if it is cheaper than HP. You're buying a "relationship w/a vendor" and a "responsible party" for problems and a "support structure" and a "reputation" and maybe even a "partnership." These are not things that you can offer to a manager realistically. HP can.

    4. Re:I can do better than HP by Anonymous Coward · · Score: 0

      I can.

    5. Re:I can do better than HP by spudnic · · Score: 1

      So I'm the head SA at megacorp, Inc. We take you up on your offer. We get hacked.

      I go to the boss and explain that while we did hire some guy to watch over security, we ended up getting hacked, but he's going to pay us $10,000.

      The PHB doesn't care about $10,000. Our company reputation is on the line. The $10,000 just means that the Fiscal Dept. has to waste time finding the forms to accept the check. He's mad at me because I trusted our network to "some guy" who he's never heard of.

      Now change the scenario.

      So I'm the head SA at megacorp, Inc. We take HP up on their offer. We get hacked.

      I go to the boss and explain that while we did enter into an agreement with HP to watch over security, we ended up getting hacked anyway.

      The PHB, trusting the reputation of HP, explains that he is obviously disappointed that we had a problem, but understands that I did the best I could to try to prevent it.

      --
      load "linux",8,1
    6. Re:I can do better than HP by LinuxGeek8 · · Score: 1


      For $2,500/year, I can certify that your Linux box is 100% secure.
      If your box is ever hacked, I will dole out $10,000 on the spot.

      You can count me in.
      You can reach me at marcel@localhost.

      Oh, and in case the box gets cracked by marcel@localhost, don't just blindly assume it's the same localhost.
      You know, there's more than 1 localhost on this earth :)

      --
      Well, don't worry about that. We can get you back before you leave. (Dr. Who)
    7. Re:I can do better than HP by Spoons · · Score: 1
      For $2,500/year, I can certify that your Linux box is 100% secure, and do whatever is necessary to make it secure and keep it secure.

      ha! This sentence proves you know nothing about security. No setup is 100% secure. You could have an elite commando force guarding your computer 24/7 in a cave 10 miles under the earth with no connections to the outside world, and still it would not be 100% secure.
  42. Re:GNU/Linux WTF is that? by yomegaman · · Score: 1

    It was a typo. They meant to say GUN/Linux, Eric Raymond's new distribution. Nothing says security like cold steel, you know...

    --
    ...wearing a skin-tight topless leather jumpsuit, with cutaway buttocks and transparent crotch panel.
  43. Up to HP's standards? by pkesel · · Score: 1

    Is HP going to make this distro up to the HP-UX standard we're accustomed to? Will it have the Glance Plus Pack available for server monitoring? Will it integrate well with HP Open View and other tools? If so, it's going to be well worth the $3K they're asking. If they're writing that class of software for Linux they've certainly been through the compilers and libraries with a fine comb. I'd certainly trust their distro more than anything out there now. I've developed on HP-UX since '95 and I've grown to trust their OS and their tools. If they can give me the same feeling with Linux I'd be grateful.

    --
    - Sig this!
  44. docs on HP website by patmfitz · · Score: 2, Informative
    There's no concise product brief yet, but the following might answer some questions.
  45. How to solve most problems by Ex+Machina · · Score: 1

    IMHO 90% of host security problems can be solved via a non-executable stack. Sure, it's a kludge, but it stops all the moronic k1dd13s. It'll be interesting to see if HP includes this and any of the other security patches in the kernel.

    1. Re:How to solve most problems by Royster · · Score: 2

      Non-executable stack is not a significant barrier. If there is an exploitable buffer overrun in an executable stack kernel the form of the exploit changes, but the kernel is still vulnerable to the same overrun. Go to the Linux Kernel Archive and follow any one of the many discussions on non-executable stack.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
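
    Added example (editor's code, not from any poster in this thread) for the non-executable stack exchange above. It shows the shape of an overrun that a non-executable stack does not stop: nothing on the stack is ever executed, the overflow simply overwrites a code pointer so that control transfers to a function that is already mapped executable in the binary, the "return into existing code" form of the attack. The vulnerable handler and its bounds-checked twin are hypothetical; the struct layout assumption (members in declaration order, no padding between a 16-byte char array and the pointer after it) holds on the usual x86 and ARM ABIs, and offsetof() is used so the payload adapts if it does not.

```c
/* Editor's added example, not code from anyone in this thread.
 * It shows why a non-executable stack alone does not close an exploitable
 * overrun: nothing on the stack is ever executed. The overflow overwrites a
 * code pointer so that control transfers to a function that is already
 * mapped executable in the binary (the "return into existing code" shape
 * of the attack). NX cannot tell that call from a legitimate one; a bounds
 * check can. Assumption: members are laid out in declaration order with no
 * padding between a 16-byte char array and the pointer after it (true on
 * the usual x86/ARM ABIs); offsetof() is used so the payload adapts. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int last_handler = -1;          /* records which handler actually ran */

static void normal_handler(void)     { last_handler = 0; }
static void privileged_handler(void) { last_handler = 1; } /* attacker's target: real code, not injected */

struct request {
    char name[16];                     /* attacker-controlled field */
    void (*on_done)(void);             /* immediately follows it in memory */
};

/* Byte copy through a volatile pointer, so the compiler has to perform the
 * out-of-bounds stores the example is about instead of reasoning them away. */
static void copy_bytes(volatile unsigned char *dst, const unsigned char *src, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
}

/* Vulnerable: no length check, so len > 16 spills into r.on_done. */
int handle_request_vulnerable(const unsigned char *data, size_t len)
{
    volatile struct request r;
    r.on_done = normal_handler;
    last_handler = -1;
    copy_bytes((volatile unsigned char *)r.name, data, len);
    r.on_done();                       /* calls whatever the copy left in on_done */
    return last_handler;
}

/* Fixed: refuse input that does not fit the field. Same code otherwise. */
int handle_request_fixed(const unsigned char *data, size_t len)
{
    volatile struct request r;
    if (len > sizeof r.name)
        return -2;                     /* rejected before any byte is copied */
    r.on_done = normal_handler;
    last_handler = -1;
    copy_bytes((volatile unsigned char *)r.name, data, len);
    r.on_done();
    return last_handler;
}

/* Constructed payload: filler up to the pointer, then the address of
 * privileged_handler as raw bytes. There is no shellcode in it, which is
 * exactly why a non-executable stack is irrelevant to it. */
size_t build_payload(unsigned char *buf, size_t cap)
{
    void (*target)(void) = privileged_handler;
    size_t off = offsetof(struct request, on_done);
    if (cap < off + sizeof target)
        return 0;
    memset(buf, 'A', off);
    memcpy(buf + off, &target, sizeof target);
    return off + sizeof target;
}

int demo_vulnerable(void)              /* 1: privileged_handler ran */
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    return handle_request_vulnerable(payload, n);
}

int demo_fixed(void)                   /* -2: oversized input refused */
{
    unsigned char payload[64];
    size_t n = build_payload(payload, sizeof payload);
    return handle_request_fixed(payload, n);
}

int main(void)
{
    printf("vulnerable handler: %d (1 = hijacked)\n", demo_vulnerable());
    printf("fixed handler:      %d (-2 = rejected)\n", demo_fixed());
    return 0;
}
```

    The pointer here lives in a struct rather than being the saved return address, which keeps the demonstration deterministic under stack canaries and ASLR, but the mechanism is the same one a return-address overwrite uses: the attacker supplies an address of code that already exists, so marking the stack non-executable changes the exploit's form, not its feasibility. Address randomisation and control-flow integrity are the mitigations aimed at this form; the bounds check is what actually removes the bug.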
  46. Idiot! by gaudior · · Score: 1

    Don't even think of comparing Oracle to MySQL. They reside in vastly different problem spaces. MySQL is a nice little backend for little websites. Oracle is a huge, powerful backend for very large websites, financial applications, manufacturing systems....

    MySQL is not capable of crossing the street that Oracle races on.

    Don't get me wrong. I use MySQL every day, for the problems that can be solved by small, simple databases. Company intranet, weblog, bulletin board, web stats, shopping cart.

    I also use Oracle every day, for solving the problems of managing the infrastructure of the second largest ASP in the USA, and the largest IS solutions provider in the Healthcare industry.

  47. HP "Gets It" by istartedi · · Score: 0, Flamebait

    The way to make money selling Free Software is to price it so high that nobody will burn a copy for their friends. "I paid $3000 for that. Buy your own d*** copy!"

    Of course, perhaps HP is also fixing it up so it only runs with their stuff. That's another great way to make money on Free Software. Sell it as an option for something else, and make sure it's useless unless it's bundled with the Something Else. The key here is what you bundle with it. Bundling it with support gives you a disincentive to produce quality Free Software, but bundling it with hardware doesn't, at least not directly. If hardware vendors end up dominating the software market, they are likely to produce only a few killer apps, but at least they will put effort into those apps to reduce support calls.

    Of course, Free Software tends to repel 3rd party software vendors. Perhaps Bill and Company gave 3rd party software vendors a bad reputation, OTOH, if the Free Software that comes with the system lags in features, then 3rd party vendors who are "pure plays" in the software market will step in, and people will pay money for 3rd party software that does more than the stock install. Then we are back to square one, with some future Microsoft breathing life into the 21st century's equivalent of the stale, boring mainframe world.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  48. Cost by rootmonkey · · Score: 1

    I wonder how much a secure version of windows would cost. Oh, and a machine without a power supply or unplugging the machine doesn't count.

    --

    Yes but every time I try to see it your way, I get a headache.
  49. The FSF charges $2000 for their CD distros. by Anonymous Coward · · Score: 0
    You can charge what you want for distribution costs. 'Linux' is a hodge-podge of free software compiled together as an OS. You don't "add-on" to Linux because "Linux" doesn't exist.

    Why do you think the FSF charges $2000 for their distros?

  50. Pricing... by Adambomb · · Score: 1

    Well if you're talking a small business or home network, yeah that would be fine. The reason this setup is great for corps though is the fact that it's 'guaranteed' secure by HP. The cash isn't for the software (since most of it is GPL'd), nor primarily for the machine, but for the words on paper that remove liability from your IT department, heh. Plus this kind of purchase keeps the PHB's happy, and thinking they know what's going on.

    Honestly I'd rather have them grab a few of these with our budget than be put under the gun when someone misses a detail when reconfigging a box.

    --
    Ice Cream has no bones.
  51. Re:GNU/Linux WTF is that? by Anonymous Coward · · Score: 0

    Is that like Linux?

    Yes. It refers to a system running the linux kernel which depends primarily on GPLed software for its user experience.

    Some claim the GNU is meant to somehow imply that the FSF "owns" or is directly responsible for the GPLed software in question, but this is not necessarily the case.

    You may, in general, use the terms GNU/Linux and Linux interchangeably for the installed OS (assuming you're not referring specifically to the kernel) depending on your personal preference.

    I hope I have helped you.

  52. This makes W2K look cheap... by Anonymous Coward · · Score: 0

    And W2K can be secured by a $20/hour kid in about an hour after install.

  53. Re:Why I chose FreeBSD....NOT! by Anonymous Coward · · Score: 0

    I'm tired of the BSD'ers getting their code stolen by companies like Microsoft. Why develop for BSD when the license lets any corporation steal what you have done and give you nothing in return.

  54. Mandatory Access Controls by evenprime · · Score: 1

    They are one of the requirements of a Trusted OS

    --

    "Weapons should be hardy rather than decorative" - Miyamoto Musashi
    I think that goes for OS's too
  55. Re: man pages by Jebediah21 · · Score: 1

    Damn, I want to read that man page for kidney failure. RedHat and Mandrake don't seem to have it. Do you think Debian or maybe a *BSD would have that man page?

    --

    Every time you look at porn a devil gets their horns.
  56. Pointless by Ogerman · · Score: 1

    Yet another corporation that just doesn't "get it." Who in their right mind would pay $3000 for free software plus some little proprietary package that duplicates the functionality of snort, lids, tripwire, etc. while limiting your support options? ..and not to mention the fact that they are not giving anything back to the community.

    1. Re:Pointless by gaudior · · Score: 1

      Why don't you READ before POSTING? This is the BIG SHOW, pal, not your dorm room. Hardened Linux, on Enterprise-class machines, backed by one of the best support organisations...

      This is a GOOD thing. HP 'Gets It', in spades. I hope it is successful. It will help Open Source endeavours of all stripes.

    2. Re:Pointless by WildBeast · · Score: 1

      what? Just install Slackware or Rock Linux, it's as secure as it gets. Want more security? Go with OS/2, nobody will care to try and hack into it.

    3. Re:Pointless by gaudior · · Score: 1

      You are not going to 'Just install Slackware' on a PA-RISC box. Like I said, this is not for the 'roll your own', hobbyist crowd. This venture by HP gets secure linux into corporate datacenters, in a way that hasn't happened yet.

      I am using linux in our datacenter. But not for the mission critical things. Our client apps run on RS-6000, HP-9000, AS/400, OS/390, Citrix, etc.

      Linux runs some of the webservers, some of the Oracle DB's, some of the communication and file handling, FTP, etc.

  57. Why HP did GPL by WillSeattle · · Score: 1

    Part of why Carly went this route, is HP is really getting hammered on quarterly profits. I think it's a smart move, and it will expand the Linux user base universe.

    Be thankful she did it the right way - we get the source - and while you or I shan't choose it, it might help those of us stuck at companies afraid to go with Linux to choose the right solution anyway.

    --
    --- Will in Seattle - What are you doing to fight the War?
  58. Re:GNU/Linux WTF is that? by bwt · · Score: 2

    Actually, HP is NOT selling a "GNU/Linux" distro. According to the article they are calling their product "HP Secure OS Software for Linux". I believe their choice of terminology represents a deliberate statement about their feelings of the significance of the GNU software within their total offering. Most distros feel similarly, as do most customers of Linux.

    Clearly HP feels that the fact that GNU re-implemented "ls", "grep" and a few other commodity commands is not worthy of recognition within the name of their product. Perhaps the glibc library is a critical brand worthy component, but since the leader of that project hasn't asked to refer to distros as "glibc/Linux", this is a non-issue.

  59. about your sig.! by KeizerHein · · Score: 1

    load "linux",8,1?

    more something like:

    LOAD "LUNIX",8,1

    and you'll see this

    http://lng.sourceforge.net/

  60. DogFood and HP email by Puff65535 · · Score: 1

    Here's a scan of one of HP's mail servers (kinda cheating since I already knew they used linux having been peripherally involved in setting up the agilent server)

    [root@dragon /root]#nmap -v -sS -O -p '20-25' smtp.hp.com

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Host letter.hp.com (192.151.27.3) appears to be up ... good.
    Initiating SYN half-open stealth scan against letter.hp.com (192.151.27.3)
    Adding TCP port 25 (state open).
    The SYN scan took 2 seconds to scan 6 ports.
    For OSScan assuming that port 25 is open and port 42153 is closed and neither are firewalled
    Interesting ports on letter.hp.com (192.151.27.3):
    Port State Service
    20/tcp filtered ftp-data
    21/tcp filtered ftp
    22/tcp filtered ssh
    23/tcp filtered telnet
    24/tcp filtered priv-mail
    25/tcp open smtp

    Sequence numbers: DEC22EAD DE404791 DEB46026 DE3FF6CC DE2FE8C8 DE84AE79
    Remote OS guesses: Linux 2.1.122 - 2.2.14, Linux kernel 2.2.13

    Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds

    Looks like they trust their linux enough to let it play outside the firewall
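
The scan above is in nmap 2.x's plain-text format, which predates the `-oX`/`-oG` machine-readable outputs. As an added example (not part of the post, and not nmap's own code), here is a small parser for that legacy text that pulls out the host, the per-port states, the OS guesses and the sampled ISNs, plus a helper that flags what a `filtered` state actually tells you: nmap reports a port as filtered when the probe got no reply at all (or an ICMP administratively-prohibited), meaning something in the path dropped the SYN. The embedded sample is the scan output copied from the post, not constructed.

```python
import re
from typing import List

# nmap 2.53 text output copied verbatim from the post above.
NMAP_OUTPUT = """\
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host letter.hp.com (192.151.27.3) appears to be up ... good.
Initiating SYN half-open stealth scan against letter.hp.com (192.151.27.3)
Adding TCP port 25 (state open).
The SYN scan took 2 seconds to scan 6 ports.
For OSScan assuming that port 25 is open and port 42153 is closed and neither are firewalled
Interesting ports on letter.hp.com (192.151.27.3):
Port State Service
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp open smtp

Sequence numbers: DEC22EAD DE404791 DEB46026 DE3FF6CC DE2FE8C8 DE84AE79
Remote OS guesses: Linux 2.1.122 - 2.2.14, Linux kernel 2.2.13

Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
"""

HOST_RE = re.compile(r"^Host (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\) appears to be up")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered)\s+(\S+)")
OS_RE = re.compile(r"^Remote OS guesses: (.+)$")
SEQ_RE = re.compile(r"^Sequence numbers: (.+)$")


def parse_nmap_text(text: str) -> dict:
    """Parse legacy nmap 2.x text output into a dict keyed by host/ip/ports/os_guesses/isns."""
    scan = {"host": None, "ip": None, "ports": {}, "os_guesses": [], "isns": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            scan["host"], scan["ip"] = m.group(1), m.group(2)
        elif (m := PORT_RE.match(line)):
            # "Adding TCP port 25 (state open)." and the "Port State Service" header do not match.
            scan["ports"][(int(m.group(1)), m.group(2))] = {
                "state": m.group(3),
                "service": m.group(4),
            }
        elif (m := OS_RE.match(line)):
            scan["os_guesses"] = [g.strip() for g in m.group(1).split(",")]
        elif (m := SEQ_RE.match(line)):
            scan["isns"] = [int(h, 16) for h in m.group(1).split()]
    return scan


def ports_in_state(scan: dict, state: str) -> List[int]:
    """Sorted port numbers whose nmap state equals `state` (open, closed, filtered, unfiltered)."""
    return sorted(port for (port, _proto), info in scan["ports"].items() if info["state"] == state)


def looks_filtered(scan: dict) -> bool:
    """True when any probed port was 'filtered', i.e. a packet filter sits in front of the host."""
    return bool(ports_in_state(scan, "filtered"))


def isn_deltas(scan: dict) -> List[int]:
    """Differences between consecutive sampled ISNs (mod 2**32), the raw material of nmap 2.x's
    TCP sequence-predictability check."""
    isns = scan["isns"]
    return [(b - a) % (1 << 32) for a, b in zip(isns, isns[1:])]


if __name__ == "__main__":
    result = parse_nmap_text(NMAP_OUTPUT)
    print(result["host"], result["ip"])
    print("open:", ports_in_state(result, "open"))
    print("filtered:", ports_in_state(result, "filtered"))
    print("filter in path:", looks_filtered(result))
    print("OS guesses:", result["os_guesses"])
```

Run it against the quoted scan and it reports port 25 open and 20 through 24 filtered, so `looks_filtered` is true. For any current nmap, prefer `-oX` and an XML parser over regexes on the human-readable text.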

  61. Product website on HP.com by patmfitz · · Score: 1

    More info about the new HP security product:
    http://www.hp.com/security/products/linux/

  62. Service != money by Merkins · · Score: 1
    Just like the thought that musicians will give their music away (via the internet) but charge for real live performances

    You have obviously never tried to make a living as a performing original musician. It just does not and will not work like that for 98% of musicians. For Metallica it will (If they can get Hetfield out of rehab) but for most.....sorry.

  63. Want a quick demo? by Anonymous Coward · · Score: 0

    Just for fun, here's something copied and pasted from a shell on this machine...

    syshi/root # telnet w3 80
    Trying 15.144.25.18...
    Connected to w3.hpl.hp.com.
    Escape character is '^]'.
    ^]
    telnet> close
    Connection closed.
    syshi/root # tlsetcomp web
    sh-2.04# PS1='`tlgetcomp`\W \$ '
    web/root # telnet w3 80
    w3: Host name lookup failure
    web/root # telnet 15.144.25.18 80
    Trying 15.144.25.18...
    I did ^C because I didn't want to wait for the timeout
    web/root #

    Fun! This machine is running a web server (Apache), but from the compartment where the web server runs, you can't make DNS queries, nor can you make outgoing TCP connections, not even when running as root. There's a lot more, but I've got to get back to work!

    P.S. people speculating about snort just have not bothered to do any homework at all.

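The telnet session above is checking two things by hand from inside the web compartment: that name resolution fails, and that an outbound TCP connect never completes (the poster hit ^C rather than wait for the timeout). The following is an added example, not part of the post and not HP's `tlsetcomp` tooling, that does the same egress check in a scripted, repeatable way, classifying each attempt as `open`, `refused`, `timeout` or `dns-failed` so the difference between "a packet was dropped" and "nothing is listening" is explicit. It assumes nothing about how the compartment is implemented; `example.com` in the demo target list is a hypothetical name, while `15.144.25.18` is the address from the post.

```python
import socket
from typing import Dict, List, Tuple


def resolve(name: str) -> List[str]:
    """Addresses `name` resolves to, or [] when resolution fails (the compartment's
    'Host name lookup failure' above)."""
    try:
        infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip: str, port: int, timeout: float = 2.0) -> str:
    """Classify one outbound TCP connect attempt instead of hanging in telnet."""
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"               # three-way handshake completed
        except socket.timeout:
            return "timeout"            # SYN silently dropped: what an egress filter looks like
        except ConnectionRefusedError:
            return "refused"            # RST came back: path is open, nothing listening
        except OSError as exc:
            return f"error:{exc.errno}"  # e.g. EACCES/ENETUNREACH from a policy layer


def egress_report(targets: List[Tuple[str, int]], timeout: float = 2.0) -> Dict[str, str]:
    """Probe each (host, port); a name that does not resolve is recorded as dns-failed."""
    report: Dict[str, str] = {}
    for host, port in targets:
        addrs = resolve(host)
        report[f"{host}:{port}"] = tcp_connect(addrs[0], port, timeout) if addrs else "dns-failed"
    return report


def self_check() -> Dict[str, str]:
    """Offline sanity check of the classifier: a loopback listener, then the same port once closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = tcp_connect("127.0.0.1", port, 1.0)
    srv.close()
    closed = tcp_connect("127.0.0.1", port, 1.0)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    print(self_check())
    # Hypothetical targets for illustration. Run from a locked-down service compartment,
    # every entry should come back as dns-failed or timeout, never open.
    print(egress_report([("example.com", 80), ("15.144.25.18", 80)]))
```

A `refused` result from inside a compartment means the SYN reached the target and an RST came back, so the network path is not actually blocked; only `timeout` (or an explicit policy error) is evidence that the sandbox is doing its job. Run it as the service user as well as root, since the point of the post is that root gains nothing.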
  64. WTF? by gaudior · · Score: 1

    Who mentioned @home? I'm talking about ASP datacenters, heavy crunching, warehouses, transactions.

    1. Re:WTF? by fors · · Score: 1

      The Anonymous Coward I was replying to. Comment # 2205418 score 0. I wasn't commenting on your statement but the idiot who thought @Home technical support is Enterprise class support.

      --
      "If there is nothing you are willing to die for, then you are not really alive." Myself
    2. Re:WTF? by Stephen+Samuel · · Score: 1

      When replying to an AC, try including enough text so that people can get the context of your remark, rather than thinking that you're replying to the grandparent message.

      --
      Free Software: Like love, it grows best when given away.