Slashdot Mirror
HP To Sell Custom High-Security GNU/Linux Distro
bc90021 writes: "CNET has this story about Hewlett Packard's new secure version of Linux. Using 2.4.2, it can supposedly detect attacks as they happen. (At $3,000, I think it should counter-attack, too.) It will be available on HP servers (duh), or on servers that pass the RedHat 7.1 server qualification tests."
Is it really worth to pay $3,000 for a distro with an Intrusion Detection System like snort configured ?
So what they are saying, is that they have installed snort by default?
What a deal!
Personally, we run all our stuff, business and domestic, on Debian. What other OS has next-day bugfixes, and an fully-documented policy? Let alone a sane installation procedure.
anarcho-roboticist [lopster incomplete: 6.5% of 2.5GB]
Stallman's kind of like Nader... I think their both nuts, but once in a while they get something right. Their real problem is that they both have the personality of vogons.
What, me worry?
I presume they mean selling their *addons* to Linux, and the service of bundling them all together.
:)
(Expensive service, too)
AFAIK, they can't "sell Linux" as such without breaching the GPL.
I assume the wording is just unclear, as otherwise it could start a riot
Is that like Linux?
It's really surprising that so few hardware manufacturers have their own Linux distributions. At least to me it would really just make sense for a hardware company to tailor a version of Linux (or maybe *BSD) to their own hardware and sell it pre installed.
The costs in doing so would, as far as I can tell, not be too large and this could give them more bargaining power against software companies (MS).
It would have been nice if the article had described what, exactly, the HP additions are supposed to do. We get some vague platitudes about "tightly controlling communications" and "detecting attacks". This could be anything from a well-written iptables setup and a syslog monitor to a full-blown, user-space stateful filtering/SNMP and "page-the-sysop-we-are-being-DDOSed" application.
Does anybody have any REAL info on what HP is doing that is so wonderful?
www.eFax.com are spammers
I guess this just increases the false sense of security. those who are security aware, are capable of securing their own distro. those who are not, are only spending loads of money. reasonable defaults are ok, but changing them, means probably opening a hole, or weakening the overall security. installing a secure distro is ok, but remember security is a *process*.
Here are some of the issues listed on the page:
- secure administration model
- lockdown
- process containment (compartmentalization)
- file system protection (MAC)
- auditing.
So I presume that these will all be central to the new product. It seems fairly sensible - and it will be interesting to find out the details of exactly what they've implemented, and how.OpenBSD is free. "Four years without a remote hole in the default install!"
--
#nohup cat
No seriously, perhaps the motto should not be *HP Invent* but *HP Reinvent*, HP is seriously screwed because of the overhead of the PA RISC line of systems. Customers are sick of paying so much for them plus the support.
Now, I am not saying they're PA RISC line is bad, some of the systems kick major ass running HP-UX && HP-UX 11.XX and 11i have some pretty cool stuff - but the operating costs are just too bloody high - esp. now.
What cracks me up is HP is really using the Linux branding to get a head, unlike IBM who sort of made their branding from Linux which almost seems to indicate they (IBM) has greater faith in their core product.
Of course this is all hogwash until the Dist. hits the streets :)
...just for dumbass-suits who are simply too stupid to even use their own mailreaders.
Oh, no, wait - no, these people won't buy something someone told them to be "secure", they would buy some Java/XML/SAP/Buzzword-of-the-month compatible stuff...
In all honestly, I do hope the HP does well selling these $3,000 linux boxes. Not because of that its in there, but service/skill it took to actually took to configure the box right.
(I assum of course that the box does what it says it does)
Just like the thought that musicians will give their the music away (via the internet) but charge for real live preformances, the new economy (excuse me) may well be based very much on what the acutally person can do and what can not be replicated digitally. Ie, Doctors don't charge for the information they have and tell you, they charge for the skill in which they apply it to you. That is, all the information about treating asthma is in books, but I doubt ou would want to read the man page asthma and just treat yourself, but you pay the doctor to apply his skill to treat you.
Thus HP is charging for the skill it takes to make more-secure internet boxes and perhaps, in this age, $3000 is a good start and in the future that skill may be worth even more.
Anyway, thanks
Sigs are dangerous coy things
one word..
ouch
i cant seem to come up with a sig.
Just my US$ 0.02...
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
This is the place to go for more information on the product. Quite a lot of technical information, including kernel information. It seems that it's intended to be installed over RedHat in a "layered installation" - diagrams included, as well as performance data.
"Make love, not war!!" he shouts, as he fires the mortar.
m00.
I am announcing this product in an hour. Shankland loves to jump the gun.
