ZDNet Admits Mistakes in Recent SecurityTest

drsparkly writes "Linux Today is running this story claiming that the recent ZDNet Linux vs NT security `shootout' was biased against Linux. Apparently ZDNet had neglected to apply 21 available security fixes. They claim that `enterprise businesses would not want to apply 21 individual fixes' and `most large companies would prefer the one large, sweeping-in-scope, fix'. Do they have a point? "

Re:Devil's Advocate

If you look at the configuration that ZDNet published, you will see that they applied 4 service packs, moved dozens of files around and made over 90 configuration changes. This seems to me to be a rather intensive process.

ZD Full of It - only need 3 or 4 of the 21 patches

ZD is full of crap. Look at the list of the 21 patches, and compare it to the services they were running on the web server. Now make a list of patches that actually affect the programs running on the server. How many of these services are affected by the patches? Maybe 3 or 4. Duh.

My recent (re) installation of Windows NT

I recently reinstalled Windows NT on my computer, and I would have been thrilled had I only had to install 21 patches. Lets count what I had to do to make system as stable and secure as possible. Admittedly this is a Windows NT Workstation System and not a Windows NT Server system. (Windows NT Server would have had far more patches.)

I started by booting off my Windows NT 4 Workstation CD. This put my into the base operating system install. It copied all the files and rebooted.

After installing the base operating system, I had to apply Service Pack 5 which has some 600 fixes in it. After that I had to upgrade all of my drivers for SCSI card, my NIC, my Sound card, my video capture card, my video card, and my Zip drive.

After that I had to install IE 4 because the copy of Windows NT I have only comes with IE 2 which cannot be used to download IE 5. After installing IE 4, I installed IE 5. After installing IE 5, I had to goto windowsupdate.microsoft.com and install half a dozen fixes beyond the initial IE 5 installation.

Then we have the whole virus issue. I had to intall Norton AntiVirus and upgrade that with another 4 or 5 MB download.

Then, when this is done, there are a total of 17 post Windows NT Service Pack 5 hotfixes that have to be applied. These fix bugs ranging from file system corruption to dialup security.

As I said, 21 RPM packages would have been far more enjoyable then installing Windows NT.

Lets not even get into the myriad of patches and upgrades for the applications I have installed. (MS Office, MS Visual Studio, etc, etc)

Even easier...

Not only can you use ftp/rpm/apt to get security updates, but places like LSL put them all together on nice $1.95 CD's for you...see here. Granted, they're probably a few updates behind, but the idea is sound. Don't know for sure, but perhaps places like Cheapbytes, the Linux Mall, LinuxCentral et al. have something similar.

Small correction.

NT service packs, are, I beleive, cumulative. Ie: you only apply the latest one to get all the fixes of all the previous ones... I am not an NT expert, so please correct me if I am wrong.

Even latest service pack leaves IIS exposed!

The huge IIS hole which would have left the NT server hacked in 10 seconds is *NOT* included in service pack 5. If they can apply *special* fixes then why not the redhat ones?



Download the directory, and rpm with wildcards, how hard is that?

Re:Parity

Considering there are close to 400 changes that need to be made to an NT 4 installation 'out of the box' in order to make it secure, somehow the 21 fixes needed for Linux don't seem like they'd be that big of a deal to apply...

RPMs or patches (and source)

Zdnet should have installed any recommended patch and rpm from the distribution's web site or technical support channel (e.g. RedHat)! However, rpms and updates from other sources (including kernel.org, etc..) should not included. You might as well start fooling around with your IBM mainframe. Enterprise servers should not be a playground for patches and updates. Expecting exterprise customers to follow mailing lists and install every single patch available is unreasonable.

Here's were Sun/Solaris gets is right...

...you can download and apply individual fixes if you want - or you can download a "patch cluster" that includes a collection of patches (making it easier to get a lot of patches installed in one hit). Sample clusters generally include:

• Recommended - as the name suggests, recommended for everyone's use (this is what most people install)
• Security - security issues only (no other bugs fixed or apps updated)
• Y2K - duh

If something like this was available, then just as they'd installed SP5 on NT they would have been able to install the latest patch cluster onto Linux so as to ensure that all the latest patches were included - nice an' easily.

Even Debian has it over Red Hat in this regard (fire up package management and say "install the latest stuff", which downloads the packages over the Internet and installs them - can't get much simpler).

Re:Here's were Sun/Solaris gets is right...

[yod@]

mandrake 6.0 also has this feature. Infact rpmfind kan do this for you I belive

Re:Kidding?

Just because it's from MS doesnt mean it's bad...

What?! EVERYTHING that comes from Microsoft is EEEEEVILLL ! Haven't you been reading your Linux users handbook? Praticality has no place in the computing world. Everything must be as difficult as possible to use in order to keep out the "stupid" people.

