Slashdot Mirror


Ask Slashdot: Should Hosting Companies Have Change Freezes?

AngryDad writes "Today I received a baffling email from my hosting provider that said, 'We have a company-wide patching freeze and we will not be releasing patches to our customers who utilize the patching portal for the months of November and December.' This means that myself and all other customers of theirs who run Windows servers will have to live with several critical holes for at least two months. Is this common practice with mid-tier hosting providers? If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?"

138 comments

  1. Green light by michaelmalak · · Score: 4, Funny

    If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

    At least 10 countries have just been given the green light for hacking.

    1. Re:Green light by Anonymous Coward · · Score: 0

      Provided you define Eastern-European as outside of EU. But that includes Switzerland, which is Western, and doesn't include Romania, where a large portion of hackers are.

    2. Re:Green light by xaxa · · Score: 2

      No, that list includes 18 countries. The 10 that are eastern are:

      Serbia
      Montenegro
      Croatia
      Bosnia-Herzegovina
      Macedonia (Former Yugoslav Republic of)
      Albania
      Belarus
      Moldova
      Russia
      Ukraine

      (The first few would often be called southeastern.)

    3. Re:Green light by pacija · · Score: 0

      If so, may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

      Nazi scum. I do not find this funny at all, I find it offensive.

  2. windows? what were you thinking? by Anonymous Coward · · Score: 5, Insightful

    Using windows to provide an internet facing service was the first mistake.

    1. Re:windows? what were you thinking? by gavron · · Score: 4, Insightful

      What he said.

      I'm sorry the Windows-mods modded it down. It's instructional and it's informational. NOBODY should EVER use windows servers as Internet-facing devices.

      Sorry, mods. Reality suggests the 0 is your score for having a clue.

      E

    2. Re:windows? what were you thinking? by erroneus · · Score: 2

      Seriously. Even Windows-only people should know this. If they aren't placing protective devices in front of their Windows boxes to control access and limit the damage of attacks, they just aren't in touch with reality.

      The funny thing is that most of these security appliances are running... what?

    3. Re:windows? what were you thinking? by Anonymous Coward · · Score: 3, Funny

      Exchange

    4. Re:windows? what were you thinking? by ApplePy · · Score: 0

      But how else is one to serve ASP.NET pages powered by IIS and SQL Server?

      And what, pray tell, could possibly replace those singular technologies?

      And don't give me that stuff about Linux! How can an OS be secure when they just let anyone look at the source code whenever they want?! Crazy talk!

      /silly

      I have to somewhat shamefully admit, my employer sells hosted Windows servers and space to customers (only upon request so customers can't get mad that we sold them crap). They're profitable. But we don't use them.

      --
      That I'm right, and you don't like it, doesn't mean I'm a troll.
    5. Re:windows? what were you thinking? by Anonymous Coward · · Score: 1

      The hosting provider is most likely trying to deal with obstacles caused by the terrible windows infrastructure. I imagine they aren't freezing because they feel like being lazy, there is probably a large amount of overhead and cleanup when windows patches are rolled out (especially when they break things).

    6. Re:windows? what were you thinking? by History's+Coming+To · · Score: 1

      They're probably just planning on upgrading to Windows 8 and trying to find the "start server" button. (I know, I know, a cheap and inaccurate shot, couldn't resist, please mod away.)

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    7. Re:windows? what were you thinking? by Anonymous Coward · · Score: 1

      Actually, it really is a shame that you can't reliably host .Net applications out of Apache on Linux. I know mod_mono made some headway into this, but it'd be huge if this were possible in a real, production ready way.

      http://www.mono-project.com/ASP.NET

    8. Re:windows? what were you thinking? by MightyMartian · · Score: 4, Interesting

      Well, I do have OWA open to the world, mainly because of ActiveSync, but the actual SMTP server, no way. I've seen joe job and dictionary attacks bring an Exchange server running on damned heavy hardware to its knees. I run a Postfix server running postgrey, SpamAssassin and ClamAV that sits on port 25 and weeds out all the nasty bits and hands everything else off to Exchange. There's no way in hell I'd ever let Exchange's SMTP service feel the full force of what the nastier folks on the tubes can throw at it. If someone DDoSs Exchange's IIS daemon, oh well.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    9. Re:windows? what were you thinking? by Anonymous Coward · · Score: 0

      How else will "researchers" discover and test exploits?

    10. Re:windows? what were you thinking? by Kjella · · Score: 0, Troll

      Linux isn't going to save you from a stupid hosting company who stops updating their servers for two months so they don't have to deal with regressions. At which point you're probably going to tell me Linux doesn't have idiot admins, doesn't have regressions or doesn't have exploits. It's no miracle cure and the whole "switch to Linux and all your problems will disappear" is getting seriously old. Lots and lots of people have tried Linux over the last decade if not longer, why is Windows still doing fine in the server room? [Insert wild conspiracy theory here, including a rant of anti-competitive behavior and pretty much everything including the kitchen sink except making a decent product.] I went back to Windows after fighting Linux a few years and I wonder if the people here have actually tried it recently or just foam around the mouth by default when someone mentions Microsoft.

      --
      Live today, because you never know what tomorrow brings
    11. Re:windows? what were you thinking? by Penguinisto · · Score: 4, Informative

      No effing way. Only a complete and total newbie would even contemplate that, and I'd fire the first admin who tried to put such a thing in place.

      Exchange as an MTA sits behind firewalls and a spam filter (be it home-brewed atop a Linux machine, or an automated commercial appliance, e.g. Barracuda). OWA you put in its own DMZ, insulated on all ends by industrial-grade firewall/security devices. Even Microsoft anticipated that one, and allows you to rig it exactly like that (with the MTA and all other bits buried in your internal network).

      Back to TFA, I'm curious as to what's stopping the article submitter from sticking in a simple SCCM** box (or at least script something in PowerShell that ties into Windows Update) and do his own %}$#@! patching? Relying on anyone other than the OEM to do patches is kinda, well, dumb.

      .
      ** I know, I know - SCCM blows goats. But it's not like it's completely impossible to set up, and besides - that's the price you pay for using so much Windows gear.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    12. Re:windows? what were you thinking? by Penguinisto · · Score: 1

      I'm afraid you'll have to take that complaint up with Microsoft - they're the ones who lock it into Windows so tightly and refuse to work towards compatibility with other platforms, after all. *shrug*

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    13. Re:windows? what were you thinking? by gavron · · Score: 0, Flamebait

      No. Everyone else who switched to linux is doing fine. It didn't work for you and somehow this translates to the whole industry, or that everyone else is crazy and foam at the mouth.

      The world runs on Linux servers. I'm sorry your experience didn't bear that out. It's ok. Not everyone is cut out to be a server admin. Only idiots use Windows.

      I guess you know your place now.

      E

    14. Re:windows? what were you thinking? by Anonymous Coward · · Score: 1

      You know, you could have just said that you are not qualified to administer a server. Would've been a lot shorter.

    15. Re:windows? what were you thinking? by Anonymous Coward · · Score: 0

      It apparently didn't work for Sony, either...

      relying upon technology to provide your security over good practices is massive fail, regardless of the technology.

