HP To Sell Custom High-Security GNU/Linux Distro

bc90021 writes: "CNET has this story about Hewlett Packard's new secure version of Linux. Using 2.4.2, it can supposedly detect attacks as they happen. (At $3,000, I think it should counter-attack, too.) It will be available on HP servers (duh), or on servers that pass the RedHat 7.1 server qualification tests."

They ship a IDS ?

[jneves]

Is it really worth to pay $3,000 for a distro with an Intrusion Detection System like snort configured ?

Re:They ship a IDS ?

[oingoboingo]

Is it really worth to pay $3,000 for a distro with an Intrusion Detection System like snort [snort.org] configured ?
I'd say the distro would pay for itself in about 2 seconds if it actually did what it is advertised to do. $3000 isn't much to pay to have HP say "This thing is guaranteed to be configured correctly, and work as advertised.
Sure beats have the monkeys from sysadmin bollocks around for a whole day on getting the config 'correct', only to find out when it's too late that they misunderstood something.
If you're going to pay for redundant power supplies, redundant cooling, RAID hard drives and dual NICs to make sure your hardware is done properly, then what's another $3k to make sure your intrusion detection works properly and you can call someone for help if it doesn't?
(Of course I'm assuming HP will actually answer the phone....)

Re:They ship a IDS ?

[wangi]

You'll be getting more than that, but yes - why not?

Why should every sysadmin go through locking down and beefing up each and every install? What a waste of time... Much better to start with a known level and improve on that (or leave it as is).

Remember this isn't just about software - it's about support... $3000 isn't much anyway!

Re:They ship a IDS ?

[The+Infamous+TommyD]

Yep, HP does ship an IDS, but AFAIK it is not on Linux yet. It's called IDS/9000 and it is NOT a network intrusion detection system. I've seen a briefing on it and as a network security researcher I'd say it is the most advanced IDS out there. It looks for very general patterns that indicate attacks--not specific signatures that may indicate an attack.

This could be a sign that IDS/9000 may be coming for Linux though. And it would definitely be worth more than $3000 for IDS/9000 on a large multi-user server.

Counter-Attack?

[BiggestPOS]

Your DHCP server detects a buffer-overflow attack from some jack-ass running WindowsXP. It goes into action, hitting bugtraq to find the latest exploits for the offending OS, found. It firewalls itself off, then passes the appropriate counter-measure information to your mail server. The mail server hacks the machine, shuts down the offending process, and patches the TCP/IP stack with one that DOESN'T have raw socket access. After only a few moments, one less XP machine is 1337.

OEM Distributions

[Torulf]

It's really surprising that so few hardware manufacturers have their own Linux distributions. At least to me it would really just make sense for a hardware company to tailor a version of Linux (or maybe *BSD) to their own hardware and sell it pre installed.

The costs in doing so would, as far as I can tell, not be too large and this could give them more bargaining power against software companies (MS).

Re:OEM Distributions

[it's+a+culture+thing]

It's really surprising that so few hardware manufacturers have their own Linux distributions. At least to me it would really just make sense for a hardware company to tailor a version of Linux (or maybe *BSD) to their own hardware and sell it pre installed.

Yes but they're hardware manufacturers. I'd assume that they have a limited number of software guys especially ones with lots of experience in this area as they tend to be expensive just to have hanging around. Anyway with everyone downsizing at the moment who are the hardware guys going to get rid of first? The designers of the next generation hardware which they need or a load of expensive software guys which bring political problems with them (see next comment).

The costs in doing so would, as far as I can tell, not be too large and this could give them more bargaining power against software companies

You can imagine just how popular they would be with MS if they did this e.g. no more large discounts, last to get the latest updates, bug issues remaining unresolved etc. The cost itself probably wouldn't be the issue, more the political concequences.

Re:OEM Distributions

[geekoid]

The people who run Hardware companies are, mostly, still thinking total propriety controll over anything that deals with there product.

They also don't want to do things that cost them more money then they think they need to spend. those two concepts have been the biggest stalling ground for linux driver development.