DOWN WITH EASE!

Yeah, this might be flamebait, but enough of you seem to think this way.

why did they install that cgi script anyways?

i've installed redhat 6 many times and just chose install everything and i dont ever remember seeing a photo cgi script in there. all i've ever seen is cachemgr.cgi in there. Why did they install that program anyways? Did NT have any other 3rd party cgi scripts installed with it? If they did that for no reason, i would say that the test was obviously tainted because it was not just a real install but had other services installed with it.

zdnet is NOT about technical matters...

[hogwaller]

Just look at this as an example.

A more poorly written article about two
OSes can't be found...

--------------------------
Your Favorite OS Sucks.
^D

21 patches vs 21 hotfixes?

[Elvii]

not always a service pack... nt5/w2k is gonna have about 10+ hotfixes before it's first service pack... are people not going to install those because it's not just one update?

I don't think so. They'll do more than one, any good admin will do whatever is nessecarry to secure his servers.

Re:21 patches vs 21 hotfixes?

[IntlHarvester]

You might be right. There are already NT4 "Post-SP6" hotfixes out, and SP6 hasn't even been released yet.

They do have a point..

[Bill+Currie]

but as has been discussed in previous articles, it's not particularly valid. Not applying those patches (whether they come as a single bundle or a multitude) is sheer laziness and a poor excuse. I believe that if the same thing happened to the network I look after at work for the same reasons, I would be (justifiably) fired. If not the first time, then definitly if it happened again (ie, I didn't learn from my mistake).

windows update site?

[Quixotic]

Good idea... kinda like the MS Windows Update website. Using IE, you can connect to this site, which will run some ActiveX program, check which MS software needs updating / patching, and let you choose which ones to update. Once you have made your choice, it goes off and does it's thing and installs all the updates you choose. Actually pretty nifty and painless if you've tried it.

Re:windows update site?

[barbaBob]

Yeah quite nifty. Just reinstalled Windows 98 First Edition this weekend, connected to that site and had more that 13 security fixes to download and install. Not to mention all the other stuff that needs updating. Requires at least three reboots because some of the components don't install together with others.

Yech :)

Cya,
barbaBob

Re:Kidding?

[Quixotic]

sure.. valid points. My point (sorry if I wasn't too clear) is that there's a central place for end users to easily update their files. It's all point and click. Sure, some of it's implementation might be a bit flaky for now.. but I think it's a good idea and a step in the right direction.

In fact, I believe there have been several pieces of software that does this already.. like Oil Change or something like that. Just because it's from MS doesnt mean it's bad...

Re:Linux Packs?

[J.+J.+Ramsey]

Because between one month and the next, some cracker could have found a new exploit.

Re:Security Patches were not the problem!

[J.+J.+Ramsey]

The cracker exploited two holes, one in the CGI script, the other having to do with cron. Red Hat had a security update for cron that would have plugged the hole that the cracker exploited.

No, they do not

[The+Man]

Regardless of whether someone would want to apply 21 security-related fixes, this is not a valid point. The fact is that any even remotely professional system administrator will ensure, especially on a main web server, that any and all applicable security patches are installed. What all this really means is that the people responsible for this "contest" didn't feel like being professional administrators - which, not surprisingly, they aren't. I'm just wondering where they found somebody who was willing to deal with installing the 5 NT service packs. Talk about something I wouldn't want to do. But it's part of the job to keep systems up to date, whatever those systems might be.

Now, back to practicality: Is it really that hard to do rpm -Uvh *.rpm? I just can't imagine this being difficult in any way whatever. Except for someone wishing to slant the outcome in a particular direction. Anyone who's ever been within 100 meters of a unix system knows better.

Re:Security Patches were not the problem!

[imroy]

If you read his page correctly, you would have noticed he used a known exploit in the cron daemon. An exploit that was fixed by one of the RedHat updates.
Everything below this line is a lie

CGI security through chroot?

[kris]

The following is a drop-in replacement for the suexec.c that comes with Apache. It is a bit less tight about permissions (I want to be able to execute code under different UIDs), but executes the CGI within a chrooted environment (so that the UIDs cannot cause harm). Please have a look at the code and tell me what you think about it.