    16. Re:windows? what were you thinking? by Anonymous Coward · · Score: 0

      Yep. My network is 99.9% GNU/Linux and 0.1% Microsoft Windows.

    17. Re:windows? what were you thinking? by GNUALMAFUERTE · · Score: 1, Interesting

      Why the hell would you want to code in asp in the first place?

      Years ago (circa y2k) I worked for a hosting company as a sysadmin. We had some customers that demanded ASP support (less than 10%), and we tried a solution, I think it was called chilliasp, that was essentially a classic ASP implementation for Apache on Linux. It was able to run simple stuff, but complex sites failed. So my boss insisted on getting some windows servers. We ended up running 2 NT4 servers. Those 2 servers took more effort to administrate than our +30 LAMP boxes. In the years I worked there, we had 6 security breaches, and 4 of them were on windows. Of course, the security breaches we had on windows were MAJOR (as in, they took over the entire server), while the 2 security breaches we had on Linux weren't really Linux vulnerabilities, but vulns on phpnuke installations our customers left wide open and unpatched, so those only affected a single site.

      I don't get why people would want to code in ASP, what does it have that Perl or PHP don't? I mean, besides expensive licenses, platform restrictions, and huge security issues.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    18. Re:windows? what were you thinking? by JDG1980 · · Score: 1

      Using windows to provide an internet facing service was the first mistake.

      What would you suggest if someone wants to run ASP.NET code on their website?

    19. Re:windows? what were you thinking? by JDG1980 · · Score: 1

      Why the hell would you want to code in asp in the first place?

      I don't get why people would want to code in ASP, what does it have that Perl or PHP don't? I mean, besides expensive licenses, platform restrictions, and huge security issues.

      "Classic" ASP sucks ass. It's basically Visual Basic for Servers.

      ASP.NET, however, is actually a pretty good platform, since it lets you write your server-side code in C#. While PHP does give you the advantage of a free (in both senses) platform, it isn't nearly as well-designed or as elegant as ASP.NET. It's fine for small projects and it can, with difficulty, be scaled up for large ones (there are real-world examples aplenty), but if you are designing a big project from the ground up, ASP.NET might be a reasonable choice.

    20. Re:windows? what were you thinking? by budgenator · · Score: 1

      Back to TFA, I'm curious as to what's stopping the article submitter from sticking in a simple SCCM** box (or at least script something in PowerShell that ties into Windows Update) and do his own %}$#@! patching? Relying on anyone other than the OEM to do patches is kinda, well, dumb.

      .
      ** I know, I know - SCCM blows goats. But it's not like it's completely impossible to set up, and besides - that's the price you pay for using so much Windows gear.

      Shared hosting? Not sure if windows can do that, but that would explain why patching might be terminated. I recall a few PHP upgrades that broke a lot of things on LAMP stacks.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    21. Re:windows? what were you thinking? by dbIII · · Score: 4, Insightful

      Since in this case you can patch without reboots, the answer is just switching to linux (or anything else that can patch without reboots) CAN solve the problem.
      Of course it doesn't solve every server problem, but nobody above said it would, just you dishonestly shifting the goalposts and pretending it's no good unless it fixes problems that were not even being discussed here. That's a bit of a slimy little tactic IMHO so you must feel very strongly if you are prepared to lower yourself to that level, but let's keep all the mindless emotive fanboy bullshit out of it since it just makes you look like more of an idiot than you actually are.

    22. Re:windows? what were you thinking? by aiht · · Score: 2

      Using windows to provide an internet facing service was the first mistake.

      What would you suggest if someone wants to run ASP.NET code on their website?

      Reverse proxy.

    23. Re:windows? what were you thinking? by theArtificial · · Score: 1

      Not sure if windows can do that, but that would explain why patching might be terminated.

      I think we'll have seen everything by that point. The only Windows servers I've seen are either VPS or dedicated machines.

      I recall a few PHP upgrades that broke a lot of things on LAMP stacks.

      Sounds like someone didn't do their unit tests. The same thing can happen with any software which hasn't been vetted. Most shared hosts support multiple versions of PHP.

      --
      Man blir trött av att gå och göra ingenting.
    24. Re:windows? what were you thinking? by theArtificial · · Score: 1

      It's fine for small projects and it can, with difficulty, be scaled up for large ones (there are real-world examples aplenty), but if you are designing a big project from the ground up, ASP.NET might be a reasonable choice.

      While I know it wasn't all ASP.net, are we talking London Stock Exchange big? There are some additional hidden costs when using a Microsoft tool chain such as SQL Server license(s) and Windows Server license(s). If you're designing a big project this is where Java shines (I'm not a Java guy either). At the end of the day they're tools to get the job done and infrastructure considerations are part of the project.

      --
      Man blir trött av att gå och göra ingenting.
    25. Re:windows? what were you thinking? by Runaway1956 · · Score: 0

      How can an OS be secure when they just let anyone look at the source code whenever they want?! Crazy talk!

      Sometimes, you simply have to believe the empirical evidence that is available. *nix servers are seldom hacked, Windows servers are frequently hacked. No matter what you like or don't like, no matter what you understand or don't understand, a mountain of empirical evidence says that *nix operating systems are better for serving.

      A large number of us also believe that *nix is a superior desktop and workstation OS, as well, but we lack the mountains of empirical evidence that we have for servers.

      Are *nix servers more secure because they are open source, or in spite of being open source? Personally, I buy into the "many eyes" thing. The more people who are looking for vulnerabilities, the better. With Windows, only Windows and the bad guys are looking for those vulnerabilities. Seems that Windows loses as often as not.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    26. Re:windows? what were you thinking? by Hognoxious · · Score: 1

      Using windows to provide an internet facing service was the first mistake.

      Correction, it's the second.

      What would you suggest if someone wants to run ASP.NET code on their website?

      That's the first.

      DrrrrTISH!

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    27. Re:windows? what were you thinking? by _Shad0w_ · · Score: 1

      They were actually tacitly supporting the Mono project at one point I believe, because - I think - they saw it was their way of getting Silverlight support on as many non-Windows platforms as possible. Only Silverlight seems to have fallen flat on its face ("and nothing of value was lost") and thus I suspect MS are no longer that interested in Mono.

      The .NET framework actually has built-in support for running on non-Windows and non-x86/x64 systems: there are various internal enumerations which indicate running on Windows, Mac, or Linux systems and there are also flags for indicating Big and Little Endian CPUs. It was *designed* to be cross platform; it's just Microsoft themselves have never bothered to take advantage of this.

      The Common Language Infrastructure that underpins the .NET Framework is a published ISO/ECMA standard (current version is ISO/IEC 23271:2012) - one you can actually download for free. C# is also published as an ISO/ECMA standard (ISO/IEC 23270:2006), but hasn't been updated since 2006, so doesn't include the newer extensions Microsoft have added; it's also freely downloadable from ITTF Freely Available Standards. Both the CLI and C# are part of Microsoft's "Community Promise", for whatever people consider that worth.

      --

      Yeah, I had a sig once; I got bored of it.