A hardware company that had truly revolutionary products would just open-up the proper information to the public, and someone would create the linux/BSD/whatever/ driver for them. Except MS products, very few MS programmer could actual develop anything that didn't have pre-designed API's and a Help system full of examples to copy from.
Since I am talking kernel, there is no need for GNU.

What an amazingly information-free article

[wowbagger]

It would have been nice if the article had described what, exactly, the HP additions are supposed to do. We get some vague platitudes about "tightly controlling communications" and "detecting attacks". This could be anything from a well-written iptables setup and a syslog monitor to a full-blown, user-space stateful filtering/SNMP and "page-the-sysop-we-are-being-DDOSed" application.

Does anybody have any REAL info on what HP is doing that is so wonderful?

HP-LX

[MikeCamel]

A search on HP's site yields a training course which has been available for around a month. The name of the product seems to be "HP-LX".

Here are some of the issues listed on the page:

• secure administration model
• lockdown
• process containment (compartmentalization)
• file system protection (MAC)
• auditing.

So I presume that these will all be central to the new product. It seems fairly sensible - and it will be interesting to find out the details of exactly what they've implemented, and how.

Re:HP-LX

[Shirotae]

A search for "documentation security" on the HP site takes you to an interesting page - follow the hp-tlx link in the index for Administration Guide, Installation Guide and Release Notes.

The paper "An Operating System Approach to Securing e-Services" published in Communications of the ACM Feb 2001 is also of interest since it describes some of the features of the system.

Re:HP-LX

[Surak]

So in addition to the fact that HP-SUX, apparently now HP-LIX, too!! :)

Re:HP-LX

[Shirotae]

The ACM paper is also available here. It is a good description of the compartment model, but the product has some extra features not described in the paper.

Re:HP-LX

[HiThere]

In the three years that I maintained a subscription I found one item of interest. So I let it lapse. I'm not about to start it up again for one article about a system I probably won't use.

It's a true pity. Once upon a time the ACM had a lot of good articles, especially in Computing Surveys. Maybe I just hit a 3 year fallow period. But that's not the way I intend to bet. I've got enough other choices on how to spend my cash, that don't require that I buy a pig in a poke.

Service=money

[peripatetic_bum]

In all honestly, I do hope the HP does well selling these $3,000 linux boxes. Not because of that its in there, but service/skill it took to actually took to configure the box right.
(I assum of course that the box does what it says it does)

Just like the thought that musicians will give their the music away (via the internet) but charge for real live preformances, the new economy (excuse me) may well be based very much on what the acutally person can do and what can not be replicated digitally. Ie, Doctors don't charge for the information they have and tell you, they charge for the skill in which they apply it to you. That is, all the information about treating asthma is in books, but I doubt ou would want to read the man page asthma and just treat yourself, but you pay the doctor to apply his skill to treat you.

Thus HP is charging for the skill it takes to make more-secure internet boxes and perhaps, in this age, $3000 is a good start and in the future that skill may be worth even more.

Anyway, thanks

Re:Service=money

[Surak]

Ummm... They're not selling $3,000 Linux boxes, they're selling $3,000 Linux....

Re:Service=money

[Alien54]

In all honestly, I do hope the HP does well selling these $3,000 linux boxes. Not because of that its in there, but service/skill it took to actually took to configure the box right.

This should not be a problem.

After all Microsft has sold a version of NT that was claimed as being completely secure in compliance with some high level government standard. That particular configuration was one that had no network attached.

- - -
Radio Free Nation
is a news site based on Slash Code
"If You have a Story, We have a Soap Box"
- - -

Re:Service=money

[dillon_rinker]

NT 3.5, IIRC? Maybe 3.51? Anyway, it was't just no network...it was no floppy and no CD-ROM, too.

Re:Service=money

[HiThere]

Ie, Doctors don't charge for the information they have and tell you, they charge for

Among other things, the legal right to write perscriptions.

Questions...

[Noryungi]

Really quickly:

• Is this under GPL? If not, does that mean the FSF can now sue HP, to get the GPL status clarified once and for all?
• As many have pointed out already, how is this different than from installing Snort and others pre-configured?
• Does this includes all the NSA-supplied patches? with source code included?
• Finally, how on earth is HP going to sell this for an outrageous amount of money while things like Linux-Bastille are free?? (Not to mention OpenBSD, yadda, yadda, yadda...)