The kernel component of HP Secure Linux is under the GPL license. All of the other Linux security vendors currently hide their security mods to the kernel in binary-only modules, IMO abusing the modules exception to the kernel. HP would rather not play games of getting around the GPL. The user-mode component of Secure Linux is not GPL-ed, but we understand that given the kernel drivers, programmers can roll their own.
Thanks
Bruce
Bruce Perens.
They have to call it that because Bruce Perens is very significant in their Linux strategy. He calls it that, so thay have to as well, or else they piss him off.
Quite frankly, they probably get most of their non-technical information about Linux from him. If he called it Green-Cheesux, they would as well. While this is perhaps not a good example, I am happy that they are listening to their advisors from within the community.
Even Slashdot wants to hide some things
Come on, everybody knows that those tests are culturally biased. When are people going to learn that computers who don't have a beige box are economically and societally discriminated against? Non-beige boxes have a higher crime rate, higher drop-out rate, and generally are used for menial tasks.
Stop the cultural profiling!
Their real problem is that they both have the personality of vogons.
:-)
As long as they don't recite poetry that's okay with me
by comparing RedHat's Stock quotes with HP.
::weep::
RED HAT INC RHAT 3.75 0.00
HEWLETT-PACKARD HWP 24.70 0.00
I'm sad.
Just a guy with an opinion
Readers of /. yesterday, will recall Caldera's announcement regarding releasing pieces of the Original UNUX codebase to OSS. That announcement along with today's announcement from HP that they're gettinng into the Linux distro business signals a major shift in the market perception of the value of Open Source.
--CTH
--Got Lists? | Top 95 Star Wars Line
Can someone explain something to me? If they create a secure version of linux, don't they have to give away the source code with it? So then what's the point of selling this for $3000? Who's gonna buy it when they could just ask for the source code and compile it themselves??? Or may be I just Don't Get It.
Juiced? Or Not?
Yup....
/. articles. Anyways.....
As a person who's first love was Linux, I feel qualified to commment on the reasons to migrate away from Linux. I started with Slackware in 97 from a cd in the back of my html book, basically a cheap way to get apache running without having to own an expensive risc machine. Anyways, I've toiled with linux thru the early hacker/academic days, thru the hype-days from 98 to 99, and still every-now-and-then install it for a friend in need. I've probably install Redhat over 100+ times at the Linux Users Group here in Dallas, and have installed Slackware upwards of 50+ times, Deb/suse/others upwards of 20+ each. Inversly, I've probably installed FreeBSD only a few times since I toned-down my OS-install fever. It gets old, really fast installing linux for the install project. Anyways.... as a seasoned Finux vet, I think that FreeBSD is better in many ways, except the userbase, and application base. There are more Finux users, and more Finux developers by several orders of magnitude compared to all the BSD distro's combined.
What I have noticed from this large group of Finux users is the fact that they are overtly insecure about their feelings of "elite-ness". In other words they tend to feel threatened by people who donn't join their band-wagon.... of finux evangelism. In fact, such a large majority of Finux userrs started using Finux simply because they percieve that Microsoft is a Monopoly, and or in some way they have negative feelings about microsoft. Other time sI find that they had feelings of inadiqatcies in their microsoft envrironment, and seeked an area where they are different.... again thsi goes back into the elitism aspect, and the need thereof to be elite, and/or different. In this wway they can justify putting Microsoft users down, by advertising that they are now Finux users.
The above being said, leads this very specific class of Finux users feelings insecure when they hear about an even more elite group of people, a smaller comunity, of more-often ex-finux users..... using something called BSD. The typical reactio is that they are not with us, therefor against us... type reaction... and the hostility, and missunderstandings ensue.
Most anti-BSD rehtoric posted on Slashdot is from the narrow minded Group of finux users taht simply feel threatened by something they simply don't understand. My Favorite argument to shootdown first is the hords of Finux folks, and windows folks that say Unix is 20 years old! Ha... 20 years ago unix was entirly different, and FreeBSD, compared to some old Unix systems of the 80's is like HUGE in all the different ways. Most of the time people have read this in some website, from an un-educated reporter. In reality, unix has had many huge changes over the years, as have os design and implementation over the years.... a direct result of CS students striving to push the limits. The word micro-kernel comes to mind, yes.. we now have modulare kernels too.... oh my... and don't forget about ever popular virtual memory idea... geeze... Unix sure is darn different that it was 20 years ago.