    28. Re:windows? what were you thinking? by TheRaven64 · · Score: 3, Funny

      What would you suggest if someone wants to run ASP.NET code on their website?

      Therapy.

      --
      I am TheRaven on Soylent News
    29. Re:windows? what were you thinking? by jellomizer · · Score: 1

      I haven't heard about major security problems in IIS for years. Today you are no more or less vulnerable with IIS ASP. and SQL Server as you are with a LAMP.
      Back before Server 2003, you put yourself at risk; however, the newer versions have gotten far more secure and reliable.

      Sure you get your security patches and upgrades but you get those for the LAMP systems too.

      The biggest flaw isn't in your software choices but how well you coded your ASP.NET and your PHP and your SQL (MySQL or SQL Server) queries. Being that Microsoft development is very common, that means there will be more amateur coding of ASP.NET code making a lot of basic security mistakes. But if you take those people and give them a crash course in PHP, their code isn't going to be any more secure.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    30. Re:windows? what were you thinking? by jellomizer · · Score: 1

      You mean you had problems last decade. There is no way a company in 10 years can improve their product. It is just impossible.

      Post Bill Gates Microsoft - Less innovative but more reliable systems.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    31. Re:windows? what were you thinking? by Com2Kid · · Score: 1

      The .NET framework actually has built-in support for running on non-Windows and non-x86/x64 systems: there are various internal enumerations which indicate running on Windows, Mac, or Linux systems and there are also flags for indicating Big and Little Endian CPUs. It was *designed* to be cross platform; it's just Microsoft themselves have never bothered to take advantage of this.

      Look into .NET Micro Framework, it is a completely open source implementation of .NET (by Microsoft!) running on a wide variety of platforms.

      Netduinos are the easiest way to get started with .NETMF.

      (To be fair, .NETMF is more of a platform in of itself, a cool little mini-runtime of sorts, very awesome and fun to play around with)

    32. Re:windows? what were you thinking? by _Shad0w_ · · Score: 1

      Ooh, that's interesting - I've not come across that at all. All my .NET development is for the desktop platform; I shall have to take a closer look at that. I feel the need to make all the fanboys howl with rage by seeing if you can use it in bare metal mode on a Raspberry Pi (looks like people have already been looking into it).

      --

      Yeah, I had a sig once; I got bored of it.

    33. Re:windows? what were you thinking? by Anonymous Coward · · Score: 0

      Not sure if windows can do that, but that would explain why patching might be terminated.

      I think we'll have seen everything by that point. The only Windows servers I've seen are either VPS or dedicated machines.

      How do you think services like AppHarbor and Azure work? You don't get one OS instance per website process, that's for sure.

      IIS and ASP.Net have multitenancy/shared hosting support built in - you can restrict the trust levels of apps, filesystem access and even system calls.

    34. Re:windows? what were you thinking? by Anonymous Coward · · Score: 0

      Well, I do have OWA open to the world, mainly because of ActiveSync, but the actual SMTP server, no way. I've seen joe job and dictionary attacks bring an Exchange server running on damned heavy hardware to its knees. I run a Postfix server running postgrey, SpamAssassin and ClamAV that sits on port 25 and weeds out all the nasty bits and hands everything else off to Exchange. There's no way in hell I'd ever let Exchange's SMTP service feel the full force of what the nastier folks on the tubes can throw at it. If someone DDoSs Exchange's IIS daemon, oh well.

      There are appliances that support and proxy ActiveSync. You're just lazy.

    35. Re:windows? what were you thinking? by Anonymous Coward · · Score: 0

      Why the hell would you want to code in asp in the first place?

      Years ago (circa y2k) I worked for a hosting company as a sysadmin. We had some customers that demanded ASP support (less than 10%), and we tried a solution, I think it was called chilliasp, that was essentially a classic ASP implementation for Apache on Linux. It was able to run simple stuff, but complex sites failed. So my boss insisted on getting some windows servers. We ended up running 2 NT4 servers. Those 2 servers took more effort to administrate than our +30 LAMP boxes. In the years I worked there, we had 6 security breaches, and 4 of them were on windows. Of course, the security breaches we had on windows were MAJOR (as in, they took over the entire server), while the 2 security breaches we had on Linux weren't really Linux vulnerabilities, but vulns on phpnuke installations our customers left wide open and unpatched, so those only affected a single site.

      I don't get why people would want to code in ASP, what does it have that Perl or PHP don't? I mean, besides expensive licenses, platform restrictions, and huge security issues.

      So you have minimal, dated experience with an OS that's several major releases ago, completely dead and unsupported, minimal experience with .net's predecessor ASP, but you know what's up today on windows?

    36. Re:windows? what were you thinking? by fritsd · · Score: 2

      I once saw an advertisement for a protection service for MS IIS servers, to protect them from attack. (Sorry no link, I forgot, and it was years ago):
      It was some kind of proxy that made it look as if the website was on Apache instead of IIS.

      I'm not joking; it really seemed like a legit product, for money, that protected large banks etc. by making it appear as if they used Apache. So that attackers wouldn't bother trying to attack it.

      To be honest, I have no experience with MS IIS, but to me that says that at least 10 years ago, the perception was that IIS was less secure than Apache, so much so that 3rd parties developed and marketed this kind of webserver shell around it.

      Call it "Mimicry"; protective coloration :-)

      --
      To be, or not to be: isn't that quite logical, Slashdot Beta?
    37. Re:windows? what were you thinking? by theArtificial · · Score: 1

      How do you think services like AppHarbor and Azure work? You don't get one OS instance per website process, that's for sure.

      I'm aware that Windows can host more than a single site. Azure runs on a VPS or a dedicated machine. Otherwise, how do users remotely login and manage their sites, remote desktop? I don't know of any setups where they operate that way.

      --
      Man blir trött av att gå och göra ingenting.
    38. Re:windows? what were you thinking? by GNUALMAFUERTE · · Score: 1

      Why compare to PHP? Sure, PHP is for small projects (but it can be scaled without much problems, it's awfully designed and not very elegant, but it gets the job done). Anyway, if you are going to talk big projects compare Perl, or if you want something more modern Python. If we are talking truly big and complex, I'll take nothing over C++.

      Anyway, why ASP when there are better solutions that don't depend on a particular vendor who is well known for being the dirtiest motherfucker around, second only to oracle, and who is definitely going to let you locked in, and in shitload of troubles. Not to mention it'll be incredibly expensive while offering no measurable advantages.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    39. Re:windows? what were you thinking? by Frosty+Piss · · Score: 1

      How the fuck would you know about anything related to "big projects" from your cum-stained computer in your mom's basement? I suppose you can dream, but really, why not get some help and join / rejoin society and the sun light outdoors? And by the way, you should stop wearing your mom's panties, that's kind of creepy.

      --
      If you want news from today, you have to come back tomorrow.
    40. Re:windows? what were you thinking? by GNUALMAFUERTE · · Score: 1

      You are so mature. When I grow up I want to be just like you.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    41. Re:windows? what were you thinking? by Frosty+Piss · · Score: 1

      At least I'm not some self-important moron who lives in a fantasy world. Dude, get help.