/*
* suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
*
************************************************** *********************
*
* NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
* editing this code might open up your system in unexpected
* ways to would-be crackers. Every precaution has been taken
* to make this code as safe as possible; alter it at your own
* risk.
*
************************************************** *********************
*
*
*/

#include "ap_config.h"
#include
#include
#include

#include

#include "suexec.h"
#undef LOG_EXEC

/*
************************************************** *********************
* There is no initgroups() in QNX, so I believe this is safe :-)
* Use cc -osuexec -3 -O -mf -DQNX suexec.c to compile.
*
* May 17, 1997.
* Igor N. Kovalenko -- infoh@mail.wplus.net
************************************************** *********************
*/

#if defined(NEED_INITGROUPS)
int initgroups(const char *name, gid_t basegid)
{
/* QNX and MPE do not appear to support supplementary groups. */
return 0;
}
#endif

#if defined(PATH_MAX)
#define AP_MAXPATH PATH_MAX
#elif defined(MAXPATHLEN)
#define AP_MAXPATH MAXPATHLEN
#else
#define AP_MAXPATH 8192
#endif

#define AP_ENVBUF 256

extern char **environ;
static FILE *log = NULL;

char *safe_env_lst[] =
{
"AUTH_TYPE",
"CONTENT_LENGTH",
"CONTENT_TYPE",
"DATE_GMT",
"DATE_LOCAL",
"DOCUMENT_NAME",
"DOCUMENT_PATH_INFO",
"DOCUMENT_ROOT",
"DOCUMENT_URI",
"FILEPATH_INFO",
"GATEWAY_INTERFACE",
"LAST_MODIFIED",
"PATH_INFO",
"PATH_TRANSLATED",
"QUERY_STRING",
"QUERY_STRING_UNESCAPED",
"REMOTE_ADDR",
"REMOTE_HOST",
"REMOTE_IDENT",
"REMOTE_PORT",
"REMOTE_USER",
"REDIRECT_QUERY_STRING",
"REDIRECT_STATUS",
"REDIRECT_URL",
"REQUEST_METHOD",
"REQUEST_URI",
"SCRIPT_FILENAME",
"SCRIPT_NAME",
"SCRIPT_URI",
"SCRIPT_URL",
"SERVER_ADMIN",
"SERVER_NAME",
"SERVER_ADDR",
"SERVER_PORT",
"SERVER_PROTOCOL",
"SERVER_SOFTWARE",
"UNIQUE_ID",
"USER_NAME",
"TZ",
NULL
};


static void err_output(const char *fmt, va_list ap)
{
#ifdef LOG_EXEC
time_t timevar;
struct tm *lt;

if (!log) {
if ((log = fopen(LOG_EXEC, "a")) == NULL) {
fprintf(stderr, "failed to open log file\n");
perror("fopen");
exit(1);
}
}

time(&timevar);
lt = localtime(&timevar);

fprintf(log, "[%d-%.2d-%.2d %.2d:%.2d:%.2d]: ",
lt->tm_year + 1900, lt->tm_mon + 1, lt->tm_mday,
lt->tm_hour, lt->tm_min, lt->tm_sec);

vfprintf(log, fmt, ap);

fflush(log);
#endif /* LOG_EXEC */
return;
}

static void log_err(const char *fmt,...)
{
#ifdef LOG_EXEC
va_list ap;

va_start(ap, fmt);
err_output(fmt, ap);
va_end(ap);
#endif /* LOG_EXEC */
return;
}

static void clean_env(char *cwd,int len)
{
char pathbuf[512];
char stripbuf[1024];
char **cleanenv;
char **ep;
int cidx = 0;
int idx;


if ((cleanenv = (char **) calloc(AP_ENVBUF, sizeof(char *))) == NULL) {
log_err("failed to malloc memory for environment\n");
exit(120);
}

sprintf(pathbuf, "PATH=%s", SAFE_PATH);
cleanenv[cidx] = strdup(pathbuf);
cidx++;

for (ep = environ; *ep && cidx pw_dir);
p=strstr(newroot,"/.");
if ( newroot[0]!='/' || p == NULL ) {
log_err("$home (%s) has no /. for uid= %ld\n",pw->pw_dir,uid);
exit(102);
}
*p=0x00;

if (getcwd(cwd, AP_MAXPATH) == NULL) {
log_err("cannot get current working directory\n");
exit(111);
}

uid = pw->pw_uid;
gid = pw->pw_gid;
actual_uname = strdup(pw->pw_name);
target_homedir = strdup(pw->pw_dir);

/*
* Log the transaction here to be sure we have an open log
* before we setuid().
*/
log_err("uid: (%s/%s) gid: (%s/%s) cmd: %s\n",
target_uname, actual_uname,
target_gname, actual_gname,
cmd);

/*
* Error out if attempt is made to execute as root or as
* a UID less than UID_MIN. Tsk tsk.
*/
if ((uid == 0) || (uid UID_MIN)) {
log_err("cannot run as forbidden uid (%d/%s)\n", uid, cmd);
exit(107);
}

/*
* Error out if attempt is made to execute as root group
* or as a GID less than GID_MIN. Tsk tsk.
*/
if ((gid == 0) || (gid GID_MIN)) {
log_err("cannot run as forbidden gid (%d/%s)\n", gid, cmd);
exit(108);
}