The fact is, and I can do a google search I find the Linus quote of how he would nto have ever created the Linux kernel if he had know about the Berkly System Dist. He was only aware of the Car-mellon like Minux system. Yup, he has said it, and you can find the quote on google, and past
I find taht most of the FreeBSD folsk are people tired of all the Linux hype.... I mean... we have tried all the distro's, played with all the various package systems, recompiled the finux kernel a time or two... doen some programming, etc, etc, etc..... Then, its liek FreeBSd is sitting right there, simple, eligant, beutiful. The first thing that most linux converts claim got them is the FreeBSD ports system. Really it is such a simple idea that we are suprised it hasn't caught on in the Finux world originally. Basically you have a cvs tree of all the software taht has been ported to the FreeBSD OS. To get updated versions of software, it is simple to just cvsup the entire ports collections, and then travel to the the software you want...say apache, and run "make install". Simpel as that... the latest, greated Apache with all the freebsd patches, and optimisatiosn are applied. No toiling with rpms, and the dreaded hunt for dependencies. The porsts systems checks for dependencies, downloading the latest version of Gmake if needed, or whatnot.
Other nice fetures about FreeBSD, and the other bsd's is taht the stability is paramount... a recent comparison of Unixes on sys admin magazine ranked FreeBSD the lowest of "out-of-the-box" installs for performance. Thsi is nto suprising since FreeBSD is build for stability (out-of the box), and many Finux distro's are optimised at the time of burnign the distro to CDROm, is highly optimised, and unstable.... so little tweaks are needed out of the box to make the system unstable... in other worlds the Finux systsm typically are more prone to instability under heavy loads that freeBSD. I won't bore you with teh technical details, as the lay-man won't get the jist of what I'm sayigng.
That being said... I'd advise the person who wrote the high-performance tuning guide, linked inthe article, to tone down a bit his kernel conf. It appeas to lean on the unstable side, especially with the extreamly high buffs lines under the useers line in the kern conf. oh well... it will push things to the extream limit.
I've switched to debian unstable and I'm not looking back.
I had already switched my servers to debian, because of the better security practices I see in the debian world.
Now, I'm using it on the desktop, and it's absolutely brainless to keep updated.
And when a new version of debian comes along:
apt-get update
apt-get dist-upgrade
It don't get much easier than that. And I can do it remotely.
HP is trying to be one Microsoft of the Linux Market. Sell you for a very expensive price what you can get, the most and important part, for free.
That can be good for the Corporate World where you have to sell to the suits a non-microsoft os with a good support (=expensive $).
------I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.------
I don't think this is really focusing on the real problem at hand. I've seen it all too many times before... you can have the best OS, with the most security features, but if the stupidest person is running the show, well... game over.
I think spending $3000 on an OS, albeit secured to *some* extent (there will always be new flaws found out) is a bit much, especially in the Linux world. Anyone with a decent knowledge of security and access to the net can build a pretty secure Linux server system.
So basically what I am saying is, the emphasis should be more on the people running the things, rather than the OS itself. It will make people slack in the efforts to secure their servers, especially in the business market where this is crucial.
Certainly RMS does many imperfect things. But there is another side: The issues are very important. There are many ways that freely available software can, and does, drift away from being truly free. Even a small amount of legal tangle can make software useless to many people.
Consider this: How would you react if you were trying to explain something complicated, and very important, and you were getting responses that indicated that people didn't understand.
Richard Stallman is certainly not a good publicist for his ideas. However, it seems to me that when he takes a stand, there is generally some sensible underlying motivation. Here is a suggestion: Don't sweat the small stuff. Don't get caught up in his shortcomings. See the big picture. Remember that RMS stands to gain nothing personally. His ideas only keep software free for all of us to use and improve.
Mr. Stallman has become a popular outlet for anger. However, most of the angry people don't seem to have a true understanding of the underlying issues.
Bush's education improvements were
Some people are so stuck in their ways that they cannot imagine that "it's free" and "it rocks" are NOT mutually exclusive. Well - these people will perhaps be MORE willing to adopt Linux if they pay a lot of money for it along with receiving some propaganda (true or not) of how much more secure than free Linux this distrobution really is, than if they download the ISO and hand it to the local (very capable) sysadmin.
Basically, HP will make some dough on Linux. They deserve it. HP/UX is supposedly a pretty sweet OS. It's been part of what kept Unix afloat in the middle of the NT reverse-revolution. I don't think that making a bit of dough on Linux is in any way bad - as long as there are free, good quality alternatives available.
So we can use Trustix and OpenBSD and Bastille and even roll our own distrobution, while some people will pay $3000 for a brand name.
If we're supportive/lucky, we might even see HP releasing some products under the GPL. If they're relatively moral, they'll give back some of their new technology to the society that gave them the platform for all that profit.