      --
      If you want news from today, you have to come back tomorrow.
    42. Re:windows? what were you thinking? by Anonymous Coward · · Score: 0
    43. Re:windows? what were you thinking? by Anonymous Coward · · Score: 0

      quit projecting your own sad state of affairs onto others you weirdo.

  3. Why Eastern European? by Anonymous Coward · · Score: 0

    I am Eastern European, and strangely I feel offended by that :)

    But to be honest, yeap, you're pretty much asking for it...

  4. Sure by Capt.DrumkenBum · · Score: 4, Funny

    may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

    Just reply to this message with the IP addresses of any servers you want to make sure will not be hacked and I will make sure the list gets to the right people.

    Happy to help.

    --
    If I were God, wouldn't I protect my churches from acts of me?
    1. Re:Sure by phorm · · Score: 2

      127.0.0.1 ::1
      fe00::0
      127.0.0.2

    2. Re:Sure by houghi · · Score: 2

      127.31.33.7
      HTH. HAND.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:Sure by antdude · · Score: 1

      Here it is: 127.0.0.1

      Thanks! :)

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  5. change freeze by Anonymous Coward · · Score: 5, Informative

    I work for a company with 1200+ VMs and the change freeze concept is nothing new. For us, it's only 1 month around new years and mainly due to staffing issues if something goes wrong.

    1. Re:change freeze by skywhale · · Score: 1

      Same here for the same reason.

      --
      :wq!
  6. It's not that bad by bigtrike · · Score: 5, Funny

    The server will be spending 50% of its life rebooting to apply minor updates and install software, reducing the risk of a security breach.

  7. Go dedicated or go home by A+bsd+fool · · Score: 2, Insightful

    Under any shared hosting, or control-panel-abstracted hosting, you're at the mercy of your provider for things like this. I realize they offer stuff on the cheap, but it's times like these when you realize you're getting what you've paid for. Many more hosting companies have hypervisors amongst their offerings than did just five years ago, and you can get a basic ESXi server for $50/month or thereabouts. Add memory, disk space, IPs, and bandwidth to suit.

    1. Re:Go dedicated or go home by GNUALMAFUERTE · · Score: 3, Informative

      I'm using server4you. Their support sucks if you have to call them (they speak german, and very very limited english). If you need support, this is not your company. But if you can manage your own boxes, their uptime is great, and so is the hardware and bandwidth. In the last year we had less than an hour of downtime, and it was after midnight.

      The interesting thing: The prices. $28 for an Athlon X2 with 4GB RAM, 2 SATA disks and unlimited bandwidth.

      Again, the support desk is impossible mostly due to the lack of English proficiency, and their billing department suffers the same problem if you ever have an issue, but they do offer web reboots (you click a button, your server gets rebooted usually in under 5 minutes). I once requested a server re-imaging and it was processed in 20 minutes. Hardware issues are taken care of very fast too. So, if you know what you are doing, and need nothing but hard-reboots and re-imaging if something goes horribly wrong, it doesn't get any cheaper than that.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
    2. Re:Go dedicated or go home by Runaway1956 · · Score: 1

      Have you ever considered learning German? Then, you could butcher their language as readily as they butcher yours! It's always an advantage when you can insult the sheistikopf in his native language!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:Go dedicated or go home by GNUALMAFUERTE · · Score: 1

      English is my second language, I don't live in an English-speaking country, and considering nobody has treated it worse than Americans and British, I couldn't care less. I don't mind small errors, typos, etc., but when your grasp of a language is so bad that you make communication impossible, it does bother me. It bothers me more when native speakers do things such as mix up the possessives and contractions (their vs. they're, for example), and other similar mistakes that drive me berserk.

      And if I ever learn German (I've wanted to for many years, but I could never find the time), I'll be too busy reading Nietzsche in original language to even go to work anymore. That and using the Ach sound as much as possible. German fucking rocks.

      --
      WTF am I doing replying to an AC at 5 A.M on a Friday night?
  8. Better safe than sorry. by Anonymous Coward · · Score: 3, Insightful

    This is for automated patching, you may certainly request to be patched by the support teams. Typically these two months are the busiest for online shopping sites and a botched patch could cost the business tons of money. Since you know your business the best, you make the call. Better safe than sorry in my opinion.

  9. Translation by bersl2 · · Score: 2

    Translation: "Dear Slashdot, I'm looking for a good Windows host. Any suggestions?"

    1. Re:Translation by Anonymous Coward · · Score: 1

      I've heard on the interwebs about this student, I think his name is Linus who created some OS called 'Linux'. It's like BSD (1-800-ITS-UNIX) but free as in freedom and beer.

      Unless you're running some stupid server which requires ASP.NET, in that case go dedicated.

    2. Re:Translation by Anonymous Coward · · Score: 0

      The oxymoron contest is in the next room. HTH.

    3. Re:Translation by History's+Coming+To · · Score: 1

      Out of curiosity, can you run a .NET framework on a linux server via WINE? Or can you legitimately use the Windows licence to run it virtually?

      --
      Please consider this account deleted, I just can't be bothered with the spam anymore.
    4. Re:Translation by Anonymous Coward · · Score: 0

      Thanks to the Mono project, ASP.NET (and C#.NET) applications can be served using Apache. I believe you need mod_mono. http://www.mono-project.com/ASP.NET

      No Windows (or WINE) needed.

  10. Exercise that redeployment plan by RichMan · · Score: 3

    As a company using a hosted service you do have a redeployment plan should movement to another hosting service be required, don't you?

    Now would be a good time to exercise that plan.

    1. Re:Exercise that redeployment plan by Anonymous Coward · · Score: 0

      As a company using a hosted service you do have a redeployment plan should movement to another hosting service be required, don't you?

      Now would be a good time to exercise that plan.

      Any company which allows non-critical patching during times when you're running skeleton crews should be avoided at all costs. Good companies will still allow for critical patches and emergency systems maintenance. Angry Dad didn't bother telling us who he hosts with, and he didn't bother giving us the actual email or the complete policy towards patching, so nobody can really say if their policy is normal or not. But given that he's obviously never heard of a moratorium period, I'm going to say that he should probably figure out what the policy is before trying to compare them to other companies.

  11. This is what happens when you outsource by BitZtream · · Score: 1, Interesting

    While I think it's rather unacceptable for this to be done, it's not all that surprising and you kind of deserve the result.

    When you outsource you sacrifice things. Why are you letting them patch for you anyway? It's not like they are going to do anything special. All they do is release patches from their own internal WSUS server (or whatever it's called now) rather than you have to do it yourself or letting the machine auto-patch on its own.

    Realistically, if you're going to have someone else auto-patch, you might as well just turn automatic updates on fully and be done with it. The only thing they are going to 'save' you from is if a patch happens to interfere with something locally on their network which is going to be pretty damn rare.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    1. Re:This is what happens when you outsource by MightyMartian · · Score: 1

      He's a victim like a guy who had the choice between a $3000 used car with seatbelts and a $100 heap with a garbage bag for a passenger-side window, and picked the latter.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:This is what happens when you outsource by dalias · · Score: 1

      No, apparently he picked the $10,000 heap with a garbage bag for a passenger-side window.