/*
* Change UID/GID here so that the following tests work over NFS.
*
* Initialize the group access list for the target user,
* and setgid() to the target group. If unsuccessful, error out.
*/
if (((setgid(gid)) != 0) || (initgroups(actual_uname, gid) != 0)) {
log_err("failed to setgid (%ld: %s)\n", gid, cmd);
exit(109);
}

/* now we chroot */
if ( chdir(newroot)!=0 ) {
log_err("cannot chdir to newroot directory %s\n",newroot);
exit(112);
}
if ( chroot(newroot) != 0 ) {
log_err("failed to chroot to %s\n",newroot);
exit(113);
}

if ( strlen(cwd) strlen(newroot) ) {
fprintf(stderr,"chroot not below docroot cwd=%s [%d] newroot=%s [%d] \n!",cwd,strlen(cwd),newroot,strlen(newroot));
exit(114);
}

if ( chdir(cwd+strlen(newroot)) != 0 ) {
log_err("warning: cannot chdir after chroot %s | %s \n",cwd,newroot);
}


/*
* setuid() to the target user. Error out on fail.
*/
if ((setuid(uid)) != 0) {
log_err("failed to setuid (%ld: %s)\n", uid, cmd);
exit(110);
}

clean_env(cwd,strlen(newroot));

/*
* Be sure to close the log file so the CGI can't
* mess with it. If the exec fails, it will be reopened
* automatically when log_err is called. Note that the log
* might not actually be open if LOG_EXEC isn't defined.
* However, the "log" cell isn't ifdef'd so let's be defensive
* and assume someone might have done something with it
* outside an ifdef'd LOG_EXEC block.
*/
if (log != NULL) {
fclose(log);
log = NULL;
}

/*
* Execute the command, replacing our image with its own.
*/
#ifdef NEED_HASHBANG_EMUL
/* We need the #! emulation when we want to execute scripts */
{
extern char **environ;

ap_execve(cmd, &argv[3], environ);
}
#else /*NEED_HASHBANG_EMUL*/
execv(cmd, &argv[3]);
#endif /*NEED_HASHBANG_EMUL*/

/*
* (I can't help myself...sorry.)
*
* Uh oh. Still here. Where's the kaboom? There was supposed to be an
* EARTH-shattering kaboom!
*
* Oh well, log the failure and error out.
*/
log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
exit(255);
}

Re:CGI security through chroot?

[h2odragon]

1) Good idea, I think.

2) Have ye never heard of diff and patch?

Re:CGI security through chroot?

[Barbarian]

send it to the apache cvs tree or however it's maintained?

It could be a compile-time option.

Re:CGI security through chroot?

[kris]

I have, yet this is currently experimental. Also it is small enough to be distributed as a single piece, enabling you to read it without tools.

Something like this would have been able to contain the ZDnet script in a tight environment, probably making the exploit much harder.

Automatic RH Fixer-Upper

[Threed]

Such a beast already exists. It's called (drum-roll please...) MandrakeUpdate!

--Threed

I like apt

[ftc]

I run debian. Slink (stable) on all the production machines, and potato (unstable) on two "testbed" ones.

I like how i can run "apt-get update; apt-get upgrade" and have the latest security updates I need automatically downloaded, installed and configured on my system.
Or, if I want to review the changes and decide for each package individually if I want to upgrade them or not, I run the "select" method in dselect first.

I can even get told within minutes of a new critical patch being posted by subscribing to the debian-announce mailing list.

There are a couple things that I really like about it:

1) The advisories sent out to the mailing list contain enough information to know what problem the updates are fixing. The changelog files in the packages (which I *can* read before installing the package, if I unpack it somewhere else) contain a list of all changes. And if this is not enough for me, I can go and get the source package, and diff it to the previous version.

2) Debian potato will contain the apt-zip package, a set of scripts that simplify the process of downloading updates to removable media (e.g. zip drives, though you could probably also write them to a CD-R if you needed or wanted to). I can apply them to as many machines as I want to by inserting the medium, mounting it and typing "dpkg -i /mountpoint/*.deb"

3) dselect, console-apt and gnome-apt as well as kpackage are applications that provide me a list (sorted by anything) of Items I have installed so I can check off the one I want to uninstall.

I think everyone agrees that individual patches would be better since it allows ultimate user control. And the way they are organized in the Debian system is really great.

21 fixes too hard?

[sterwill]

"apt-get update ; apt-get upgrade". I've always got the latest security fixes, and they never render my sytem unstable or completely unusable.

--

Think Debian.

[demon]

Try Debian, esp. Potato, if you really want all the latest updates. Slack doesn't really have a "proper" package management system. Debian is continuing to develop the 'apt' system, which not only provides for package management, but has a mechanism for fetching the latest updates from Debian's package archives. All you have to do is

apt-get update ; apt-get upgrade

then answer some questions to get everything updated to the latest (at least, everything that's installed as a package - and Debian has a package for most everything out there).