Just my US$ 0.02...

Re:Questions...

[RollingThunder]

GPL just means source code.

It does NOT mean implementation.

Presumably, what HP is selling here, is a tricked out, tuned, stripped to minimal configuration, that they've had "many eyeballs" look at.

They don't have to release word one about how they set up the software, or even WHICH software. Just any changes to code that they had to do to get it to work.

Re:Questions...

[barneyfoo]

or even WHICH software...

That is wrong. If I buy this software package, I am being licensed a good portion of it under the GPL, which means I can request the source code for any software package in the distribution. However, if you did NOT buy the software, you have no rights to request the source from HP. Someone else bought the software from HP has every right to offer it to you (all non-proprietary parts).

Re:Questions...

[barneyfoo]

Er, uh, point of clarification:

I wrote:

I am being licensed a good portion of it under the GPL, which means I can request the source code for any software package in the distribution.

I meant: which means I can request the source code for any software package in the distribution that happens to be GPL.

Re:Questions...

[RollingThunder]

Good point, I was presuming the viewpoint of a non-customer, IE: just somebody off the street looking for a cheap route to getting the same product that HP is providing.

But just to be pedantic: you're not buying the software, you're buying a particular arrangement and configuration of the software. One isn't OK under the GPL (HP doesn't have the rights to sell something it has no copyright to) but the other is entirely up to them.

As to the last item, I would guess that all depends on the EULA that they release their configuration under.

Technical paper available

[MikeCamel]

More information seems to be appearing (or I didn't find it on my original search): there's a technical discussion (pdf) with more information. Seems to be based on compartmentalisation: "The key concept of our trusted operating system is the compartment. Services and applications on the machine are run within separate compartments."

This is the place to go for more information on the product. Quite a lot of technical information, including kernel information. It seems that it's intended to be installed over RedHat in a "layered installation" - diagrams included, as well as performance data.

Re:Technical paper available

[roguerez]

Compartmentalization? Would that be like the FreeBSD jail feature?

JAIL(8) FreeBSD System Manager's Manual JAIL(8)

NAME
jail - imprison process and its descendants

SYNOPSIS
jail path hostname ip-number command ...

DESCRIPTION
The jail command imprisons a process and all future descendants.

[...]

Re:Technical paper available

[Shirotae]

This sounds like it's just using HP's VirtualVault ...

VirtualVault runs on a modified version of HP-UX, on PA-RISC hardware. It is also rather expensive (a lot more than $3000). That the new product has some of the features that made VirtualVault a success is not really surprising, after all, the people who worked on it can get all that secret internal information from the VirtualVault team because that are part of the same company.

Kernel Component of Secure Linux is Under GPL

[Bruce+Perens]

I am announcing this product in an hour. Shankland loves to jump the gun.

The kernel component of HP Secure Linux is under the GPL license. All of the other Linux security vendors currently hide their security mods to the kernel in binary-only modules, IMO abusing the modules exception to the kernel. HP would rather not play games of getting around the GPL. The user-mode component of Secure Linux is not GPL-ed, but we understand that given the kernel drivers, programmers can roll their own.

Thanks

Bruce

Re:Kernel Component of Secure Linux is Under GPL

[bhsx]

You sir, are a fool. Yes, he works for HP. He is Bruce Perens... the REAL Bruce Perens, idiot.
But for the uninformed who may be thinking the same thing as this fool, here are a few links to a clue, please drop a quarter in the slot...

http://linuxtoday.com/stories/4179.html

http://slashdot.org/interviews/99/07/30/2220240. sh tml

http://lwn.net/1998/1119/Trojan.html

http://www.linuxdevices.com/news/NS8872688150.ht ml

http://embedded.linuxjournal.com/advertising/pre ss /perens.php?sid=17

and finally... you should probably check this last one out...

http://www.hp.com/products1/linux/news_events/pr es s_releases/perens.html

That last one is the HP announcement titled "Bruce Perens, Open Source advocate, joins hp".