    3. Re:This is what happens when you outsource by Pentium100 · · Score: 1

      Do you use SSL to access your bank account?
      Do you use strong passwords?
      Do you use a firewall and patch whatever OS you are using regularly?

      If so, why? Nobody will hack you, after all, hacking is illegal and nobody will blame you for having "password" as your password even if someone does hack your account (and steals your money) or hacks the company that you work for. It's all the fault of the hacker.

      Locking your car and house is stupid too - stealing is wrong so nobody would steal even if you left the doors not only unlocked but open. And nobody would laugh at you even if you get your stuff stolen after leaving the door open.

      I mean look at Sony - they used bad security practices and got hacked, but nobody blamed them, after all, the hacker should not have hacked even if the password was "12345".

      Conclusion: using any security is stupid - it will make the system less convenient to use and nobody will hack you anyway (since it's wrong), so why bother?

  12. This is common, but.... by Anonymous Coward · · Score: 4, Interesting

    This ("change moratoriums") is a common practice around the holiday season. A number of the datacenters and other vendors I work with implement similar policies starting right before "Black Friday" and ending a week after New Year's. The logic is that changes could have undesirable consequences and the volume of e-commerce around this time would result in a potentially detrimental impact on operations. However, I have never heard of a company that holds out on security updates and other critical fixes due to such a moratorium.

    1. Re:This is common, but.... by sjames · · Score: 2

      It's a tough call, but it's worth keeping in mind that not all windows updates go smoothly.

  13. Managed services usually have contracts by Anonymous Coward · · Score: 0

    You could always stipulate this in your contract. I'm on the fence about this since you consciously made the decision to have managed equipment. It's not like they're a Colo... with the advantage these services provide, there's some downside revolving around control.

    You could politely ask your lawyer to review the contract to look for liability should you get hacked while the change window is frozen.
    ( hint: it's your liability )

  14. What does your contract say? by HaeMaker · · Score: 3, Insightful

    Two months is a looong time. 17% of the year not getting full fidelity on your contracted services seems excessive. Usually, change freezes are a few hours in the middle of the night, once a week.

    1. Re:What does your contract say? by viperidaenz · · Score: 1

      A change window is usually a few hours in the middle of the night. A change freeze is usually the length of a holiday period or other such period of either reduced support staff and/or high risk. E.g.: Christmas = high sales time, so high cost of outage and reduced staff due to holidays.

    2. Re:What does your contract say? by HaeMaker · · Score: 1

      Oops, yea, you are right, but there are usually provisions for security related changes or emergency changes, and two months is still too long. Week before and after Black Friday, then two weeks leading up to Christmas should be plenty.

    3. Re:What does your contract say? by Anonymous Coward · · Score: 0

      Emergency change controls are exempt from change freezes and are up to the service providers' discretion.
      A managed patching service that implements a two month change freeze means one thing, they use a cloned base-VM image with all patches installed there, and as such you simply can't patch your VM without all VMs being patched.

      This is a bad model and you should ask for your VM to be cloned to a non-linked image environment where you can have your own patches installed.

  15. POS by Anonymous Coward · · Score: 0

    They're probably also hosting someone in the POS business and, historically, despite oodles of testing, applying patches during critical sales periods results in outages that lose a lot of moola... the freeze periods get born and propagated across all customers they host via management... just the way the cookie often crumbles...

    You're with a managed services provider? Consider yourself duly managed.

    1. Re:POS by viperidaenz · · Score: 4, Funny

      Are you referring to Point of Sale business or Piece of Shit business?

    2. Re:POS by Dewin · · Score: 4, Funny

      In my experience, they are one and the same.

      --
      Of course nobody reads the FAQ! If people read the FAQ, the Questions wouldn't be so Frequently Asked.
  16. What Ever You Have to Say About Hostess Company by Jeremiah+Cornelius · · Score: 2, Funny

    It's just too late. No more Twinkies.

    And if you are concerned about freezing them, as the article seems to state? Don't bother. The shelf-life is astronomical!

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:What Ever You Have to Say About Hostess Company by SomePgmr · · Score: 1

      25 days. I know you were joking but I was curious.

    2. Re:What Ever You Have to Say About Hostess Company by Anonymous Coward · · Score: 0

      WTF does this have to do with the topic? You may as well have posted "Sceond Psot"

    3. Re:What Ever You Have to Say About Hostess Company by WhatAreYouDoingHere · · Score: 1

      You don't see the connection? The summary mentions "hosting", which is obviously a reference to hostess twinkies. Furthermore, the word "freezes" is in the summary title, which could only indicate the process of freezing a hostess twinkie. I mean, what else could these terms mean on a slashdot story?

      --
      "What are you doing here, Elijah?"
  17. Change freezes? by Anonymous Coward · · Score: 1

    Is this something to do with global warming?

  18. Hardly baffling by Gothmolly · · Score: 2

    Real (TM) IT shops have change freezes all the time. It's called release management. Perhaps you should a) host on some more stable platform, or b) co-lo your own gear where you can run daily patches and reboots and only affect your own stuff.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Hardly baffling by nabsltd · · Score: 3, Informative

      Perhaps you should co-lo your own gear where you can run daily patches and reboots and only affect your own stuff.

      Unless the OP is sharing an actual Windows instance with other clients (which would mean he should be paying about $1/month in fees), rebooting his instance should only affect him.

      It's possible that he is paying for a Windows instance on top of Hyper-V, and the underlying OS isn't getting patched, but that really shouldn't be much of a security risk for the OP, as the hypervisor OS isn't visible to the outside world. Likewise, even if he is sharing access to back-end services like SQL server, it's unlikely that the API he is using to connect to those services is vulnerable in such a way that a patched client would be a problem for an unpatched server. It's far more likely that there are SQL injection or other issues on the clients than a non-administrator connection to an unpatched server causing a compromise.

    2. Re:Hardly baffling by MightyMartian · · Score: 1

      I certainly put freezes in place for a week or two surrounding major holidays like Christmas. But we're talking about a damned long freeze here.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Hardly baffling by AK+Marc · · Score: 2

      Everywhere I've seen a "change freeze" stated, "critical" changes/updates are allowed, just with "critical" being variable.

  19. Not if they want to keep customers by Anonymous Coward · · Score: 0

    I'd vote with my virtual feet. Of course, I wouldn't serve from Microsoft software anyway. I'm not a MS basher. I love it on the desktop. I just wouldn't use it as a server. It wasn't designed as one from the ground-up, the culture surrounding it is not as proficient. It shows.

  20. Careful you don't hurt yourself by Sycraft-fu · · Score: 2, Insightful

    When you fall off that high horse.

    What is the reason for an anti-outsourcing rant in this thread? To me, it sounds like the guy has his own website and that's what he's talking about. Do you host your own website? By that I mean do you have your own server, on your own property? If not, then you are outsourcing it. Even if you do, you are still probably outsourcing your Internet access and power generation.

    If you don't like outsourcing that's fine and there's plenty of arguments against it, but save it for when it is relevant. Don't just go off on it.

    Most individuals outsource their webhosting, and for good reason.