And heck - if they fall to the ground, they'll prolly release the full code. Win-win for us, folks!
Stop the brainwash
*Note: This is not entirely off topic, more of a summation of the last couple days worth of linux nes*...I wonder if they honestly thought fucking big businesses (the ibms, compaqs, hps, etc) in the ass would help cement their world dominance for all eternity (doesn't satan want to do that too???)... Lets face it, they (microsoft) are very good at what they do... business (haha... and you were thinking software???), maybe even better than anyone else. But they left out one little unthinkable at the time detail... open source. So the community of hundreds of thousands develops this OS which begins to mature... becomes the media darling... and is taken as the potential OS of choice for IBM's top of the line servers, HP's servers, and is also an influencial key-note in caldera's decision to open Unix. While this doesn't immediatly hurt MS, I think that all this coverage and definitly the support on the part of these companies (Oh... so IBM and HP have decided to put linux on the tens of thousands of dollars servers??? maybe i should try that...) is going to help linux in the long run.
can't sleep slashdot will eat me
This appears to be a feature install for new HP servers only, just like any other OS option so it appears that they're merely charging you for the labor to install and vett the system with some development recovery thrown in. That is, it doesn't look like you can call your local HP boyscout and ask for brand new rockhard HP Linux CD for $3000, though the articel indicated that that might be a future option.
Comment removed based on user account deletion
To most /. readers three kilo-bucks is a little much to pay for something you can download. To understand why this makes sense for business sales you have to think like a manager. A lot of managers don't care so much about what something costs as the reputation of the vendor.
Consider these two options:
A) The bearded, long-haired, overly-caffeinated freak from down the hall says "Hey, I can download this stuff for free off the internet. It'll make us really secure, honest." (Disclaimer: I am a bearded, long-haired, overly-caffeinated freak.)
B) A well-respected vendor has a $3000 product that will make the computers really secure. If it doesn't work, we can call them up and bitch at them. Furthermore, we have someone outside the company to blame if it breaks.
Now, you're the manager. You choose. This is a savvy move by HP - in addition to whatever actual value-added there is in their product, they are also cashing in a little on their name and reputation. They're selling percieved value as much as actual value.
Information wants to be $1.98/lb.
Sounds more like the old corporate adage of "embrace, improve, destroy" to me.
Your DHCP server detects a buffer-overflow
Uhh... okay... thats a real bright design.
then passes the appropriate counter-measure information to your mail server. The mail server hacks the machine, shuts down the offending process, and patches the TCP/IP stack with one that DOESN'T have raw socket access.
Hmm more bright design. Why not just turn my web server into a honeypot while I'm at it.
SOMEONE has been reading too-fucking-much Steve Gibson. WindowsXP has 0 to do with this. So not only is this post off subject its complete FUD. Take a look here for a more enlightened view of XP and a realistic view of Gibson's worthless RANTs on XP and its access to raw sockets.
If the 5 this comment rated was for FUD I wouldn't even need to be posting this. Pfft.
http://windows.scares.us
If we can just get 150 people to put $20 in each, we can buy a copy of this and then mirror it!!!
;0)
Isn't the GPL great?
For $3000 you should get a Linux distro that's as stable and well-behaved as HP-UX. Redhat or Mandrake or any other off-the-shelf distro isn't there yet.
And you'll get the HP support, which is also far more than you'll get from Redhat or the others.
I'd personally love to come to work tomorrow and find my new quad-processor K-class box running Linux. Or maybe that V-class monster in the other room.
- Sig this!
Hmm, how about I just install RSBAC, snort/hogwash and iptables for free? :)
Check this out..
For $2,500/year, I can certify that your Linux box is 100% secure, and do whatever is necessary to make it secure and keep it secure.
If your box is ever hacked, I will dole out $10,000 on the spot.
There, beat that HP. :)
I'm only half serious, but would be glad to work something like this out if there were any takers.
The point of this exercise is to show that you don't need to buy Linux from a big slow vendor to get support. But most of you already knew that.
It was a typo. They meant to say GUN/Linux, Eric Raymond's new distribution. Nothing says security like cold steel, you know...
...wearing a skin-tight topless leather jumpsuit, with cutaway buttocks and transparent crotch panel.
Is HP going to make this distro up to the HP-UX standard we're accustomed to? Will it have the Glance Plus Pack available for server monitoring? Will it integrate well with HP Open View and other tools? If so, it's going to be well worth the $3K they're asking. If they're writing that class of software for Linux they've certainly been through the compilers and libraries with a fine comb. I'd certainly trust their distro more than anything out there now. I've developed on HP-UX since '95 and I've grown to trust their OS and their tools. If they can give me the same feeling with Linux I'd be grateful.