If you really need a more stable system, go for Slink (aka Debian v2.1, Potato is being actively developed), but for all the latest updates, go with Potato.

Re:The explanatiion is not relevant

[demon]

What Linux need is some stuff arround RPMs (or DEBs). This will be a way to access a repository of RPMs to automatically download (asking first would be a good idea) any dependencies. This woulld allow one to create a RPM with nothing in it but dependencies. So one install this RPM and all the other RPM refered in it will be downloaded and installed.

Sounds something like Debian. apt-get is your friend, and an ncurses frontend is being developed as well. (Don't know about the status of the gnome apt frontend tho.)

Re:Debian has had this for ages...

[demon]

dselect is slowly being tossed away in favor of the new 'apt' (advanced package tool) system that's being developed. And that's just fine by me - I hated dselect. It screwed up my first-ever Debian (slink) install. I was brave though, and went back and used the (still infantile) apt system instead, and it worked MUCH better. apt-get makes updating an install easy as pie, and console-apt is developing nicely (it has some bugs, yes, but it's quite usable even so).

Re:Parity

[/dev/niall]

Huh? Have you ever applied an NT service pack ? Just click on the .exe, reboot, and that's it.

If it were only that simple...

That works fine on your NT workstation that only has user applications installed. If you have SQL server, Site server, SMS, or any other server package that does anything useful you have to install service packs in a special order or risk breaking all sorts of strange dependancies. And it's not just sweeping service packs that need to be installed; most SPs require a myriad of smaller fixes (MDAC etc.) in order to work without bringing things crashing down around you.

To top it all off, you'll need to make several registry changes, IIS confguration changes (I don't believe there's ANY service pack as of yet that fixes the vurnerabilities in the .HTX script mapping problem in IIS), etc. etc. ad nauseum before your system is safe.

Bottom line, without spending a decent amount of time and energy on either platform you're not going to have a secure box. I completly agree that your average corporate group would fail to do this under either platform since your average corporate machine is a festering bag of comprimises waiting to happen.

Why was a third party script installed on the linux box to begin with? It's not like they took advantedge of anything intrinsic to Linux? It was a perl script that just as easily could have lived on the NT box.

Devil's Advocate

[Sanity]

Of course you know what ZD will say don't you? If NT is so difficult to secure, then why didn't anyone break into it during our test?

--

Redhat FTP install doesn't install updates

[copito]

The Redhat FTP install doesn't install updates, and there is no option to do so. It is reasonably easy set an FTP server so it does so, but it takes a bit of tweaking. See RedHat CD mini-HOWTO
--

Re:I do NOT like the WindowsUpdate idea

[Jason+Earl]

Actually, I have not. My Windows virus scanners seem to think that BO2k is a virus. Even so, I would suspect that the possibilities that B02k open up are not nearly as comprehensive as what a systems administrator could do with root access and Perl.

How scriptable is BO2k? Chances are it is nowhere near as scriptable as Linux is right out of the box.

Re:I do NOT like the WindowsUpdate idea

[Jason+Earl]

Actually, most of the time that *nix is deployed as a desktop solution the employee does _not_ have root access to the machine. In other words, you probably have less power on your *nix box than your Windows machine.

If you were using something like Debian Linux (or any distro with a decent packaging system) it would be pretty trivial to implement something very SMS-like. The administrator could _easily_ see what software was installed on your machine, what hardware you were running (I have seen software that makes very pretty text files of the hardware), who had logged on recently, etc.

Heck, they could even archive all of the software that you had run, and other such esoterics like what websites you have visited.

If you have root on someone's desktop Linux box, you _own_ them. This is not necessarily true of Windows machines.

nt service packs

[Paul+Jakma]

service packs are *easy* aren't they?

so easy, you have to reinstall them if you add a component from the NT cd.

And so easy when some application (usually MS) takes it upon itself to upgrade files that are also upgraded by a SP. Which version is the correct one? The one from the SP or the one the application installed? And maybe the app can't work with the version from the SP? So how do you install the SP? Or reinstall it if you've changed some vital config, eg changed the NIC?

And this kind of thing has infinite permutations, leading to hours and hours of NT admin fun. And hey, if it wasn't for NT admin's would never be able to claim overtime! Damm those Unix boxes that just purr away for months and months without a glitch. How can you ever earn money from them?

Yes service packs... gotta love them. you really do. {God, Allah, prefferred deity} bless NT!

This is a poor excuse

[Jeff+Davis]

Most enterprises want to put on fixes that solve a problem. Sure it is nice to be a patch set on, but ultimately, the idea with patches is to fix/improve/add something. A good sysadmin will always keep current on security patches as a priority even if they have to be applied one at a time. The is most especially true on systems that are attached directly to internet.