    1. Re:Careful you don't hurt yourself by Anonymous Coward · · Score: 1

      I outsourced my datacenter's power to a "green" facility that promised only to use hamsters running on their merry wheels. Little did I know those little fuckers only live for 1-2 years on average.

    2. Re:Careful you don't hurt yourself by BitZtream · · Score: 2

      Yes, I have a server sitting on my property. I have a government regulated Internet connection and power connection with HARD SLAs regarding availability. You want to try that one again?

      That is entirely beside the point. There is nothing wrong with outsourcing. I also host certain parts of my infrastructure in someone else's data center. What I do not do is depend on someone else to do the job of Windows update when they provide absolutely no advantages of turning on auto-updates and they provide obvious downsides like the very one the submitter submitted.

      I evaluate the benefits and risks of outsourcing and then decide where I'll get the better fit for my situation.

      I walked into managing a cluster of servers with that outsourced patch crap, worst idea ever. They provide no advantage over just turning on auto-updates. They don't actually test it with 'your software'. They don't generally provide any better way to roll back a patch set other than 'use the system restore'. They do absolutely nothing that turning on auto-updates wouldn't do for you.

      It's just another way to blame a problem on someone else rather than being responsible for it yourself. It's like buying support contracts for Linux. It's just an excuse. It doesn't actually solve the problem, it just shows you aren't capable of doing the job yourself.

      In this case it shows the submitter didn't bother to even consider what the benefits of having the company do patch management for him were, which are none. That is why I can stay seated on my horse.

      Top it off ... he couldn't bother to do some Googling for the answer. He isn't qualified for the job.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    3. Re:Careful you don't hurt yourself by marcosdumay · · Score: 1

      You know, I outsource a server.

      Yet, I chose a provider that gave me the things I care about. I have a nice SLA to rely upon, and I don't outsource configuration, because that is just stupid.

      Yet, there is somebody outsourcing configuration, and complaining that the provider won't configure the machines exactly the way he wants. Duh. You can be sure that if they were configuring the machines the way he wants, somebody else would be here, complaining about it.

  21. "Your" servers? by Anonymous Coward · · Score: 2, Insightful

    How are they "your" servers if you cannot patch them whenever you deem necessary?

  22. Standard practice by Jethro · · Score: 4, Informative

    Having change freezes is standard practice. Most places I've worked have a short month-end freeze, and a couple of month year-end freeze.

    However, critical security vulnerabilities are exempt from these freezes. Those still get done using whatever emergency protocols are in place.

    --
    In the land of the blind, the one-eyed man is kinky.
    1. Re:Standard practice by Anonymous Coward · · Score: 0

      I work in finance, and I can attest this is normal. In addition to holidays, we also have freezes at month end and "Operations Expiration" weekends, which typically occur on the 3rd weekend of the month. While it's not an absolute freeze, you'd better be willing to bet your job on the change you need to make during those weekends.

    2. Re:Standard practice by Crypto+Gnome · · Score: 1

      Having change freezes is standard practice. Most places I've worked have a short month-end freeze, and a couple of month year-end freeze.

      However, critical security vulnerabilities are exempt from these freezes. Those still get done using whatever emergency protocols are in place.

      Especially for systems hosted in The Northern Hemisphere.

      It's winter, people should know enough to expect freezing this time of year.

      --
      Visit CryptoGnome in his home.
  23. Is this common practice for change freezes in Dec. by shuz · · Score: 1

    Yes! If your company does not have a change freeze in effect for at least some portion of December or November it should. Nearly all countries and religions observe significant national holidays during this time. It also tends to be a very significant or the most significant time of the year economically for many countries and companies. That said, non-functional security patching and security related activities would be good exceptions to this rule. Large hosting providers, not wanting to single out customers, often have blanket change freezes in effect including patching.

    --
    There is or can be built a machine that can simulate any physical object. -Church-Turing principle
  24. rackspace by Anonymous Coward · · Score: 2, Informative

    If you read the email properly, they are not doing automatic patching of these releases, but nothing to stop you applying them yourself.. or getting them to apply them if you specifically ask for them.

  25. Change Hosts by pubwvj · · Score: 1

    Time to change hosts.

  26. Not hosting by LordLucless · · Score: 3, Insightful

    You didn't get this email from your hosting company. You got it from the company managing your servers. The fact that it's the same company is largely irrelevant.

    If the server management company isn't flexible enough to meet your needs, do it yourself. You keep track of the patches, you decide when they're ready for release, you release them, you test them. If you don't have the skills for that, or the money to hire someone with the skills, then get another company to do it. If you're using a dedicated server, there's nothing stopping you giving someone else the access to manage and patch it.

    If you yourself don't have root/Administrator access, then you don't have a server; you have access to a server. Fork out a little bit extra, and get a dedicated box that you control.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    1. Re:Not hosting by Anonymous Coward · · Score: 0

      Three letters...

      VPS

      It's dirt cheap now, you control the full OS level, just trust the hosting company with the hardware and hypervisor... much lower risk. No reason anymore to just do web hosting, get the rest of the machine.

  27. A retail customer probably uses their service by Anonymous Coward · · Score: 0

    It is standard practice for a lot of retailers (Big Box and E-tailers) to institute this type of freeze. If the host also offers co-location services, there are a couple big e-retailers that require these types of holds for anything and everything in the building during the holiday season. They are fierce about it too; one time a co-lo provider was making changes to a door in the DC, the customer freaked out, and tried to fine (per the contract) the co-lo provider. A lot of providers cave and don't do anything for Nov-Dec.

  28. Words vs Actions by holophrastic · · Score: 3, Informative

    You can't put up a sign that says "only a few people allowed beyond this point". And you can't put up a sign that says "very little loitering accepted". So you put up signs that read "no access beyond this point" and "no loitering", and then you simply don't enforce it for the first few people.

    If this company has a reduced staff, or wants to ensure that large problems don't happen during sensitive times, then they might want the freeze. And saying that there will be a freeze is the way to do that. But calling them and saying "hey, I know there's a freeze, but I'd really appreciate this patch when it's convenient." won't likely be met with a solid "no, screw you, we're in a freeze".

    Ice is usually still a little wet. Not every molecule freezes at the same instant.

    Look at it as an opportunity for you to be nice. They said "we'd really like to ease the harsh environment of Christmas IT", and you can optionally say "I'll help you out by not patching for a while". It's an opt-out instead of an opt-in scenario, but it's the same.

    You're complaining about the default, not the final. And you can override the default with a phone call. Don't sweat it.

  29. Utility companies by Macgrrl · · Score: 1

    I spent 2 years working for a utility company in Australia where we had an annual change freeze to core systems during the bushfire season. We couldn't afford for systems to be down for non-essential changes when there was the possibility of a 'real world' emergency breaking out. This went doubly so for anything involved in the SCADA network.

    --
    Sara
    Designer, Gamer, Macgrrl in an XP World
  30. RackSpace aren't stupid, just ignorant. by Anonymous Coward · · Score: 0

    Also host with them, good luck :)

  31. Troll by vawarayer · · Score: 2

    If so, may I ask Eastern-EU folks to please refrain from hacking my servers

    If so, may I ask the Slashdot editors to please refrain from letting people post trolls.