Re:Kernel Component of Secure Linux is Under GPL

[Bruce+Perens]

LWN.net has an interview with me in their coverage of the O'Reilly show last month. It says a bit of what I've been doing.

Thanks

Bruce

Re:Kernel Component of Secure Linux is Under GPL

[proberts]

Hi Bruce [we met at Defcon last year]

This (All the other...) isn't totally true, there are Linux security vendors doing Open Source work, such as Enguarde and some promising things coming out of the RSBAC camp (Alt.Castle?)

Will there be a feature comparison to RSBAC (http://www.rsbac.de) and the NSA-sponsored stuff available anywhere soon?

Thanks,

Paul

HP No Choice

[Proud+Geek]

They have to call it that because Bruce Perens is very significant in their Linux strategy. He calls it that, so thay have to as well, or else they piss him off.

Quite frankly, they probably get most of their non-technical information about Linux from him. If he called it Green-Cheesux, they would as well. While this is perhaps not a good example, I am happy that they are listening to their advisors from within the community.

Re:$3000?

[kaisyain]

That doesn't do much good if you need something more than the default install provides.

Caldera's announcement of 8/22 - lost to /. outage

[hillct]

Readers of /. yesterday, will recall Caldera's announcement regarding releasing pieces of the Original UNUX codebase to OSS. That announcement along with today's announcement from HP that they're gettinng into the Linux distro business signals a major shift in the market perception of the value of Open Source.

--CTH

Just guessing...

[UM_Maverick]

I'm just guessing here (since the article didn't say SQUAT), but I would think that you get some extra stuff from HP:

• Support (yes, I realize Snort gives you source, but this way you can let *someone else* deal with the source/configuration)
  
• A responsible company (PHB's love this. I work for a huge company that only deals with MS for software because we would pretty much swamp any other company...MS is one of few, if any, companies big enough to support us)
  
• I'm sure there are others, but I need to get back to working for said big company...
  

Why I chose FreeBSD

Yup....

As a person who's first love was Linux, I feel qualified to commment on the reasons to migrate away from Linux. I started with Slackware in 97 from a cd in the back of my html book, basically a cheap way to get apache running without having to own an expensive risc machine. Anyways, I've toiled with linux thru the early hacker/academic days, thru the hype-days from 98 to 99, and still every-now-and-then install it for a friend in need. I've probably install Redhat over 100+ times at the Linux Users Group here in Dallas, and have installed Slackware upwards of 50+ times, Deb/suse/others upwards of 20+ each. Inversly, I've probably installed FreeBSD only a few times since I toned-down my OS-install fever. It gets old, really fast installing linux for the install project. Anyways.... as a seasoned Finux vet, I think that FreeBSD is better in many ways, except the userbase, and application base. There are more Finux users, and more Finux developers by several orders of magnitude compared to all the BSD distro's combined.

What I have noticed from this large group of Finux users is the fact that they are overtly insecure about their feelings of "elite-ness". In other words they tend to feel threatened by people who donn't join their band-wagon.... of finux evangelism. In fact, such a large majority of Finux userrs started using Finux simply because they percieve that Microsoft is a Monopoly, and or in some way they have negative feelings about microsoft. Other time sI find that they had feelings of inadiqatcies in their microsoft envrironment, and seeked an area where they are different.... again thsi goes back into the elitism aspect, and the need thereof to be elite, and/or different. In this wway they can justify putting Microsoft users down, by advertising that they are now Finux users.

The above being said, leads this very specific class of Finux users feelings insecure when they hear about an even more elite group of people, a smaller comunity, of more-often ex-finux users..... using something called BSD. The typical reactio is that they are not with us, therefor against us... type reaction... and the hostility, and missunderstandings ensue.

Most anti-BSD rehtoric posted on Slashdot is from the narrow minded Group of finux users taht simply feel threatened by something they simply don't understand. My Favorite argument to shootdown first is the hords of Finux folks, and windows folks that say Unix is 20 years old! Ha... 20 years ago unix was entirly different, and FreeBSD, compared to some old Unix systems of the 80's is like HUGE in all the different ways. Most of the time people have read this in some website, from an un-educated reporter. In reality, unix has had many huge changes over the years, as have os design and implementation over the years.... a direct result of CS students striving to push the limits. The word micro-kernel comes to mind, yes.. we now have modulare kernels too.... oh my... and don't forget about ever popular virtual memory idea... geeze... Unix sure is darn different that it was 20 years ago.