Re:Automatic updates are a Bad Thing(tm)

[Oestergaard]

PostgreSQL database formats changes only between some (usually major) version numbers.

It would be very bad indeed if RH released an update package that would break data when applied. Haven't seen that yet. They're usually (probably for the reasons you state) very careful about warning you of any implications an update might have. Usually the're no implications except for the fix of the hole.

Re:3 questions and a rant

[Oestergaard]

Ever tried updating more than a few machines ? Well that's why you don't want to click it. You could ofcourse. I'm sure that tools like gRPM (GNOME RPM) and others will, in time if not already, give you the option of running the equivalent of the --freshen. You can already point-and-click upgrade packages, which is sufficient for upgrading packages you know needs upgrading.

I don't know about the 120 exploits you mention. If you look at the updates directory for RH6, there's far from 120 packages to upgrade. So there might be 120 holes, but they're all fixed by applying a far smaller number of upgrades (so either 120 is a little optimistic on someone's part, or some packages just have a lot of holes (I'd doubt that so many packages had so many holes though)).

Really, redhat has the erratta page, and you can already point'n'click upgrade. In the security updates that redhat release, they even give you an entire command-line you can just cut'n'paste into a root-shell, to have the upgrade retrieved from the 'net and applied. I'm having a hard time seeing what you think the problem is.

Re:I work enterprise - multiple patches are the pi

[Oestergaard]

I can think of:
*) ssh (using .shosts for root)
*) rpm --freshen ftp://
and eventually
*) at

There you have your shink-wrapped enterprise management patch package distribution scheduling parallel system [feel free to add more buzzwords]

Really, with rpm (and I'm sure with dpkg too) it's really _so_ easy. You need a very small amount of imagination, and then you have your management system that you can customize in anyway you please (hell, you just wrote the main routine of the application yourself - even though it's a one-liner).

Useless test

[android]

If they had bothered to maximize security, we could have found a NEW flaw, thereby actually accomplishing something.

I do NOT like the WindowsUpdate idea

[Ken+Broadfoot]

This is because I really am worried still that microsoft is databasing stuff about me and what is on my server. I would rather just "one way" FTP the stuff I need then install it on my machine much like the Redhat errata site is right now.

At work I have to use NT on my desktop. I ran the task manager and decided to try and kill some tasks. Heh, I could not kill the smss.exe. Gee, I wonder what that is for?

I bet many companies fear the penguin because they will lose the ability to snoop on you, much they way WinozeUpdate probably does as well.

Ken

Re:I do NOT like the WindowsUpdate idea

[Chandon+Seldon]

Yes it is. Have you ever really played with such remote administration software as BO2k?

Re:The CGI script

[Mawbid]

This is looking less and less like a test and more and more like an ambush. Still, I like to keep in mind the much repeated advice "never ascribe to malice what can be adequately explained by incompetence".

I found the page you linked to very informative. I had no idea security-conscious NT admins worked so hard.
--

The CGI script

[Mawbid]

I'm too lazy to read the article. I did read the hacker's (yes, he is a hacker) how-I-did-it piece and it didn't tell me *why* that CGI script was there. What was it doing there? Why was it installed?
--

Re:The CGI script

[bmetzler]

I'm too lazy to read the article. I did read the hacker's (yes, he is a hacker) how-I-did-it piece and it didn't tell me *why* that CGI script was there. What was it doing there? Why was it installed?

In order to simulate a real web server, PC Week Labs had to have it exist for a reason. So they installed a Classified Ads application. And it had a hole.

If you read the page where they described the configuration changes they made, you'll see that they made more changes to NT then they comparatively made to Linux. As in, it was biased a lot more then just not installing all the patches on Linux. They made registry changes. *By* hand, I presume. They moved some of the admin tools to a different location on NT, but didn't move the comparative tools on Linux.

They were comparing apples to oranges anyways. They used a CGI application on Linux and a scripted application (ASP) on NT. Come on, to be fair they should have used a scripted application on Linux also. They *know* what php is, they used it for the forums

-Brent
--

Re:I like the WindowsUpdate idea

[Ben+Hutchings]

Oops, that's Steve Wildstrom <steve_wildstrom@businessweek.com>.

Re:I like the WindowsUpdate idea

[Ben+Hutchings]

Oops, that's Steve Wildstrom <steve_wildstrom@businessweek.com>.

Re:Should it matter?

[stevew]

Yes it should matter - I've been around PROFESSIONAL Sys Admins in a mixed Sun/Windows shop. These guys applied EVERY fix to the Sun OS as they came out, or as they installed new system. PERIOD! These guys set up the community - AGAIN - and they used an application which indeed had holes in it. Probably much to the suprise of the guys that wrote the religious (holey) software. The OS should have been the final line of defense with no known ways of gaining root privilege. The second part of this proposition was the sys-admin's responsibility. It just isn't THAT hard!

autorpm

[Alan+Shutko]

Autorpm has been around for a while, which can also check for updates and install them. The major differences with RH's (that I know of, I don't have it yet) are:

* A priority FTP server for registered users
* It comes with RH standard. Not everyone knows about autorpm.