  32. we have a year end freeze too by milkmage · · Score: 1

    we lock down from about mid december to mid jan.. partially because of staffing, but mostly because our environment needs to be stable for year end processing (I work for a bank). no elective changes are allowed during this time.. only fixes if something breaks.

    we don't run our shit in third party datacenters, so it's not exactly the same scenario, but it's understandable that no changes are allowed. what if your stuff breaks and you don't have staff due to the holidays? if we fuck up, we only fuck up our shit... if a hosting outfit fucks up, they fuck up a lot of other people's shit..

    maybe they host a lot of retail outfits who need to be up for the holiday shopping season.

    1. Re:we have a year end freeze too by Anonymous Coward · · Score: 0

      Same here. I work for a bank as well and we have regular HAPs (Heightened Awareness Periods) where we can still change anything we want as long as we're willing to make the case to senior management. We also have a yearly change freeze starting in December and going into January. Even during the change freeze we can still make changes and deploy critical security patches, but we have to demonstrate that not doing the change would cause an unjustifiable risk to the stability and security of the environment.

  33. Yes, but ... by dbIII · · Score: 1

    Yes you can (or even better with mono), but your application may not like it, so it depends on what you are running. Some do run as well that way as on an MS system and I'm using it so users can get to a single licence application using dotnet (fucking stupid name you can't use in a sentence) remotely via X instead of hotseating. Yes I know a lot about VNC but it sucks in comparison on a decent local network for several reasons, and that linux box in the server room has far more memory and CPU power than any of the available MS Windows workstations.

  34. 216.34.181.45 by kf6auf · · Score: 5, Funny

    Whatever you do, don't take down 216.34.181.45.

    1. Re:216.34.181.45 by Anonymous Coward · · Score: 0

      China ended up with deadbeef? Really? You all suck. 222.173.190.239

  35. Yahoo! Small Business has freezes. by Anonymous Coward · · Score: 0

    I used to work for YSB and they have patching freezes around this time of year on their e-commerce platform. They want to make sure everything is as stable as possible for the influx of business.

  36. Article is based on incorrect reading by phoebusQ · · Score: 3, Informative

    I know which host and to which announcement this refers. All this is is a suspension of fully automated patching during the holiday season. If you want patching performed anyway, just contact your support team. They prefer to make patching opt-in during this period to avoid site outages due to patching miscommunications.

  37. Customer satisfaction is important to us. by Mr2cents · · Score: 3, Funny

    may I ask Eastern-EU folks to please refrain from hacking my servers during the holiday season?

    Sure, just provide me with your domain name, provider and root password and I'll add you to my do-not-hack list.

    --
    "It's too bad that stupidity isn't painful." - Anton LaVey
  38. do it your goddamn self by Anonymous Coward · · Score: 0

    if you don't like the service from the minimum wage gardeners you hired, get someone else

    or just weed your own fucking flower beds

    don't whinge about it here

    1. Re:do it your goddamn self by Hognoxious · · Score: 1

      As my grandad used to say: if you want it done right, do it yourself.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  39. Why still allow top hacking countries? by Moskit · · Score: 2

    I'm sorry to say that OP seems to be nationalistic about his "hacker countries" conception, promoting negative stereotypes, not to mention that he confused EU with Europe.

    Top hacking countries are very different from Eastern Europe countries: USA (yup, still number 1 spot), China (Eastern, but not European), Russia (not Europe, just Eastern), Brazil, Germany (Europe and EU, but not Eastern), UK (an island off Europe coast), India (totally away from Europe)...

    With your attempt at "humour" you basically allowed all those people right to hack your servers over the next two months ;-)

    1. Re:Why still allow top hacking countries? by Tyr07 · · Score: 1

      Offending people does not entitle you to commit unlawful acts. (Albeit if you want to avoid them perhaps you should avoid offending them)

      That's like saying some guy was being naive and offended me so I have the right to punch their face in.

  40. Wow, you must REALLY hate sys admins by SmallFurryCreature · · Score: 1

    What have you got against sys admins anyway that you go out of your way to make them cry like that?

    --
    MMO Quests are like orgasms:
    You may solo them, I prefer them in a group.

  41. Locate your customers... by jafiwam · · Score: 1

    And block everybody else at the firewall.

    There's no reason to let any of China, Pacific Rim, Middle East, Former Soviet Bloc, Africa, etc. onto my servers.

    So they don't get on, and nothing of value was lost.

    Know what else? My log files don't fill up with useless shit anymore, and the numbers of automated attacks and form spams have dropped dramatically.

    Last time I checked, you can download fixes for your servers. Just FTP them up or whatever and install them manually. Get a new web host over the long term, but this is just an annoyance, not some big rights-violating controversy as you make it out to be.

  42. Ok, then they should use Linux instead? by Anonymous Coward · · Score: 0

    2012:

    New Linux Rootkit Emerges:

    https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

    "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

    ---

    'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

    http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

    ---

    Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

    http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

    So, what's dts.utah.gov running everyone?

    LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

    What's health.utah.gov running too??

    YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

    * Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

    ===

    2011:

    KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

    ---

    London Stock Exchange serving malware:

    http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

    (I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

    ---

    DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    ---

    Linux Foundation, Linux.com Sites Down To Fix Security Breach:

    http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach

    ---

    Linux's showing in CA's breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)

  43. Linux != BETTER choice (2011-2012) by Anonymous Coward · · Score: 0

    2012:

    New Linux Rootkit Emerges:

    https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

    "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

    ---

    'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

    http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

    ---

    Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

    http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

    So, what's dts.utah.gov running everyone?

    LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

    What's health.utah.gov running too??

    YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

    * Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

    ===

    2011:

    KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

    ---

    London Stock Exchange serving malware:

    http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

    (I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

    ---

    DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    ---

    Linux Foundation, Linux.com Sites Down To Fix Security Breach:

    http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach

    ---

    Linux's showing in CA's breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)

  44. Bullshit (2011-2012 shows differently)... apk by Anonymous Coward · · Score: 0

    2012:

    New Linux Rootkit Emerges:

    https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

    "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

    ---

    'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

    http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

    ---

    Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

    http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

    So, what's dts.utah.gov running everyone?

    LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

    What's health.utah.gov running too??

    YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

    * Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

    ===

    2011:

    KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

    ---

    London Stock Exchange serving malware:

    http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

    (I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

    ---

    DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    ---

    Linux Foundation, Linux.com Sites Down To Fix Security Breach:

    http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach

    ---

    Linux's showing in CA's breached recently too? Ok: (very, Very, VERY BAD for ecommerce, online shopping, banking, etc./et al)

  45. Fortune 100-500 companies using Windows by Anonymous Coward · · Score: 0

    367++ TOP FORTUNE 100/500 (or best 100 to work for per CNN Money) COMPANIES, EDUCATIONAL INSTITUTIONS, &/or GOVERNMENT AGENCIES USING WINDOWS (over other solutions like Linux) both in HIGH TPM ENVIRONS, & FROM "TOP 100 COMPANIES TO WORK FOR" (per CNN Money 2011):

    ---

    38 HIGH TPM & 99.999% "uptime" examples:

    ---

    XEROX: Managing 7++ million transactions a day for office devices for its customers using Windows Server 2003 + SQLServer 2005 64-bit with 99.999% uptime!

