Slashdot Mirror


ZDNet Admits Mistakes in Recent Security Test

drsparkly writes "Linux Today is running this story claiming that the recent ZDNet Linux vs NT security `shootout' was biased against Linux. Apparently ZDNet had neglected to apply 21 available security fixes. They claim that `enterprise businesses would not want to apply 21 individual fixes' and `most large companies would prefer the one large, sweeping-in-scope, fix'. Do they have a point? "

313 comments

  1. Re:Red Hat fixes wouldn't have helped by Anonymous Coward · · Score: 0
    Yes, they would have. They probably would have prevented jfs from getting root. If he did manage to get root then he would have uncovered a new security hole.

    Yes, but getting root for a user on a Unix machine is f*cking damn easy (unless it has been stripped down and is a total pain to administer).

  2. Re:I work enterprise - multiple patches are the pi by Anonymous Coward · · Score: 0

    And what happens when one of the hundreds of fixes inside one service pack fails? At least with separate fixes, you can remove the faulty one and keep all the ones that work correctly - with service packs, it's all-or-nothing. Upgrading like a cowboy when you have *more* individual control??

  3. Re:I work enterprise - multiple patches are the pi by Anonymous Coward · · Score: 0
    I can't address your management concerns, since I've never (knock wood) had to work in an environment so amazingly anal. In an environment where the management isn't micromanaging everything, I would write an expect script to ssh to each one, and rpm -U all the updated rpms (updates.redhat.com) from my workstation's NFS share.

    If your station is compromised you're dead (correction: s/if/when/ and s/dead/fired/).

    A backup procedure is necessary, because when applying 21 patches to 200 mission-critical servers, it is expected that at least one patch will fail horribly (a badly written rpm script, or a minor program change in addition to the security fix). You cannot upgrade everything like a cowboy, this is serious stuff.

  4. updates.redhat.com by Anonymous Coward · · Score: 0

    I imagine that it is considerably easier to do a:

    cd /6.0/i386/
    mget *
    exit
    rpm -Uvh *
    /sbin/lilo
    sync
    /sbin/init 6

    (or skip the kernel RPMs and don't even reboot), than it is to install NT SP5

  5. Perhaps ZDNET has never heard of a "HotFix" by Anonymous Coward · · Score: 0


    There were at least 20 of them between SP3 and SP4. And if you did not apply at least a couple you basically were open to all sorts of nasty attacks.

    I read ZDNET less and less every day. Their level of incompetence and/or maliciousness never ceases to amaze me.

    www.techweb.com will get you the same news without the all-praise-bill slant.....

    That Is All

  6. Re:I work enterprise - multiple patches are the pi by Anonymous Coward · · Score: 0

    Well, we have 500, so there. :) The Solaris 2.5 box I'm logged into at the moment has 78 patches applied (and has been up since we applied the latest #$!@# set of Y2K patches on Feb 14.) We have a script to pull our preferred patch set off an internal nfs server and install them; if you can't handle that, you can't handle admining a network, no matter how idiot-friendly the software is.

  7. Missing the point by Anonymous Coward · · Score: 0

    Obviously you are missing the point. I do not want IE5 and its almost weekly security problems (or in MS speak: features) on any computer that I own or use. You have ignored the initial point that Win98's original update feature was not at all tied into IE and that it is obviously not necessary for this feature. As for IE supporting more standards than Netscape - it does for now until Mozilla is finished. Netscape is attempting to follow all standards and MS, despite its ability to follow them, continues to undermine them. And yes, MS is trying to make Win95 users download IE5 to update Windows (although last time I checked you can still get around this.) And despite your opinions on IE's brilliant design, many of us do not want to download this bloatware and install it on our computers. Wasn't it last week that an ActiveX control was found to allow someone total access to your hard drive? I do not remember such a problem with Netscape any time in the near past. Any company that tells me that a bug allowing anyone to view my clipboard is a feature, will not have their browser installed on my computer. With your knowledge of things technical, it is hard for me to understand why you are such an apologist for MS. As for the update feature and IE5, despite all of your objections and reasons, the only reason the two are tied together is another cynical attempt by MS to lock people into using their software.

  8. YES THEY HAVE A POINT! by Anonymous Coward · · Score: 0

    Yes, they DO have a point. In the days of 5.1, updating all the rpm's was a HUGE pain. It's easier nowadays, but we also need something for security-only. How about some kind of server at Redhat HQ that a customer could connect to (using a proprietary GNU'd protocol), check for security updates, and see if the security *NEEDS* updating, then have it download and install the appropriate RPM. Although this isn't "one-big-patch", I think new linux admins might be inclined to use it. Come on redhat, you have the money, NOW USE IT! You have to make your product QUALITY as well as have an aggressive marketing scheme to compete with MS, at all.

    1. Re:YES THEY HAVE A POINT! by Rev.+Krusty · · Score: 1

      Debian has the ability to do auto-updates based on security fixes only. security.debian.org stores only security updates for packages in the current stable release. This is perfect for companies that only want to run stable software and yet want security updates. All of these updates can be automated even so that there is no need for someone to even be there.

      Companies definitely do not want to mess with updating package after package. The biggest problem with all of this is that there are a ton of different programs out there in the opensource arena to use to make life easier. It all depends on what you know and use. The majority of talk here is of RedHat...but not everyone uses RedHat. At my company we have chosen Debian since it's better (In our opinion mind you) for a server operating system. It allows us to easily maintain packages and keep them up to date without the worry of...man I have to update how many???...it's all done automatically. We even maintain a set of our own packages for internal use...this allows us to keep all of our internal software up to date just as easily.

      This problem exists in more than just the Linux arena..Solaris has tons of minor packages that they release as updates but they also supply one huge package as well.

      By far Linux has the ability to deal with security fixes the best. RedHat has a lot of goals that they are trying to accomplish and in time they will meet them all (or come close)...If you want this type of functionality go with a distribution that's designed for it.

    2. Re:YES THEY HAVE A POINT! by Roundeye · · Score: 1

      Why does autorpm not do what you want?

      --
      "Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
    3. Re:YES THEY HAVE A POINT! by kvajk · · Score: 1


      And what about those kernel packages in the updates directory? Oops! (The redhat errata webpages specifically tell you *not* to use "-U" to update them.)

      A lot of people think that point patches are a pain, compared to a VENDOR-SUPPORTED method of bringing your system up to date with one simple procedure.

      Why do so many Linux fanatics have such a hard time hearing this?

    4. Re:YES THEY HAVE A POINT! by Digital_Fiend · · Score: 1
      It's easier nowadays, but we also need something for security-only.
      No, you don't. You need rpm --install.

      "proprietary GNU'd protocol"? Uhh.. That's almost as bad as microsoft.

      I think new linux admins might be inclined to use it
      I sure hope you aren't implying that there are network admins that don't even know how to go about applying patches.. *shudder*

      -Warren
    5. Re:YES THEY HAVE A POINT! by ralphclark · · Score: 2

      OK, let's just see how difficult Linux's 21 separate updates are to install - (assuming you're stupid enough to want to wait for 21 updates to accumulate):

      $ rpm -Uvh ftp://ftp.mydistribution.com/pub/updates/*.rpm

      Now that was such a lot of work wasn't it?

      Consciousness is not what it thinks it is
      Thought exists only as an abstraction

  9. 3 questions and a rant by Anonymous Coward · · Score: 0

    Why type a line if you can click? Why use an OS that isn't sysadmin-friendly in ease of use? Why pay 50,000 a year for someone who knows Unix like the back of their hand when they can get a much more secure OS and pay someone 40,000 a year? I've heard that the basic RH 6.0 installation has like over 120 exploits that result in root access. That's way too ridiculous, people. Make Linux for users like me and then maybe you'll get the respect you think you deserve. Till then, I'll use Win98/WinNT and Windows Update, which I've never had a problem figuring out, it practically does whatever you need for you. And pictures are worth a thousand words here people, GUI makes everything so much easier. 50 clicks of the mouse is still a LOT better than one command on a line, considering it may take a user 30 minutes to find out what that one line is. It might not take a lot to convince another *nix guru that you are using the best OS, but insulting the intelligence of people who use easier to understand OS's is most definitely not the way to convince the rest of us. If I even knew half of what the rest of you do about Linux and Unix, I'd be scared shitless about Microsoft coming out with a POSIX compatible OS. Don't worry, it'll happen. :) Till then, I'll always support Be over Linux. Later.

    1. Re:3 questions and a rant by Anonymous Coward · · Score: 0

      You say that because YOU ARE STUPID! Click...Click...Click... PLEASE!!! I am on Win2000RC2 right now, and I can tell you that finding out who is on your ftp server is A LOT easier in Linux. Win2000RC2: Run the Computer Manager (Takes 5 seconds to load up and 7 seconds to get to), then go to the IIS section (Another 4 seconds), then click the FTP section, and then click "current sessions" (ANOTHER 7 seconds!). Linux: "ftpwho" at a shell prompt. Less than a second to run. How about restarting httpd? Windows2000RC2: Dig down deep to "Services" in Administrator Menu and then find and run IIS Administrator. Oh, about 20 seconds. Linux: /usr/local/apache/bin/apachectl stop; /usr/local/apache/bin/apachectl start Ya, that is real hard! You know, it is stupid people like you that are ruining the industry. "Let's make things easy, not stable!". Wrong. Make it stable and let the user get a clue.

    2. Re:3 questions and a rant by Oestergaard · · Score: 1

      Ever tried updating more than a few machines? Well that's why you don't want to click it. You could of course. I'm sure that tools like gRPM (GNOME RPM) and others will, in time if not already, give you the option of running the equivalent of the --freshen. You can already point-and-click upgrade packages, which is sufficient for upgrading packages you know need upgrading.

      I don't know about the 120 exploits you mention. If you look at the updates directory for RH6, there's far from 120 packages to upgrade. So there might be 120 holes, but they're all fixed by applying a far smaller number of upgrades (so either 120 is a little optimistic on someone's part, or some packages just have a lot of holes (I'd doubt that so many packages had so many holes though)).

      Really, redhat has the errata page, and you can already point'n'click upgrade. In the security updates that redhat release, they even give you an entire command-line you can just cut'n'paste into a root-shell, to have the upgrade retrieved from the 'net and applied. I'm having a hard time seeing what you think the problem is.

  10. Re:Parity by Anonymous Coward · · Score: 0

    The experience at our office is that applying a WinNT service pack screws up the system (i.e. anything from causing some programs to misbehave to not even booting) about 25% of the time.

  11. Linux Packs? by Anonymous Coward · · Score: 0

    This find-n-fix thing is just a pain in the butt. Why hasn't anyone thought about aggregating a set of fixes - say monthly and release them that way?

    1. Re:Linux Packs? by J.+J.+Ramsey · · Score: 1

      Because between one month and the next, some cracker could have found a new exploit.

    2. Re:Linux Packs? by Malcontent · · Score: 1

      Yes, excellent idea. It certainly would make the life of a busy network administrator easier. I say even make it once a week. Does anybody have an autorpm script for this? If you do please email it to me.

      --

      War is necrophilia.

  12. You're asking too much by Anonymous Coward · · Score: 0


    "They needed to install 4 with the config they were using"

    Do you realise the work this is, to sort all those 21 packets to find the ones we are using? Have you any idea of the work we will have to do to understand what each update is for? Are you nuts? We would have to understand Linux to do that. We would be contaminated by the philosophy behind it. We would not be able any more to be biased for MS but we would be biased for Linux. You really want us to die, don't you?

  13. Re:Windows NT Vs. Linux or why ZD is uncredible by Anonymous Coward · · Score: 0

    What would make better sense is for Linux Journal or *somebody* to waste some money on NT and set up two similar servers; One - NT Server 4 with SP5 and all the other latest packs and bugfixes, and the other with RH Linux with the 21-odd security bugs fixed. In essence repeating the test more fairly. ONLY THEN will we see which is the more secure box. Steve

  14. Re:21 patches vs 21 service packs? by Anonymous Coward · · Score: 0

    MS Service Packs may take forever to come out, but what they do offer is a baseline reference: My box is NT 4.0 Service Pack 5. With any flavor of Linux, it's currently: RedHat 6.0 with a bunch of RPM updates. In that regard, I can see their point about not bothering to apply patches in a 'real-world' environ. Until RPM 3, updating just the RPMs that you have installed was a royal pain, now it's not quite so bad, but it still can be a challenge for newbie types, or those with multitudes of Linux boxes.

  15. Hmm... by Anonymous Coward · · Score: 0

    Out of the box NT is much more secure than any Linux distro. However this is not what the test was about. I administrate a few NT servers, they are quite secure, but the way to get there was not the easy way. Getting a un*x "secure" doesn't take half as much effort from the admin. Not that anyone that would run a server would be stupid enough to run Linux when there are OpenBSD and Secure Solaris out there... Anyway, the test is fucked either way.

  16. Re:I like the WindowsUpdate idea by Anonymous Coward · · Score: 0

    Or if you run debian:

    # apt-get update
    # apt-get upgrade

    If you want to upgrade your kernel:

    # apt-get install kernel
    # reboot

    Debian has probably the best package manager I've seen, though dselect is a bit hard to use. No compiling, no disk space wasted to source... you can upgrade a box in 5 minutes.

  17. Re:The CGI script-BIASED by Anonymous Coward · · Score: 0

    my god..just looking at that configuration link.. that page alone just shows the blatant bias towards NT. they must've spent many hours configuring that NT box, then did the Linux box during the tea break. It's so blatantly obvious to me and many others here that this just proves that this whole thing was just a bunch of crap.

  18. Brain damaged people in ZDNET by Anonymous Coward · · Score: 0

    This is *UNREAL*!

    The time has come when EVERYBODY thinks that they know how to do the job - best. That is just unreal. The morons in PC WEEK think that they KNOW how IT managers/people think, don't they!? Well, they are a bunch of idiots... Yes, I'm really pissed-off when reading the explanations of various mediocres, that got a job somewhere, and now they think that they're so 'unique'.

    Well, you're NOT!

    Go ask sec admins at IBM what they were doing when the remote exploit for ftpd was discovered a few days ago!? Do you think that they were LAZY to patch them, or they jumped on that IMMEDIATELY? Oh, or maybe they are not considered an 'enterprise', hmm...

    The fact that someone has less than average knowledge of UNIX doesn't give him the right to JUDGE "what IT managers would do?" in certain situations. He can't know, and he won't know. And I'd fire a guy (if I'm in ZDNET) that wrote that, since this obviously means he's one of the lazy guys who wouldn't apply patches.

    So, what stops me from automating the updating of each machine?! Nothing! If I know how. And if I don't know how, I'll work in PCWeek, and write stupid things, and think how cool I am... PCWeek. Maybe 5 years ago I'd be happy to read some publications, but the number of publications that are WORTH reading these days can be counted on the fingers of one hand. So sad...

    1. If you are not aware of security issues - you will not apply 21 patches. And you will suffer later. So simple. There's no excuse by saying 'Yeah, it's too much'. If it's too much, then don't use it. Use VMS, you won't need to update so much...
    2. If you don't apply 21 security patches, install CGIs made by some COMPLETELY anonymous company, and then state how it's less secure than NT *patched*, with ASPs made by Microsoft - you are a moron, that is just trying to promote Microsoft. You should release sources to both apps, and NOT patch both OSs - or PATCH fully both of them.
    3. If you don't patch your webserver - then you are an oxymoron. The comments like 'we wanted it to look like in real-world' are idiotic, since in the "real world" you *will* indeed patch your DMZ machines. If I have 100 machines on the Intranet which you can not access in any way - what does it matter to you if I've patched them or not? But the web server *will* be patched.

    I am really stunned by the number of people that consider themselves 'professionals', but have absolutely NO CLUE about what they are talking. This is SCARY!

    And I am not sorry for 'hard words' - I really think that more and more people don't realize how LITTLE they know. It's really VERY scary... :(

    I will not comment on NT/UNIX issues here - this is basically *only* ZDNET issue (not giving the source to apps, not applying proper patches, etc.).

    If you have an IT guy in your company, that is basing his conclusions and 'facts' on results of this test - go and fire him immediately. It just means that he has no clue about his job...

  19. Re:I like the WindowsUpdate idea by Anonymous Coward · · Score: 0

    I liked that all, too, until I told it to update my Win98 install (told myself I'd never install it) to SP1. I got a VB script error...

    I went back a few days later. Error was still there. Oh well.

    -j

  20. LiveUpdate by Anonymous Coward · · Score: 0

    Is this idea really from MS though? Symantec has had LiveUpdate for years before Windows 98 was released and it basically does the same thing Windows Update does. (It updates all of Symantec's products by checking the Symantec program to see if patches need to be installed)

  21. Re:Should it matter? by Anonymous Coward · · Score: 0

    Even non-pros, under the directions of a pro, are given a list of things to install when they are first setting up a system, NT or Linux.

  22. Re: *please* by Anonymous Coward · · Score: 0

    They are also trying to tie in the Win 95 updates to IE5. Many older computers do not have the space for IE5 and do not want to spend the hours downloading it. Plus, there's the fact that many of us simply do not want IE5 or ActiveX controls on our computers due to the security holes and MS's apparent and real attempts to track consumers and the software they use. Once again, about Win98, the original update feature worked without IE. There was no need to change it except to bolster their court case. And yes, if need be, MS should "Write _another_ HTML/XML engine". There should be no need to be tied to IE5 or any other product just to receive an OS update.

  23. The simplest solution of all times by Anonymous Coward · · Score: 0

    tar -zcvf Update.tar.gz patch*.rpm update.sh

    bam, 1 package. then admins can download Update.tar.gz and do this:

    tar -zxvf Update.tar.gz; ./update.sh

    and update.sh can be a script like this:

    #!/bin/sh
    rpm -i patch1.rpm
    rpm -i patch2.rpm
    etc...

    (Please excuse my ignorance of rpm since I don't run redhat - Stampede baby!!!) fejj@stampede.org

    1. Re:The simplest solution of all times by sgifford · · Score: 1

      It's not quite so simple; if I downloaded Update.tar.gz last week, and I want to get up to date again today, I don't want to download the entire tarfile, including the packages I just updated last week. Similarly, if I don't have Apache installed, I don't want to download a large replacement package for something I don't even use.

      What you want is to only download and apply the patches you need, based on what you have installed and on when you last updated, automatically.

      rhlupdate (search freshmeat) is one way to do this, although I had to modify it to get it to do what I wanted.

      I believe that the "up2date" software in RedHat 6.1 is supposed to solve the same problem in a more GUI way.

      Somebody else suggested doing:

      rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.0/i386/\ *

      although I wasn't able to get that to work.

      I do agree, though, that software to do this automatically should have been included in RedHat a long time ago.
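A planner for the selective update sgifford asks for above (only packages that are actually installed, and only when the update is newer), which also applies the errata rule kvajk mentions earlier about not using -U on kernel packages. This is an added example, not code from any post in this thread: it works from constructed package lists instead of calling rpm, and its version ordering is a simplified version of rpm's own comparison.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (not taken from any real updates directory): what
# `rpm -qa` might print on one box, and the files in a vendor updates directory.
INSTALLED = [
    "wu-ftpd-2.5.0-9",
    "apache-1.3.6-7",
    "bind-8.2-6",
    "kernel-2.2.5-15",
    "XFree86-3.3.3.1-49",
]
AVAILABLE_UPDATES = [
    "wu-ftpd-2.6.0-1.i386.rpm",     # newer than installed: upgrade
    "apache-1.3.9-4.i386.rpm",      # newer than installed: upgrade
    "bind-8.2-6.i386.rpm",          # same as installed: skip
    "kernel-2.2.12-20.i386.rpm",    # newer, but a kernel: install alongside
    "samba-2.0.5a-12.i386.rpm",     # not installed here: skip
    "XFree86-3.3.3.1-49.i386.rpm",  # same as installed: skip
]

# Errata pages say not to use -U on these: install the new kernel next to the
# running one (rpm -i) so the old one is still there to boot back into.
KERNEL_PACKAGES = {"kernel", "kernel-smp"}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm-style ordering of two version or release strings:
    digit runs compare numerically, letter runs alphabetically, a digit run
    beats a letter run, and the string with segments left over is newer.
    Returns -1, 0 or 1 for a < b, a == b, a > b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """'wu-ftpd-2.5.0-9' -> ('wu-ftpd', '2.5.0', '9'). Names may contain
    dashes, so version and release are the last two dash-separated fields."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def package_nvr(filename: str) -> str:
    """'apache-1.3.9-4.i386.rpm' -> 'apache-1.3.9-4' (drop '.arch.rpm')."""
    base = filename[:-4] if filename.endswith(".rpm") else filename
    return base.rsplit(".", 1)[0]


def plan_updates(installed: List[str], available: List[str]) -> Dict[str, List[str]]:
    """Sort update files into 'upgrade' (rpm -Uvh), 'install' (rpm -ivh, for
    kernels) and 'skip' (not installed here, or not newer than what is)."""
    have: Dict[str, Tuple[str, str]] = {}
    for nvr in installed:
        name, version, release = split_nvr(nvr)
        have[name] = (version, release)
    plan: Dict[str, List[str]] = {"upgrade": [], "install": [], "skip": []}
    for filename in available:
        name, version, release = split_nvr(package_nvr(filename))
        if name not in have:
            plan["skip"].append(filename)
            continue
        # Version decides; release only breaks a tie (0 is falsy, so `or` works).
        newer = rpmvercmp(version, have[name][0]) or rpmvercmp(release, have[name][1])
        if newer <= 0:
            plan["skip"].append(filename)
        elif name in KERNEL_PACKAGES:
            plan["install"].append(filename)
        else:
            plan["upgrade"].append(filename)
    return plan


def rpm_commands(plan: Dict[str, List[str]]) -> List[str]:
    """The command lines an admin would run for the plan, kernels with -i."""
    commands = []
    if plan["upgrade"]:
        commands.append("rpm -Uvh " + " ".join(plan["upgrade"]))
    if plan["install"]:
        commands.append("rpm -ivh " + " ".join(plan["install"]))
    return commands


if __name__ == "__main__":
    for line in rpm_commands(plan_updates(INSTALLED, AVAILABLE_UPDATES)):
        print(line)
```

On a real box the INSTALLED list would come from `rpm -qa` and AVAILABLE_UPDATES from a directory listing; the skip list is what saves the download sgifford objects to.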

  24. Difficult? by Anonymous Coward · · Score: 0
    Securing Debian Linux in 2 Easy Steps

    1. apt-get update
    2. apt-get upgrade
    Huzzah! Up to date!

    Although I believe security fixes take slightly longer to propagate into the stable branch, you can usually get away with crontab'ing those commands nightly. Your system will never be more than a few days behind (security-wise) which is a billion times more effortless than say, waiting for Microsoft to announce a service pack and installing that...

    You can obviously make the argument that "A few days is entirely too long in the world of security!" which is indeed applicable, especially if you're an ISP and you have hordes of evil evil users looking to invade, but if that's the case, you're going to have dedicated hardcore below-the-belt System Admins anyway. If you're BusinessCo and have light admins, apt-get update/upgrade is the work of the messiah, or at least as good as chocolate.

    I still prefer to watch closely over my update/upgrades, but that's just because I'm paranoid. and work at an ISP.

    Obviously, other distributions (will) have similar mechanisms.

    --Michael [mbac[at]nyct[dot]net] Bacarella

  25. Even latest service pack leaves IIS exposed by Anonymous Coward · · Score: 0

    The huge IIS hole which would have left the NT server hacked in 10 seconds is *NOT* included in service pack 5. If they can apply *special* fixes then why not the redhat ones?

    Download the directory, and rpm with wildcards, how hard is that?

  26. There is a lesson in there... by Anonymous Coward · · Score: 0

    ZDnet has a point - doing a job 21 times versus doing a job once is well redundant. However, the 21 small jobs are able to be implemented faster than if you were to wait for a big package of fixes. In truth, MS has hot fixes that go in between service packs and so there are similarities there that they did not bother to mention either. The lesson really is that you can not compare apples to oranges very well and when you try, don't expect a fair comparison!

  27. Opportunity knocking by Anonymous Coward · · Score: 0

    This is another of these stories about Linux is wonderful, but too bad it isn't already set up for fill in the blank (user interface, security on), or its not easy enough to fill in other blank (getting updates). Linux is big on providing a lot of choices, but sometimes that is too much for the customer.

    Instead of whining about how so and so are idiots, or they don't know what they are talking about, why doesn't someone provide a better solution than the current one(s).

    Hence I propose, Ready Linux, the solution that has all the correct performance (perhaps has a program to determine it), security, and usability settings correctly set after installing it. Plus as a bonus feature, a direct link to a website with updates and recommendations on what updates are needed for what types of users. Then push a button, and the system gets automatically updated.

    This gets the machine up and running well for the masses because they aren't going to know about security etc. etc. The true Linux geeks who need further fine tuning can change the system how ever they want, or get one of the other distributions.

  28. Re:Devil's Advocate by Anonymous Coward · · Score: 0

    Of course you know what ZD will say don't you? If NT is so difficult to secure, then why didn't anyone break into it during our test?

    Because it's down more than up. Like a yoyo with a broken string.

    Let me relate my experience working at a manufacturing plant with the windows solution in the last year: we want things to be up. If they are up, then we can worry about security. It first was a Windows 3.11 platform for the operator stations. Some of them would reboot every five minutes. Next try was NT 3.5. Slower, but work actually got done between the reboots. Service packs tried to remedy problems.

    Something still had to be done, so 4.0 was next in line. Musical service packs and lost files later, I now see 95 and 98 on these operator stations on new boxen, yet they still crash daily. So much for market fragmentation. These operating systems do not seem to be very secure when they pee all over themselves.

    So what's next? Windows 2000? Sure... I'm sure closed and leased software coupled with the endless upgrades are not the only choice we have. Thanks to freely available alternatives, there might be hope and my stocks and profit sharing may increase.

  29. Re:The situation last spring by Anonymous Coward · · Score: 0

    But for .edu sites, Windows > Solaris + Linux. I think this is a Very Bad Thing that could Spell The End, because if kids are getting Windows exposure instead of Unix exposure in college, we could end up seeing a Grim version of what caused much of Unix's real-world popularity in the first place--people took what they used in college and started wanting to use it in the real world, too.

  30. Re:Who is "corporate IT", anyway? by Anonymous Coward · · Score: 0

    I'm an "IT" person in a corporation, and that "we like one nice big patch" thing is a load of crap. Maybe my CIO, to whom some microslof "technology evangelist" is pitching the latest GUI, hot-pluggable object-oriented COM architecture interface, likes the idea of "oh, and this one file solves -all- these problems...", yeah well that's nice. Maybe it's just me, but I like the concept that I can patch a machine, and unless I'm tinkering with the kernel, I don't have to reboot. I don't have the heart to tell my CIO that his beautiful NT domain structure he's spent all this money on is standing on pillars of Samba...

  31. RPM easier than SPs by Anonymous Coward · · Score: 0

    rpm -i *.rpm --force --nodeps is a hell of a lot easier than installing service packs. but they do have a point, as per my suggestion the other day, it'd be better to offer each rpm individually, and then offer one big lump rpm, also. or...businesses could properly train their staff in unix administration... this has the added bonus of the admin having a clue when their machine is rooted.

  32. apt-get dist-upgrade by Anonymous Coward · · Score: 0

    Works for me.

  33. Re:Small, isolated patches better by Anonymous Coward · · Score: 0

    Exactly! When the big wu-ftp buffer overflow was discovered, the RH update RPM had a different bug that kept some connections open perpetually. Keeping this patch separate from the others I used on the new server allowed me to roll back just the ftpd, instead of rolling back ALL the updates. Then when the new patch to the new bug came out, just update the ftpd again. Simple, and controllable.

  34. TCP analogy by Anonymous Coward · · Score: 0

    Let's compare security holes to data segments, and security fixes to ACKs. If you have the equivalent of delayed ACKs (which would correspond to Microsoft service packs), then every time a new segment (bug) arrives, a timer is set, and if after a while another segment (bug) hasn't arrived, then an ACK (bugfix) is sent. The problem with this is that unlike TCP, the ACKs also carry data (the bugfix), so every ACK also includes all the previous ones; the other problem is that you don't get the ACK immediately. So you download O(n^2) data, if you apply all the fixes when they come out. Caldera/Debian/Redhat's model is more like a timerless thing: every time a segment (bug) arrives, an ACK for that segment (fix for that bug) is sent. The problem is you have to get all the ACKs independently. But you download O(n) data. What ZDNet seems to want is a big globby ACK like MS's service packs, but to have it updated on every segment (no delay). This is the best solution *if* you have enough bandwidth to download the ACK because each ACK includes all the previous ACKs, so multiple ACKs will carry O(n^2) data.

  36. Re:and that makes nt better how? by Anonymous Coward · · Score: 0

    I'm not convinced that NT security holes are found more often than Linux ones.

    When they are found they may be worse, but they may not.

    I think this is another Mindcraft thing... everyone here will argue about it for ages, but in the end the conclusion will be reached that there were some valid points.

    I agree that NT is easier to secure than Linux. Most NT security problems seem to come from "Client" type applications - eg IE5, ODBC drivers etc. Linux problems on the other hand seem to be equally spread around.

    Basically, if I use NT with Netscape to browse the web, I feel fairly safe from hack attacks. There may be Denial of Service attacks, but it's not likely I'm going to lose data or get locked out of my computer.

    On the other hand, Linux has so many services started by default that it is a nightmare. Who knows what is going to be a security hole?

    I now see the point of the "Post Anonymously" checkbox......

  37. Re:Update - ZDNet admits using Real PHBs by Anonymous Coward · · Score: 0

    They asked an IT manager what fixes to apply?? In our organization, it's not the manager's job to make that determination. It's the technical people who make the determination of what fixes/SPs/patches/hotfixes should be applied. The managers are mainly concerned that we follow a process of applying it to make sure we don't break things, but understand that we know better what should/should not be applied. I would think most IT/IS organizations are similar, if they have any sense. Michael Brown

  38. Re:ZDNet Car Security Contest: You forgot... by Anonymous Coward · · Score: 0

    ...as long as you installed them yourself.

  39. Re:/. effect != sysadmins nodding their heads by Anonymous Coward · · Score: 0

    Find an etymology for the word (ie when it was first used) and wait 3-5 or so years for it to get into widespread usage and see what Merriam-Webster does.

    There's a good chance it would get in. They've gotten pretty liberal with entries.

  40. Typical ZDnet stupidity. by Anonymous Coward · · Score: 0

    They knew the patches existed
    but didn't apply them for some weak off the cuff
    judgement based on what they assumed would be an
    "Enterprise Business" decision. How can they make assumptions on what clued people would do when they aren't clued themselves? They should stick to their forte:

    "Top ten tips for foo"
    "Secrets of foo"
    "Hidden foo"
    "THE best foo"

    Because "experiments" are usually better carried out by those who know the subject matter from which the experiments are based. ZDnet has proven time and time again that they don't. They are a pop/pseudo-tech company trying to judge technology that is over their heads. Watch them flounder,
    floppity-flop.

  41. Kidding? by Anonymous Coward · · Score: 0

    Yes, wonderful. If you want to install IE5 with all of its security problems on your computer and waste the 50 MB of hard drive space on it. Only for it to install automatically with the uninstall option switched off so that it is impossible to uninstall under all conditions. And hope you have standard hardware and setup or the updates could bring the whole show to a halt (Dell recommends not using it for their computers.) And why is the update tied in to IE5? So MS can further leverage their OS advantage and push Netscape further out of the picture. Update with IE5 and activeX - uh - no thanks.

    1. Re:Kidding? by Anonymous Coward · · Score: 0

      No, ease is rpm -uvh *. As I recall the original Windows 98 Update feature was totally separated from IE5. Only when the issue came up during the trial whether IE was an integral part of Windows was this feature changed. There is no real advantage to making the process more complicated by tying it into IE.

      The question is concept, not execution. Windows Update is a great concept. It figures out what you have and don't in the way of patches, and lists what you may want and/or need with levels of importance. It's also fairly tidy and easy to understand.

      rpm -uvh * is nice and easy, if you have all the packages already downloaded/collected from wherever they need to be gotten from. Not always the simplest thing.

      Of course, if you're applying to be/are a linux admin for a corp, you had better damn well know where to get patches from until something is done to simplify it. (I've not seen/read much on RH6.1, and it sounds like this might have been done.)

    2. Re:Kidding? by Anonymous Coward · · Score: 0

      No, ease is rpm -uvh *. As I recall the original Windows 98 Update feature was totally separated from IE5. Only when the issue came up during the trial whether IE was an integral part of Windows was this feature changed. There is no real advantage to making the process more complicated by tying it into IE. Even if people here are suspicious of MS it is only because MS has given them reason to.

    3. Re:Kidding? by Anonymous Coward · · Score: 1

      Just because it's from MS doesnt mean it's bad...

      What?! EVERYTHING that comes from Microsoft is EEEEEVILLL ! Haven't you been reading your Linux users handbook? Practicality has no place in the computing world. Everything must be as difficult as possible to use in order to keep out the "stupid" people.

      DOWN WITH EASE!

      Yeah, this might be flamebait, but enough of you seem to think this way.

    4. Re:Kidding? by Quixotic · · Score: 1

      sure.. valid points. My point (sorry if I wasn't too clear) is that there's a central place for end users to easily update their files. It's all point and click. Sure, some of its implementation might be a bit flaky for now.. but I think it's a good idea and a step in the right direction.

      In fact, I believe there have been several pieces of software that do this already.. like Oil Change or something like that. Just because it's from MS doesn't mean it's bad...

      --
      --
    5. Re:Kidding? by Squeak · · Score: 1

      I must disagree - not everything they make is evil. They do produce very good mice.

      --
      This sig is a figment of your imagination.
    6. Re:Kidding? by Jae · · Score: 1

      I must disagree - not everything they make is evil. They do produce very good mice.

      heh - that's because they subcontract them out and just stamp them w/ the microsoft name.

      --
      -Jae
    7. Re:Kidding? by cernnunous · · Score: 1

      Maybe I'm not understanding how this Windows Update thing works since I've never used it.

      Fresh install of RH6.0 onto my girlfriend's computer (don't ask why, she requested RH). Took about 20 minutes.

      1. Boot up the computer straight to X
      2. Along the left side of the screen is an icon of a little man with a hat, underneath reads "Red Hat Errata".
      3. Clicking the little man takes me to a website with a list of every package which has been updated, along with a fairly detailed description of why it's being updated.
      4. Click the link of the package I want to update. Choose to save it to the default directory that comes up.
      5. Once downloaded I follow the simple instructions that were printed right under the link on the webpage, type: rpm -Uvh *
      6. Now have completely updated system.

      What is the difference between this and this Windows Update page? I had to type a command into the evil command line? Guess I could have taken an extra 5 seconds to create a "shortcut" so that I could click it.

      John

    8. Re:Kidding? by jsm2 · · Score: 1

      Very good mice? Surely you're kidding. I tried one yesterday. It tasted filthy.

      jsm

  42. Re:No they don't have a point by Anonymous Coward · · Score: 0

    do an: rpm -UvhF *.rpm if you want to only update those packages you already have installed.

  43. Where is the SysAdmin? by Anonymous Coward · · Score: 0

    Hello? Where is the System Administrator? "enterprise businesses" are big enough to pay someone to spend 20 minutes a week to look after security.

    At least in the linux community when a security hole is discovered a fix is available within hours or days. With Micro$haft you have to wait forever, if you get one at all. BackOrifice exploits security holes that M$ has been aware of for literally years.

    Long live linux!

  44. Trying to imitate Industry Practices by Anonymous Coward · · Score: 0

    As anyone who read the original ZDNET article knows, they claim they did not do the security updates to imitate how a real company would do it. This is a total farce. Even MS recommends you install their hot fixes and security patches immediately. There is no way that any business would leave their machines with blatant security holes unpatched. Whenever a security problem comes up with NT4 or IE, MS recommends immediate action (when they can bring themselves to admit to the problem.) Any administrator that fails to apply patches is going to be fired, and any company that doesn't fire them is going to be in a world of trouble. If you disagree, are there any system admins. out there whose company recommends not resolving security issues immediately? And if so what company do you work for?

  45. Re:I work enterprise - multiple patches are the pi by Anonymous Coward · · Score: 0

    I can't address your management concerns, since I've never (knock wood) had to work in an environment so amazingly anal. In an environment where the management isn't micromanaging everything, I would write an expect script to ssh to each one, and rpm -U all the updated rpms (updates.redhat.com) from my workstation's NFS share. About a 15 minute script writing exercise. Compare that to installing SP5 on 20 NT boxes. Any admin who can't handle that should be fired.

  46. Sixth point by Anonymous Coward · · Score: 0

    If you only install the NT service packs, and never install the service updates in between service pack releases you are going to have huge security holes in your machines, no?

  47. Scripts! by Anonymous Coward · · Score: 0

    You want a single large patch so that you can do several machines in parallel? Don't you know that you could write a script for the whole procedure and have the updates done automatically for you overnight? And you could have another script log everything for you so that you can confirm that all the patches were applied successfully? Scripts are the tools of the trade for a lazy administrator. If you're not using scripts very much, you're working too hard.
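    One way to do the "log everything and confirm the patches applied" step this post describes, as an added example that is not from the thread or from any distribution's tooling: the overnight update script is assumed to have appended one line per host and package in the form `<host> <package> <rpm exit status>`, and the audit below reports every package that either failed (nonzero status) or was never logged for a host (the run died or the host was unreachable). The hosts, package names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the log an overnight update run left behind, so the
# admin can confirm every patch landed on every host before calling it done.

# Constructed log in the format this script assumes the update script wrote:
#   "<host> <package> <rpm exit status>"
# A nonzero status is a failed upgrade; a missing line means the host was
# never reached or the run stopped before getting to that package.
UPDATE_LOG='web1 vixie-cron-3.0.1-39 0
web1 wu-ftpd-2.4.2b18-3 0
web1 bind-8.2.1-7 0
web2 vixie-cron-3.0.1-39 0
web2 wu-ftpd-2.4.2b18-3 1
web2 bind-8.2.1-7 0
web3 vixie-cron-3.0.1-39 0'

# Constructed: the hosts the run was supposed to cover and the packages
# every one of them was supposed to receive.
HOSTS='web1 web2 web3'
EXPECTED='vixie-cron-3.0.1-39 wu-ftpd-2.4.2b18-3 bind-8.2.1-7'

# audit_updates: print one line per problem, "<host> <package> FAILED|MISSING".
# Prints nothing when every expected package succeeded on every host, which
# is the only outcome that should let the run be recorded as complete.
audit_updates() {
  for h in $HOSTS; do
    for p in $EXPECTED; do
      # exit status logged for this host/package pair, empty if never logged
      rc=$(printf '%s\n' "$UPDATE_LOG" |
           awk -v h="$h" -v p="$p" '$1 == h && $2 == p { print $3 }')
      if [ -z "$rc" ]; then
        printf '%s %s MISSING\n' "$h" "$p"
      elif [ "$rc" -ne 0 ]; then
        printf '%s %s FAILED\n' "$h" "$p"
      fi
    done
  done
}

# hosts_needing_attention: the distinct hosts with at least one problem,
# i.e. the ones to revisit by hand (or re-run the script against) next morning.
hosts_needing_attention() {
  audit_updates | awk '{ print $1 }' | sort -u
}

# Usage: print the problem list, then the hosts to follow up on.
audit_updates
hosts_needing_attention
```

    With the constructed log above the audit flags the failed wu-ftpd upgrade on web2 and the two packages web3 never got, so web2 and web3 come back as the hosts to follow up on; the same two functions would run unchanged over a real log as long as the update script writes the three-field lines the audit expects.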

  48. The day i see a 'Service Pack' for Linux... by Anonymous Coward · · Score: 0

    will be the day i stop using it.

    The point of having many individual patches is the ability to fix any specific problem that pops up, without having to download a 30-friggin-megabyte service pack.

    Granted, a simple tool to install patches either from the net, a CD or an rpm would be cool, but making monolithic 'Service Packs' the norm in the linux world would be a grave mistake.

    I would much rather have a large number of small, easily accessible patches, with a good GUI/CLI (both interfaces, please) tool that clearly shows what each does, in what circumstances you would need it, and whether, in an expert's opinion, it is a good idea to install it in your current kernel.

    That is, it would tell you the patch closes a hole related to SYN flooding or something, that you would want to install it if you ran any type of web server etc, and that the patch is meant for a 2.2 kernel, so since you have RedHat 5.2 with a 2.0.36 kernel it's not relevant.

    Stuff like that.. plus (dare i say it) a 'Wizard' that lets you ask a question like 'I'm running a web server based on RH 5.2 - Which patches do i need to make it secure?'

    Something like the PPM (Perl Package Manager) you get with ActiveState Perl on NT (presumably this is also available on *NIX, but i've only used the NT version) would be the ideal way IMHO.

  49. Accurate by Anonymous Coward · · Score: 0

    Anyone know if this is even true? I have seen no official announcements from ZDNET.

    1. Re:Accurate by LongShip · · Score: 1
      It's my article. I would not publish this if it weren't true. If you take the trouble to click the link in the very first paragraph you will be miraculously transported to the ZDNet site where a Mr. Chowdhry of ZDNet Labs will tell you that it's true.

      The only problem is that you have to take the trouble to click the link.

  50. Re:21 patches vs 21 service packs? by Anonymous Coward · · Score: 0

    Not wanting to defend MS here, but the reason they are that size is because they are cumulative. You only install the latest one.

    My main gripe is that they don't separate service packs from option packs well enough. I just want fixes dammit - not new features!

  51. Re:Small Updates + Package Management = Bliss by Anonymous Coward · · Score: 0

    Thanks for the reminder. I almost forgot to run apt-get and make my Debian box into "The (tied for) Most Up to Date Linux System on the Planet" Again.

  52. Re:No they don't have a point by Anonymous Coward · · Score: 0

    I run autorpm against .../redhat/updates/6.0 in a crontab every night. It's much like install it once and forget. Pretty much unattended.

  53. Re:I work enterprise - multiple patches are the pi by Anonymous Coward · · Score: 0

    Correction - it is possible to do that on NT, but that doesn't mean I like NT.

  54. Re:I complained... by Anonymous Coward · · Score: 0

    Please add, under MS, not every service pack is identical, and as the gentleman said, plus hotfixes, plus the cost of reinstalling apps. I read about a root patch for NT. Not pretty. The old Commodores had a built-in asm/disassm in bios. If this was 're-invented' you could compromise your NT workstation. With NT, it would be your Network too! Spell design flaw. Linux is less trusting, plus you don't have to rely on code secrecy to know that you still have a secure system.

  55. Re:Do they have a point? by Anonymous Coward · · Score: 0

    RedHat could bundle them as a shell archive.

    It could then self extract, detect from RPM which upgrades were needed, and then apply them

    It's trivial, and gives you the 'sweeping fix' effect described
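    Comment 42's `rpm -UvhF *.rpm` and the self-extracting archive idea above come down to the same step: ask RPM what is installed and apply only those updates that are newer versions of packages already on the box. The script below is an added example, not code from this thread or from Red Hat. It reproduces that freshen rule over two constructed lists (the package names and versions are made up for illustration) so it runs without rpm present at all; on a real system the installed list would come from `rpm -qa` and the update list from the errata directory. Its version comparison is a simplified stand-in for rpm's own ordering, not the real rpmvercmp, and is labelled as such in the code.

```shell
#!/bin/sh
# Added example: plan an rpm -F style "freshen" run from two constructed
# lists, without calling rpm. Only packages that are already installed and
# for which a newer version is available get scheduled; new packages are
# never pulled in, and packages already current are skipped.

# Constructed stand-in for what
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# might print on a box. Names and versions are illustrative only.
INSTALLED='vixie-cron 3.0.1-37
wu-ftpd 2.4.2b18-2.1
bind 8.2-6
apache 1.3.6-7'

# Constructed stand-in for the file names sitting in an updates directory.
UPDATES='vixie-cron-3.0.1-39.i386.rpm
wu-ftpd-2.4.2b18-3.i386.rpm
bind-8.2.1-7.i386.rpm
proftpd-1.2.0-1.i386.rpm
apache-1.3.6-7.i386.rpm'

# split_rpm_filename: name-version-release.arch.rpm -> "name version-release"
# (name may itself contain dashes; version and release never do).
split_rpm_filename() {
  base=${1%.rpm}; base=${base%.*}       # drop ".rpm" and ".<arch>"
  rel=${base##*-}; rest=${base%-*}      # last dash-field is the release
  ver=${rest##*-}; name=${rest%-*}      # next one back is the version
  printf '%s %s-%s\n' "$name" "$ver" "$rel"
}

# vernewer OLD NEW: succeed when NEW is strictly newer than OLD.
# Compares the version part field by field, then the release part;
# numeric fields compare as numbers, anything else as strings.
# This is a simplified ordering, NOT rpm's rpmvercmp.
vernewer() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, AP, "-"); split(b, BP, "-")          # AP[1]=version AP[2]=release
    for (p = 1; p <= 2; p++) {
      na = split(AP[p], A, "."); nb = split(BP[p], B, ".")
      n = (na > nb) ? na : nb
      for (i = 1; i <= n; i++) {
        x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
        if (x == y) continue
        if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) exit (y + 0 > x + 0) ? 0 : 1
        exit (y > x) ? 0 : 1
      }
    }
    exit 1                                          # identical: not newer
  }'
}

# freshen_plan: print "name old -> new file" for every update that should be
# applied under the freshen rule. proftpd is skipped because it is not
# installed; apache is skipped because the update is the installed version.
freshen_plan() {
  printf '%s\n' "$UPDATES" | while read -r file; do
    [ -n "$file" ] || continue
    set -- $(split_rpm_filename "$file")
    name=$1; newver=$2
    cur=$(printf '%s\n' "$INSTALLED" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$cur" ] || continue               # not installed: never freshen in
    if vernewer "$cur" "$newver"; then
      printf '%s %s -> %s %s\n' "$name" "$cur" "$newver" "$file"
    fi
  done
}

# Usage: show what an rpm -Fvh over this directory would actually touch.
freshen_plan
```

    On the constructed input the plan lists vixie-cron, wu-ftpd and bind and leaves proftpd and apache alone, which is exactly the behaviour the poster wants from a "sweeping fix" that only upgrades what the box already runs. The fourth field of each plan line is the file name, so the output can be fed straight to the real installer once the packages have been checked against the vendor's signing key.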

  56. Re:Debian has had this for ages... by Anonymous Coward · · Score: 0

    HeHe. So true. So true.

    It's good to see RedHat finally adding this feature. It's been about 3 years since I've used Debian but this is definitely a feature that I missed.

    So is dselect any more usable? I remember it was powerful but only text based and it seemed easy to get lost in the menus. If I remember right, it had really powerful dependency checking and offered you the additional packages you needed if you chose one that had pre-requisites.

    Definitely was the best way to maintain a system over a 28.8 modem especially when I was a newbie and had no idea what some of the libraries were and why I needed them.

  57. Nah, 21 patches? WTF?!?!?!?! by Anonymous Coward · · Score: 0

    I'm sorry, I've run Slack 3.6 on my server with the latest 2.0.x kernel for a year now. This server runs Apache and Eggdrop (yeah, its been a pain). We have a butt ton of script kiddies try'n to CRACK into it in all the time. We have been cracked once. Not due to software exploits mind you. It was due to our head admin choose'n deadhead as the root password (yeah, shoot me now for not stop'n em). I don't think it can be cracked.

    In fact I'll post my IP (static) 24.5.166.175. Visit our channel on the undernet as well (#sandiego). Please, try to break into my box and show me my issues. If you get in echo "I owned you" > /root/owned, and e-mail me nexion@home.com.

    I'll write back to slash to confirm the crack. Please do not DOS the hell out of me. I don't use trust relationships. Here is some output from nmap:

    23 open tcp telnet
    80 open tcp http
    113 open tcp auth

    Telnet is open!!! I'm not use'n ssh (yet). If you do get in, try not to pervert my box too much. You may want to change the motd on the bot to something cute, /home/howardk/bots/blacks-vi/motd.
    Also, e-mail me if you try. I'm anal about my logs and it will greatly help if I can rule you out of them.

    Thanks...

    Nexion

  58. Re:How many current NT patches ? by Anonymous Coward · · Score: 0

    Damn right. I'm in the process of updating all the windoze machines in the office with all the relevant patches. Unfortunately I only joined the company recently and there was no sys admin here before me, so our main server is running NT 4 with no service packs at all. Because they're anal about restarting the server during work hours I have to do all this after hours or on my lunch break. If you're lazy about patching your linux box just grab all the rpms and install them --nodeps. Far less hassle than NT, or all those bloody IE updates. hellbunnie. ps. Not logged in 'cos I'm currently in Microsoft installing some software. God it feels good to post something like this from Microsoft's offices...

  59. Re:My Opinion by Anonymous Coward · · Score: 0
    Closes the vulnerability gap a bit.

    But it adds another gap: when RedHat servers get cracked, you're going to have "trojan" updates. Remember even freebsd.org source repository was once compromised.

  60. Let's see here..... by C.Lee · · Score: 0


    The ZDNET Labs crowd can install a bunch of games and other nonsense on their machines,but can't be bothered with actually maintaining them. What's *WRONG* with this picture?

  61. No, they are morons, they don't have a point! by Colin+Smith · · Score: 0

    subject says it all.

    --
    Deleted
  62. WTF by tonhe · · Score: 0

    I hate it when I see things like this,
    If you're going to run a test, at least get
    the most recent updates you can.. I dont suppose they'd use an old service pack.. do you?

    1. Re:WTF by trelyle · · Score: 1

      -Just my 2 cents; I run an AMD K-6 200 with an FIC motherboard, and there is no way in hell NT will install on this box, forget about the service paks. NT apparently does not support this model mother board. Linux installs in approximately 1 hr, start to finish, with a somewhat usable X window system. The biggest problem I consistently have with a Linux install is clock (or is it hwclock) installs broke every time. Only by applying a "patch" from an older flavor of Redhat will my clock set up properly. Granted, the first time my semi educated ass tried to do this fix, it took several hours, now I've got it down to about 5 minutes or so. To update things, I usually create a dir called updates, and cram it with RPMs. From there it's "rpm -Uvh *.rpm". Now it makes my brain hurt to hear that that is more difficult than applying one (five) Big patches to NT. Let's say I have a mission critical machine. When updating it, would the sysadmin rather have control over every last file that goes in, or would they like an unlabeled envelope of fixes accompanied by a README that *must* be applied as one big whole. I know what I would prefer. I also know that I do not think in the same fashion as a suited manager, who I really believe would make a decision like this. To really even things out, I have nothing to prove/disprove like this test did. I just use what I like, what I can fix, and what I can afford.
      One other thing I would like to point out is the turn around time. I mean the amount of time elapsed from the definition that a problem exists to the acknowledgement and *release* of a fix. With all of this in consideration, I think it rather insulting to think that once again the masses have been fed misinformation and FUD. But rather than take offense, I for one will add this to my arsenal of "Things I have learned about the real world". Face it people, we are surrounded by incompetence at all levels; from your average McDonald's worker, to the most high office (presidency, etc..)
      I think that if sysadmins really think that they would rather wait for 1(5) *big* updates for NT, they really had best look out for their jobs; there are too many hungry college students just itching to take your job.

      --
      "A society that will trade a little liberty for a little order will lose both, and deserve neither. " Ben Franklin
  63. no by BlackSpyder · · Score: 0

    yes. no, wait. no.

    i'm so confused....

    --
    And the gods of Rome and Greece and Egypt all cried out in vain, for no one could save them from their own destruction.
  64. Re:Devil's Advocate by Anonymous Coward · · Score: 1

    If you look at the configuration that ZDNet published, you will see that they applied 4 service packs, moved dozens of files around and made over 90 configuration changes. This seems to me to be a rather intensive process.

  65. ZD Full of It - only need 3 or 4 of the 21 patches by Anonymous Coward · · Score: 1

    ZD is full of crap. Look at the list of the 21 patches, and compare it to the services they were running on the web server. Now make a list of patches that actually affect the programs running on the server. How many of these services are affected by the patches? Maybe 3 or 4. Duh.

  66. My recent (re) installation of Windows NT by Anonymous Coward · · Score: 1

    I recently reinstalled Windows NT on my computer, and I would have been thrilled had I only had to install 21 patches. Let's count what I had to do to make my system as stable and secure as possible. Admittedly this is a Windows NT Workstation System and not a Windows NT Server system. (Windows NT Server would have had far more patches.)

    I started by booting off my Windows NT 4 Workstation CD. This put my into the base operating system install. It copied all the files and rebooted.

    After installing the base operating system, I had to apply Service Pack 5 which has some 600 fixes in it. After that I had to upgrade all of my drivers for SCSI card, my NIC, my Sound card, my video capture card, my video card, and my Zip drive.

    After that I had to install IE 4 because the copy of Windows NT I have only comes with IE 2 which cannot be used to download IE 5. After installing IE 4, I installed IE 5. After installing IE 5, I had to go to windowsupdate.microsoft.com and install half a dozen fixes beyond the initial IE 5 installation.

    Then we have the whole virus issue. I had to install Norton AntiVirus and upgrade that with another 4 or 5 MB download.

    Then, when this is done, there are a total of 17 post Windows NT Service Pack 5 hotfixes that have to be applied. These fix bugs ranging from file system corruption to dialup security.

    As I said, 21 RPM packages would have been far more enjoyable than installing Windows NT.

    Let's not even get into the myriad of patches and upgrades for the applications I have installed. (MS Office, MS Visual Studio, etc, etc)

  67. Even easier... by Anonymous Coward · · Score: 1

    Not only can you use ftp/rpm/apt to get security updates, but places like LSL put them all together on nice $1.95 CD's for you...see here. Granted, they're probably a few updates behind, but the idea is sound. Don't know for sure, but perhaps places like Cheapbytes, the Linux Mall, LinuxCentral et al. have something similar.

  68. Small correction. by Anonymous Coward · · Score: 1

    NT service packs are, I believe, cumulative. Ie: you only apply the latest one to get all the fixes of all the previous ones... I am not an NT expert, so please correct me if I am wrong.

  69. Even latest service pack leaves IIS exposed! by Anonymous Coward · · Score: 1

    The huge IIS hole which would have left the NT server hacked in 10 seconds is *NOT* included in service pack 5. If they can apply *special* fixes then why not the redhat ones?

    Download the directory, and rpm with wildcards, how hard is that?

  70. Re:Parity by Anonymous Coward · · Score: 1

    Considering there are close to 400 changes that need to be made to an NT 4 installation 'out of the box' in order to make it secure, somehow the 21 fixes needed for Linux don't seem like they'd be that big of a deal to apply...

  71. RPMs or patches (and source) by Anonymous Coward · · Score: 1

    Zdnet should have installed any recommended patch and rpm from the distribution's web site or technical support channel (e.g. RedHat)! However, rpms and updates from other sources (including kernel.org, etc..) should not be included. You might as well start fooling around with your IBM mainframe. Enterprise servers should not be a playground for patches and updates. Expecting enterprise customers to follow mailing lists and install every single patch available is unreasonable.

  72. Here's where Sun/Solaris gets it right... by Anonymous Coward · · Score: 1

    ...you can download and apply individual fixes if you want - or you can download a "patch cluster" that includes a collection of patches (making it easier to get a lot of patches installed in one hit). Sample clusters generally include:

    • Recommended - as the name suggests, recommended for everyone's use (this is what most people install)
    • Security - security issues only (no other bugs fixed or apps updated)
    • Y2K - duh

    If something like this was available, then just as they'd installed SP5 on NT they would have been able to install the latest patch cluster onto Linux so as to ensure that all the latest patches were included - nice an' easily.

    Even Debian has it over Red Hat in this regard (fire up package management and say "install the latest stuff", which downloads the packages over the Internet and installs them - can't get much simpler).

    1. Re:Here's where Sun/Solaris gets it right... by yod@ · · Score: 1

      mandrake 6.0 also has this feature. In fact rpmfind can do this for you I believe

      --
      Sorry man I don't controll the aliens.
  73. why did they install that cgi script anyways? by Anonymous Coward · · Score: 1

    i've installed redhat 6 many times and just chose install everything and i don't ever remember seeing a photo cgi script in there. all i've ever seen is cachemgr.cgi in there. Why did they install that program anyways? Did NT have any other 3rd party cgi scripts installed with it? If they did that for no reason, i would say that the test was obviously tainted because it was not just a real install but had other services installed with it.

  74. zdnet is NOT about technical matters... by hogwaller · · Score: 1
    Just look at this as an example.

    A more poorly written article about two
    OSes can't be found...

    --------------------------
    Your Favorite OS Sucks.
    ^D

  75. 21 patches vs 21 hotfixes? by Elvii · · Score: 1

    not always a service pack... nt5/w2k is gonna have about 10+ hotfixes before its first service pack... are people not going to install those because it's not just one update?

    I don't think so. They'll do more than one, any good admin will do whatever is necessary to secure his servers.

    --
    This sig left intentionally blank.
    1. Re:21 patches vs 21 hotfixes? by IntlHarvester · · Score: 1


      You might be right. There are already NT4 "Post-SP6" hotfixes out, and SP6 hasn't even been released yet.

      --
      Business. Numbers. Money. People. Computer World.
  76. They do have a point.. by Bill+Currie · · Score: 1

    but as has been discussed in previous articles, it's not particularly valid. Not applying those patches (whether they come as a single bundle or a multitude) is sheer laziness and a poor excuse. I believe that if the same thing happened to the network I look after at work for the same reasons, I would be (justifiably) fired. If not the first time, then definitely if it happened again (ie, I didn't learn from my mistake).

    --

    Bill - aka taniwha
    --
    Leave others their otherness. -- Aratak

  77. windows update site? by Quixotic · · Score: 1

    Good idea... kinda like the MS Windows Update website. Using IE, you can connect to this site, which will run some ActiveX program, check which MS software needs updating / patching, and let you choose which ones to update. Once you have made your choice, it goes off and does its thing and installs all the updates you chose. Actually pretty nifty and painless if you've tried it.

    --
    --
    1. Re:windows update site? by barbaBob · · Score: 1
      Yeah quite nifty. Just reinstalled Windows 98 First Edition this weekend, connected to that site and had more than 13 security fixes to download and install. Not to mention all the other stuff that needs updating. Requires at least three reboots because some of the components don't install together with others.

      Yech :)

      Cya,
      barbaBob

      --

      --
      *sig*

  78. Re:Security Patches were not the problem! by J.+J.+Ramsey · · Score: 1

    The cracker exploited two holes, one in the CGI script, the other having to do with cron. Red Hat had a security update for cron that would have plugged the hole that the cracker exploited.

  79. No, they do not by The+Man · · Score: 1
    Regardless of whether someone would want to apply 21 security-related fixes, this is not a valid point. The fact is that any even remotely professional system administrator will ensure, especially on a main web server, that any and all applicable security patches are installed. What all this really means is that the people responsible for this "contest" didn't feel like being professional administrators - which, not surprisingly, they aren't. I'm just wondering where they found somebody who was willing to deal with installing the 5 NT service packs. Talk about something I wouldn't want to do. But it's part of the job to keep systems up to date, whatever those systems might be.

    Now, back to practicality: Is it really that hard to do rpm -Uvh *.rpm? I just can't imagine this being difficult in any way whatever. Except for someone wishing to slant the outcome in a particular direction. Anyone who's ever been within 100 meters of a unix system knows better.

  80. Re:Security Patches were not the problem! by imroy · · Score: 1

    If you read his page correctly, you would have noticed he used a known exploit in the cron daemon. An exploit that was fixed by one of the RedHat updates.
    Everything below this line is a lie

  81. CGI security through chroot? by kris · · Score: 1

    The following is a drop-in replacement for the suexec.c that comes with Apache. It is a bit less tight about permissions (I want to be able to execute code under different UIDs), but executes the CGI within a chrooted environment (so that the UIDs cannot cause harm). Please have a look at the code and tell me what you think about it.


    /*
    * suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
    *
    ***********************************************************************
    *
    * NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
    * editing this code might open up your system in unexpected
    * ways to would-be crackers. Every precaution has been taken
    * to make this code as safe as possible; alter it at your own
    * risk.
    *
    ***********************************************************************
    *
    *
    */

    #include "ap_config.h"
    #include
    #include
    #include

    #include

    #include "suexec.h"
    #undef LOG_EXEC

    /*
    ***********************************************************************
    * There is no initgroups() in QNX, so I believe this is safe :-)
    * Use cc -osuexec -3 -O -mf -DQNX suexec.c to compile.
    *
    * May 17, 1997.
    * Igor N. Kovalenko -- infoh@mail.wplus.net
    ***********************************************************************
    */

    #if defined(NEED_INITGROUPS)
    int initgroups(const char *name, gid_t basegid)
    {
        /* QNX and MPE do not appear to support supplementary groups. */
        return 0;
    }
    #endif

    #if defined(PATH_MAX)
    #define AP_MAXPATH PATH_MAX
    #elif defined(MAXPATHLEN)
    #define AP_MAXPATH MAXPATHLEN
    #else
    #define AP_MAXPATH 8192
    #endif

    #define AP_ENVBUF 256

    extern char **environ;
    static FILE *log = NULL;

    /* Environment variables that are allowed through to the CGI; everything
     * else (LD_PRELOAD, IFS, ...) is dropped by clean_env() below. */
    char *safe_env_lst[] =
    {
        "AUTH_TYPE",
        "CONTENT_LENGTH",
        "CONTENT_TYPE",
        "DATE_GMT",
        "DATE_LOCAL",
        "DOCUMENT_NAME",
        "DOCUMENT_PATH_INFO",
        "DOCUMENT_ROOT",
        "DOCUMENT_URI",
        "FILEPATH_INFO",
        "GATEWAY_INTERFACE",
        "LAST_MODIFIED",
        "PATH_INFO",
        "PATH_TRANSLATED",
        "QUERY_STRING",
        "QUERY_STRING_UNESCAPED",
        "REMOTE_ADDR",
        "REMOTE_HOST",
        "REMOTE_IDENT",
        "REMOTE_PORT",
        "REMOTE_USER",
        "REDIRECT_QUERY_STRING",
        "REDIRECT_STATUS",
        "REDIRECT_URL",
        "REQUEST_METHOD",
        "REQUEST_URI",
        "SCRIPT_FILENAME",
        "SCRIPT_NAME",
        "SCRIPT_URI",
        "SCRIPT_URL",
        "SERVER_ADMIN",
        "SERVER_NAME",
        "SERVER_ADDR",
        "SERVER_PORT",
        "SERVER_PROTOCOL",
        "SERVER_SOFTWARE",
        "UNIQUE_ID",
        "USER_NAME",
        "TZ",
        NULL
    };


    static void err_output(const char *fmt, va_list ap)
    {
    #ifdef LOG_EXEC
        time_t timevar;
        struct tm *lt;

        if (!log) {
            if ((log = fopen(LOG_EXEC, "a")) == NULL) {
                fprintf(stderr, "failed to open log file\n");
                perror("fopen");
                exit(1);
            }
        }

        time(&timevar);
        lt = localtime(&timevar);

        fprintf(log, "[%d-%.2d-%.2d %.2d:%.2d:%.2d]: ",
                lt->tm_year + 1900, lt->tm_mon + 1, lt->tm_mday,
                lt->tm_hour, lt->tm_min, lt->tm_sec);

        vfprintf(log, fmt, ap);

        fflush(log);
    #endif /* LOG_EXEC */
        return;
    }

    static void log_err(const char *fmt, ...)
    {
    #ifdef LOG_EXEC
        va_list ap;

        va_start(ap, fmt);
        err_output(fmt, ap);
        va_end(ap);
    #endif /* LOG_EXEC */
        return;
    }

    static void clean_env(char *cwd, int len)
    {
        char pathbuf[512];
        char stripbuf[1024];
        char **cleanenv;
        char **ep;
        int cidx = 0;
        int idx;

        if ((cleanenv = (char **) calloc(AP_ENVBUF, sizeof(char *))) == NULL) {
            log_err("failed to malloc memory for environment\n");
            exit(120);
        }

        /* PATH is always replaced by the compiled-in SAFE_PATH. */
        sprintf(pathbuf, "PATH=%s", SAFE_PATH);
        cleanenv[cidx] = strdup(pathbuf);
        cidx++;

        for (ep = environ; *ep && cidx <
        /*
         * The posted copy breaks off here: the HTML rendering swallowed the
         * text between this '<' and the next '>', i.e. the rest of clean_env()
         * and the first half of main() (argument checks, getpwnam(), the
         * declarations of newroot, p, pw, cwd, cmd and the target names).
         * It resumes inside main(), where newroot has just been filled from
         * pw->pw_dir and is then cut at the first "/." to obtain the chroot:
         */
                                          pw_dir);
        p = strstr(newroot, "/.");
        if (newroot[0] != '/' || p == NULL) {
            log_err("$home (%s) has no /. for uid= %ld\n", pw->pw_dir, uid);
            exit(102);
        }
        *p = 0x00;

        if (getcwd(cwd, AP_MAXPATH) == NULL) {
            log_err("cannot get current working directory\n");
            exit(111);
        }

        uid = pw->pw_uid;
        gid = pw->pw_gid;
        actual_uname = strdup(pw->pw_name);
        target_homedir = strdup(pw->pw_dir);

        /*
         * Log the transaction here to be sure we have an open log
         * before we setuid().
         */
        log_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
                target_uname, actual_uname,
                target_gname, actual_gname,
                cmd);

        /*
         * Error out if attempt is made to execute as root or as
         * a UID less than UID_MIN. Tsk tsk.
         */
        if ((uid == 0) || (uid < UID_MIN)) {
            log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
            exit(107);
        }

        /*
         * Error out if attempt is made to execute as root group
         * or as a GID less than GID_MIN. Tsk tsk.
         */
        if ((gid == 0) || (gid < GID_MIN)) {
            log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
            exit(108);
        }

        /*
         * Change UID/GID here so that the following tests work over NFS.
         *
         * Initialize the group access list for the target user,
         * and setgid() to the target group. If unsuccessful, error out.
         */
        if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
            log_err("failed to setgid (%ld: %s)\n", gid, cmd);
            exit(109);
        }

        /* now we chroot (still root at this point; setuid() comes after) */
        if (chdir(newroot) != 0) {
            log_err("cannot chdir to newroot directory %s\n", newroot);
            exit(112);
        }
        if (chroot(newroot) != 0) {
            log_err("failed to chroot to %s\n", newroot);
            exit(113);
        }

        /* Length-only check: this does not verify that cwd actually starts
         * with newroot, only that it is long enough to be indexed below. */
        if (strlen(cwd) < strlen(newroot)) {
            fprintf(stderr, "chroot not below docroot cwd=%s [%d] newroot=%s [%d]!\n",
                    cwd, (int) strlen(cwd), newroot, (int) strlen(newroot));
            exit(114);
        }

        /* Re-enter the old working directory, now relative to the new root. */
        if (chdir(cwd + strlen(newroot)) != 0) {
            log_err("warning: cannot chdir after chroot %s | %s \n", cwd, newroot);
        }

        /*
         * setuid() to the target user. Error out on fail.
         */
        if ((setuid(uid)) != 0) {
            log_err("failed to setuid (%ld: %s)\n", uid, cmd);
            exit(110);
        }

        clean_env(cwd, strlen(newroot));

        /*
         * Be sure to close the log file so the CGI can't
         * mess with it. If the exec fails, it will be reopened
         * automatically when log_err is called. Note that the log
         * might not actually be open if LOG_EXEC isn't defined.
         * However, the "log" cell isn't ifdef'd so let's be defensive
         * and assume someone might have done something with it
         * outside an ifdef'd LOG_EXEC block.
         */
        if (log != NULL) {
            fclose(log);
            log = NULL;
        }

        /*
         * Execute the command, replacing our image with its own.
         */
    #ifdef NEED_HASHBANG_EMUL
        /* We need the #! emulation when we want to execute scripts */
        {
            extern char **environ;

            ap_execve(cmd, &argv[3], environ);
        }
    #else /*NEED_HASHBANG_EMUL*/
        execv(cmd, &argv[3]);
    #endif /*NEED_HASHBANG_EMUL*/

        /*
         * (I can't help myself...sorry.)
         *
         * Uh oh. Still here. Where's the kaboom? There was supposed to be an
         * EARTH-shattering kaboom!
         *
         * Oh well, log the failure and error out.
         */
        log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
        exit(255);
    }

    1. Re:CGI security through chroot? by h2odragon · · Score: 1

      1) Good idea, I think.

      2) Have ye never heard of diff and patch?

    2. Re:CGI security through chroot? by Barbarian · · Score: 1

      send it to the apache cvs tree or however it's maintained?

      It could be a compile-time option.

    3. Re:CGI security through chroot? by kris · · Score: 2

      I have, yet this is currently experimental. Also it is small enough to be distributed as a single piece, enabling you to read it without tools.

      Something like this would have been able to contain the ZDnet script in a tight environment, probably making the exploit much harder.
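
The environment allowlist that clean_env() in the posted suexec.c builds, redone as an added shell example so its effect can be tried without building suexec. This is neither kris's patch nor Apache's code; SAFE_PATH is an assumption (suexec takes it from suexec.h at build time), and since the matching loop is missing from the posted copy, exact-name matching plus the HTTP_ prefix is an assumption about the intended behaviour.

```shell
#!/bin/sh
# Added example (not from the posted suexec.c): suexec's clean_env() allowlist
# as shell functions. Only PATH=$SAFE_PATH, HTTP_* header variables and the
# names in SAFE_ENV_LST reach the CGI; LD_PRELOAD, IFS and friends are dropped.
# SAFE_PATH is an assumption; suexec compiles it in from suexec.h.
SAFE_PATH="/usr/local/bin:/usr/bin:/bin"

# The safe_env_lst table from the posted code, transcribed.
SAFE_ENV_LST="AUTH_TYPE CONTENT_LENGTH CONTENT_TYPE DATE_GMT DATE_LOCAL
DOCUMENT_NAME DOCUMENT_PATH_INFO DOCUMENT_ROOT DOCUMENT_URI FILEPATH_INFO
GATEWAY_INTERFACE LAST_MODIFIED PATH_INFO PATH_TRANSLATED QUERY_STRING
QUERY_STRING_UNESCAPED REMOTE_ADDR REMOTE_HOST REMOTE_IDENT REMOTE_PORT
REMOTE_USER REDIRECT_QUERY_STRING REDIRECT_STATUS REDIRECT_URL REQUEST_METHOD
REQUEST_URI SCRIPT_FILENAME SCRIPT_NAME SCRIPT_URI SCRIPT_URL SERVER_ADMIN
SERVER_NAME SERVER_ADDR SERVER_PORT SERVER_PROTOCOL SERVER_SOFTWARE UNIQUE_ID
USER_NAME TZ"

# env_is_safe NAME: succeed if NAME is an HTTP_* variable or is listed.
# Exact-name matching is an assumption (the loop body is not in the posted copy).
env_is_safe() {
    case $1 in
        HTTP_*) return 0 ;;
    esac
    for safe in $SAFE_ENV_LST; do
        [ "$1" = "$safe" ] && return 0
    done
    return 1
}

# filter_names NAME...: print the names that would survive, one per line.
filter_names() {
    for n in "$@"; do
        env_is_safe "$n" && printf '%s\n' "$n"
    done
    return 0
}

# run_clean CMD [ARG...]: run CMD under a fresh environment holding only
# PATH=$SAFE_PATH plus the kept variables, like "environ = cleanenv; execv()".
run_clean() {
    n=$#
    # Append each kept NAME=VALUE after the command arguments. NAME has been
    # validated by the sed pattern, so the eval expands only that variable.
    # (A value containing a newline that looks like "X=..." yields a bogus,
    # empty "X=" entry; harmless here, but env -0 would be needed to avoid it.)
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
        if env_is_safe "$name"; then
            eval "set -- \"\$@\" \"$name=\$$name\""
        fi
    done
    # Rotate the original command arguments to the end so the pairs come first.
    i=0
    while [ "$i" -lt "$n" ]; do
        set -- "$@" "$1"
        shift
        i=$((i + 1))
    done
    env -i PATH="$SAFE_PATH" "$@"
}

# Demo: "./clean_env.sh demo" prints exactly what a CGI would see.
if [ "${1:-}" = "demo" ]; then
    run_clean env
fi
```

Run with `demo` from a shell that has, say, `LD_PRELOAD` or `IFS` exported and neither appears in the output, while `HTTP_HOST` and `QUERY_STRING` pass through and PATH is replaced regardless of what the caller had.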

  82. Automatic RH Fixer-Upper by Threed · · Score: 1

    Such a beast already exists. It's called (drum-roll please...) MandrakeUpdate!

    --Threed

  83. I like apt by ftc · · Score: 1

    I run debian. Slink (stable) on all the production machines, and potato (unstable) on two "testbed" ones.

    I like how I can run "apt-get update; apt-get upgrade" and have the latest security updates I need automatically downloaded, installed and configured on my system.
    Or, if I want to review the changes and decide for each package individually if I want to upgrade them or not, I run the "select" method in dselect first.

    I can even get told within minutes of a new critical patch being posted by subscribing to the debian-announce mailing list.

    There are a couple things that I really like about it:

    1) The advisories sent out to the mailing list contain enough information to know what problem the updates are fixing. The changelog files in the packages (which I *can* read before installing the package, if I unpack it somewhere else) contain a list of all changes. And if this is not enough for me, I can go and get the source package, and diff it to the previous version.

    2) Debian potato will contain the apt-zip package, a set of scripts that simplify the process of downloading updates to removable media (e.g. zip drives, though you could probably also write them to a CD-R if you needed or wanted to). I can apply them to as many machines as I want to by inserting the medium, mounting it and typing "dpkg -i /mountpoint/*.deb"

    3) dselect, console-apt and gnome-apt as well as kpackage are applications that provide me a list (sorted by anything) of Items I have installed so I can check off the one I want to uninstall.

    I think everyone agrees that individual patches would be better since it allows ultimate user control. And the way they are organized in the Debian system is really great.

  84. 21 fixes too hard? by sterwill · · Score: 1

    "apt-get update ; apt-get upgrade". I've always got the latest security fixes, and they never render my system unstable or completely unusable.

    --

  85. Think Debian. by demon · · Score: 1
    Try Debian, esp. Potato, if you really want all the latest updates. Slack doesn't really have a "proper" package management system. Debian is continuing to develop the 'apt' system, which not only provides for package management, but has a mechanism for fetching the latest updates from Debian's package archives. All you have to do is

    apt-get update ; apt-get upgrade

    then answer some questions to get everything updated to the latest (at least, everything that's installed as a package - and Debian has a package for most everything out there).

    If you really need a more stable system, go for Slink (aka Debian v2.1, Potato is being actively developed), but for all the latest updates, go with Potato.
    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  86. Re:The explanatiion is not relevant by demon · · Score: 1

    What Linux needs is some stuff around RPMs (or DEBs). This will be a way to access a repository of RPMs to automatically download (asking first would be a good idea) any dependencies. This would allow one to create an RPM with nothing in it but dependencies. So one installs this RPM and all the other RPMs referred to in it will be downloaded and installed.

    Sounds something like Debian. apt-get is your friend, and an ncurses frontend is being developed as well. (Don't know about the status of the gnome apt frontend tho.)

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  87. Re:Debian has had this for ages... by demon · · Score: 1

    dselect is slowly being tossed away in favor of the new 'apt' (advanced package tool) system that's being developed. And that's just fine by me - I hated dselect. It screwed up my first-ever Debian (slink) install. I was brave though, and went back and used the (still infantile) apt system instead, and it worked MUCH better. apt-get makes updating an install easy as pie, and console-apt is developing nicely (it has some bugs, yes, but it's quite usable even so).

    --

    Sam: "That was needlessly cryptic."
    Max: "I'd be peeing my pants if I wore any!"
  88. Re:Parity by /dev/niall · · Score: 1
    Huh? Have you ever applied an NT service pack? Just click on the .exe, reboot, and that's it.

    If it were only that simple...

    That works fine on your NT workstation that only has user applications installed. If you have SQL server, Site server, SMS, or any other server package that does anything useful you have to install service packs in a special order or risk breaking all sorts of strange dependencies. And it's not just sweeping service packs that need to be installed; most SPs require a myriad of smaller fixes (MDAC etc.) in order to work without bringing things crashing down around you.

    To top it all off, you'll need to make several registry changes, IIS configuration changes (I don't believe there's ANY service pack as of yet that fixes the vulnerabilities in the .HTX script mapping problem in IIS), etc. etc. ad nauseam before your system is safe.

    Bottom line, without spending a decent amount of time and energy on either platform you're not going to have a secure box. I completely agree that your average corporate group would fail to do this under either platform since your average corporate machine is a festering bag of compromises waiting to happen.

    Why was a third party script installed on the Linux box to begin with? It's not like they took advantage of anything intrinsic to Linux. It was a Perl script that just as easily could have lived on the NT box.

    --
    --
  89. Devil's Advocate by Sanity · · Score: 1
    Of course you know what ZD will say don't you? If NT is so difficult to secure, then why didn't anyone break into it during our test?

    --

  90. Redhat FTP install doesn't install updates by copito · · Score: 1

    The Redhat FTP install doesn't install updates, and there is no option to do so. It is reasonably easy to set up an FTP server so it does so, but it takes a bit of tweaking. See the RedHat CD mini-HOWTO.
    --

    --
    "L'IT c'est moi!"
  91. Re:I do NOT like the WindowsUpdate idea by Jason+Earl · · Score: 1

    Actually, I have not. My Windows virus scanners seem to think that BO2k is a virus. Even so, I would suspect that the possibilities that B02k open up are not nearly as comprehensive as what a systems administrator could do with root access and Perl.

    How scriptable is BO2k? Chances are it is nowhere near as scriptable as Linux is right out of the box.

  92. Re:I do NOT like the WindowsUpdate idea by Jason+Earl · · Score: 1

    Actually, most of the time that *nix is deployed as a desktop solution the employee does _not_ have root access to the machine. In other words, you probably have less power on your *nix box than your Windows machine.

    If you were using something like Debian Linux (or any distro with a decent packaging system) it would be pretty trivial to implement something very SMS-like. The administrator could _easily_ see what software was installed on your machine, what hardware you were running (I have seen software that makes very pretty text files of the hardware), who had logged on recently, etc.

    Heck, they could even archive all of the software that you had run, and other such esoterics like what websites you have visited.

    If you have root on someone's desktop Linux box, you _own_ them. This is not necessarily true of Windows machines.

  93. nt service packs by Paul+Jakma · · Score: 1

    service packs are *easy* aren't they?

    so easy, you have to reinstall them if you add a component from the NT cd.

    And so easy when some application (usually MS) takes it upon itself to upgrade files that are also upgraded by a SP. Which version is the correct one? The one from the SP or the one the application installed? And maybe the app can't work with the version from the SP? So how do you install the SP? Or reinstall it if you've changed some vital config, eg changed the NIC?

    And this kind of thing has infinite permutations, leading to hours and hours of NT admin fun. And hey, if it wasn't for NT, admins would never be able to claim overtime! Damn those Unix boxes that just purr away for months and months without a glitch. How can you ever earn money from them?

    Yes, service packs... gotta love them. You really do. {God, Allah, preferred deity} bless NT!

    --
    I use Friend/Foe + mod-point modifiers as a karma/reputation system.
  94. This is a poor excuse by Jeff+Davis · · Score: 1

    Most enterprises want to put on fixes that solve a problem. Sure it is nice to put a patch set on, but ultimately, the idea with patches is to fix/improve/add something. A good sysadmin will always keep current on security patches as a priority even if they have to be applied one at a time. This is most especially true on systems that are attached directly to the internet.

    --
    ....Jeff
  95. Re:Automatic updates are a Bad Thing(tm) by Oestergaard · · Score: 1

    PostgreSQL database formats changes only between some (usually major) version numbers.

    It would be very bad indeed if RH released an update package that would break data when applied. Haven't seen that yet. They're usually (probably for the reasons you state) very careful about warning you of any implications an update might have. Usually there are no implications except for the fix of the hole.

  96. Re:I work enterprise - multiple patches are the pi by Oestergaard · · Score: 1

    I can think of:
    *) ssh (using .shosts for root)
    *) rpm --freshen ftp://
    and eventually
    *) at

    There you have your shrink-wrapped enterprise management patch package distribution scheduling parallel system [feel free to add more buzzwords]

    Really, with rpm (and I'm sure with dpkg too) it's really _so_ easy. You need a very small amount of imagination, and then you have your management system that you can customize in any way you please (hell, you just wrote the main routine of the application yourself - even though it's a one-liner).

  97. Useless test by android · · Score: 1

    If they had bothered to maximize security, we could have found a NEW flaw, thereby actually accomplishing something.

  98. I do NOT like the WindowsUpdate idea by Ken+Broadfoot · · Score: 1

    This is because I really am worried still that microsoft is databasing stuff about me and what is on my server. I would rather just "one way" FTP the stuff I need then install it on my machine much like the Redhat errata site is right now.

    At work I have to use NT on my desktop. I ran the task manager and decided to try and kill some tasks. Heh, I could not kill the smss.exe. Gee, I wonder what that is for?

    I bet many companies fear the penguin because they will lose the ability to snoop on you, much they way WinozeUpdate probably does as well.

    Ken

    --
    Bitcoin pyramid: Join here: http://www.bitcoinpyramid.com/r/1427 it's FREE!
    1. Re:I do NOT like the WindowsUpdate idea by Chandon+Seldon · · Score: 1

      Yes it is. Have you ever really played with such remote administration software as BO2k?

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  99. Re:The CGI script by Mawbid · · Score: 1
    This is looking less and less like a test and more and more like an ambush. Still, I like to keep in mind the much repeated advice "never ascribe to malice what can be adequately explained by incompetence".

    I found the page you linked to very informative. I had no idea security-conscious NT admins worked so hard.
    --

    --
    Fuck the system? Nah, you might catch something.
  100. The CGI script by Mawbid · · Score: 1

    I'm too lazy to read the article. I did read the hacker's (yes, he is a hacker) how-I-did-it piece and it didn't tell me *why* that CGI script was there. What was it doing there? Why was it installed?
    --

    --
    Fuck the system? Nah, you might catch something.
    1. Re:The CGI script by bmetzler · · Score: 2
      I'm too lazy to read the article. I did read the hacker's (yes, he is a hacker) how-I-did-it piece and it didn't tell me *why* that CGI script was there. What was it doing there? Why was it installed?

      In order to simulate a real web server, PC Week Labs had to have it exist for a reason. So they installed a Classified Ads application. And it had a hole.

      If you read the page where they described the configuration changes they made, you'll see that they made more changes to NT than they comparatively made to Linux. As in, it was biased a lot more than just not installing all the patches on Linux. They made registry changes. *By* hand, I presume. They moved some of the admin tools to a different location on NT, but didn't move the comparative tools on Linux.

      They were comparing apples to oranges anyways. They used a CGI application on Linux and a scripted application (ASP) on NT. Come on, to be fair they should have used a scripted application on Linux also. They *know* what php is, they used it for the forums

      -Brent
      --
  101. Re:I like the WindowsUpdate idea by Ben+Hutchings · · Score: 1

    Oops, that's Steve Wildstrom <steve_wildstrom@businessweek.com>.

  103. Re:Should it matter? by stevew · · Score: 1

    Yes it should matter - I've been around PROFESSIONAL Sys Admins in a mixed Sun/Windows shop. These guys applied EVERY fix to the Sun OS as they came out, or as they installed new systems. PERIOD! These guys set up the community - AGAIN - and they used an application which indeed had holes in it. Probably much to the surprise of the guys that wrote the religious (holey) software. The OS should have been the final line of defense with no known ways of gaining root privilege. The second part of this proposition was the sys-admin's responsibility. It just isn't THAT hard!

    --
    Have you compiled your kernel today??
  104. autorpm by Alan+Shutko · · Score: 1

    Autorpm has been around for a while, which can also check for updates and install them. The major differences with RH's (that I know of, I don't have it yet) are:

    * A priority FTP server for registered users
    * It comes with RH standard. Not everyone knows about autorpm.

  105. I work enterprise - multiple patches are the pits! by dustpuppy · · Score: 1
    I work on one of the largest Unix sites in my country - 200 machines - and I can tell you, if I had to apply 21 individual patches to 200 machines, I would be ready to punch someone.

    These machines are mission critical which means that the only time you are allowed to apply patches is outside business hours which for these boxes is between 9pm and 3am. That's a lot of late nights. Sure a single large patch still has to install the same amount, but you could start patching the system and then move onto another one which means you could do several in parallel. With individual patches, you would have to keep coming back to each system to start the next patch.

    On top of this, due to the mission critical nature of the boxes (they are used nation wide), we have extensive change management controls. Any patch that we apply would have to have a corresponding backout procedure. It is much easier to consider a patch as one big patch than 21 individual patches. Sure, us tech people know that they are really one and the same. But try telling the change management people that.

    When you are dealing with a small site, individual patches are probably preferable - I would prefer them myself.

    But on an enterprise level of any decent size, there is no way I want to have to deal with individual patches.

    This is not intended as an insult to those who are contributing to this topic, but how many of you guys actually work in the enterprise area? Or are the majority of you making comments based on what you think happens in the enterprise arena?

  106. Okay, I shot my mouth off without thinking by dustpuppy · · Score: 1
    Yes, I totally agree with the previous replies - I too would use scripts.

    In my haste to post my reply I overlooked the most obvious way to handle multiple patches - yes, I look stupid.

    I should have known better because I just performed 5 patches to the machines two weeks ago - hence my post on this topic - and yes, I used scripts then.

    I do stand by my argument on red tape though.

    1. Re:Okay, I shot my mouth off without thinking by Sesse · · Score: 1

      Red tape? Are you referring to the `backup plan' system?

      Should be pretty easy to fix -- if you find that the patch breaks, just install the old RPM, .deb, .tgz or whatever you use for package management.

      /* Steinar */

      --
      (This comment is of course GPLed.)
  107. Re:I work enterprise - multiple patches are the pi by dustpuppy · · Score: 1
    Heh heh, regardless of whether you have one or multiple patches, applying them to WinNT is painful! :)

    I too have been in that situation. The GUI nirvana kinda falls down doesn't it when you have to push buttons a-l-l t-h-e t-i-m-e!! I sympathise with you.

    My post was more about comparing a single patch for Unix to multiple patches for unix.

  108. No they don't have a point by Jack+Hughes · · Score: 1
    If you think that "good" system administration is:

    1. Download a great big service pack
    2. Don't bother to read any release notes or even to think why you might be applying the fixes
    3. Install and reboot your server
    4. Place a Big Fat Tick (Check?) mark by the "I've installed the Service Pack on this server" item on your job sheet
    5. Repeat for another n servers

    Then they might have a point.

    If you think that good system administration involves: Understanding your system; Understanding the problem; Understanding the solution, then of course you don't want to blindly install hundreds of megabytes of new code...

    It really is a question of mindset. Given a handful of servers it is far easier to do

    ftp some site
    cd update directory
    mget *.rpm
    quit
    rpm -Uvh *.rpm

    And then telnet to another server and repeat the same. Without rebooting your machine.

    [That's if you really wanted to of course, and weren't that bothered in working out what the impact of each RPM is].

    1. Re:No they don't have a point by Jack+Hughes · · Score: 1
      One of the strengths of UNIX is the availability of various scripting languages/facilities which can be used to automate things - a System Administrator would probably not type in the RPM command on all 2000 machines, but would automate it.

      Some keywords to help you: "perl", "cron", "bash", "at", "expect", "init".

      Try searching for these either using the web or the "man" command.

    2. Re:No they don't have a point by sparks · · Score: 1

      > Riiight, and if you had 200 or 2000 servers,
      > the rpm solution would be *sooo* good.

      The RPM solution would be ideal for 2000 servers. Even if you did have to do them all manually (which you wouldn't unless you were clueless), it would still be faster to issue a wildcard rpm command and walk away than to install SP5 and reboot.

      Any half competent Linux systems administrator could trivially set up an automated system to roll out patches to any number of connected servers. There are lots of ways you could do it, using cron and either scp, ftp or nfs depending on how paranoid you are.

      Sure, you'd have to install a script on each machine and set up a cron job - once. From then on you'd just place the relevant rpms in a nominated directory and go home. At 3am, or whenever, each of your systems has a look in that directory to see if there's anything there which updates its installed software, and upgrades using it if so.

      Can you get that degree of functionality with NT?
      You could install PERL and cron on an NT box and get the scripting working - that would be the easy bit. But Microsoft just don't provide patches in a useful enough manner. Even if they did, how would a particular machine decide whether or not it needed to install a particular patch? Trivial with RPM. All but impossible with NT. Not to mention the need to reboot after installing each one.

      ZD (and for that matter Microsoft) just don't understand the art of systems administration. Someone who stays at work all night doing point, click, reboot, point, click, reboot several hundred times over to upgrade his machines is not a good sysadmin. Someone who types a few commands then goes home at 5pm, confident in the knowledge that by 9am the next day, the systems will all have upgraded themselves - that is a good sysadmin.
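
The drop-directory scheme sparks describes above (each server checks a nominated directory at 3am and upgrades only what it already has installed), Oestergaard's rpm --freshen approach in comment 96, and the backout record dustpuppy's change-management process calls for, put together as one added shell example. This is not code from any poster; the directory, log and crontab paths are assumptions, the rpm invocations are real rpm options, and the package file names in the test are constructed samples.

```shell
#!/bin/sh
# Added example, not from any post in this thread: a nightly "drop directory"
# updater. The admin copies vendor .rpm files into DROPDIR; each server's cron
# job applies only the ones whose package it already has (freshen semantics),
# and records the versions it is replacing so the change can be backed out.
# DROPDIR, LOGDIR and the crontab path are assumptions.
DROPDIR=${DROPDIR:-/var/spool/updates}
LOGDIR=${LOGDIR:-/var/log/updates}
RPM=${RPM:-rpm}

# pkg_name_from_file FILE: name-version-release.arch.rpm -> name
# Package names may themselves contain '-', so strip the last two dash fields
# (release, version), never the first ones.
pkg_name_from_file() {
    basename "$1" | sed -e 's/\.[^.]*\.rpm$//' -e 's/-[^-]*-[^-]*$//'
}

# select_updates INSTALLED FILE...: print the candidate files this host
# actually needs, i.e. those whose package is already installed. A drop file
# for software the host does not run is ignored, never pulled in.
# INSTALLED holds "name version-release" lines, one per installed package.
# Exact name comparison: a "bind" install does not claim "bind-utils" updates.
select_updates() {
    installed=$1
    shift
    for f in "$@"; do
        name=$(pkg_name_from_file "$f")
        if awk -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$installed"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# apply_updates: what cron runs. The versions about to be replaced go to a
# dated backout file first, so "reinstall the previous RPM" is a documented
# step: rpm -Uvh --oldpackage <previous.rpm>, assuming the old files are kept.
apply_updates() {
    stamp=$(date +%Y%m%d-%H%M%S)
    installed=$(mktemp) || return 1
    "$RPM" -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}\n' > "$installed"
    # Paths under DROPDIR are assumed to contain no whitespace.
    set -- $(select_updates "$installed" "$DROPDIR"/*.rpm)
    if [ $# -eq 0 ]; then
        echo "$stamp: nothing to apply" >> "$LOGDIR/apply.log"
        rm -f "$installed"
        return 0
    fi
    for f in "$@"; do
        awk -v n="$(pkg_name_from_file "$f")" '$1 == n' "$installed"
    done > "$LOGDIR/backout.$stamp"
    if "$RPM" -Fvh "$@" >> "$LOGDIR/apply.log" 2>&1; then
        echo "$stamp: applied $*" >> "$LOGDIR/apply.log"
    else
        echo "$stamp: FAILED, previous versions listed in backout.$stamp" >> "$LOGDIR/apply.log"
    fi
    rm -f "$installed"
}

# crontab entry on every server (3am, outside the business-hours window):
#   0 3 * * * /usr/local/sbin/nightly-update run
if [ "${1:-}" = "run" ]; then
    apply_updates
fi
```

The per-host decision lives in select_updates; rpm -F would make the same choice on its own, but doing it in the script first is what lets the backout file be written before anything changes, and it keeps the host from installing software it never ran just because a file landed in the drop directory.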

    3. Re:No they don't have a point by Dionysus · · Score: 1

      Riiight, and if you had 200 or 2000 servers, the rpm solution would be *sooo* good. That's why the sysadmin gets paid those big money, right? Staying up all night, doing rpm -Uvh *rpm.

      nobody puts a new service pack on a production system. They test it out on a single non-essential server first, and then carefully roll it out.

      I do think zdnet is wrong, though. Security patches (especially on firewalls, webservers etc... anything that can compromise the internal security of the company) will be applied. Other problems, unless they impact productivity, won't get patched until a service pack comes out and is tested.

      --
      Je ne parle pas francais.
  109. Re:They do have five points ;) by Jack+Hughes · · Score: 1
    Mmm.. You're missing something here when you say "..instead of having to track down 21 security fixes from different sources, which in some cases might require recompiling. That requires more work and a knowledgeable systems administrator."

    ZD were testing RedHat Linux. This is a distribution. This means that it is put together by (the evidence suggests) some knowledgeable people. So you DO have one trusted source, and one set of files. This is why it is worth paying RedHat for their distribution - because it relieves you of the burden (but not the responsibility) for continually monitoring and updating your system.

    It is far, far, far easier to maintain a few RH systems (especially remotely) than it is the same number of NT servers.

  110. Cool............... by Synflex · · Score: 1

    I suppose now we can have all the time in the world to compile _one large sweeping-in-scope fix_ while risking security breaches huh? Let's see..... RH6, then a few months later RH6 SR1? then SR2? Perhaps that's what 'enterprise business' needs. It's always fine for us ;P

  111. come on by arielb · · Score: 1

    ok this makes me sick. If you are really interested in security then you better not be hiring Mr. point and click. This is serious business and if some IT thinks he can simply install a service pack and poof! security! then he should be fired. Don't you think?

    --
    ---
    1. Re:come on by PigleT · · Score: 1

      Well said!
      Security, like firewalls, is not something that comes in a big box to be applied en-lump.
      (Firewalls: which do you want, an ipchains that lets 110/tcp through as filtered regardless of setting (beats me!) or which advertises what sort of firewall it is when you telnet into it??)

      Anyone here been to sunsolve recently? I mean, I diff'd someone else's solaris 2.6 box against one of ours, and found a meagre 98 patches different... it's not as though "Real OSs" don't have individual patches to apply...

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  112. Debian has had this for ages... by Sesse · · Score: 1

    Not wanting to start a distribution war here, I should perhaps notice that Debian has had automatic update for ages. Run dselect, choose `update' and everything (including downloading, installing and configuring) is done automatically for you, at the spot.

    If you do a net install, you get the right packages right away, of course.

    Since I know close to nothing about RH, I shouldn't say that RH _hasn't_ had a similar system, but from the comments I've been reading in this article, it certainly sounds that way.

    /* Steinar */

    --
    (This comment is of course GPLed.)
  113. Windows Update a great concept? by Sesse · · Score: 1

    Perhaps, but at least not new. (Try Debian with dselect.) What's worse, you have to make LOTS of scans, and click around a lot. At least with dselect, you know what's happening...

    /* Steinar */

    --
    (This comment is of course GPLed.)
  114. DHTML/XML by Sesse · · Score: 1

    XML being a key feature??

    I think that Microsoft should get real support for the base standards (their HTML-generation makes BAD HTML, and their CSS1 support is far from complete) before they go on to `supporting' more or less new standards (like XML, or XSL which is experimental ATM).

    If you want Netscape with `proper' DHTML (which Microsoft invented), try Mozilla/Raptor, which supports DOM level 1, 99% CSS1 and well over 50% CSS2.

    And your second argument sounds a bit funny to me: Java was too secure, so they made ActiveX instead! Go, go! (If `Java wasn't enough', they could easily have extended it with a few classes. But I guess they don't have HD space for any new classes anymore...)

    /* Steinar */

    --
    (This comment is of course GPLed.)
  115. Re:Small, isolated patches better by Sesse · · Score: 1

    >Of course new users are still left to install all 21.

    Why?

    Just install off the 'Net, and if your distribution can do it (at least dpkg/dselect can do it), then the older packages will never be downloaded at all -- security right away.

    If you install from CD, of course, you will have to do a network update. That's approx 10-15 keypresses, for setting up the servers and hitting Update.

    /* Steinar */

    --
    (This comment is of course GPLed.)
  116. Re:and that makes nt better how? by Sesse · · Score: 1

    >On the other hand, Linux has so many services started by default that it is a nightmare.

    That is a common SuSE/Red Hat problem. Most other distributions (at least not Debian and Slackware) have this problem.

    /* Steinar */

    --
    (This comment is of course GPLed.)
  117. Re:Do they have a point? by myconid · · Score: 1

    And what if I only run one of the programs that there is a security fix for? I have to download the entire group of updates, which would be rather large in comparison just because I don't use the remaining 20 applications?
    Stan "Myconid" Brinkerhoff

    --

    SB.
  118. I don't think so. by LongShip · · Score: 1
    ZDNet Labs deliberately chose to ignore the 21 security flaws that would most likely be used by any cracker to crack the Linux box. ZDNet's Chowdhry's claim that this was because IT managers prefer monolithic patches where the administrator has no hope of tracking individual changes is a ridiculous equivocation. This same argument didn't stop them from applying the service release 5 patches to the NT setup.

    The lesson to be learned here is that ZDNet Labs has violated the public trust. Somebody's head should roll.

  119. yes and no... by lucid · · Score: 1

    i think they have something of a point, but not really. sure, people would love to install 1 patch instead of 21. however, i think any company with a clue is going to want 21 patches installed if thats the way the patches come. saying anything else is like saying they don't want their box to be secure. which is interesting, especially in light of ZDnet's admission. aren't they kinda saying they wanted the PR from the "contest", but they didn't really feel like securing the linux box?

  120. Re:ZDNet's credibility by Juniper · · Score: 1
    "I would like to claim that /. (or at least certain editors) lost a lot more."

    A lot more WHAT? Credibility? I don't think so: it said right in the synopsis that "It's a hoax, folks."

    If not credibility, then what did /. lose?

  121. Even if they do have a point... by Michel · · Score: 1
    Well, even if it were true that people wouldn't want to apply 21 different patches (Whoever said that sysadminning was supposed to be easy?), if you're going to run a security test you still have to apply ALL the patches available (if they make sense, that is).

    Otherwise I could just go out and say that lots of people are stupid and will execute unknown binaries on their NT boxen, and you can assume that BO2000 will be installed. Hey look, insecure NT box!

    I don't need to tell you that this gets silly really fast...

  122. No, they don't have a point by Critter · · Score: 1

    Red Hat could make it even easier by placing security fixes in one place. However, let's put this in perspective:

    First, Microsoft service packs are several in number and are usually applied in turn. So, even on that platform there is not ONE patch. For the testing team's manager to decide that five service packs is ok, but twenty rpms is too many shows an unprofessional attitude.

    Second, the security of a system could be compromised by any application listening to a port. On the Microsoft platform this is more likely to include individually distributed proprietary applications; each of which would maintain their own security patches.

  123. Re:How hard is this? by elflord · · Score: 1
    rpm -Uvh *rpm
    Now really how hard is that?

    Well, it's easy enough, but it's wrong. This will possibly install a bunch of packages that you

    • don't have installed, and
    • would rather not have installed (i.e. daemons).
    If you're going to trash ZDNet, at least do it right.

    To make sure you only update packages and don't install anything new, you need rpm -F
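
An added example (not code from the thread) that makes the "freshen only what is installed" selection explicit and reviewable instead of relying on a bare rpm -Uvh *rpm: function names, the DRYRUN switch and the sample package filenames are all constructed for this illustration; the installed-package list would come from rpm -qa on a real box.

```shell
#!/bin/sh
# Added example, not from the thread. rpm -Uvh *.rpm would also install
# packages the box never had (new daemons included); rpm -F only touches
# what is already installed. This makes that selection visible so it can
# be reviewed before anything runs on a server. Assumed layout: update
# filenames on stdin, installed-package list in a file (one name per line).

# Print the package name of an RPM file named name-version-release.arch.rpm.
# Package names may contain dashes themselves, so fields are stripped
# from the right: .rpm, then .arch, then release, then version.
rpm_pkg_name() {
    f=${1##*/}      # basename
    f=${f%.rpm}     # drop .rpm
    f=${f%.*}       # drop .arch
    f=${f%-*}       # drop release
    f=${f%-*}       # drop version
    printf '%s\n' "$f"
}

# Read candidate RPM filenames from stdin, one per line, and print only
# those whose package is listed in $1, the installed-package list.
# On a real box that list would be produced (separately, not here) with
#   rpm -qa --queryformat '%{NAME}\n' > installed.txt
select_freshen() {
    installed=$1
    while IFS= read -r rpmfile; do
        [ -n "$rpmfile" ] || continue
        name=$(rpm_pkg_name "$rpmfile")
        if grep -qx -- "$name" "$installed"; then
            printf '%s\n' "$rpmfile"
        fi
    done
}

# Check each selected package's signature before freshening it.
# DRYRUN=1 (the default, a constructed switch) only prints the commands,
# so the script can be read and tested on a box without rpm.
apply_updates() {
    while IFS= read -r rpmfile; do
        if [ "${DRYRUN:-1}" = 1 ]; then
            printf 'would run: rpm --checksig %s && rpm -Fvh %s\n' "$rpmfile" "$rpmfile"
        else
            rpm --checksig "$rpmfile" && rpm -Fvh "$rpmfile" || return 1
        fi
    done
}

# Constructed sample data (not real errata): five update RPMs in the
# mirror, but the box only has bash, XFree86-libs and vixie-cron
# installed, so bind and wu-ftpd must not be pulled in.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' bash XFree86-libs vixie-cron > "$tmp/installed"
    printf '%s\n' \
        bash-2.0-1.i386.rpm \
        bind-8.2-1.i386.rpm \
        XFree86-libs-3.3-2.i386.rpm \
        vixie-cron-3.0-4.i386.rpm \
        wu-ftpd-2.5-1.i386.rpm \
        | select_freshen "$tmp/installed"
    rm -rf "$tmp"
}

demo | apply_updates
```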

  124. Most of you are wrong, they *do* have a point by whitroth · · Score: 1

    Lessee, most places I've worked, and that ranges from county gov't, to small co's, to huge co's, to city gov'ts, *INSIST* on testing, and being as sure as possible that the latest "fix" doesn't break something else.

    Anyone want to argue that there are times when it does?

    Fixes, where I work now, would *have* to be scheduled a week or two in advance...AT LEAST.

    And then there's the problem of large shops. Someone said they worked in a large shop, w/ 200 machines. I have a close friend who works for Walgreens, with something like three thousand UNIX boxen. Anyone who's arguing that each should be applied as soon as they come out, individually, want to discuss what would be involved with 21 patches to 3000 boxes, running 24x7, over remote links?

    Emergency fixes, like that on the ping-of-death, are one thing. Smaller fixes should be bundled, and come out a *lot* less frequently. Hell, when I come home, if I want to read my email, or whatever, I don't want to have to spend time, when I could be making dinner, or whatever, putting in the patch-of-the-day.

    On the other hand, a regularly scheduled patch-level maintenance would be a Good Idea, if managers could be made to swallow it.

    mark

  125. IIRC Microsoft "experts" helped with the NT system by Barbarian · · Score: 1

    I believe that they said that Microsoft assisted them in setting up the NT system.

    "Community resources" assisted them with the LINUX system.

    In any event, not installing the fixes is incompetence.

  126. Enterprise Computing. by malkavian · · Score: 1

    Heh..
    You know, I've not heard such a good joke in a while...
    I work at the level they say that "You wouldn't want to install 21 separate patches"..
    Wrong. The brief is "Make it secure". If that means 21 patches, so be it. If it means 100 patches, then so be it. But, make it as secure as you can.
    Now, how easy is it to NFS mount a partition with the patches on, and an automated script to run the RPMs??
    Now, how easy would it be to install the said same service packs on the same number of NT boxes??
    Hmmm.. In the real world, 21 patches to 1000 UNIX boxes is orders of magnitude faster than 1 patch to 1000 NT boxes.
    And if you can't do the above NFS mount and scripting, YOU SHOULDN'T BE IN ENTERPRISE COMPUTING!
    I could rant a lot more, but I think everyone knows what I mean, and I have work to get on with..
    Just my tuppence worth,

    Malk
    (Who has applied a lot more patches than that to his very-strategically-important-to-a-large-company Red Hat 5.2 box)

  127. 21 patches vs 21 service packs? by /dev/kev · · Score: 1

    Somehow I get the feeling that they would bother to install 21 NT service packs if Microsoft had that many of them (don't laugh), and they wouldn't even think it strange.

    And let's not forget the 21 consecutive reboots that would require, plus how long it would take to download all 21 x ~ 50Mb of them... :)

    --
    Quidquid latine dictum sit, altum viditur.
  128. Re:ZDNet Car Security Contest: You forgot... by AviN · · Score: 1

    ... and it won't crash.

  129. Automatic updates are a Bad Thing(tm) by RobM · · Score: 1

    You type 'rpm --freshen' and the next thing that happens is that you lose your PostgreSQL Database, since version 6.n data files are NOT compatible with version 6.n+1. And this is just an example.

    Never use automatic updates on production machines: even if RedHat (or Debian or SuSE or [put your favorite distribution name here]) use maximum attention creating packages and package rules, you can't be guaranteed that all will work everywhere. And if you need a demo, read what happens with NT and their monolithic service packs: in SP1, it was 'dir A:' -> machine resets... ;-)

    Bye,
    Rob!

    --
    AniToolBox! An Open Source animation program!
    1. Re:Automatic updates are a Bad Thing(tm) by RobM · · Score: 1

      It was not a security patch, but the standard upgrade that RedHat 6.0 installer does on a 5.2, after you select to update an old version.
      The right thing to do for the installer was to NOT upgrade the Postgres, and maybe signal the necessity for a manual backup/upgrade/restore.

      Bye,
      Rob!

      --
      AniToolBox! An Open Source animation program!
    2. Re:Automatic updates are a Bad Thing(tm) by RobM · · Score: 1

      Yes, as I said in my previous reply, it was the standard update from 5.2 to 6.0, and OBVIOUSLY it was NOT on a production machine, but on a test one that thank goodness had a test PG database on it, so that I could spot the problem.

      Back to security fixes: when you (RedHat) discover a security breach in a package, you are in a hurry to fix it, so the likeliness of a misconfigured update is high: they sure do their tests, but error is always possible ;-)

      Then your option is to wait for the security fix to be tested by someone else, or by yourself on a production machine. Not an option if you are a 'target' site for whatever reason, but that's the same thing that happens with NT: I usually install a SP at least a month later, unless it fixes a really important (and usually stupid ;) secbug.

      Bye,
      Rob!

      --
      AniToolBox! An Open Source animation program!
    3. Re:Automatic updates are a Bad Thing(tm) by tialaramex · · Score: 1

      Nah, RedHat are pretty conservative about security fixes
      (If you update just because stuff is new, go play with potato and DON'T DO IT ON YOUR PRODUCTION MACHINE)

      An RH security fix usually just bumps the patch revision, and therefore doesn't cause any damage
      Upgrades from say 5.x to 6.x should be approached with rather more caution (still much better than a re-install IMHO)

  130. 21 Updates is a Royal Pain in the Ass. by Mike+Buddha · · Score: 1

    They're right. 21 updates is too inconvenient. This is an issue that should be addressed with more than simple anti-MS rhetoric.

    What's keeping Linux down at this point, is lack of user-friendliness. I don't advocate making it a useless, pablum, MacOS-like OS, but a little more concentration on the end user is going to go a long way at this point.

    People ARE sick of MS, but they are not going to give up ALL of the creature comforts that they have acquired. This "Unified Patch Distribution" idea seems a simple enough idea that it could be facilitated, quite easily, in fact. Some RPMs, an install script, &c.

    --
    by Mike Buddha -- Someday the mountain might get him, but the law never will.
  131. So if MS waited another week... by PsychoSpunk · · Score: 1

    Alright, we all know about the security problems that have plagued hotmail since MS bought it out and put it on NT, right?

    Well, the way I see it, they should have just waited to apply "one large, single fix" to their problems rather than patching it here and there.

    They probably could have actually avoided some of the problems they had when their software patches caused more problems. Every software engineer knows a patch causes as many problems as it solves.

    I guess that enterprise solutions don't have an MIS dept, and that their work isn't that critical.

    Of course, then again ZDNet could have just dropped the ball (as usual) and tried to cover their asses by saying that people don't want to apply 21 separate patches. Any mission critical box generally has a sysadmin whose carcass would be flung out into the street if they didn't want to apply 21 separate patches to fix security.

    --
    ALL HAIL BRAK!!!
  132. Parity? How about Accuracy! by Lumpy · · Score: 1

    NT doesn't have only 3-5 service updates! There are over 30 that I have to install on every machine here! NT, IE, Outlook, Word.... every single MS app has about 3-5 patches that need to be applied... Linux needing 21? That's a joke... each app needs 1 or more applied. Let's get things into context people!
    Install Linux workstation - 2-4 hours
    Install NT workstation (Automated) - 4-6 hours
    Patch the thing - Linux 20 minutes, NT - 3 hours!!!!

    --
    Do not look at laser with remaining good eye.
  133. Re:No they don't have a point -YES by Lumpy · · Score: 1

    Ummm have you talked to a MCSE? yes that is the scope of their abilities... download, click setup... drool.... un-jam a printer, drink coffee, download next patch, click drool.... oops, that was setup!

    --
    Do not look at laser with remaining good eye.
  134. Re:I work enterprise - multiple patches are the pi by Dionysus · · Score: 1

    I don't know. With enterprise, wouldn't you have something like Tivoli or some other enterprise management package installed? Just set up a timer to do the update at 3 am for all the systems that need the update.

    Granted Linux, at this point, doesn't have *any* enterprise management packages (although IBM demonstrated TME on Linux at LinuxWorld).

    --
    Je ne parle pas francais.
  135. Windows NT needs 50..3000 security changes. by wtanaka · · Score: 1
    From: crypto-gram

    Many people asked me about my comment last issue about Windows NT needing over 300 security changes to make it secure. I queried the Usenet newsgroup comp.os.ms-windows.nt.admin.security asking if it was folklore or truth, and got several answers. The consensus seemed to be that the number was somewhere between 50 and 3000, and 300 wasn't an unreasonable estimate. A good checklist is available here: http://people.hp.se/stnor/ And see also: http://www.trustedsystems.com/NSAGuide.htm

  136. Re:I work enterprise - multiple patches are the pi by JamesKPolk · · Score: 1

    How would such scripting be possible? Perhaps I should have been more specific, and said "possible with the documented tools that come packaged with the operating system."

  137. Re:I work enterprise - multiple patches are the pi by JamesKPolk · · Score: 1

    I always thought that one basic qualification of a sysadmin was the ability to write scripts!

    It wouldn't be hard to write a script to apply 21 rpm patches...

    By comparison, it wouldn't even be possible to hack out a quick shell script to install the latest service pack, plus 2 or 3 of the hotfixes microsoft has available.

  138. Service Packs? by kevlar · · Score: 1

    Should Linux have Service Packs?
    Absolutely. That's a great idea. However with RedHat they're called RPM's and are smaller (maybe someone can think of a way of bundling all of the errata updates together).

    Does this EXCUSE PC Week for blatantly being biased against Linux in their "Professional" testing?
    Absolutely not. Not only would installing the latest SP from MS _NOT_ fix every vulnerability in NT, but the mere fact that they installed it for the sake of security, and installed nothing for Linux makes this test look outright fraudulent.

    I wonder if you can sue for that? Defamation of Linux?

  139. Re:FreeBSD cvsup by theJeff · · Score: 1

    Do you have to do the whole make world seven hour process for any update? Or is there an easy semi-automatic way to just rebuild and restart the services that were patched? Obviously a kernel patch would need a reboot, but why reboot for other updates?
    I think these questions are probably why binary updates are popular. Using Debian's apt-get I download updates weekly and spend about 5 minutes watching them install. (Could automate it, but I like to see what I'm going to change.) No reboot needed, all services are restarted etc.
    The only advantage I see to the make world approach is that everything can be built optimized for your system. But for most applications that isn't really significant.
    Where's the advantage?

    thejeff

  140. Re:I like the WindowsUpdate idea by cdegroot · · Score: 1
    Cool. It essentially means you're forced to run MSIE with Administrator rights, the equivalent of which (running Netscape as root) I'd never dream of under Unix. Basically, my strategy is to mirror the FTP update site of my favorite-Linux-vendor-of-the-day (SuSE at the moment) and only become root to install the rpm's after I have verified what the rpm patches, what the impact could be, and why I would want to apply the patch in the first place. No vendor can make that decision for me, what's critical to one user is totally unimportant to another one.

    And, as others have said, security of a system comes down to the competence of the people administrating it. However, Microsoft is doing such an optimal job of shielding information from the average user that it takes above-average competence just to get the information needed to make informed decisions (applying an SP, IMNSHO, is not making an informed decision).

  141. Both many small and one big fix is possible by Helge+Hafting · · Score: 1

    While I'd agree that most CIOs would prefer a single opaque fix-pack every six months, I'm betting that most of the people who actually do the work would prefer to get a fix this afternoon for a problem discovered this morning

    Both is possible. The guy who takes care of the linux boxes from day to day may install fixes as soon as they get available.

    Those who want a single fixpack (perhaps because they are going to install 50 machines, with the latest fixes applied) can use a "fixpack" consisting of all the small fixes and a script that goes
    rpm -i firstfix
    rpm -i secondfix
    ...
    The various distributors should keep a "fixpack" like that for the benefit of new installs, as well as those who don't follow development closely.

  142. Re: NT service packs vs Linux patches by Mojojojo · · Score: 1

    I read on CNN about 2 days ago that there are over 300 things that you would have to do to a vanilla NT server out of the box to make it secure. 21 fixes isn't much at all. Besides, people running Linux for the most part understand more about their systems and sysadmins should be up to speed on these application patches anyway. That's BS that they failed to secure the server, then said, "Well, no one in the real world applies patches."

  143. There's something of a decent point here... by Cyric · · Score: 1

    I think it is reasonable to assume many companies won't add every fix to their servers. It's much easier to download one 100+Mb patch and apply it than it is to apply the dozens of fixes individually.

    Instead of bitching and bickering about the unfairness of it all, I'd bet that if someone took the 21 patches and put them into one service pack ZDNet would re-do the tests. If not, they're caught in a bold-faced lie.

    Keep in mind, if someone starts making service packs available, it's got to be consistent. If 40 different service packs are flying around, no administrator is going to sort through them figuring out which one is the newest (at least, not in ZD's world).

    --
    Winners tell stories while losers yell deal.
  144. Reboot? by orcrist · · Score: 1

    Huh? Have you ever applied an NT service pack ? Just click on the .exe, reboot, and that's it.

    Figures a Microsoft proponent doesn't consider rebooting a server to be a difficulty...

    --
    San Francisco values: compassion, tolerance, respect, intelligence
    1. Re:Reboot? by mpe · · Score: 1

      Figures a Microsoft proponent doesn't consider rebooting a server to be a difficulty...

      Or that the thing is so unreliable that rebooting it isn't an issue.

  145. Re:My Opinion by orcrist · · Score: 1

    AC wrote:
    But add another gap: when RedHat servers will be cracked, you're going to have "trojan" updates. Remember even freebsd.org source repository was once compromised.

    ignoring (or overseeing) that

    aqua wrote (in part):
    ...it's a nifty little app that picks up the updates from FTP, NFS mount, etc., checks the PGP signatures ...

    Chris

    --
    San Francisco values: compassion, tolerance, respect, intelligence
  146. Re:I like the WindowsUpdate idea by sharkey · · Score: 1

    Of course, that assumes MS actually posts ALL the available updates/patches/etc. Did anyone else notice that the fix for their latest JVM security hole didn't show on Windows update for more than 2 weeks after MS published the security bulletin about it?

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  147. "Unbiased" reporting? (Rated R for language) by Chip+Stillmore · · Score: 1

    After reading anything on ZDNet, it's obvious to me that the company is extremely biased towards Microsoft. This ZDNet SNAFU* is just another example of their unbiased approach towards information dissemination.


    *SNAFU - situation normal all fucked up

    1. Re:"Unbiased" reporting? (Rated R for language) by Chip+Stillmore · · Score: 1

      Of course, in the above, when I say "unbiased", I'm being sarcastic.

      I forgot to make that clear.

  148. Re:Parity by Tenareth · · Score: 1

    Huh? Have you ever applied an NT service pack ? Just click on the .exe, reboot, and that's it.

    Three things:

    1. If I am fixing a bug in the crond, why would I have to reboot, I just restart the service. Much more useful in "real-world" scenario.

    2. I have seen on several occasions, that after the reboot, it either doesn't boot, or there are a whole slew of new problems (SP2 anyone?).

    3. If you want to keep NT secure, you have to apply the HOT-FIXES. There are just as many of those, if not more, than RPMs.


    -- Keith Moore

    --
    This sig is the express property of someone.
  149. This is pathetic by platypus · · Score: 1
    They seem not to have any more advanced experience with nt server, too.
    For a laugh, go to Sequences for Installing and Configuring Server Applications Running on Windows NT Server 4.0.
    Ask yourself: What do I have to do if I want to install more than one of the packages? And you know, one failure and you are fscked.
    And while talking about "enterprises" and the packages they don't want to install, here's a very nice one: Installing MS-Site Server 3.0.
    A summary, look at the original, you will fall from your chair, because there are more trapdoors than a suse-distro has packages. And remember, for every point you see above there's an average of one reboot (my guesstimate).
    First a bunch of pre-installation tips in the form of do not install ms-software xy version a.bcd together with mss 3.0, otherwise you're screwed, and then this:
    1. Install Windows NT-Server 4.0
    2. Install Microsoft Windows NT 4.0 Service Pack 3.
    3. Install Microsoft Internet Explorer 4.01 Service Pack 2 using the Standard installation.
    4. Install the Microsoft Windows NT 4.0 Option Pack.
    5. Install Index Server, Windows Scripting Host, and under the IIS options, install the SMTP server.
    6. Install the updated FrontPage 98 Server Extensions, version 3.0.2.1706.
    7. Install Microsoft Windows NT 4.0 Service Pack
    8. Install Microsoft Internet Explorer 5.0. For this configuration, Internet Explorer 5.0 is required.
    9. Install Microsoft SQL Server 7.0.
    10. Install SQL Server 7.0 Service Pack 1. Q232570. [...] Installing SQL 7.0 SP1 can take up to 30 minutes, which does not include the time it takes to download the service pack.
    11. Configure the SQL Server client default Network Library to Named Pipes.
    12. Verify that the MSDTC service is started and that MSDTC is configured to start automatically.
    13. Configure database connectivity.
    14. Install Site Server 3.0.
    15. (Optional) Install Commerce Server.
    16. (Optional) Install Visual Studio 6.0 or Visual Studio 97.[...]
      If you installed Visual Studio, apply Visual Studio 97 Service Pack 3 or Visual Studio 6.0 Service Pack 3 appropriately.
    17. Install Site Server 3.0 Service Pack 2.
    18. (Optional) Install Commerce Interchange Pipeline Manager (CIPM) for Site Server 3.0, Commerce Edition.
    19. Install MDAC version 2.1.2.4202.3, which is also known as MDAC 2.1 SP2.
    20. Install ADSI 2.5.
    21. Install Microsoft Windows NT 4.0 Service Pack 5.


    After that there follow 8 "post-installation instructions, i.e. bugfixes and workarounds".
  150. Re:Yes they have a point by kvajk · · Score: 1


    If a user does "mget *" and then "rpm --freshen *" they're going to get into trouble with the kernel updates.

    Sure, Linux is more secure than NT. But you're wearing blinders if you think that updating a Linux box is easy enough and shouldn't be improved.

    It's easy for me, a Linux geek, to keep my single home PC up to date. But I don't typically bother with the Linux PCs at work, because it's too much trouble. I see this as a problem, and I'm not the only one.

  151. Kinda...but.. by Rolan · · Score: 1

    They do kinda have a point. It would be great to be able to update everything that has a security problem in one sweep, but it might not be practical for linux, since not everything has to be installed (like NT).

    As an after thought. Don't you have to apply 21 fixes to NT just to get it to run?!

    --
    - AMW
  152. Re:Small, isolated patches better by Zoinks · · Score: 1

    Over 5 years ago I was de-facto sysadmin for an IBM RS-6000. There was a program on it which would do just what you're talking about. I was very impressed, because this was BTW (Before The Web). You clicked a button and it would download the bug fix database or whatever, and you could select pertinent fixes for your machine. Very slick. Should be even easier in this web-enabled day and age.

  153. My Opinion by maan · · Score: 1

    There's a big difference between an MS service pack and 21 rpms to update. On one side is a huge file that might install correctly, and might update your system, and on the other are 21 (usually) small files. It takes a rpm -Uvh * to update everything (hopefully, of course). Also, the service pack only takes care of the kernel, the user interface, and some miscellaneous stuff. On the linux side, however, you have a single file to update the kernel, and the rest are for shells, daemons, misc apps... So I would think that you need more updates on NT to update your other apps.

    And as for the complexity of the whole process, I think it's easier on linux. You usually end up with a mess after service packs, whereas updates on linux are cleaner, and actually perform their goal: they make the system more stable and more secure, and up to date.

    Finally: isn't there a new tool in RedHat 6.1 which updates rpms all by itself? That should make it easier (although I don't think I'd use it, I'd be worried of what it might do, especially on a server). And I believe there were other programs already available that do that...

    Maan

    1. Re:My Opinion by aqua · · Score: 2

      Yes, there is -- they're calling it the RedHat Update Agent, and its main job seems to be to perform RPM upgrades automatically as they become available. It's hardly new, and if ZDnet had done any research (they read the HOWTOs, and Apache's security docs, and ignored the rest), they might have found it. AutoRPM has been in common usage for quite a while now -- it's a nifty little app that picks up the updates from FTP, NFS mount, etc., checks the PGP signatures, and installs the upgrades, then notifies you that it happened so you can check its work. Closes the vulnerability gap a bit.

  154. Do they have a point? by Leper · · Score: 1

    No.
    Using the distribution of your Operating System as a crutch, regardless of the OS, is still wrong. It isn't enough to just keep your software up-to-date. 21 patches from Red Hat, or 5 service packs from Microsoft, neither one is replacement for knowing what the hell you're doing.

    But that's the way it always is, isn't it? Scads of people indignant about the superiority of their system but who can't be bothered by little details of how it all works. "Don't confuse me with the facts!"

  155. I suggest otherwise by jetpack · · Score: 1

    I like how I go to one website, and it automatically tells me what I do or do not have installed. Then I get presented with a list of new patches, arranged neatly into ranks like Critical, Highly Recommended, Fun and Games, even Beta Testing. I can even get told within minutes of a new critical patch being posted by installing Microsoft's Critical Update Notifier. Each patch included a description of the component involved so I can choose if it is right for that computer. Then, after checkmarking all the items I want, click a button to download and install the patches automatically.

    I suggest this is a Bad Thing, in general. I haven't used this service since I don't do NT. However, from the sounds of it, all this tells you is what you do and don't have, and what microsoft has to say about whatever the current patches are. It is not the case that you want to apply all patches merely because they are new. You need to know which ones work, which don't, which are buggy and which are stable.

    This is merely an excuse for lazy admins to think they are doing a good job by hitting the microsoft site every week or so, and fooling themselves into thinking that applying whatever patches are new makes their systems secure and stable.

    There is no substitute for knowledge. And convenience is definitely not a good substitute for knowing your way around your machines.

    1. Re:I suggest otherwise by fredm8 · · Score: 1

      My previous experience with Windows Updates for Win98 has been okay, however it would be nice if the update gave you a serious indication of what it would actually do, and a log to follow to figure out why the updates fail - when an update fails it is power off reboot, I'm glad it is only my notebook, not a server supporting hundreds of users.....

  156. Debian by guacamole · · Score: 1

    Doh, Debian GNU/Linux could update/upgrade itself for AGES. RedHat was the ZDnet's problem...

  157. Site Server by Robert+S+Gormley · · Score: 1
    Argh. SiteServer. Evil :)

    MS has a 19 point plan which is extremely pedantic in the install requirements:

    • Install Win NT 4.0 Standalone;
    • Install SP3;
    • Install IE4.01SP1 (not5, not 4.00);
    • Install Option Pack (but NOT FP Server extensions);
    • Install Server Extensions (WTF?);
    • Install SP4;
    • If you want, Install IE5;
    • Install SQL 7.0;
    • Install SQL-SP1;
    • Configure DTC;
    • Install MDAC 2.1.3711.11 (!?!);
    • Build SiteServer Databases;
    • Install SiteServer;
    • Install SiteServer SP2;
    • Install ADSI 2.5;
    • Install SP5;
    • Install FrontPage.
    What was that quote again? "The average administrator doesn't want to install [xxx] individual fixes"?

    That bastard took five hours to install on a Dual P-III, 256mb ram.

    --

    Open Source. Closed Minds. We are Slashdot.

  158. Re:ZDNet Car Security Contest: You forgot... by Le+douanier · · Score: 1


    You forgot to mention that the NT car was furnished with a driver seat as default when the Linux car was furnished with ten different seats that you can install instead of the default seat, an autoradio with Tapes and CD's, lateral security, ABS, Airbag for everyone (but you can disable them), and plenty other stuff included in the default package.

    --
    "The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
  159. Re:Security Patches were not the problem! by Cannon · · Score: 1

    Actually, he used a combination of the CGI script(s) AND a known exploit with the cron package. It took both for him to get in. Applying the cron fix would have stopped this particular exploit.

  160. Who is "corporate IT", anyway? by mwood · · Score: 1

    Indeed, I think this points out a split that causes no end of confusion. While I'd agree that most CIOs would prefer a single opaque fix-pack every six months, I'm betting that most of the people who actually do the work would prefer to get a fix this afternoon for a problem discovered this morning, even if it does mean applying 21 piecemeal patches ASAP instead of one big one long after the problem has shut them down. I also think they'd prefer to know exactly what is being fixed. As one of the people who actually do the work, I know I would.

    1. Re:Who is "corporate IT", anyway? by aqua · · Score: 2
      True, most manager-people would probably prefer a single huge package that fixed everything. It'd be a misnomer, since huge fixes never fix everything (any more than lots of little fixes do, though those can achieve better granularity). But the people who do the work wouldn't need to apply 21 different updates, unless they were running all of the packages needing upgrades -- that's part of why upgrades published on a per-package basis works out well -- if you need to upgrade crond, the fix is about 500k and just fixes cron. If all you're running is crond, then 500k later it's fixed. A typical MS Service Pack is huge, and contains a ton of things which may or may not have needed replacing. Moreover, because the MS service packs are so wide-ranging, they require a greater quantity of more difficult testing to validate that it works. With an apache update, say, you know what to test.

      However, in deference to the long expertise of corporate IT managers, I hereby propose the following Industry Standard for Manageable Updates. Call it the RedHat Service Pack specification. I expect to see it hailed as a wonder of technological innovation and a great leap forward for the Linux community in providing security management:

      Packaging (this part is proprietary, you don't need to even see it. avert your eyes):

      ls *.rpm | sed 's/^/rpm -Uvh /' > UPDATE.sh
      chmod +x UPDATE.sh          # the installer below only runs it if it is executable
      tar cvf RH-SP3.TAR UPDATE.sh *.rpm

      Installing:

      #!/bin/sh
      # install_servicepack.sh <service-pack.tar>
      dir=/tmp/sp-$$              # scratch directory unique to this run
      mkdir "$dir"
      tar -C "$dir" -xf "$1"      # $1 is the tarball; $0 would be this script's own name
      cd "$dir"
      [ -x UPDATE.sh ] && ./UPDATE.sh

      I expect news of this great manageability innovation to be trumpeted throughout the tech news industry. It should be referenced in the sales pages for Maximum RPM, but may require a separate publication of its own to explain this great technology to the world, especially the technology press.
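
A worked version of the "tar of RPMs plus UPDATE.sh" idea from the post above, added here as an example; it is not code from the thread, from Red Hat or from any real package tool. The one thing a tarball of packages lacks is a way to notice that a package was swapped or corrupted between packaging and install, so this adds a SHA-256 manifest and refuses to extract members with absolute or `..` paths before the bundled installer is ever considered. All package names and payloads in `demo()` are constructed.

```python
"""Build and verify a tarball "service pack" of packages with an integrity manifest.

Added example, not code from the thread or from Red Hat: it follows the
tar-of-rpms idea but adds a SHA-256 manifest and member-path checks, so the
bundled UPDATE.sh is only run over files matching what the packager listed.
"""
import hashlib
import io
import os
import tarfile
import tempfile

MANIFEST = "MANIFEST.sha256"
INSTALLER = "UPDATE.sh"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_service_pack(pkg_dir, out_tar):
    """Bundle every *.rpm in pkg_dir with a manifest and an installer script."""
    rpms = sorted(n for n in os.listdir(pkg_dir) if n.endswith(".rpm"))
    manifest = "".join(f"{sha256_file(os.path.join(pkg_dir, n))}  {n}\n" for n in rpms)
    installer = "#!/bin/sh\nset -e\nrpm -Uvh " + " ".join(rpms) + "\n"
    with tarfile.open(out_tar, "w") as tar:
        for n in rpms:
            tar.add(os.path.join(pkg_dir, n), arcname=n)
        for name, text, mode in ((MANIFEST, manifest, 0o644), (INSTALLER, installer, 0o755)):
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return rpms


def parse_manifest(text):
    """'<hex digest>  <file name>' per line, the format sha256sum prints."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            entries[name.strip()] = digest
    return entries


def verify_service_pack(tar_path, dest):
    """Extract into dest and return verified package paths; raise ValueError otherwise."""
    with tarfile.open(tar_path, "r") as tar:
        for m in tar.getmembers():
            # Only plain files with relative, traversal-free names may be extracted
            if not m.isfile() or m.name.startswith("/") or ".." in m.name.split("/"):
                raise ValueError(f"unsafe member: {m.name}")
        tar.extractall(dest)
    with open(os.path.join(dest, MANIFEST)) as f:
        expected = parse_manifest(f.read())
    present = set(os.listdir(dest)) - {MANIFEST, INSTALLER}
    if present != set(expected):
        raise ValueError(f"manifest/content mismatch: {sorted(present ^ set(expected))}")
    for name, digest in expected.items():
        if sha256_file(os.path.join(dest, name)) != digest:
            raise ValueError(f"checksum mismatch for {name}")
    return [os.path.join(dest, n) for n in sorted(expected)]


def _rejected(tar_path, dest, reason):
    """True if verification fails and the failure message names the expected reason."""
    os.mkdir(dest)
    try:
        verify_service_pack(tar_path, dest)
        return False
    except ValueError as e:
        return reason in str(e)


def demo():
    """Constructed scenario: a good pack, a tampered pack and a traversal attempt."""
    names = ["crond-update.i386.rpm", "ftpd-update.i386.rpm", "lpd-update.i386.rpm"]
    results = {}
    with tempfile.TemporaryDirectory() as work:
        pkg_dir = os.path.join(work, "pkgs")
        os.mkdir(pkg_dir)
        for n in names:  # fake package payloads stand in for real RPM files
            with open(os.path.join(pkg_dir, n), "wb") as f:
                f.write(b"constructed payload for " + n.encode())
        pack = os.path.join(work, "RH-SSP1.tar")
        results["packaged"] = build_service_pack(pkg_dir, pack)
        good = os.path.join(work, "good")
        os.mkdir(good)
        results["verified"] = [os.path.basename(p) for p in verify_service_pack(pack, good)]
        # Tampered pack: one package changed after the manifest was written
        with open(os.path.join(good, names[2]), "ab") as f:
            f.write(b"extra bytes")
        tampered = os.path.join(work, "tampered.tar")
        with tarfile.open(tampered, "w") as tar:
            for n in os.listdir(good):
                tar.add(os.path.join(good, n), arcname=n)
        results["tampered_rejected"] = _rejected(tampered, os.path.join(work, "bad1"), "checksum")
        # Traversal pack: a member name that would escape the extraction directory
        traversal = os.path.join(work, "traversal.tar")
        with tarfile.open(traversal, "w") as tar:
            tar.add(os.path.join(pkg_dir, names[0]), arcname="../" + names[0])
        results["traversal_rejected"] = _rejected(traversal, os.path.join(work, "bad2"), "unsafe")
    return results
```

`verify_service_pack` returns the package paths rather than running the installer itself, so the caller decides whether to hand them to `rpm -Uvh` or to the bundled `UPDATE.sh`; the manifest only proves the files match what the packager listed, not that the packager was trustworthy, which is what a signature on the manifest would add.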

  161. Re:Small, isolated patches better by mwood · · Score: 1

    Yup, Digital Had It Then too. DSIN subscribers could get any patch with a few keypresses, and we got emails whenever critical fixes (security, innocent-looking-command-hangs-system) were released. VMSINSTAL SOME.PATCH applied 'em -- no muss, no fuss, no bother.

  162. Media tweaking by quux26 · · Score: 1

    Unfortunately, most people don't read slashdot. So we can hem and haw about ZDNet's inability to think logically, but someone is going to swear by it because they saw it there. The popular media can (and does) slide the most amazing bull[ ] under the radar.

    Do I even need to point out that most people use MS products to illustrate the power of disinformation? I swear, people have lost even the most cursory signs of skepticism.

    My .02
    Quux26

    --
    www.crashspace.net
  163. The Evil of Fixing Things :P by Chocodile · · Score: 1

    As we all know, it is an absolutely disgusting and vulgar thing to ever change anything. In fact, I am appalled that we are speaking in Modern English. How can we desert its root ("God, root, what is difference?" - Pitr), Old English? Why do we use computers instead of abacuses (abacii? whatever, I'm not going to fix it, since that would be worng)? One monumental fix should be issued at the End of the Universe. It would be so much more convenient for enterprise businesses...

    --
    -Chocodile "Thud on top, I ate the chocodile." -from "Disseminated" by Soul Coughing
    1. Re:The Evil of Fixing Things :P by reptilian · · Score: 1

      and if that fix were released by microsoft, it would be the cause of the end of the universe.

      --

      72656B636148206C72655020726568746F6E41207473754A

  164. Re:Red Hat fixes wouldn't have helped by nas · · Score: 1


    I'm sure Red Hat (or Debian or Bugtraq) would be happy to hear this information. Talk is cheap.

  165. Nothing new... by yorkie · · Score: 1

    This happened all the time to me in real life, in my Banyan days.

    I supported a number of networks for various customers. Most would not bother to apply patches, even when multiple packages were bundled together in one big fix, changing the version number at the same time.

    This applied to all forms of patches - security, performance, stability etc.

    Change control procedures had a lot to do with this, but the main reason was that sys-admins were lazy. In fact I was often sent out to apply upgrades/patches myself, even though the process was no more than sticking a floppy in a drive and running a single command, and possibly a system restart.

    Another issue was that a number of sites feared change, and wanted everything running the same version. This caused numerous problems supporting modern client architectures.

    There were even cases of patches not being applied when they were supplied in the box with new installations. There were at least two versions of the OS that customers were supposed to apply a critical patch to, and I saw both versions up and running in the field.

    Another problem is that some users insisted on running obsolete versions of the OS, even wanting to run this on new systems. It took a lot of effort to persuade management that there was no active maintenance on the code, and that finding current hardware that the software supported. One site even fitted ISA SCSI adapters to their PCI systems, instead of installing the latest version which supported the PCI card directly - the performance was dreadful!

    I see similar things now with other software. Everyone seems to think that as soon as something is running, it is installed correctly. No one bothers with either additional maintenance or system tuning. (Witness DMA on IDE drives under NT or Win95).

    It all springs down to one thing - most enterprise sysadmins (and their management) are lacking in the clue department.




  166. Re:No no no no no no! by yorkie · · Score: 1

    I had a bad experience this week.

    I had to install some SQL server drivers on one PC, to allow it to act as a Unicenter management console. The NT machine I had never used before, and had no idea what software was installed.

    The driver install kept hanging after copying the drivers in place. Eventually, after stopping almost every service, the install proceeded. I eventually discovered that the ODBC subsystem was being updated, yet there was one service currently running on the machine that used ODBC.

    Once all the software was installed, a CISCO management server on this box was no longer available. Hours of investigation revealed that my updates had allowed another web server process to start (it had previously been disabled), and the presence of this server was preventing the CISCO server from running.

    The major problem with NT is that it uses an antiquated shared library management system, one that hasn't changed since at least Windows 2.x. Only one library with any given name can be open at any one time, and the library can only be updated if no process has it open, otherwise a reboot is necessary. Executables are treated in exactly the same way. Compare other REAL operating systems, where running libraries and executables can be replaced - the old code is not open to new executable invocations, and is deleted when the last process mapped into it is closed. (Just don't try to update the running C library - big contention problems - this is why LDCONFIG is static)

  167. Re:I like the WindowsUpdate idea by odaiwai · · Score: 1

    While WindowsUpdate is ok for a win98 home machine, I'm not convinced it's the right thing for an NT server. (Does it even work on NT? It doesn't work on *this* NT box.)

    For a start, it only has patches from Microsoft and the vast bulk of those patches are for screensavers, and general entertainment.

    There are 'critical updates' and 'recommended updates' which are ok, but those patches are applied from the server. Some of these need reboots, some need downloading by themselves.

    In short, it's a good idea, but it's clunky and non-automatable.

    A cron job or autorpm (must try that) sounds much better.

    dave

    ps: does autorpm simulate the way you can update and recompile the entire system via CVS on a *BSD box?

  168. Re:BSD wins here. by knarf · · Score: 1

    Sure, cvsup is nice and all, but that central distribution philosophy can just as well be implemented using rpm or any other packaging system. And if you're using RedHat, it IS implemented. Instead of (cvsup ; make world) you use the appropriate rpm-magic which has been spelled out too many times already in this discussion, and ready you are. And if you'd rather compile your own stuff, just get the .src.rpm's, rpm --rebuild them and rpm -Uvh * the resulting binary packages.

    So, while different from BSD, most Linux (or GNU/Linux) distributions are just as likely to `win' here. And by the way, I did not remember that we started a contest on ease of installation, so how can BSD win? Winning is for Marketroids and wimps...

    Cheers//Frank

    --
    --frank[at]unternet.org
  169. 21, is that all? by bfife · · Score: 1

    21, is that all? join the NTBugTraq list and you'll hear about much more than 21 patches!!

  170. Re:ZDNet's credibility by Hobbex · · Score: 1


    I would like to claim that /. (or at least certain editors) lost a lot more.

    -
    /. is like a steer's horns, a point here, a point there and a lot of bull in between.

  171. So, does typical small IT apply all SPs? by WillAffleck · · Score: 1

    I've been called in to places where we had people running NT 3.51 with no patches. None. Nada. After 2+ years.

    So, what does that say? Should we insist that they use NT 4.0 (the original release)? Or else apply the patches to BOTH servers?

    Nah, that might be "realistic" ...

    --
    Will in Seattle
  172. Re:Update Ease by bifrost · · Score: 1

    Doesn't AutoRPM update and install and not tell you?

  173. Update Ease by bifrost · · Score: 1

    Linux needs to take a *big* point from the BSD's on updating. FreeBSD, OpenBSD and NetBSD have implemented the use of CVSup. It's a totally painless update process. I will admit that it won't be that simple for the Linux crowd because there are many many distributions that are totally separate from each other. It would be at least a start if RedHat started using CVSup to keep their security fixes available. Write a dinky lil script that CVSup's the latest stuff, then installs it, tells you to restart/whatever. For what it's worth it seems that the Linux community has focused more on installation rather than maintenance. But then again it's new, and the NT communities learned that a long time ago.

    1. Re:Update Ease by X-Nc · · Score: 2
      There's a utility out there somewhere called AutoRPM which does this and more, making the process of keeping your system updated completely transparent and automated.

      I do agree that the *BSD way is a very good one, though.

      --
      If I actually could spell I'd have spelled it right in the first place.
  174. Small Updates + Package Management = Bliss by SecretAsianMan · · Score: 1

    root@quark: apt-get update

    Wham, bam, thank you Debian.

    --

    Washington, DC: It's like Hollywood for ugly people.

    1. Re:Small Updates + Package Management = Bliss by SkunkPussy · · Score: 1

      methinks: apt-get upgrade


      frankie

      debian/rules

      --
      SURELY NOT!!!!!
  175. Maybe it's easier to apply only one big patch... by Manaz · · Score: 1

    ... but I wasn't aware that system administrators were hired to take the easy way out - especially when it comes to data security.

    If there are 21 known security issues, and patches are available to fix them, I can't see that *any* system administrator worth his salt, either in a small business or a huge enterprise business, would knowingly ignore this and just not install the relevant patches, simply because he thought it would be easier to wait for the next major upgrade. For ZDNet to suggest this is ludicrous - they obviously have NO idea about how things in the real world operate.

    This would be the same as saying a few years ago "Well, M$ just released Service Pack 3, but I'd rather just let NT run without any service packs or hot fixes, because Service Pack 5 can't be far away, and it'll fix more problems than Service Pack 3 and the hot fixes do together - I'll just leave my system insecure and prone to DoS attacks until then - in fact, I might just wait for NT5" (which we know isn't coming now, but when SP3 was released, that was where NT was going).

    ZDNet have just, in my opinion, killed their own credibility.

    It's just a shame that someone TOTALLY independent can't do these tests, and give us a totally unbiased report on how these two OSs stack up against each other.

  176. Solaris... by cyanoacrylate · · Score: 1

    Nobody's mentioned the individualized nature of Solaris patches... And nobody bitches about the number of them either because Sun just gives you a nice patch cluster to install and away you go...

    Of course, you can install them one by one if you want to...

    But anyone who just installs a system and doesn't install ALL the security patches is going to get some nasty surprises.

    --
    Don't like my sig? I don't either.
  177. Reapply? by RallyDriver · · Score: 1

    1. How many times in the life of an RPM update do you have to reapply it after installing software?

    2. WTF does NT still come as SP1, with a separate service pack disc?

  178. Re:No no no no no no! by Steve+G+Swine · · Score: 1

    Having gone through the (admittedly baroque) Site Server setup, I can tell you that the docs have improved anyway...

    A quick search of support.microsoft.com shows that...

    If this were a glibc dependency/version problem you were talking about, you'd get hit with the FUD brush before you got your mouse off the Submit button.

    Now don't get me started on the MDAC stuff, which is the only MS product I've seen break in an all-MS environment...

    --
    "Consider yourself a member of a virtual corporation with Mr. Torvalds as your Chief Executive Officer." - Linux Advocac
  179. Re:negligence, pure and simple by kovi · · Score: 1

    Exactly !
    First of all, it is not written anywhere that one has to install them all. There is no point in updating services / programs you don't use. For example: rdist or talk or KDE. These things are hardly needed on a machine running a web server as its sole task. Using a "minimalistic" approach during setup, it is possible to make the "important patches list" much smaller.
    So these "incredible difficulties" in applying some patches are just somebody's poor excuse for not doing a proper sysadmin job. Another proof of that is the "closed-source" CGI script story...

    Regards,
    kovi

  180. Then why does NT have hotfixes... by WolfShades · · Score: 1

    and did they install them? In addition to its monstrously huge Service Packs and Option Packs, NT also has hotfixes, which are patches for things between service packs. Did they apply them?

    Actually, I take issue with the whole "real sysadmin" scenario. If this were a _real_ sysadmin, he would have looked at all the Windows NT and Red Hat Linux patches and remembered that, even if it was troublesome, if he didn't apply them, it could be _his or her job_. I know this because _I am a sysadmin_, and if someone breaks into our company or something fails because of a patch I didn't apply, _I_ have to tell the President what went wrong and why. _Real_ sysadmins take responsibility for their actions (or inaction). If, after you've been made aware of a patch (security or otherwise), you don't apply it, you are accepting the consequences for not applying that patch, regardless of whether you're running Windows NT, Linux, UnixWare, Novell NetWare, or any other OS. Now, if people want to talk about making "packages of patches" or something like that to make things easier, fine, but ZDNet can't cry to me about "real world sysadmins," because _I_ know better.

  181. simple solution. by snubber1 · · Score: 1

    To fix this 'problem' all we have to do is start the open source group update. A single place with a listing of all the latest versions. Even could write a program to check version numbers and download the required fixes.

    --
    I don't really mind double posts on //..
  182. Re:They do have five points ;) by barbaBob · · Score: 1
    I know that. Point I was trying to make is that in general people will go the 'easier' way, and that it's an argument NT administrators could use as FUD against Linux.

    barbaBob

    --
    *sig*

  183. They do have five points ;) by barbaBob · · Score: 1
    I think they have a bit of a valid point (flameproof suit on). NT is up to Service Pack 5 at the moment, but it is still a lot easier to download and install those; one 'trusted' source instead of having to track down 21 security fixes from different sources, which in some cases might require recompiling. That requires more work and a knowledgeable systems administrator.

    The LinuxToday article has some very strong arguments though; Linux fixes are less prone to break other services because they just patch the affected code, not dump a lot of new code that can not be tested fully on all systems. Most service packs have introduced new bugs that have to be fixed in the next. Etc. Etc.

    One argument I couldn't find in the article though was the fact that Linux does only require a service restart for most fixes - fix crond, restart crond, no one will notice - while NT requires a total reboot for almost everything. Not exactly a platform to build critical services on.

    That's why, although they may have a bit of a valid point in their argument, it's a very weak one. ZDNet's director, John Taschek deserves a spanking for saying:

    [The test] was designed and put together by PC Week for the purpose of testing security implementation. We don't care which operating system (if any) is broken into first. We want to establish the basis for a story on the best practices for implementing security.

    And not acting on it. In this case it would require downloading a few K's as opposed to five multi-megabyte service packs to fix the crond hole and make it a lot harder for those trying to break in. Without a total reboot :)

    Cya barbaBob

    --
    *sig*

    1. Re:They do have five points ;) by Tet · · Score: 2
      one 'trusted' source instead of having to track down 21 security fixes from different sources, which in some cases might require recompiling.

      Sigh. You don't have to track down security fixes from different sources, and you don't have to recompile anything. Just go to Red Hat's updates page, download everything and do rpm -Uv *.rpm

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
  184. Re:So it was sys admin test not a security test by GFD · · Score: 1

    Somebody moderate this UP. I vote for both. Clueless idiots.

  185. Re:No no no no no no! by bakert · · Score: 1

    I've had similar experiences with Site Server. Both machines that have had it installed are being rebuilt prior to our millennium freeze. Hopefully Site Server will not be reinstalled.


    siteserver.com has a 'correct order' install and notes if you need it.

    --

    "Don't open the gates, who the hell needs a wooden horse that size?"

  186. Hotfixes by jimfrost · · Score: 1
    "If you want to keep NT secure, you have to apply the HOT-FIXES. There are just as many of those, if not more, than RPMs."

    Actually there are only 15 hotfixes for NT4SP5 right now, although there are quite a few additional outstanding "best practices" guidelines associated with closing specific security holes present in the software using the default configuration. I'm not sure where you'd find the whole collection of those things, though. Hell, it even took me some time to track down the whole collection of hotfixes: I couldn't find a link on their support pages so I had to search the Knowledge Base for "hotfix" and find a link in one of the articles back to the ftp server.

    I have to contrast this with RedHat's approach of clearly posting errata on every release: you can see every known problem and where to get the fix all in one place.

    --
    jim frost
    jimf@frostbytes.com
  187. Great Story By LinuxToday by mochaone · · Score: 1

    I totally agree that the responsible way to implement patches is ONE AT A TIME. This assumes that the organization gives a rat's ass about QA. Unfortunately, in this era of Microsoft computing where software is disseminated by the Seattle code-slingers, we have been lulled into a sense of complacency. "QA? Why bother checking the patches? Microsoft has already done that for us."

    We've seen where that mindset has taken us. The growth of Linux and alternative OS's are a reactionary outgrowth of rational people protesting against this mindset. Microsoft may have poisoned the mindset of some middle managers and middling media people, but they have surely set in motion events which will ultimately break their hegemonic hold on the industry.

    I'm saddened that such a "respected" webzine as ZDNET has stooped to such lows. It's a saddening harbinger of what this new-medium media will bring forth in the future. Want a favorable review? Just donate some software. Want a favorable "unbiased study"? Just donate some hardware and software. Want "unbiased analysis" from "independent economists"? Just send them on an all-paid junket.

    Keep your eyes open people and continue to ask questions.

    --
    Hates people who have stupid little sigs
  188. Re:Small, isolated patches better by Lev_Arris · · Score: 1

    Exactly my point. With small patches you at least know WHAT you are patching and WHY. With those huge Service Packs all you do is download some monstrous file, which takes ages if you have limited bandwidth (and some of us apparently have ;), and then apply it, hoping that it will not mess up your system. With single patches YOU are in control of what is being updated and you can apply them on a step by step basis.

    I also do not agree with ZDs statement. Sure, some corporations will be more reluctant to using 21 different patches instead of one big package, but anybody who is serious about security on their system would nevertheless apply them.

    Just my (H) opinion, feel free to rate me down ;)

  189. NT service Packs versus 21 patches by fivetena · · Score: 1

    I do hate to sound like I am coming down on Microsoft's side (and I do mean HATE) but . . .

    Installing the latest service pack (5 or 4 if you are talking Terminal Server) can be done over any of the last service packs including an installation without ANY service packs applied. They are all retro-active. They all cover all the prior ones. One would HOPE that was why sp5 was 33Megs!

  190. Re:Small, isolated patches better by Rhys+Dyfrgi · · Score: 1

    If one of those small patches doesn't work, for whatever reason, you can remove it. With an NT SP, it's all or nothing. If the products are separate, the update should be separate.

    --
    END OF LINE
  191. Re: NT service packs vs Linux patches by garster · · Score: 1

    So, ZDNet is under the impression that the PHBs are going to set up the machines and won't want to install patches? Get real! I have an NT server and several Linux servers. I can't install SP5 on my NT box because it's known to break the behavior of Oracle 7.3.2. And yet, I apparently need those patches to fix bugs in NT and introduced in SP1-4. Never mind that MS comes out with plenty of patches in the intervals between SPs. I'd hazard a guess that there are more than 21, just in the security area alone. In the real world, I prefer having to apply patches on a frequent basis to waiting (and waiting... and waiting) for MS to come out with a patch (when they admit it's a problem) and hoping in the meantime that someone doesn't discover my system.

  192. Re:I work enterprise - multiple patches are the pi by Kintanon · · Score: 1

    When you are dealing with a small site, individual patches are probably preferable - I would prefer them myself.

    But on an enterprise level of any decent size, there is no way I want to have to deal with individual patches.



    So you are telling us that you would rather leave 21 security holes on 200 servers for 4 months waiting for someone to release a big service pack than turn on Auto RPM for 1 night to update all of them? Where do you work? Someone should be firing you right now....

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  193. The explanation is not relevant by javatips · · Score: 1

    First they had to apply several service packs on the NT box. By doing so they had to reboot many times.

    They could have installed the 21 patches for the Linux box without rebooting once.

    Second, they say that an enterprise customer will not apply 21 patches. Did they ever talk to a Solaris SysAdmin? To make Solaris usable, you do have to install many patches. If you install the latest JDK on Solaris you have to install between 5 and 10 patches; who knows how many patches are required to make Solaris secure?

    The second point is there just to show that YES, an enterprise customer WILL apply many patches to make its system work like he wants it to work.


    But they still have a point. Linux needs a more convenient way to be updated without having to download many RPMs and then install them.

    The RPM package manager is good, but it is far from being an excellent way to install applications and patches.

    What Linux needs is some stuff around RPMs (or DEBs). This will be a way to access a repository of RPMs to automatically download (asking first would be a good idea) any dependencies. This would allow one to create an RPM with nothing in it but dependencies. So one installs this RPM and all the other RPMs referred to in it will be downloaded and installed.

    We also need something like InstallShield. That is, a front end to the package manager that asks for destination directories, displays readme files, etc.

    This will allow a much easier way to install new applications where the user wants them to be.

    Finally, distribution vendors should do what Microsoft does. Service packs! They could put all the 21 security patch RPMs into a .tar and call it Security Service Pack 1. Then when other patches are added, they could release SSP 2, etc.

    This will allow one who does care about security, but not enough to constantly look for new patches, to have a fairly secure system easily. And this would not give any excuse to ZDNet and the like about not installing security patches.


    SeeU All!
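
The post above asks for an RPM that carries nothing but dependencies, with a tool that pulls the rest from a repository. The following added example (not code from the thread, and not how rpm, apt or any real tool is implemented) shows the core of that: a constructed repository index, a meta-package `security-sp1` that only requires other packages, and a resolver that returns an install order in which every dependency precedes its dependent, skips what is already installed at the listed version, and refuses to proceed on a missing package or a dependency cycle rather than installing half a set. Package names, versions and the `<name>-<version>.<arch>.rpm` file naming are assumptions made for the example.

```python
"""Resolve the install set for a meta-package that carries only dependencies.

Added example, not the thread's code and not how rpm or apt work internally:
a constructed index maps package name -> version and requirements; resolve()
returns packages in dependency-first order and raises ResolveError on a
missing package or a cycle, so nothing is installed from a broken set.
"""

# Constructed index; names and versions are made up for this example.
REPO_INDEX = {
    "glibc": {"version": "2.1-2", "requires": []},
    "pam": {"version": "0.68-1", "requires": ["glibc"]},
    "crond": {"version": "1.1-3", "requires": ["glibc"]},
    "ftpd": {"version": "2.6-1", "requires": ["glibc", "pam"]},
    "lpd": {"version": "0.5-4", "requires": ["glibc"]},
    # The "security service pack": no payload of its own, only dependencies
    "security-sp1": {"version": "1-1", "requires": ["crond", "ftpd", "lpd"]},
}

# Constructed: what the target system already has, at the same version as the index
INSTALLED = {"glibc": "2.1-2"}

# Constructed broken index used to show cycle detection
CYCLIC_INDEX = {
    "a": {"version": "1", "requires": ["b"]},
    "b": {"version": "1", "requires": ["a"]},
}


class ResolveError(Exception):
    """Missing package or dependency cycle; nothing should be installed."""


def resolve(root, index=REPO_INDEX, installed=INSTALLED):
    """Return packages to install, dependencies first (depth-first topological order)."""
    order = []
    state = {}  # name -> "visiting" (on the current path) or "done"

    def visit(name, chain):
        if name in state:
            if state[name] == "visiting":
                raise ResolveError("dependency cycle: " + " -> ".join(chain + [name]))
            return
        if name not in index:
            needed_by = chain[-1] if chain else "the request"
            raise ResolveError(f"{name} (required by {needed_by}) is not in the repository")
        state[name] = "visiting"
        for dep in index[name]["requires"]:
            visit(dep, chain + [name])
        state[name] = "done"
        if installed.get(name) != index[name]["version"]:
            order.append(name)  # appended only after all of its dependencies

    visit(root, [])
    return order


def resolve_error(root, index=REPO_INDEX, installed=INSTALLED):
    """The error message resolve() would raise for root, or None if it resolves."""
    try:
        resolve(root, index, installed)
        return None
    except ResolveError as e:
        return str(e)


def download_list(order, index=REPO_INDEX, arch="i386"):
    """File names the fetch step would pull, in install order (naming is an assumption)."""
    return [f"{n}-{index[n]['version']}.{arch}.rpm" for n in order]


def is_valid_order(order, index=REPO_INDEX, installed=INSTALLED):
    """Invariant check: each package's requirements are earlier in order or already installed."""
    seen = set()
    for name in order:
        for dep in index[name]["requires"]:
            if dep not in seen and installed.get(dep) != index[dep]["version"]:
                return False
        seen.add(name)
    return True
```

Resolving `security-sp1` against the sample index yields `crond`, `pam`, `ftpd`, `lpd`, `security-sp1`; `glibc` is skipped because it is already installed at the indexed version, and `pam` is pulled in even though the meta-package never names it. The "ask first" step the post wants is the natural place to show `download_list()` to the administrator before anything is fetched.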

  194. Re:Small, isolated patches better by reptilian · · Score: 1

    We might also want to consider that if the box was already being used for a while, these 21 patches would NOT have been released at the same time. The updates would be applied over time, not all 21 at once.

    Of course new users are still left to install all 21.

    --

    72656B636148206C72655020726568746F6E41207473754A

  195. and that makes nt better how? by Trygve · · Score: 1

    Why are they saying that `enterprise businesses would not want to apply 21 individual fixes'?

    Putting aside the age old MS v. *nix debate, it has been proven time & again that MS security holes are found on a far more regular basis than Linux security holes.

    That's not to say that Linux is better or worse. I'm not even going to start that old discussion, most /.ers feel the same about that anyway. It's the fact that historically speaking, NT has had so many more security issues than Linux that ZDNet can't even hope to reasonably defend an argument like that.

  196. Re:I like the WindowsUpdate idea by liki · · Score: 1

    I like how I go to one website, and it automatically tells me what I do or do not have installed.

    Have you considered what that web page is allowed to do on your system (without you even knowing), given that it can tell you what you have patched and what you haven't?

    And the reason why it doesn't work correctly with Netscape browsers is that they won't let a web page run programs that search your system. (Well, Netscape has holes also, but...) Anyway, my point is that I would never grant such rights to a remote automated robot, and not even to a trained human other than myself.

    Anyone could write a program that completely screws your hard drive if you use IE and surf to that page. The only barrier between you and disaster is that notorious window asking the user whether he trusts the program, asking for permission to execute it. After that...

  197. Ever read NTSecurity by strobert · · Score: 1

    You have got to be kidding me. One of the best/most common topics of the NTSecurity mailing list, is what service packs with what hot fixes should be installed and in what order. I haven't looked in a few months but at one point it was a greater than 20 step process. I personally find rpm -UFvh *.rpm much easier.

  198. See now, this is horse Pies! Our ever so incom... by mattz · · Score: 1

    ...petent IT staff at work even has a script that automatically applies patches for our unix platforms--simply and stupidly! If ITP can get it right, joe wenttothe6monthNTcourse can get it right too!

    --
    Remember this...no eternal reward will forgive us now for wasting the dawn....(jim morrison)
  199. Re: *please* by TummyX · · Score: 1


    And why is the update tied in to IE5? So MS can further leverage their OS advantage and push Netscape further out of the picture. Update with IE5 and activeX - uh - no thanks.


    The same reason why HTML help is tied to IE5, because these features require features which only IE5 supports. DHTML & XML are key features which Netscape does not support properly (or not at all). ActiveX is required because Java isn't enough to do the kind of thing the update sites require (security is another issue). Why should microsoft go and write netscape plugins? They already have a product that will do it.
    Same reason why Office 2000 requires IE5. Microsoft wants office to be able to handle HTML, XML etc. What should they do? Write _another_ HTML/XML engine - *OR* use their existing componentised engine called IE5?
    It's intelligence - but I can see why you think it's "leveraging" and "pushing" - I just don't agree with that stand point.

  200. Re: *please* by TummyX · · Score: 1

    Come on now. The windows update was only designed for Win98 and above computers. Win95 machines shouldn't be updating from windows update but rather from microsoft support channels.
    You don't want IE5 or ActiveX controls on your computer due to security holes? Obviously you've never used Netscape. And Windows wouldn't work without any ActiveX controls.

    And yes, if need be, MS should "Write _another_ HTML/XML engine"

    I'm sorry, but that's the most idiotic thing I've heard this week. If they wrote another HTML engine it would have to be as large as IE5 (which isn't really that large considering it comes with key OS features like ADO etc).
    IE5 isn't as big as netscape when you take into account the cd and distributions normally come with updated windows libraries. Before you complain about this - it's cause IE5 like most microsoft software - makes heavy use of COM, DLLs etc. That's the reason why they seem large - but realistically, don't take _that_ much space since they share a lot of files and services.
    Again, suggesting microsoft write another HTML engine for the sake of it is stupid.
    Windows update is a feature specifically for Win98 and Windows 2000. These operating systems come with IE4/5. I see no advantage of having it IE only for microsoft. it's not like microsoft (unlike netscape/aol) are trying to tie you to CONTENT. Unless you think all the advertising on Windows Update is bad - wait - there is no advertising.
    Microsoft could have just written some proprietry update software to update windows and you would probably have been fine with that. It's only that they decided to make it web based with features they have researched and developed for IE that you don't like it.
    I'm so sick and tired of hearing "oh, microsoft is trying to push netscape....blah blah blah".

    Here's some facts.

    1) IE supports more standards than Netscape.
    2) IE has some MS developed features - specifically for LANs and Windows features (like Windows Update). Stuff like res:// urls etc (which Mozilla has now copied).
    3) The advantage of having a web browser monopoly is to manipulate content. IE has not done this - in fact with IEAK and the like, companies can customize IE (interface included) however they like.
    4) IE being componentized just makes sense. And being componentized - what's wrong with embedding IE into applications so that you have universal HTML support (look at the direction KDE is taking...look familiar?).
    5) Conceivably, Netscape could make a shell replacement for windows based on navigator or mozilla. Hell, you could make netscape 4.7 your shell.


    Take a look at some examples of the advantages of componentization: Winamp has its own web browser - what does it use? IE, of course. How? ActiveX, that's how. Component reuse by many vendors. Brilliant stuff - why shouldn't Microsoft do the same? You DON'T HAVE TO USE IE. But it's required for Windows help. Just transparently use IE for Windows help (it's small and fast) and, if you must, use Netscape for your web browsing. I mean, if you don't like Windows Common Controls, you can't delete them because they're vital to making Windows work - but you can still use GTK+ for Windows.

  201. Security Patches were not the problem! by RobNich · · Score: 1

    If you read the page written by the hacker who cracked the box, you would know that the exploit was in the CGI script(s), not the OS. Everything else is moot!
    Yes, ZD should have applied the patches. But what good would it have done?

    --
    Hello little man. I will destroy you!
  202. Disclosed holes should be closed IMMEDIATELY by mlefranc · · Score: 1

    Many people here have insisted on why it is important to apply security updates, and for obvious reasons. There is however one reason that has not been emphasized enough IMHO. A security update from a vendor should be applied IMMEDIATELY because the existence of the hole it fixes appears BLACK ON WHITE in a knowledge base at the time the update is issued.

    If someone was reading on a public web site that their home door had not been locked in the morning, I guess that they would rush to correct this. This seems not to be always the case with computers.

    The guy who hacked securelinux explicitly mentioned he browsed the Red Hat errata in the hope that some fix would not have been applied.

    And frankly, the guys who write that it is difficult to apply security updates on a Linux system are incompetent at best.

    1. Re:Disclosed holes should be closed IMMEDIATELY by Black+Parrot · · Score: 2

      > A security update from a vendor should be applied IMMEDIATELY

      Are you saying you don't like the MS timeline?

      Media reports the hole.

      MS Months 1-3 : Deny that the problem exists.

      Media reports an exploit of the hole.

      MS Months 4-6 : Admit that there is a problem that can be exploited by people with esoteric knowledge (who wouldn't consider doing such a thing!) under rare conditions, but that isn't a problem for ordinary users.

      Media reports a high-profile exploit of the hole.

      MS Months 6-9 : "We're working on it."

      Patch is delivered.

      Your Months 10-12 : Sysadmins either wait to see what happens to the suckers that apply it first, or else spend these months trying to repair the damage and lock out the new holes created by the 'patch'.

      Media reports the problems caused by the 'patch'.

      MS Months 13-15 : Deny the problem exists...

      Repeat until bankrupt. Season the above liberally with vaporware announcements about how the next new product is going to make all your troubles go away.

      Meanwhile, who's been reading your mail?

      --
      It's October 6th. Where's W2K? Over the horizon again, eh?

      --
      Sheesh, evil *and* a jerk. -- Jade
  203. Did they even bother to install the RedHat updates by net-fu · · Score: 1

    Wait a sec... They can't even bother to download the redhat updates?

    % ftp rpmfind.net
    ftp> cd linux/redhat/updates/6.0/i386
    ftp> bin
    ftp> prompt
    ftp> mget *

    % rpm -Uvh *.rpm

    Am I missing something, or is that too difficult for ZD? Much better than installing (and let's be honest, re-installing and re-installing) service packs. M$ support is simply horrible - if you did want to install only a particular patch, each has its own method of install and uninstall.

    By comparison, try this with RedHat:

    % mkdir rpms
    % for pkg in `rpm -q -a`; do echo "$pkg"; rpm -q -i "$pkg" > "rpms/$pkg"; done

    That takes the list of rpms on your machine and makes a bunch of files in the rpms directory. The files have the same names as your installed packages, and each file contains a description of what the package does.

    Want to know what an individual file is for? You can rpm -q -f to find out what package it belongs to, or get real fancy and write a little program:

    #!/bin/sh
    # whatrpm: print the description of the package that owns the given file
    rpm -q -i `rpm -q -f "$1"`

    save that as 'whatrpm' and then you can type 'whatrpm ' to find out what is there for.

    Definitely beats M$'s sorry system.
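    Added example (editor's note, not code from the thread or from Red Hat): the check that #202 describes the attacker doing by hand, browsing the errata page for a fix the admin skipped, turned into the defender's audit that belongs in front of the `rpm -Uvh` step above. It takes the `rpm -qa` output and the vendor's errata package list and reports which installed packages are behind. The package lists below are constructed sample data, not real Red Hat 6.0 errata, and `rpmvercmp` is a simplified re-implementation of rpm's version comparison (no epoch, tilde or caret handling), so treat it as an illustration of the algorithm rather than a drop-in for `rpm --freshen`.

```python
"""Audit installed RPMs against a vendor errata list.

Added example, not code from the original thread or from Red Hat.
INSTALLED stands in for the output of `rpm -qa` and ERRATA for the
package names on a vendor errata page; both lists are constructed
sample data, not real Red Hat 6.0 errata. The comparison is a
simplified rpmvercmp: no epoch, no tilde or caret handling.
"""
import re
from typing import Dict, List, Tuple

# rpm splits a version into maximal runs of digits or letters; everything
# else (dots, underscores, ...) is only a separator.
SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does.

    Returns -1 if a is older, 0 if equal, 1 if a is newer. Numeric
    segments compare as integers (so 10 > 9), alphabetic ones lexically,
    and a numeric segment outranks an alphabetic one in the same position
    ("1.0.1" is newer than "1.0a"). If one string runs out of segments,
    the longer one is newer ("8.2.1" is newer than "8.2").
    """
    sa = SEGMENT.findall(a)
    sb = SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def split_nvr(nvr: str) -> Tuple[str, str, str]:
    """Split 'name-version-release' as printed by `rpm -qa` on a Red Hat 6
    system (no arch suffix). Names may contain dashes, so split from the right."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def compare_nvr(installed: str, errata: str) -> int:
    """Negative if the installed package is older than the errata package,
    0 if identical, positive if already newer. Version is compared first,
    release only breaks ties."""
    _, iv, ir = split_nvr(installed)
    _, ev, er = split_nvr(errata)
    c = rpmvercmp(iv, ev)
    return c if c != 0 else rpmvercmp(ir, er)


def missing_updates(installed: List[str], errata: List[str]) -> List[Tuple[str, str]]:
    """Return (installed, available) pairs where the errata package is newer.

    Errata for packages that are not installed are skipped: an update for
    software you do not run is not an unpatched hole. Packages already at
    or past the fixed version are skipped too, so the result is exactly the
    list an attacker browsing the errata page is hoping to find.
    """
    by_name: Dict[str, str] = {split_nvr(p)[0]: p for p in installed}
    behind = []
    for fix in errata:
        have = by_name.get(split_nvr(fix)[0])
        if have is not None and compare_nvr(have, fix) < 0:
            behind.append((have, fix))
    return behind


# Constructed sample data: real RPM package names, made-up version-release
# strings chosen to exercise each branch of the comparison.
INSTALLED = [
    "wu-ftpd-2.4.2b18-2.1",
    "bind-8.2-6",
    "samba-2.0.5a-1",
    "inn-2.2.1-1",
]
ERRATA = [
    "wu-ftpd-2.5.0-3",    # newer version: behind
    "bind-8.2.1-1",       # extra version segment: behind
    "samba-2.0.5a-1",     # identical: already applied
    "inn-2.2-3",          # installed is newer: fine
    "pine-4.10-2",        # not installed: ignored
]

if __name__ == "__main__":
    for have, fix in missing_updates(INSTALLED, ERRATA):
        print(f"{have:28s} behind errata {fix}")
```

    In real use you would feed `rpm -qa` output into INSTALLED and the file list from the vendor's updates directory into ERRATA; the two packages reported by the sample data are the ones you would then fetch and `rpm -Fvh`. The alphabetic-versus-numeric rule matters in practice: a naive string comparison would call "2.4.2b18" newer than "2.5.0" and leave the hole open.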



  204. Laziness by joeuser · · Score: 1

    Yes, it was VERY unfair to have Linux running without the latest and greatest patches. That's all I have to say about that. This guy makes that point very well: http://slashdot.org/users.pl?op=userinfo&nick=Coda

    However, the question is:

    "They claim that `enterprise businesses would not want to apply 21 individual fixes' and `most large companies would prefer the one large, sweeping-in-scope, fix'. Do they have a point?"

    Clearly, ZD Net wants Billy in bed, if they aren't already. It's so see-through, the ZD Net reply was making me laugh, " one large, sweeping-in-scope, fix " Why don't you just say NT, dumbasses!? Furthermore, if they didn't want to apply 21 fixes to Red Hat Linux, they didn't care about security. Linux is swiss cheese by default. Takes a lot of time and work.

    NT is for those with little time and the lazy. For now, I love my NT box. Can't wait for Linux to get up to speed.

    Ouch, probably didn't earn any Karma (or whatever it is) with that one.

    --
    -Shawn A. McKeon [aka joeuser]
  205. Total agreement with the article. by Amokscience · · Score: 1

    It seems they took the NT mentality and applied that to Linux. Pretty braindead thinking. Are IT sysadmins as totally clueless?

    Any remotely experienced Linux user should be used to the constant patching that they 'get' to do when bugfixes are found, exploits secured, upgrades released, etc. ZDNet, however, assumed that all IT managers think like those trained in Windows. "If it's not called a 'service pack' then it's not important enough to install it" Bleh.

    While I can see it being annoying to have to apply 21 patches, a person responsible for servers and security is PAID to do so. What do you think would happen if your corporate web server was hacked, and then you told the management that you didn't apply the fixes because it was inconvenient?!?

    And honestly, if you're going to stick a total cluebie on a Linux or any *IX box, you're asking for trouble. It's still not for newbies, and someone trying to do something important in Linux should have a better clue than ZDNet assumes.

    I'd think if ZDNet were an IT department it would have been 'let go' a while ago. Perhaps they should assume a little more professional pride and admit their foulups. Oh wait, people who get caught with their pants down make desperate excuses.

    IF however, ZDNet is correct, and most Linux server admins are clueless gimboids, then corporate management might do well to check in and see what security measures/patches etc. are being practiced in their organization.

    --
    Fsck cluebie moderators. I'll say what I want, offtopic or not. And fsck having to qualify every bloody statement just
  206. Maybe they do have a point by Sorklin · · Score: 1

    I'm a linux newbie, even though I've been using it for a while. Slack was my distribution of choice. I have a question/comment about the security issues. Does any distribution have a way to update your system with a series of security patches to make your system secure with a minimum of intervention? If not, this would be greatly beneficial to the acceptance of linux. Better if this could be a method used by all the distributions to a series of centralized sites. That way, as a newbie, I could just run a program that will download and apply any patches I need to make my system secure. I wouldn't have to figure out what the latest patches are and where I need to get them.

    I say this for a couple of reasons. This provides a quick and easy way to make sure that you are running the latest and most secure programs on your OS. This is a must for newbies and system admins which must configure multiple machines. Of course you can use the old method, and if you are a serious admin, you probably would anyway. But it would be nice if a very easy option was ubiquitous on the linux platform.

  207. Bull@#!$ by Jake_Man · · Score: 1

    I'll wager that they applied all five NT security...oops, I mean service packs.

  208. Re:FreeBSD cvsup by Sascha+Schumann · · Score: 1

    That probably should read

    make buildworld
    make installworld

    since "make world" includes the install step.

    Do you have to do the whole make world seven hour process for any update?

    Nope, only if you rm -rf /usr/obj.

    Or is there an easy semi-automatic way to just rebuild and restart the
    services that were patched?


    make will rebuild things, if necessary.

    Obviously a kernel patch would need a reboot, but why reboot for other updates?

    So, skip the reboot step.

    The only advantage I see to the make world approach is that everything can be built optimized for your system.

    Another advantage is that you can "install" many "patches" in one turn. Simply cvsup and recompile.

  209. Re:Linux (systems with rpm anyway) easier to maint by knarph · · Score: 1

    True. I was just pointing out how easy it could be. I didn't say how safe. I normally point it at a machine that I control and that runs nothing other than the ftp server anyway. What else am I going to use a 386 for?

    --
    -- This post contains %100 recycled electrons Remove spam and eggs to send some mail.
  210. Linux (systems with rpm anyway) easier to maintain by knarph · · Score: 1

    Ummm ok, so companies don't want to install 21 separate patches.
    So set up autorpm to point at Red Hat's updates directory. And you install 0 patches. You just let autorpm do all the "work".
    Have it update automagically.
    If anything Linux is easier for a company to keep current than NT.

    --
    -- This post contains %100 recycled electrons Remove spam and eggs to send some mail.
  211. 33MB patches by Fastball · · Score: 1

    So I'm setting up an NT server last night. This includes installation of several service packs. Each one a sizable lump. I note the size of one as 33MB.

    I think to myself: find enough things to patch Microsoft?

    21 small patches are nothing compared to a 33MB lump of which you have little idea what it patches.

  212. No, I don't think so! by Howard+Beale · · Score: 1

    Coming from an AS/400 environment, IBM releases patches to their OS and applications called PTF's (Program Temporary Fixes, if I remember correctly). If you needed a fix immediately, it was available. Every once in a while, you could call up IBM and order a tape containing all outstanding PTF's for your system. What is the difference between downloading a fix from RedHat to patch a program, or installing a PTF from IBM? What is the difference between installing all outstanding patches from RedHat or installing a tape containing all outstanding PTF's from IBM? Last time I checked, there were quite a few AS/400's out there in the 'enterprise' world.

  213. 21 updates too much? by miracles · · Score: 1

    Funny they should say that, netware 3.11 alone has something like 30 updates available (and these are just for the os, they have nothing to do with "critical" subsystems such as mail or www or dns etc...). And NT has a constant stream of hotfixes available (with no fanfare, requiring you to scour their ftp server for stuff), but businesses will not accept multiple updates for a linux distro? Sure it would be nice to have a single source of patches for everything installed locally on your box, even better, a trained tech to visit each box and install the patches for you! Why not just have the companies send in preconfigured boxes that they will keep "updated", which we will no longer have access to, Then everything will be peachy!

    come on! every admin should know what she/he is running and administer it accordingly... businesses shouldn't worry about how many patches their admin is installing, but rather if the admin knows what she/he is installing in the first place.

    .sig? why yes, American Spirits only!

  214. ZDNet preaching that sys admins should be lazy... by k9-quaint · · Score: 1
    I like the fact that ZDNet is spreading FUD about Linux and how *hard* it is to make a linux box secure (21 patches, YIKES). "Just run NT and you will never have to worry, yada yada yada...". Get all the simpletons running NT and joining get rich quick pyramid schemes and the world will be a better place.

    This is a form of natural selection. If you listen to morons and do what they suggest, you will most likely fail (at best you will just lose a lot of money). Eventually, I will be able to identify idiots just by glancing at their desktop, NT? or Linux? Thank you ZDNet for providing us with this valuable idiometer. Preach on brother Bill. Meanwhile, I will tune my X server :)

  215. Re:They only needed to install 4 by glorf · · Score: 1

    Option Pack 4 is an app, not a patch. Granted it does fix problems with the previous version, but most administrators will want to use IIS 4.0 anyway. IE 4.01 is an app and the other three items tell you to install it anyway. I think the point that some are trying to make is that it is a lot easier to figure out what to install in the Windows world. How much research would it take comparatively to figure out what to install in Linux? If someone were to compile the latest patches for Linux into _one_ downloadable package with a smart install routine on a regular basis so that there were Linux Service Packs, it would go a long way in shrinking the ease of use gap.

    The fact that Linux Service Packs don't exist yet could be interpreted as proof that it is too difficult to compile the list of current necessary patches. Or it could prove exactly the opposite. The main thing is that people want to have them and/or want to know why there aren't any now.

  216. OS patch policies by ariux · · Score: 1

    It'd be nice to have a system - on any OS - where you do ONE THING, or it's even automatic at reboot, and the system updates itself with all the latest patches from a website. Not "sit down and read through 50 300-page books, then spend a week fighting the machine". Not "spend 12 hours searching the web to make sure you've got everything". ONE THING.

  217. /. effect != sysadmins nodding their heads by R.+Anthony · · Score: 1
    slashdot effect n.

    1. Also spelled "/. effect"; what is said to have happened when a website becomes virtually unreachable because too many people are hitting it after the site was mentioned in an interesting article on the popular Slashdot news service. The term is quite widely used by /. readers, including variants like "That site has been slashdotted again!" 2. In a perhaps inevitable generalization, the term is being used to describe any similar effect from being listed on a popular site.

  218. Lesson learnt.. by gargle · · Score: 1


    The guy broke in because of a faulty CGI script!
    No fair, the test was supposed to test the underlying OS alone!
    Well bugs in Linux helped!
    Well they should have known to apply the patches!
    ...
    blah blah blah. etc.etc.etc.


    The lesson to be learnt from this is that there's no such thing as "the security of this or the security of that alone". Security is a holistic concept, and a weakest-link phenomenon. Everything has to be considered when designing a secure system, including human factors (how easy is it to make the system secure? How likely is it that people will make errors? etc.).

    It's pointless to say: We're testing the security of the OS alone -- because there's no such thing. The PCWeek test is meaningful in the sense that it reveals how difficult it may be to make a Linux system, as a whole, secure.

  219. I like RPMs by Steeltoe · · Score: 1

    If you want easy and clean installs, with checks for consistency with other packages, the option to roll back to previous versions and logging of what's done, Red Hat Package Manager does all this and more. Gnome comes out with GnoRPM, which isn't too bad a GUI for those who can't stand to read the manual pages and work out the simple command line. I have yet to see its like on any Wintel platform.

    Btw, I'm not sure I understand why everything has to go through your browser nowadays, even upgrades. I guess it's a feature for the masses, and an attempt to be hip. Because if they really cared about convenience, they should have used the time to make a real installer rather than the wussy InstallShield *puke*. The added layer of everything having to pass through IE sounds to me like the biggest security hole of all.

  220. Re:Should it matter? by TeeWee · · Score: 1

    Indeed it is not the manager who does the work. But sometimes (often?) it is the manager who sets the policy of using a particular OS as their standard.

    That standard may very well be NT because it has fewer patches than *nix. It may not be the competent admin that has the choice of OS.

  221. HotFixes, Services Packs, Security Patches, oh my! by codepoet · · Score: 1

    As a new Linux user, seduced by the hype, and as an experienced NT user - I haven't seen much difference between Service Packs + Hot Fixes and the patchitis that happens with RedHat and other Linux releases. That said, the ZDNet guys dropped the ball. They don't talk about Net Admins not wanting to install a Service-Pack + umpteen Hot-Fixes...

  222. Re:I like the WindowsUpdate idea by Shambler · · Score: 1

    I like the idea - but M$ needs to get their **** together and make the fixes work - W98 SP1 autoinstalled, and promptly disabled my dialup subsystem. Four hours of ****ing around before I decided to dump the service pack - hey presto, I'm back online...

  223. Duh. by Arawak · · Score: 1
    Duh. Maybe you have to apply 21 patches to the Linux box in question, but I'll bet you have to reboot the NT box almost 21 times in getting its service packs applied. In the Microsoft shop where I work we dread the work in taking a stock NT install to a point where it can be used.

    Remember too that almost any NT server expected to actually _do_ something has the endless litany of Msg Queue, IIS, SQL Server, etc, ad nauseam (you know - all the functionality that comes standard in a Red Hat install) which must be patched, rebooted, and prayed over. We're talking a couple hours sometimes. Arawak

  224. Acts of malicious kindness? by foxtaur · · Score: 1

    Given that there are so many bugs which permit random hackers and crackers to gain root access to the ZD linux box... what's keeping a hacker from exploiting one of those bugs and using their new-gained access to actually patch them? Isn't that part of 'the hacker spirit'?

  225. If they really wanted an accurate benchmark... by sprong · · Score: 1
    ...they'd pick a random sampling of n NT admins and n Linux admins and say, OK, here's your box, here's what we're going to do on it, you have x hours to make it secure, fast, and stable.

    This would have the following results:

    1. Benchmarks would start getting more interesting again.
    2. Benchmarks would start getting realistic. An OS is only as good as its admins.
    3. We wouldn't have to keep hearing the guys running the benchmark saying "Hey, it's not like this out of the box" vs. the linux people pointing out the obvious.
    Obviously #2 is the real issue here. If NT "works better" out of the box, and your average linux admin is savvy enough to tweak appropriately, then an out-of-the-box benchmark isn't consistent w/ performance in the real-world business environs.
  226. Heres what i think is one of the reasons..... by Taelon · · Score: 1

    ZD is owned by ClientLogic (was Softbant till about the turn of the year), which I had worked for a few months back. They (ClientLogic) are closely tied to Microsoft....I believe that explains a bit. There were more than a few times that MS came to visit us and the supervisors told a few of us (including me) to turn off our Linux boxes and remove the penguins from our desks...

    --
    --- Welcome to the land of redundant cyclical errors and blue screens..... Where do you want to go today?
  227. So it was sys admin test not a security test by Anonymous Coward · · Score: 2

    If your source is correct, then this was a sysadmin test NOT a security test. If it were a security test the patches would have been applied.

    As to the "real world" conditions this is BS. If they want to test real world conditions, get a statistically significant sample of sys. admins, give them all the same hardware and software and see how many boxes are secure in two weeks.

    Either the people who ran these tests had a preconceived result or they are complete idiots (or both).

  228. BSD wins here. by Dom2 · · Score: 2

    This is where the centralised method of distribution that FreeBSD et al use really wins. You just set up CVSup to run regularly and run "make world" when you need to actually install the patches. Strictly a hands off operation.

  229. Re:Parity by sjames · · Score: 2

    Just click on the .exe, reboot, and that's it.

    Run dselect, select install, don't bother to reboot. Or, download all of the rpms, and run rpm over all of them at once. OR, download the latest service pack, and decide if you prefer a security hole in file sharing, or a broken print service and who knows what else.

  230. Re:I work enterprise - multiple patches are the pi by ninjaz · · Score: 2
    On top of this, due to the mission critical nature of the boxes (they are used nation wide), we have extensive change management controls. Any patch that we apply would have to have a corresponding backout procedure. It is much easier to consider a patch as one big patch than 21 individual patches. Sure, us tech people know that they are really one and the same. But try telling the change management people that.
    I don't know how you do things in your neck of the woods, but to change management at my company, a new installation would be considered 1 change. i.e., New webserver with all errata packages applied. Now, during the production, you tend to get them in more manageable chunks - usually 1 at a time.

    Speaking of enterprise environments, though, I think it would be unfair to leave out Solaris 7. It has 22 security-related patches as listed here: ftp://sunsolve6.Sun.COM/pub/patches/Solaris7.Patch Report Do you run Solaris at your site? If so, did you install all of those? Here, we've got scripts that install those patches on the Solaris boxes. Of course, change management is involved, too.

    Sure, it would be nice if Red Hat paid more attention to security and quality control, but that's why I tend to stick with Debian & FreeBSD when feasible. :)

  231. Managers vs. IT guys. by jimbo · · Score: 2

    "enterprise businesses would not want to apply 21 individual fixes"

    The usual "manager vs. IT dude" problem, I suppose:

    The average enterprise manager could probably easily be persuaded to order their IT guys not use Linux for that reason. They always scare easily for things that are not their area of competence.

    If the IT guy take the OS decision himself, it probably doesn't matter whether it is one fix or many. If he already selected Linux, then he probably also like the power and control it gives him.

    1. Re:Managers vs. IT guys. by heimdall · · Score: 2

      I've worked for quite a few IT managers in some rather large shops (1000+ servers). Not once have I had one not willing for us to install any number of patches, just so long as they have been tested in a test environment. I have to wonder where ZD is getting the idea that enterprise businesses CARE how many patches are being installed (or what OS they're running, for that matter). Most companies simply want a stable platform to run their applications on.

  232. Re:Linux (systems with rpm anyway) easier to maint by Gus · · Score: 2

    No serious enterprise company should allow any automated tool to install any software without human intervention. While I am not acquainted with the security precautions in autorpm, if any, placing that amount of trust in a network-provided resource is the sort of error that gets system administrators fired for incompetence.
    That aside, I prefer having several small updates, which allows me a finer granularity of which patches I install. Take for example a Sun patch cluster. Each patch is in a subdirectory all its own, and the order in which they are to be installed is listed in a single text file. While the current recommended patches are available as a single tarfile, there is a fine level of control available.

    --
    --Gus
  233. Re:Small, isolated patches better by Oestergaard · · Score: 2

    I guess the main reason why GNU/Linux systems ship numerous small updates, whereas NT has huge single service-packs is, that any normal program (a package) under GNU/Linux consists of a well-defined set of files. None of which are *system* libraries (DLLs).

    On Windows a typical application ships its own version of some of the *system* DLLs, thereby rendering the whole platform insecure if one of its libraries has a flaw.

    Thus the need for a huge service pack on NT. You need to re-ship updated versions of all libraries, and you need to re-install the service pack after each installation of a (seemingly unrelated) program, because NT DLLs are touched by *applications*.

    Because of open source, we can re-compile an application that doesn't work with the system libraries we may have, thereby avoiding having to overwrite system libraries whenever we install an application. Therefore we can have small packages that update nothing but the problem. And therefore GNU/Linux will, unlike some other OS, have a massive share of the total server installations for many years to come.

  234. Yes they have a point by Oestergaard · · Score: 2

    That is, if rpm --freshen * is too hard to type, they shouldn't be running computers at all.

    Hire someone with a clue, and go back to writing articles.

    Seriously though, if you tried applying NT service packs, and tried rpm --freshen, you know who's got the lead (and for those who haven't tried, here's a hint: it's not the redmond guys).

    With NT, you apply one huge service-pack that (somewhat) fixes the problems known at the time of the release of the service pack. Whenever you install a new piece of software, you have to re-install the service pack if you want to be sure it's effective.

    With rpm you do the --freshen trick, once. If you install another piece of software, well fine, no worries. If another fix becomes available, just get them all and do --freshen, or get the one fix and --freshen. It's as simple as it gets.

    I think it's much too common for clueless people to assume that it's hard to maintain a system they don't know (and haven't even tried to grasp), and assuming that the system with the most aggressive PR backing is necessarily much easier.

    The only reason why we don't see more remote attacks on NT is because ``networking'' is somewhat alien to NT. Networking has always been an integral part of UN*X and Linux, so naturally a buggy networked application is almost bound to compromise the system in a cracker-friendly way.

    Consider the incredible amount of local attacks on NT being posted weekly (almost daily) on Bugtraq, and you see why NT people should be really happy that NT is not a network operating system.

  235. Re:Parity by aqua · · Score: 2
    Agreed -- recall ZDNet's stated rationale (or rationalization) for not installing any of the updates: "The hackpcweek.com test was not meant to be easy but was meant to be practical and to reflect the habits of corporate IT."

    Which presumably doesn't mean that they believe corporate IT to be a bunch of ignorant layabouts, but if I were a corporate IT person, and a reader of their publication, and also in the slightest bit competent with Linux, I'd be insulted. Perhaps they don't grasp the significance of a discrete package upgrade -- something MS has never really gone for. Root compromise hole in crond? Well, upgrade crond -- Red Hat publishes the bloody rpm -Uvh ... command to do that in every security advisory. It's a different methodology -- we usually have one upgrade package per main package -- and that, in the UNIX scheme of things, makes vastly more sense than clobbering all our package management systems (far superior to that offered by poor NT) in favor of what they call "[making] fixes available in a more manageable manner."

    ZD didn't do enough research while orchestrating this PR stunt, I suspect. Bring on the derision. ):

  236. Re:I like the WindowsUpdate idea by Ben+Hutchings · · Score: 2

    In principle, this sounds like a good thing. In practice, enabling Windows Update opens a big security hole:

    ActiveX controls can be marked "safe for scripting," meaning that a script on any HTML page can activate them without requesting permission or giving notification. And the controls turn out to have holes. So far, Microsoft has identified two buffer overruns and one case of improper filesystem access among Microsoft-supplied, marked-safe controls (Security Bulletins MS0099-33, 37, and 40).

    ...

    For now, Microsoft recommends turning off ActiveScripting. Unfortunately, that breaks a good many Web sites, including most of Microsoft's. A less draconian solution suggested to me by a Microsoft developer is to deny permission to run "safe for scripting" controls. But even this breaks a lot of sites, including Windows Update, which is most Windows 98 users' best hope of installing security patches.

    (from a mail to the RISKS mailing list by Steve Wildstrom ).

    Debian's system doesn't rely on this sort of stuff - you have to actively ask for packages. However, it still relies on your trusting the FTP server you get them from. Official packages will be signed - but do you know that all Debian developers with the key will keep it safe?

  237. Your binary releases can also be pre-linked by SurfsUp · · Score: 2

    Because of open source, we can re-compile an application that doesn't work with the system libraries we may have, thereby avoiding having to overwrite system libraries whenever we install an application. Therefore we can have small packages that update nothing but the problem.

    Agreed, this is key. Perhaps even more important though is the ability to statically link, so that binary releases can be built, a la Netscape, with everything version-independent (except for kernel dependencies which are few & far between thanks to the efforts of people like Torvalds and Cox). So you can download the binary app and expect to have it work, as it nearly always does when built this way [ed note: and when declared stable ;-)].

    Another factor of crucial importance is for this linking process to be carried out by anyone who wants to do it, i.e., access to the source code is important just as you say, but not necessarily for the same reason. Also consider - it's possible to re-link a dynamically linked app to become a statically linked app using a linkage editor... I don't know if Linux has such utilities because I'm a relative newcomer to these development tools. But if they're not there, we need them badly.

    And therefore GNU/Linux will, unlike some other OS, have a massive share of the total server installations for many years to come.

    (a) That and 1,000,000 other reasons

    (b) It already does. (Check the situation as of last spring)

    --
    Life's a bitch but somebody's gotta do it.
  238. Re:Just click .exe by bmetzler · · Score: 2
    But as it turns out there is a way to get all-inclusive patches for Linux. Install a new release. They come out every few months, much more frequently than Microsoft service packs, and generally include all previous patches. The upgrade process is fairly similar in difficulty to applying an NT service pack. Interestingly this isn't mentioned.

    Six months for Red Hat to be specific. Probably a lot faster than MS releases service packs. That's basically what RH 6.1 is, a service pack in MS terms for 6.0. There is only one difference. Red Hat replaces their old version with the new version. If I buy a copy of NT today, would I still have to install SP5? I imagine so.

    Still though, I wouldn't want to have to wait until the next version was released to fix security holes. Not even on NT.

    -Brent
  239. Do they have a point? by Bricius · · Score: 2

    > Do they have a point?

    No.
    Imagine you buy 21 different programs from 21 different vendors, but you buy them all in the same shop, with one single bill, maybe bundled in a single box.
    It's obvious that each vendor will fix only their own part and you'll get 21 different fixes.
    What you can expect from the shop is that they bundle the fixes in the same way they bundled the programs.
    And this is what Linux distributions already do (Debian at least).

    Cheers!

  240. negligence, pure and simple by Eddie+the+Jedi · · Score: 2

    The difficulty of applying 21 security fixes may be a bit of an issue (not that I find anything difficult about "rpm -Uvh *.rpm"), but that sure as hell doesn't justify ZD's decision not to apply the fixes. Applying the vendor's fixes is not optional, no matter what system you're running.

    Do they think that if a business's several-thousand-user network were compromised, the execs would accept the excuse that there were just too many vendor-supplied patches to apply?!

    --
    The dog ate my .sig quote.
  241. Re:Parity by Peyna · · Score: 2
    I think what they did may be a good way to test the ease of securing a server, as opposed to the true security of the server, once everything has been properly secured. So, perhaps had they applied all of the necessary patches to linux, they would have shown that linux is more secure, and that maybe companies with security issues need to hire people smart enough to be able to secure their information, rather than people who can install NT (boy that's tough) and run a few executables to apply some service packs and be done with it, without really having taken any steps to secure the box.

    --
    What?
  242. Should it matter? by Oirad · · Score: 2

    It's not the managers who are going to be doing the work, they're simply going to mandate "This will be secure!", if they know enough to mandate anything at all.

    Most admins out there may not like doing multiple patches, but there are advantages. Some patches can open other holes, and using one of NT's service packs isn't guaranteed to fix everything either. And having them separated out allows an admin to more closely monitor what's been patched, rather than NT's way of doing things.

    It's like the NT vs. *nix discussion itself: each has its pros and cons. What it all boils down to is the competency of the guy/gal running the box.

  243. Re:I work enterprise - multiple patches are the pi by Black+Parrot · · Score: 2

    > if I had to apply 21 individual patches to 200 machines, I would be ready to punch someone.

    Just copy them to an upgrade directory, cd, and type rpm -Uhv *.rpm on each system. How does that compare to installing one NT service pack on each of those same 200 systems?


    > the only time you are allowed to apply patches is outside business hours which for these boxes is between 9pm and 3am. That's a lot of late nights.

    Per above, except have a cron job run at 9pm every night to -Uhv whatever files you put there during the day.


    Any patch that we apply would have to have a corresponding backout procedure

    Just re-install --force your prior version of the RPM for the same package.

    Would you rather back out (say) one of 21 RPMs with rpm --force, or back out an NT service patch? And even if they were the same amount of trouble, do you want to throw out everything the SP offers, just because one of the patches on it sucks? Some of the other patches in the SP might accidentally fix something without breaking something else.

    ZD doesn't have a case. Because they don't have a clue.


    --
    It's October 6th. Where's W2K? Over the horizon again, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
  244. ZDNet's credibility by quux26 · · Score: 2

    Call this flamebait, hidden linux worship, sour grapes or whatever...

    But ZDNet (and Yahoo) lost much credibility with me when they couldn't figure out that Jesux was a joke.

    My .02
    Quux26

    --
    www.crashspace.net
  245. Does it matter? by Bob-K · · Score: 2

    This wasn't even a remotely valid security test, so who the heck cares about the details?

    There's no way I'm going to make a decision based on what happened in a test like this. I'm not even going to take it into consideration. It was entertaining, and I enjoyed it, I enjoyed reading about it, I hope the ZDNet people had fun doing it, and I hope the people who hacked it had some jollies.

    But the results are as meaningless as Bill Clinton's sworn testimony.

    1. Re:Does it matter? by remande · · Score: 2
      This wasn't even a remotely valid security test, so who the heck cares about the details?

      The people who don't know that it is an invalid security test care about the details.

      Time and again, some magazine, company, or other shows NT's supposed improvements over Linux. Then somebody notices how the "test" was intentionally or unintentionally rigged. While this is great for the Slashdot community, this is the sort of stuff that needs to be seen by those who make the buy decisions.

      Now that you know, you can argue this where you work or learn; when somebody points to this test as a reason to install NT at your site, you have an effective counterargument--and URLs to back it up.

      --
      The basis of all love is respect

  246. Re:Red Hat fixes wouldn't have helped by nas · · Score: 2

    Yes, they would have. They probably would have prevented jfs from getting root. If he did manage to get root then he would have uncovered a new security hole. Unfortunately, due to ZD incompetence, we have learned absolutely nothing from this little exercise (except possibly the magnitude of ZD's stupidity).

  247. Count the numbers... by knarf · · Score: 2
    Just look up any `hacked page' archive which keeps track of the OS for the original website, and start counting. Keep in mind that Microsoft operating systems are actually less popular as a webserver platform than Linux, and Apache is far more popular than any MS offering (see The Internet Operating System Counter and netcraft). To make it easy on you, I did a count on some of the recent attrition archives and came up with these results (I only listed Linux, NT, Solaris, FreeBSD and OpenBSD, so the totals will NOT match the sum of the individual OS's):

    year-month   total   Linux    NT   Solaris   FreeBSD   OpenBSD
    1999-10         53       4    29        14         8         0
    1999-09        259      72    82        62        12         0
    1999-08        318      68   106        77         9         0
    total:         630     144   217       153        29         0

    (apologies for the funky formatting, it used to be a nice table but /. does not like tables, and does not support the tag...)

    According to this logic, Linux is clearly more secure than Windows NT, especially when you `weigh' the numbers with the popularity (or lack thereof) for the individual operating systems.
    Of course, the really interesting number is the 0 for OpenBSD. Pity though I have no idea how many OpenBSD sites there are out there...
    --
    frank[at]unternet.org
  248. Re:I work enterprise - multiple patches are the pi by Adam+Knapp · · Score: 2

    Well I don't know about enterprise settings but:

    I worked for my college's computer services this summer; my job mainly consisted of applying patches to NT for 3 months. Admittedly, we have many more computers than you (I'd estimate 800+ or so in public labs and administrative offices, we are extremely wired for 1500 students) but with 5 other students and the college's professional staff we were unable to apply service packs to all of them. Why? Because when installing that "one big easy install" not only do you have to kick the user of the machine off (they really don't like that) but you actually have to be there the whole time to click on those "friendly" buttons. NT's profiles (they are like home directories except they suck) aren't always updated correctly by the upgrade so the users have to fix and reinstall their programs. Computers that were running NT SP3 w/o IE4 a little bit slow are now completely unusable with all of the "improvements" that were "necessary". Not to mention differing support of hardware between the different service packs; SP4 broke some computer I worked on because of incompatibilities with the BIOS on some Compaqs which had no problems at all with earlier versions.

    In contrast, if we had been using Linux, even if I hadn't created a script, I could have opened up a sh*tload of telnet sessions from the cold room and, without the user knowing or caring, updated each and every machine at the same time with only the packages necessary.

  249. Windows NT Vs. Linux or why ZD is uncredible by mbpark · · Score: 2

    1. NT itself is a piece of crap to even maintain properly. SP2 and SP4 only proved that Microsoft does not properly test third-party products with their Service Packs. We waited until SP5, and ONLY after several rounds of serious tests to make sure that nothing got hammered.

    1a. Certain clients that used third-party messaging, web server, or application server products made by competitors such as Sun or Netscape had serious issues when SP4 was installed. So did Samba in one of our test cases. Leads me to believe that M$ wanted SP4 to push the M$ products over the competing products.

    2. The install of NT itself on a bare box is abysmal. It takes about 10 reboots to get everything installed right with the Hot Fixes and the Service Packs. Linux takes one with 6.1. By the way, the install is about 5x as fast as W2K even in graphical install mode of RH6.0.

    2a. Plus, there's the monitoring of NTBUGTRAQ for the latest exploits. Sometimes they hit 5 a week. The MS people post fixes 2 weeks later.

    3. Linux, on the other hand, is mostly stable. Fixes are out within hours. I don't have these issues.

    4. Linux isn't tightly integrated with Apache.
    If I want to change web servers for reasons of security or such then I can. Can I do that easily with NT? The answer is no, unless you run Apache for NT. Then you still have the issues of the operating system.

    4a. IIS is the biggest security hole of a web server I have yet seen. The bugfixes hardly fix anything. Doubt me and think NT is god? Read NTBUGTRAQ or actually run an NT server connected to the Internet. Microsoft and their COM objects are causing a whole mess of havoc.

    5. Security hole in a Perl script on the hackpcweek site? I wonder why nobody tried to do the same with COM objects or the numerous buffer overflows on NT? Better yet, let's see how long it takes Redmond to come out with a fix! IF anyone wanted to not follow the rules of that contest, I am sure something like that would easily take down the box.

    6. I hear too much from NT admins about "Wait until Windows 2000". Y'all can shut up about your vaporware. I interviewed two admins. One was a W2K freak. The other mentioned that MS should fix their products before releasing new ones. Guess which one got the offer? Shut up about how great MS is until I see stable shipping product or get out. Linux is right here, right now, and is constantly being updated. It's also open source and audited by thousands. Beat that, Redmond. Giving a closed source preview of a product doesn't make it like Linux. Open the source and show those APIs like WNetEnumCachedPasswords.

    6a. I have seen portions of that code, and it is MESSY. They probably won't release it out of embarrassment. I wouldn't.

    7. ZD is advertising-driven. Guess who buys most of their advertising? Microsoft. Do you HONESTLY think ZD is going to bite the hand that feeds them? I think not. They are Microsoft's bitch. Anyone who reads anything from ZD should realize that. It's a PHB magazine, meant for people who choose not to pay attention to what is going on in IT. Until Red Hat, VA, Sun, SGI, and other non-MS companies advertise, they will continue to be the puppets of Redmond.

    Until next time....

  250. Parity by wct · · Score: 2

    I think the main complaint is an absence of parity between the two platforms. On one hand, NT had the five service packs applied, which are IMHO fraught with more difficulties to install than rpm'ing 21 patches. MS's service packs are renowned for breaking other things from previous packs, and are usually released a long time after the bugs they fix are identified.

    I really wouldn't have a problem with this at all, if ZDNet hadn't made the blanket conclusion that NT was easier to secure. That's an overwhelmingly ignorant statement to make.

  251. Just click .exe by jimfrost · · Score: 2
    Simplistically speaking that's right, but practically speaking it's not.

    Before applying SPs I wait at least a few weeks to see what people report as breaking under the new SP. There's usually something, and all too frequently (two NT4 SPs out of five!) applying an SP has a detrimental impact on system stability.

    On top of that you may have to reapply SPs after installing new packages (particularly those from Microsoft) and you want to create a new emergency repair disk. These things are not necessary under Linux.

    IMO, having administered both systems (and a bunch of others) for years, I much prefer the small patch approach where I can pick what I want to apply according to my needs: e.g. if I'm not running ftp I don't really need to apply an ftp patch.

    But as it turns out there is a way to get all-inclusive patches for Linux. Install a new release. They come out every few months, much more frequently than Microsoft service packs, and generally include all previous patches. The upgrade process is fairly similar in difficulty to applying an NT service pack. Interestingly this isn't mentioned.

    Interestingly, ZD says "Imagine the work involved in integrating 21 separate fixes into a change process to be deployed across an enterprise." Actually that doesn't have to be a lot of work. You can set up a master system and use rdist to propagate patched software to everything all at once. This kind of environment is easy to set up (the software is stock) and allows the software to do the grunt work of upgrading systems. You need to buy extra software to do this kind of mass upgrade on NT.

    --
    jim frost
    jimf@frostbytes.com
  252. Re:Small, isolated patches better by jflynn · · Score: 2

    "Of course new users are still left to install all 21."

    I'm not arguing that small, isolated patches are infinitely superior to mega-packs including both fixes and features.

    However if a company like RedHat wants to provide support that people would buy, then making a patch or script available to fix all known security problems since last release might be a worthwhile product that new users would appreciate, especially those switching from Windows.

    If you want to get into ease of use features, something with the functionality of Windows Update could also be popular. It should be done Unix style though. The update site sends the information about what is available to the local computer on request, which then compares it to what is installed and offers the user an opportunity to select packages to update or install. From this a script is generated locally that will download and install the required software. Category filters for "Security", "Bug", and "Feature" would also be nice.

    Perhaps their new online update support in 6.1 addresses this. Can anyone describe it for me?
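
    The update flow sketched in this post, as an added shell example (not the poster's code and not any Red Hat or Debian tool): the server's advisory list is compared with a local package inventory, filtered by category, and turned into a locally generated install script. Both lists are constructed sample data, the rpm commands are only emitted rather than run, and /var/tmp/updates is an assumed download directory.

```shell
#!/bin/sh
# Added example of the "Unix style" update check described in the post: the
# update site sends what is available, the client compares it with what is
# installed, filters by category and generates an install script locally.

# Local inventory, in the shape `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`
# would produce (constructed sample data).
INSTALLED='cron 3.0.1-37
kernel 2.2.5-15
net-tools 1.51-3
dev 2.7.7-2
wu-ftpd 2.4.2b18-2.1'

# Advisory listing returned by the update server (constructed sample data).
# Fields: name version-release category
AVAILABLE='cron 3.0.1-39 Security
kernel 2.2.12-20 Security
net-tools 1.53-1 Security
dev 2.7.7-2 Bug
bind 8.2.1-7 Security
libtermcap 2.0.8-15 Security
mutt 0.95.6-4 Feature'

# pending_updates [CATEGORY]
# Prints "name installed available category" for every installed package the
# server offers a newer version of. CATEGORY is Security, Bug or Feature;
# "all" (the default) disables the filter.
pending_updates() {
    want="${1:-all}"
    printf '%s\n' "$INSTALLED" | awk -v avail="$AVAILABLE" -v want="$want" '
    # Compare two version-release strings segment by segment: numeric
    # segments numerically, anything else as text. Returns -1, 0 or 1.
    function vercmp(a, b,    na, nb, pa, pb, i, n) {
        na = split(a, pa, /[.-]/); nb = split(b, pb, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (i > na) return -1      # a is a prefix of b: a is older
            if (i > nb) return 1
            if (pa[i] ~ /^[0-9]+$/ && pb[i] ~ /^[0-9]+$/) {
                if (pa[i] + 0 != pb[i] + 0) return (pa[i] + 0 < pb[i] + 0) ? -1 : 1
            } else if (pa[i] != pb[i]) {
                return (pa[i] < pb[i]) ? -1 : 1
            }
        }
        return 0
    }
    BEGIN {
        # Index the advisory list by package name.
        n = split(avail, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            newver[f[1]] = f[2]; newcat[f[1]] = f[3]
        }
    }
    {
        name = $1; have = $2
        if (!(name in newver)) next                      # nothing offered
        if (want != "all" && newcat[name] != want) next  # category filter
        if (vercmp(have, newver[name]) < 0)
            print name, have, newver[name], newcat[name]
    }'
}

# generate_update_script [CATEGORY] [MIRROR_DIR]
# Emits a script that installs each pending package on its own rpm line, so a
# single bad update can be backed out by re-installing the previous version
# with --force, as suggested elsewhere in the thread. Nothing is run here;
# MIRROR_DIR is an assumed local download directory.
generate_update_script() {
    mirror="${2:-/var/tmp/updates}"
    echo '#!/bin/sh'
    echo 'set -e'
    pending_updates "$1" | while read -r name have new kind; do
        echo "# $name: $have -> $new ($kind); backout: rpm -Uvh --force $mirror/$name-$have.*.rpm"
        echo "rpm -Uvh $mirror/$name-$new.*.rpm"
    done
}

# Stand-alone run: list what a nightly job would pick up, security fixes only.
pending_updates Security
```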

  253. Nope by Hynman · · Score: 2

    Not after the Red Hat updater dingus in RH 6.1!!!
    As I understand it it's automatic? Is this correct? I have not had a chance to check it out.

  254. How hard is this? by linuxguy · · Score: 2
    ncftp updates.redhat.com/pub/updates/6.1/RPMS/
    > bin
    > get *rpm
    > bye
    rpm -Uvh *rpm

    Now really how hard is that? This "enterprise" crap is making me sick. These enterprises are hiring people who have peanuts for brains? They would much rather go to Microsoft's website, find the latest patch, download it, sit through the update, reboot the computer AND do the update and reboot process again after they install a new application (This is recommended by most all NT service patches). How many steps is that?

    Anybody who can use ftp will tell you that it will take less time and effort to update the Linux machine. Now the "ENTERPRISE" IT guys, they just have a small problem.

    They have never heard of ftp.

    But they are perfectly capable of maintaining the company mainframe. A whole lot of them work at Ebay and ZDnet also.

  255. You'd like Debian by Gleef · · Score: 3

    The Debian distribution has been set up to do pretty much exactly what you're asking for for a long time now (right down to the distribution of ISO 9660 images for offline machines). In addition, the updates and fixes are better tested and more independent from each other than the corresponding ones in Windows, resulting in a more stable overall environment. It refrains from adding the security holes that Windows Update gives.

    Personally, I prefer RedHat, because it gives me more individual control, but Debian sounds like it would be far better for you, and get you away from the nasty broken Service Packs.

    --
    Open mind, insert foot.
  256. Re:I like the WindowsUpdate idea by Greg+Hewgill · · Score: 3
    I'm surprised nobody has mentioned FreeBSD and its cvsup system. After mucking around with Linux for a couple of years and never really getting comfortable with maintaining a system with RPMs etc, I discovered FreeBSD not too long ago.

    I now have a completely up to date 3.3-STABLE FreeBSD installation on my trusty old P90 that used to run a crufty old RedHat 4.2 install. By watching the FreeBSD mailing lists, I can tell if there's something new I need. If so...

    cvsup stable-supfile
    make world [1]
    make install
    make kernel
    mergemaster
    reboot

    Presto! Completely up to date system. Why isn't it this easy with anything else? Why are binary distributions/updates/patches/etc so popular?

    [1] Okay, this step takes seven hours on a P90.

  257. Small, isolated patches better by Tack · · Score: 3

    I maintain that it is better to install isolated patches as opposed to one huge monolithic upgrade (as in service packs).

    I don't mind upgrading an FTP or bind (or whatever) RPM on my servers, but I absolutely will not install an NT service pack on a production server until waiting at least a month to see what kind of problems arise. I made the horrible mistake of installing SP4 on one of our NT servers. Never again.

    Jason.

  258. How many current NT patches ? by Cally · · Score: 3
    I've just rebuilt my NT Workstation, this time I decided to get really anal about security -- auditing everything, applying all available patches, hotfixes etc. Microsoft release 'Service Packs' that aggregate all the available fixes and patches; NT 4.0 is now on SP5. However after installing that there are merely the ... twenty ? thirty ? other patches and fixes to apply to NT alone. There are multiple patches for Office and Internet Explorer, too, and the holes they're patching are mostly things that could leave root (Administrator) access vulnerable. There were 13 NT security alerts & patches in September /alone/.

    So "most large companies would prefer the one large, sweeping-in-scope, fix" huh ? Quite right. Our corporate MIS has banned the application of hot fixes, patches or service packs beyond SP3 because ... wait for it ... it makes NT too unstable .

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  259. They only needed to install 4 by Quikah · · Score: 3

    Why are they complaining about having to install 21 patches? They needed to install 4 with the config they were using; cron, kernel, net-tools, and dev updates. None of the other services were installed thus they did not need updating. Maybe update X if they actually installed it and libtermcap (this is a fix for a local exploit, but better safe than sorry). So maximum of 6 updates.

    On NT they installed SP5, IE 4.01, option pack 4 and SQL server SP1. That is 4 updates.

    gee, strikingly similar...

    --
    Q.
  260. Red Hat fixes wouldn't have helped by ajs · · Score: 3

    The Red Hat fixes would have limited the scope of the intrusion, but the bottom line is that the guy got a shell at all because the 3rd-party CGI was buggy. This will be a problem if you're using NT or Linux or True64.

    I'm torn on these kinds of tests. On the one hand, the test is attempting to prove the security of an operating system distribution, so that's really all that should be running. On the other hand, you are going to want to do something with that machine. Certainly a stand-alone Linux box with nothing else on it is not much of a real-world test.

    In the end we're just serving to prove an old truism of security: You put a firewall in to keep out the 13-year-olds, but to stop the determined crackers who are targeting your site in particular, you need to audit every piece of source you run. A very tall order, and always painful. It comes down to risk analysis and trade-offs.

  261. I complained... by ckm · · Score: 3

    [QUOTE]

    All I have to say about
    http://www.zdnet.com/pcweek/stories/news/0,4153, 2346293,00.html
    is that you all are idiots.

    I rarely write about things, but this is an outrage. Anyone who thinks that
    MS distributes all its fixes in one large patch is a fool. I should know,
    I was engineering lead on www.starbucks.com, one of MS most prominent sites.

    In order to deploy a server, we would apply the latest service pack and then
    between 30-60 hot-fixes. And that was just for the default software. Other
    packages, like SQLServer, had at least two dozen hot-fixes.

    A lot of times, these would conflict with each other in strange ways, and
    uncover other bugs, which made it very difficult to deploy any fixes at all.
    I would often try them out on my desktop (an NT Server) first so as not to
    endanger the development environment. We even had one case where a hot-fix
    wiped out our SourceSafe DB....

    In contrast, the two Un*x OSs I use on a regular basis, Solaris and Linux,
    have no such problems. Packages and RPMs are small, well-defined fixes to
    particular problems, not some uber-thing that has to itself be patched.

    I don't know where you get your writers from, but I sure am glad I don't
    read any of your publications. And with information like this (i.e. totally
    useless and factually incorrect), it's doubtful that I ever would.

    Chris Maresca
    Project Engineer, Organic Online, Inc.
    ckm@organic.com

    [/QUOTE]

    --
    I don't have a cool sig.
  262. I like the WindowsUpdate idea by JoeShmoe · · Score: 3

    I like how I go to one website, and it automatically tells me what I do or do not have installed. Then I get presented with a list of new patches, arranged neatly into ranks like Critical, Highly Recommended, Fun and Games, even Beta Testing. I can even get told within minutes of a new critical patch being posted by installing Microsoft's Critical Update Notifier. Each patch included a description of the component involved so I can choose if it is right for that computer. Then, after checkmarking all the items I want, click a button to download and install the patches automatically.

    This is, in my opinion, a good system and I compliment Microsoft for adopting it. I only wish that the *nix community would be willing to host similar update servers, particularly for the popular distributions.

    There are just a couple things that I think should be changed:

    1) Link to knowledge base and security alerts. When I see an item listed, I want more than just a one or two line blurb. And vice versa...if I get a security alert on a mailing list, or find a reason why I'm getting a certain bug, I want to click a link and see the fix added to my download queue.

    2) Make it easier for it to work with secure or offline servers. I should be able to download an ISO image that contains an entire copy of the update website. So, all I have to do is pull down the ISO, burn it, pop it into the CD-ROM of the secure or offline server and PRESTO! I can browse a local copy of the same update site.

    3) Download histories with option to uninstall. Right now my Windows Updates are buried under a half dozen items in some Add/Remove Programs control panel. I'd rather be able to see a list (sorted by date) of items I have installed so I can check off the one I want to uninstall. So, if I SWEAR it's a patch that is causing my problem (even if tech support doesn't agree with me) I don't have to reinstall to get rid of it.

    Service Packs stink because I get a whole bunch of stuff I DON'T want just to get the one or two things I DO want. The only reason I install Service Pack 3 on stand-alone machines is so I can install MSIE...and the only reason I install Service Pack 5 on those same machines is so I can use 17GB hard drives. Sure, I could probably abort the install after it decompresses the files and just install the new ATAPI.SYS file...but then I'm skating on "unsupported territory". So I have to cross my fingers and pray that this isn't another Service Pack 2 or Service Pack 4 or lose my support options.

    I think everyone agrees that individual patches would be better since it allows ultimate user control. The only problem has been keeping track of where they are, what they do, and which have been installed. So, let's get them all organized...how about it?

    - JoeShmoe

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  263. ZDNet Car Security Contest by Coda · · Score: 5

    It's a little-known fact, but ZDNet recently held a car security test. They left two cars equipped with different security systems on the streets of LA, to see which ones real-life crooks could steal. The first car, equipped with MS MySafeCar, was locked, secured, and parked next to the second car, which was a convertible with the top down, keys in, and Linux Carsec turned off. The second car was stolen, prompting ZDNet employees to rejoice and marvel at the advertising budget for, er, security miracle that is MS MySafeCar.

    When Carsec proponents noted the discrepancy between the two cars, ZDNet replied that "the average car user would not want to lock 2 to 4 individual doors."

    ZDNet, in response to the information that Carsec comes with power locks, stuck their fingers in their ears and started humming "Ol' MacDonald."

    Do they have a point? Yes, atop their heads.

    --
    -- I can't think of anything witty to put here. Sorry.
  264. Update - ZDNet admits using Real PHBs by Lucius+Lucanius · · Score: 5

    In an update to the story, an anonymous source at ZDNet admitted that they used a genuine IT manager during the tests. "The decision not to apply the fixes came about due to our adherence to realistic simulations. We feel most IT managers are clueless, so we used a representative sample from our own labs. He made the decision," said the source, speaking under conditions of anonymity. "We feel this better represents the real world scenario."

    In unrelated news, seismologists reported a strange disturbance, which they claimed was caused by thousands of sysadmins nodding their heads in agreement at the same time. The phenomenon has tentatively been titled "the Slashdot Effect".

  265. No no no no no no! by jem · · Score: 5


    Having been an NT admin for awhile... It is not just a question of installing five huge service packs. And I'm not talking about hotfixes either.

    There are a number of pieces of software from Microsoft that require the service packs to be applied in differing order:

    The place I used to work before used Site Server (extension to IIS). For the personalisation feature to work on this, a completely bizarre sequence had to be followed:

    Install (approximate - I think this was more complicated):
    Service Pack 3
    Internet Explorer 4
    Option Pack 4
    (some crucial DLLs have now been deleted/overwritten with incompatible versions)
    Service Pack 3
    Option Pack 4
    Site Server 3

    You can now install Service Pack 4 & 5 if you want more things to break or you can cut your losses and stick to things that you know work (even if they aren't secure).

    The problem with this process is that it is badly documented, denied on Microsoft's site and unknown to most MS users. We got this process from someone who spent days installing and uninstalling the software until it worked. Therefore it takes *days* to install a "decent" version of NT.

    This is not the worst bit. The worst thing is that we bought Site Server for all of those built in features (many of which simply didn't work). It wasn't cheap and we ended up just writing our own stuff due to the poor quality of the documentation, lack of speed (dual Pentium Pro, 128MB RAM) and general flakiness.

    The problem with all this software is that Microsoft doesn't write applications anymore. Everything has hooks in the O/S which means that departments within MS end up writing software that messes with everything. Incompatibilities arise and no-one is willing to tell you how to fix it without charging you huge consultancy fees.

    My new web server boxes run Linux. When fixes come in, thousands of users are willing to help you out with any problems you have. They actually know. The applications do not send tentacles into the O/S, choking functionality out of other applications. My sites run fast. I never need to write ASP in my life ever again. I'm happy again.

    Other example? To get a certain feature of MS Visual Interdev running on her machine, a friend of mine had to remove Service Pack 5 & 4 from her machine (Then re-install SP3). Only then would database diagrams re-appear as a feature...

    I sense that many people here have not actually really experienced the joys of NT first hand. It is much more of a nightmare than you think. And good NT admins simply don't seem to exist. I'm sure there are some out there. Maybe. The recent joys of the Windows 2k machine that MS couldn't keep up due to running out of disk space, etc indicate that there simply aren't any. Even at MS.

    I also know of a well-known major UK hosting provider which is withdrawing the NT dedicated server hosting. Too many problems. Too many security holes. Really bad remote management tools. End of story.
    </RANT>