The fact is, and I can do a google search I find the Linus quote of how he would nto have ever created the Linux kernel if he had know about the Berkly System Dist. He was only aware of the Car-mellon like Minux system. Yup, he has said it, and you can find the quote on google, and past /. articles. Anyways.....

I find taht most of the FreeBSD folsk are people tired of all the Linux hype.... I mean... we have tried all the distro's, played with all the various package systems, recompiled the finux kernel a time or two... doen some programming, etc, etc, etc..... Then, its liek FreeBSd is sitting right there, simple, eligant, beutiful. The first thing that most linux converts claim got them is the FreeBSD ports system. Really it is such a simple idea that we are suprised it hasn't caught on in the Finux world originally. Basically you have a cvs tree of all the software taht has been ported to the FreeBSD OS. To get updated versions of software, it is simple to just cvsup the entire ports collections, and then travel to the the software you want...say apache, and run "make install". Simpel as that... the latest, greated Apache with all the freebsd patches, and optimisatiosn are applied. No toiling with rpms, and the dreaded hunt for dependencies. The porsts systems checks for dependencies, downloading the latest version of Gmake if needed, or whatnot.

Other nice fetures about FreeBSD, and the other bsd's is taht the stability is paramount... a recent comparison of Unixes on sys admin magazine ranked FreeBSD the lowest of "out-of-the-box" installs for performance. Thsi is nto suprising since FreeBSD is build for stability (out-of the box), and many Finux distro's are optimised at the time of burnign the distro to CDROm, is highly optimised, and unstable.... so little tweaks are needed out of the box to make the system unstable... in other worlds the Finux systsm typically are more prone to instability under heavy loads that freeBSD. I won't bore you with teh technical details, as the lay-man won't get the jist of what I'm sayigng.

That being said... I'd advise the person who wrote the high-performance tuning guide, linked inthe article, to tone down a bit his kernel conf. It appeas to lean on the unstable side, especially with the extreamly high buffs lines under the useers line in the kern conf. oh well... it will push things to the extream limit.

Re:"what-about-settling-on-debian dept"

[Brian+Knotts]

Hey. I'm a guy that started on Slackware, used RedHat for several years, and have used Mandrake on the desktop.

I've switched to debian unstable and I'm not looking back.

I had already switched my servers to debian, because of the better security practices I see in the debian world.

Now, I'm using it on the desktop, and it's absolutely brainless to keep updated.

And when a new version of debian comes along:

apt-get update
apt-get dist-upgrade

It don't get much easier than that. And I can do it remotely.

The issues are very important.

[Futurepower(tm)]

Certainly RMS does many imperfect things. But there is another side: The issues are very important. There are many ways that freely available software can, and does, drift away from being truly free. Even a small amount of legal tangle can make software useless to many people.

Consider this: How would you react if you were trying to explain something complicated, and very important, and you were getting responses that indicated that people didn't understand.

Richard Stallman is certainly not a good publicist for his ideas. However, it seems to me that when he takes a stand, there is generally some sensible underlying motivation. Here is a suggestion: Don't sweat the small stuff. Don't get caught up in his shortcomings. See the big picture. Remember that RMS stands to gain nothing personally. His ideas only keep software free for all of us to use and improve.

Mr. Stallman has become a popular outlet for anger. However, most of the angry people don't seem to have a true understanding of the underlying issues.

Re:The issues are very important.

[szomb]

However, most of the angry people don't seem to have a true understanding of the underlying issues.

And this is, of course, something completely new and unheard of, and only relating to RMS.

Excellent idea!