    NASDAQ: The U.S.' LARGEST STOCK EXCHANGE, Since 2005 has had Windows Server 2003 + SQLServer 2005 in failover clusters running the "official trade data dissemination system" for them in 24x7 fabled "5-9's" 99.999% uptime, doing 64,000 transactions PER SECOND (compare London Stock Exchange using Linux @ 3,000 per second)

    FUJIFILM GROUP: Tracks data for its imaging, information, & documentation for its products & services using Windows Server 2003 w/ a custom SAP solution on SQLServer 2005, achieving 99.999% uptime.

    HILTON HOTELS: Manages 1.4 Billion records a day for customers in 1000's of their hotels worldwide - for 370,000 rooms & catering services forecasts (switching from 6 *NIX systems to 1 Windows Server 2003 + SQLServer 2005 clustered failover system using a data warehouse with 7 million rows & 99.998% uptime).

    MEDITERRANEAN SHIPPING COMPANY: Manages & Tracks 7 million containers out of 116 countries daily using Windows Server 2003 + SQLServer 2005 in failover clusters with 99.999% uptime.

    SWISS INTERNATIONAL AIRLINES: Serves 70 airport destinations worldwide, with 6,500 employees + 110 branch offices via Windows Server 2003 & Active Directory with 99.95% uptime (all while growing their business 30% per year). THEIR PREVIOUS LINUX SYSTEM COULD ONLY HANDLE 250 concurrent users - the Windows one handles over 500++ users concurrently/simultaneously!

    UNILEVER: Global consumer goods leader, migrated to mySAP on SQLServer 2005 + Windows Server 2003 & scaled UP their operations by over 200% & yet saved money + have 99.999% uptime!

    MOTOROLA: Using System Management Server, Windows Server 2003 & SQLServer 2005 to conduct inventory of 65,000 desktops from a single location (e.g. for system updates corporate & worldwide).

    NISSAN: Uses Windows Server 2003 to manage 50,000 employees' email & calendaring (w/ out VPN, & using Exchange Server 2003) for local AND remote + mobile users.

    TOYOTA MOTOR SALES: Reduced the # of techs needed per dealership (1,000's worldwide) from 7, to 1 using Windows Server 2003.

    SIEMENS: 420,000++ people, 130 business units over 190 countries managed in Windows Active Directory

    REUTERS: Managing 3,000 servers worldwide @ customer sites internationally (using only 4 managers to do so, remotely).

    DELL COMPUTER: Managing 130,000 servers & 100,000 PC's worldwide using Windows Server 2003 + 40 million customers' data worldwide.

    LEXIS NEXIS: Searches BILLIONS of documents each second delivering news, legal, & business information.

    HSBC: Deploys System Center solutions to 15,000 Servers worldwide & 300,000 desktops using Windows Server 2003.

    RAYOVAC: Chose Windows Server 2003 over Linux to manage their infrastructure - saving 1 million dollars estimated in software, staffing, & support costs.

    JETTAINER/LUFTHANSA/U.S. AIRWAYS: managing shipping to 3,000 flights to 400 airports every day.

    CONTINENTAL AIRLINES: Manages crew communication systems, log on/log off, schedules, & shifts using Windows Server 2008 worldwide.

    JET BLUE AIRWAYS: Managing 12 million flights & their data annually + ticketing, finance, & personnel too.

    TIMEX: Using Windows + Exchange Server for remote personnel & executives (for their ENTIRE workforce)

    7 ELEVEN STORES: Chose Windows Server 2003 over Li

  46. Continued data... apk by Anonymous Coward · · Score: 0

    Since all the evidences I posted won't FIT into a single /. post I originally did here:

    http://ask.slashdot.org/comments.pl?sid=3266485&cid=42066039

    Here are the rest:

    ---

    TOP 50/200++ RANKED SOUTHERN REGIONAL UNIVERSITIES USING Windows (from -> http://colleges.usnews.rankingsandreviews.com/best-colleges/rankings/regional-colleges-north )

    ---

    The Citadel: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.citadel.edu

    Mercer University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=mercer.edu

    Marymount University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.marymount.edu

    University of North Carolina - Wilmington: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=uncw.edu

    Elon University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.elon.edu

    Samford University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.samford.edu

    Belmont University: Runs their domain on Windows (mix) -> http://uptime.netcraft.com/up/graph?site=www.belmont.edu

    Bellarmine University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.bellarmine.edu

    Union University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.uu.edu

    Converse College: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.converse.edu

    Spring Hill College: Runs their domain on Windows (mix) -> http://uptime.netcraft.com/up/graph?site=www.shc.edu

    Lipscomb University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.lipscomb.edu

    Harding University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.harding.edu

    Queens University of Charlotte: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.queens.edu

    Winthrop University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.winthrop.edu

    University of Tampa: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.ut.edu

    Murray State University: Runs their domain on Windows -> http://uptime.netcraft.com/up/graph?site=www.murraystate.edu

    Christopher Newport University: Runs their domain on Windows (mix) -> http://up

  47. they must have some big-time customers by swschrad · · Score: 1

    major companies generally require a change standstill during holiday seasons, as well as certain accounting-rules critical times. so do outfits like the FAA, which for some ungodly reason doesn't want its comm channels flipping like fish at all hours of the day and night. some damn silliness about "life safety" or some other freakin nonsense.

    I work for a telco, and this is very very old hat to us. "why are our lines down, we have 30 planes stacked up for landing?" "uh, backhoe party on the front lawn ripped up all our stuff?" "you must get this up immediately, and we do NOT authorize any downtime to fix it!"

    I'll call the fairies in immediately. wish real hard.

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?

  48. New NEWS/NewsFlash... apk by Anonymous Coward · · Score: 0

    Phishers/Spammers FAVOR attacking LAMP: (Linux, Apache, mySQL, PHP)

    http://www.theregister.co.uk/2011/06/10/domains_lamped/

    PERTINENT QUOTE/EXCERPT:

    "Phishers compromise LAMP-based websites for days at a time and hit the same victims over and over again, according to an Anti-Phishing Working Group survey. Sites built on Linux, Apache, MySQL and PHP are the favoured targets of phishing attackers"

    ---

    * There you go...

    APK

    P.S.=> Linux is no more 'secure' vs. attack, nor is Apache (or sites built on "LAMP") - In fact, care to see more?

    Look here -> http://ask.slashdot.org/comments.pl?sid=3266485&cid=42065829

  49. "Fine linux security infrastructure" 2011-2012 by Anonymous Coward · · Score: 0

    Linux "infrastructure" isn't better -> http://ask.slashdot.org/comments.pl?sid=3266485&cid=42065985

    * You MAY want to look @ the evidences posted there, regarding my subject-line above then...

    APK

    P.S.=> You Linux "FUD" spreaders - your days of b.s.'ing people are done, & the above link only shows a small partial list of what's actually GOING ON, for real...

    ... apk