I work enterprise - multiple patches are the pits!

[dustpuppy]

I work on one of the largest Unix sites in my country - 200 machines - and I can tell you, if I had to apply 21 individual patches to 200 machines, I would be ready to punch someone.

These machines are mission critical which means that the only time you are allowed to apply patches is outside business hours which for these boxes is between 9pm and 3am. That's a lot of late nights. Sure a single large patch still has to install the same amount, but you could start patching the system and then move onto another one which means you could do several in parallel. With individual patches, you would have to keep coming back to each system to start the next patch.

On top of this, due to the mission critical nature of the boxes (they are used nation wide), we have extensive change management controls. Any patch that we apply would have to have a corresponding backout procedure. It is much easier to consider a patch as one big patch than 21 individual patches. Sure, us tech people know that they are really one and the same. But try telling the change managment people that.

When you are dealing with a small site, individual patches are probably preferable - I would prefer them myself.

But on an enterprise level of any decent size, there is no way I want to have to deal with individual patches.

This is not intended as an insult to those who are contributing to this topic, but how many of you guys actually work in the enterprise area? Or are the majority of you making comments based on what you think happens in the enterprise arena?

Okay, I shot my mouth off without thinking

[dustpuppy]

Yes, I totally agree with the previous replies - I too would use scripts.

In my haste to post my reply I overlooked the mot obvious way to handle multiple patches - yes, I look stupid.

I should have known better because I just performed 5 patches to the machines two weeks ago - hence my post on this topic - and yes, I used scripts then.

I do stand by my argument on red tape though.

Re:Okay, I shot my mouth off without thinking

[Sesse]

Red tape? Are you referring to the `backup plan' system?

Should be pretty easy to fix -- if you find that the patch breaks, just install the old RPM, .deb, .tgz or whatever you use for package management.

/* Steinar */

Re:I work enterprise - multiple patches are the pi

[dustpuppy]

Heh heh, regardless of whether you have one or multiple patches, applying them to WinNT is painful! :)

I too have been in that situation. The GUI nirvana kinda falls down doesn't it when you have to push buttons a-l-l t-h-e t-i-m-e!! I synpathise with you.

My post was more about comparing a single patch for Unix to multiple patches for unix.

No they don't have a point

[Jack+Hughes]

If you think that "good" system administration is:

1. Download a great big service pack
2. Don't bother to read any release notes or even to think why you might be applying the fixes
3. Install and reboot your server
4. Place a Big Fat Tick (Check?) mark by the "I've installed the Service Pack on this server" item on your job sheet
5. Repeat for another n servers

Then they might have a point.

If you think that good system administration involves: Understanding your system; Understanding the problem; Understanding the solution, then of course you don't want to blindly install hundreds of megabytes of new code...

It really is a question of mindset. Given a handful of servers it is far easier to do

ftp some site
cd update directory
mget *.rpm
quit
rpm -Uvh *.rpm

And then telnet to another server and repeat the same. Without rebooting your machine.

[That's if you really wanted to of course, and weren't that bothered in working out what the impact of each RPM is].

Re:No they don't have a point

[Jack+Hughes]

One of the strengths of UNIX is the availablity of various scripting languages/facilites which can be used to automate things - a System Administrator would probably not type in the RPM command on all 2000 machines, but would automate it.

Some keywords to help you: "perl", "cron", "bash", "at", "expect", "init".

Try searching for these either using the web or the "man" command.

Re:No they don't have a point

[sparks]

> Riiight, and if you had 200 or 2000 servers,
> the rpm solution would be *sooo* good.

The RPM solution would be ideal for 2000 servers. Even if you did have to do them all manually (which you wouldn't unless you were clueless), it would still be faster to issue a wildcard rpm command and walk away than to install SP5 and reboot.

Any half competent Linux systems administrator could trivially set up an automated system to roll out patches to any number of connected servers. There are lots of ways you could do it, using cron and either scp, ftp or nfs depending
on how paranoid you are.

Sure, you'd have to install a script on each machine and set up a cron job - once. From then on you'd just place the relevent rpms in a nominated directory and go home. At 3am, or whenever, each of your systems has a look in that directory to see if there's anything there which updates its installed software, and upgrades using it if so.

Can you get that degree of functionality with NT?
You could install PERL and cron on an NT box and get the scripting working - that would be the easy bit. But Microsoft just don't provide patches in a useful enough manner. Even if they did, how would a particular machine decide wether or not it needed to install a particular patch? Trivial with RPM. All but impossible with NT. Not to mention the need to reboot after installing each one.