[Jeppe+Salvesen]

Some people are so stuck in their ways that they cannot imagine that "it's free" and "it rocks" are NOT mutually exclusive. Well - these people will perhaps be MORE willing to adopt Linux if they pay a lot of money for it along with receiving some propaganda (true or not) of how much more secure than free Linux this distrobution really is, than if they download the ISO and hand it to the local (very capable) sysadmin.
Basically, HP will make some dough on Linux. They deserve it. HP/UX is supposedly a pretty sweet OS. It's been part of what kept Unix afloat in the middle of the NT reverse-revolution. I don't think that making a bit of dough on Linux is in any way bad - as long as there are free, good quality alternatives available.

So we can use Trustix and OpenBSD and Bastille and even roll our own distrobution, while some people will pay $3000 for a brand name.

If we're supportive/lucky, we might even see HP releasing some products under the GPL. If they're relatively moral, they'll give back some of their new technology to the society that gave them the platform for all that profit.

And heck - if they fall to the ground, they'll prolly release the full code. Win-win for us, folks!

Re:Excellent idea!

[SuiteSisterMary]

while some people will pay $3000 for a brand name.

Let me quantify this further: Some people will pay 3000 dollars for SOMEBODY ELSE'S EXPERTISE AND GUARANTEE.

And if you argue that if you don't know security, you shouldn't have a server, I can extend that arguement to if you can't write your own kernel, you shouldn't be using an OS.

Re:Excellent idea!

[spudnic]

And heck - if they fall to the ground, they'll prolly release the full code. Win-win for us, folks!

No, not win-win for us. It repulses me every time I hear someone say this. How short-sighted can you be? There can only be so many large companies that embrace Linux and fail before they all get the idea that it's just not worth it.

Want to support and promote Linux? Wish HP all the luck in the world pulling this off. By selling and supporting a distro like this, Linux may get a strong foothold inside corporate data centers. Now that's definately a win-win for us. With a substantial Linux corporate userbase we will see more industrial strength apps and tools being released for the platform we all love.

Do you want the Linux community to be viewed as nothing more than a bunch of scavengers? Vultures circling overhead just hoping that a great initiative will fail so we can scoop down and eat up the remains?

I think not.

Best of luck, HP! You've made a great decision in choosing to support Linux, and we all hope that it brings in loads of money for your company for many years to come.

But is it just a labor charge for new HW?

[gelfling]

This appears to be a feature install for new HP servers only, just like any other OS option so it appears that they're merely charging you for the labor to install and vett the system with some development recovery thrown in. That is, it doesn't look like you can call your local HP boyscout and ask for brand new rockhard HP Linux CD for $3000, though the articel indicated that that might be a future option.

Comment removed

[account_deleted]

Comment removed based on user account deletion

The Price Tag

[AnotherSteve]

To most /. readers three kilo-bucks is a little much to pay for something you can download. To understand why this makes sense for business sales you have to think like a manager. A lot of managers don't care so much about what something costs as the reputation of the vendor.

Consider these two options:

A) The bearded, long-haired, overly-caffeinated freak from down the hall says "Hey, I can download this stuff for free off the internet. It'll make us really secure, honest." (Disclaimer: I am a bearded, long-haired, overly-caffeinated freak.)

B) A well-respected vendor has a $3000 product that will make the computers really secure. If it doesn't work, we can call them up and bitch at them. Furthermore, we have someone outside the company to blame if it breaks.

Now, you're the manager. You choose. This is a savvy move by HP - in addition to whatever actual value-added there is in their product, they are also cashing in a little on their name and reputation. They're selling percieved value as much as actual value.

Re:The Price Tag

[Reality+Master+101]

Well put. The other thing is that a lot of l33t haxxhor types think $3000 is a lot of money. That's peanuts for a guarantee of security.

To put it in perspective, on a site that I'm involved with that runs credit reports, we were required to pay $20,000 to a company to "review" our architecture (joke) and do periodic port scans. I'm sure sometimes the port scans find vulnerabilities, but it's still pretty pricy.

On the hand, it's a good barrier to entry for the business. :)

Counter-Attack this FUD

[Psarchasm]

Your DHCP server detects a buffer-overflow
Uhh... okay... thats a real bright design.

then passes the appropriate counter-measure information to your mail server. The mail server hacks the machine, shuts down the offending process, and patches the TCP/IP stack with one that DOESN'T have raw socket access.
Hmm more bright design. Why not just turn my web server into a honeypot while I'm at it.