- Sig this!
IMHO 90% of host security problems can be solved via a non executable stack. Sure, its a kluge, but it stops all the moronic k1dd13s, It'll be interesting to see if HP includes this and any of the other security patches in the kernel.
Don't even think of comparing Oracle to MySQL. They reside in vastly different problem spaces. MySQL is a nice little backend for little websites. Oracle is a huge, powerful backend for very large websites, financial applications, manufacturing systems....
MySQL is not capable of crossing the street that Oracle races on.
Don't get me wrong. I use MySQL every day, for the problems that can be solved by small, simple databases. Company intranet, weblog, bulletin board, web stats, shopping cart.
I also use Oracle every day, for solving the problems of managing the infrastructure of the second largest ASP in the USA, and the largest IS solutions provider in the Healthcare industry.
I wonder how much a secure version of windows would cost. Oh, and a machine without a power supply or unplugging the machine doesn't
count.
Yes but every time I try to see it your way, I get a headache.
Well if you're talking a small business or home network, yeah that would be fine. The reason this setup is great for corps though is the fact that its 'guaranteed' secure by HP. The cash isn't for the software (since most of it is GPL'd), nor primarily for the machine, but for the words on paper that remove liability from your IT department, heh. Plus this kind of purchase keeps the PHB's happy, and thinking they know whats going on.
Honestly I'd rather have them grab a few of these with our budget than be put under the gun when someone misses a detail when reconfigging a box.
Ice Cream has no bones.
They are one of the requirements of a Trusted OS
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
Damn, I want to read that man page for kidney failure. RedHat and Mandrake don't seem to have it. Do you think Debian or maybe a *BSD would have that man page?
Everytime you look at porn a devil gets their horns.
Yet another corporation that just doesn't "get it." Who in their right mind would pay $3000 for free software plus some little proprietary package that duplicates the functionality of snort, lids, tripwire, etc. while limiting your support options? ..and not to mention the fact that they are not giving anything back to the community.
Part of why Carly went this route, is HP is really getting hammered on quarterly profits. I think it's a smart move, and it will expand the Linux user base universe.
Be thankful she did it the right way - we get the source - and while you or I shan't choose it, it might help those of us stuck at companies afraid to go with Linux to choose the right solution anyway.
--- Will in Seattle - What are you doing to fight the War?
Actually, HP is NOT selling a "GNU/Linux" distro. According to the article they are calling their product "HP Secure OS Software for Linux". I believe their choice of terminology represent a deliberate statement about their feelings of the significance of the GNU software within their total offering. Most distros feel similarly, as do most customers of Linux.
Clearly HP feels that the fact that GNU re-implemented "ls", "grep" and a few other commodity commands is not worthy of recognition within the name of their product. Perhaps the glibc library is a critical brand worthy component, but since the leader of that project hasn't asked to refer to distros as "glibc/Linux", this is a non-issue.
load "linux",8,1?
more something like like:
LOAD "LUNIX",8,1
and you'll see this
http://lng.sourceforge.net/
Here's a scan of one of HP's mail servers (kinda cheating since I already knew they used linux having been peripherally involved in setting up the agilent server)
/root]#nmap -v -sS -O -p '20-25' smtp.hp.com
... good.
[root@dragon
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host letter.hp.com (192.151.27.3) appears to be up
Initiating SYN half-open stealth scan against letter.hp.com (192.151.27.3)
Adding TCP port 25 (state open).
The SYN scan took 2 seconds to scan 6 ports.
For OSScan assuming that port 25 is open and port 42153 is closed and neither are firewalled
Interesting ports on letter.hp.com (192.151.27.3):
Port State Service
20/tcp filtered ftp-data
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
24/tcp filtered priv-mail
25/tcp open smtp
Sequence numbers: DEC22EAD DE404791 DEB46026 DE3FF6CC DE2FE8C8 DE84AE79
Remote OS guesses: Linux 2.1.122 - 2.2.14, Linux kernel 2.2.13
Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
Looks like they trust their linux enough to let it play outside the firewall
More info about the new HP security product:
http://www.hp.com/security/products/linux/
You have obviously never tried to make a living as a performing original musician. It joust does not and will not work like that for 98% of musicians. For Metallica it will (If they can get Hetfield out of rehab) but for most.....sorry.
Learn to Improvise
Who mentioned @home? I'm talking about ASP datacenters, heavy crunching, warehouses, transactions.