SOMEONE has been reading too-fucking-much Steve Gibson. WindowsXP has 0 to do with this. So not only is this post off subject its complete FUD. Take a look here for a more enlightened view of XP and a realistic view of Gibson's worthless RANTs on XP and its access to raw sockets.

If the 5 this comment rated was for FUD I wouldn't even need to be posting this. Pfft.

Re:Counter-Attack this FUD

[tim_maroney]

Both your comment and the article you referenced should be dismissed as flamebait. The article, written in a juvenile, profane and offensive style, utterly misses the point that Gibson is careful to make, which is that with Windows XP providing raw socket access, it becomes easier to create malware that runs on Windows. It's not that it's impossible now, but there's this funny thing about people: when something becomes easier, they do it a lot more.

Tim

Re:Counter-Attack this FUD

[Psarchasm]

I'm possitively stunned at the near sighted responses to the minimal effect, if any, that could be attributed to giving the "at home user" access to raw sockets.

MacOS (about as "home user" as you can get) has had access to raw sockets for years - where is the war cry there? Should Steve Gibson want to rally a war cry (or rant) about WindowsXP's security, or lack thereof, let him... assuming he's found some bugs to bitch about. But here sits a man spouting FEAR, UNCERTAINTY and DOUBT - about an un-released OS that gives the casual programmer more access to his networking stack.

Plain and simple... Gibson is fighting the wrong battle and he does it in a journalistic style that leaves me wishing for better material to read... hmm where is the Weekly World News?

The answer isn't taking access to core parts of the OS away from the user (or the developers that can make legitimate use of it). The answer is fixing the core problem.

ftp://ftp.isi.edu/in-notes/rfc2460.txt

Re:Testing

[bero-rh]

Come on, everybody knows that those tests are culturally biased. When are people going to learn that computers who don't have a beige box are economically and societally discriminated against?

Umm, please don't mention this in response to the Red Hat 7.1 qualification test - we've made sure quite a number of black boxes (such as IBM's) are included. ;)

Let's Mirror It

[Procrasti]

If we can just get 150 people to put $20 in each, we can buy a copy of this and then mirror it!!!

Isn't the GPL great? ;0)

rsbac, snort/hogwash, iptables

[matman]

Hmm, how about I just install RSBAC, snort/hogwash and iptables for free? :)

Re:rsbac, snort/hogwash, iptables

[mikeee]

Sure. You want to do that for me? Not for free? Well, you'ld better beat $3000 then, 'cause I've *heard* of HP...

I can do better than HP

[defile]

Check this out..

For $2,500/year, I can certify that your Linux box is 100% secure, and do whatever is necessary to make it secure and keep it secure.

If your box is ever hacked, I will dole out $10,000 on the spot.

There, beat that HP. :)

I'm only half serious, but would be glad to work something like this out if there were any takers.

The point of this exercise is to show that you don't need to buy Linux from a big slow vendor to get support. But most of you already knew that.

docs on HP website

[patmfitz]

There's no concise product brief yet, but the following might answer some questions.

• Release Notes
• Admin Guide

Re:3k$ for a distro?

[spudnic]

Show me one case where a company has successfully sued an OS maker after an intrusion.

Re:How to solve most problems

[Royster]

Non-executable stack is not a significant barrier. If there is an expliotable buffer overrun in an executable stack kernel the form of the exploit changes, but the kernel is still vulnerable to the same overrun. Go to the Linux Kernel Archive and follow any one of the many discussions on non-executable stack.

Re:GNU/Linux WTF is that?

[bwt]

Actually, HP is NOT selling a "GNU/Linux" distro. According to the article they are calling their product "HP Secure OS Software for Linux". I believe their choice of terminology represent a deliberate statement about their feelings of the significance of the GNU software within their total offering. Most distros feel similarly, as do most customers of Linux.

Clearly HP feels that the fact that GNU re-implemented "ls", "grep" and a few other commodity commands is not worthy of recognition within the name of their product. Perhaps the glibc library is a critical brand worthy component, but since the leader of that project hasn't asked to refer to distros as "glibc/Linux", this is a non-issue.