ZD (and for that matter Microsoft) just don't understand the art of systems administration. Someone who stays at work all night doing point, click, reboot, point, click, reboot several hundred times over to upgrade his machines is not a good sysadmin. Someone who types a few commands then goes home at 5pm, confident in the knowledge that by 9am the next day, the systems will all have upgraded themselves - that is a good sysadmin.

Re:No they don't have a point

[Dionysus]

Riiight, and if you had 200 or 2000 servers, the rpm solution would be *sooo* good. That's why the sysadmin gets paid those big money, right? Staying up all night, doing rpm -Uvh *rpm.

nobody puts a new service pack on a production system. They test it out on a single non-exential server first, and then carefully roll it out.

I do think zdnet is wrong, though. Security patches (especially on firewalls, webservers etc... anything that can compromise the internal security of the company), will be applied. Others problems, unless they impact productivety, won't get patched until a service pack comes out and tested.

Re:They do have five points ;)

[Jack+Hughes]

Mmm.. Your missing something here when you say "..instead of having to track down 21 security fixes from different sources, which in some cases might require recompiling. That requires more work and a knowledgable systems administrator.

ZD were testing RedHat Linux. This is a distribution. This means that it is put together by (the evidence suggests) some knowledgable people. So you DO have one trusted source, and one set of files. This is why it is worth paying RedHat for their distriubtion - because it relieves your of the burden (but not the responsibility) for continually monitoring and updating your system.

It is far, far, far easier to maintain a few RH systems (especially remotely) than it is the same number of NT servers.

Cool...............

[Synflex]

I suppose now we can have all the time in the world to compile _one large sweeping-in-scope fix_ while risking security breeches huh? Let's see..... RH6, then about few months RH6 SR1? then SR2? Perhaps that's what 'enterprise bussiness' needs. It's always fine for us ;P

come on

[arielb]

ok this makes me sick. If you are really interested in security then you better not be hiring Mr. point and click. This is serious business and if some IT thinks he can simply install a service pack and poof! security! then he should be fired. Don't you think?

Re:come on

[PigleT]

Well said!
Security, like firewalls, is not something that comes in a big box to be applied en-lump.
(Firewalls: which do you want, an ipchains that lets 110/tcp through as filtered regardless of setting (beats me!) or which advertises what sort of firewall it is when you telnet into it??)

Anyone here been to sunsolve recently? I mean, I diff'd someone else's solaris 2.6 box against one of ours, and found a meagre 98 patches different... it's not as though "Real OSs" don't have individual patches to apply...

Debian has had this for ages...

[Sesse]

Not wanting to start a distribution war here, I should perhaps notice that Debian has had automatic update for ages. Run dselect, choose `update' and everything (including downloading, installing and configuring) is done automatically for you, at the spot.

If you do a net install, you get the right packages right away, of course.

Since I know close to nothing about RH, I shouldn't say that RH _hasn't_ had a similiar system, but from the comments I've been reading in this article, it certainly sounds that way.

/* Steinar */

Windows Update a great concept?

[Sesse]

Perhaps, but at least not new. (Try Debian with dselect.) What worse, you have to make LOTS of scans, and click a lot around. At least with dselect, you know what's happening...

/* Steinar */

DHTML/XML

[Sesse]

XML being a key feature??

I think that Microsoft should get real support for the base standards (their HTML-generation makes BAD HTML, and their CSS1 support is far from complete) before they go on to `supporting' more or less new standards (like XML, or XSL which is experimental ATM).

If you want Netscape with `proper' DHTML (which Microsoft invented), try Mozilla/Raptor, which supports DOM level 1, 99% CSS1 and well over 50% CSS2.

And your second argument sounds a bit funny to me: Java was too secure, so they made ActiveX instead! Go, go! (If `Java wasn't enough', they could easily have extended it with a few classes. But I guess they don't have HD space for any new classes anymore...)

/* Steinar */

Re:Small, isolated patches better

[Sesse]

>Of course new users are still left to install all 21.

Why?

Just install off the 'Net, and if your distribution can do it (at least dpkg/dselect can do it), then the older packages will never be downloaded at all -- security right away.

If you install from CD, of course, you will have to do a network update. That's approx 10-15 keypresses, for setting up the servers and hitting Update.

/* Steinar */

Re:and that makes nt better how?

[Sesse]

>On the other hand, Linux has so many services started by default that it is a nightmare.

That is a common SuSE/Red Hat problem. Most other distributions (at least not Debian and Slackware) have this problem.

/* Steinar */

Re:Do they have a point?

[myconid]

And what if I only run one of the programs that there is a security fix for? I have to download the entire group of updates, which would be rather large in comparison just because I don't use the remaining 20 applications?
Stan "Myconid" Brinkerhoff

I don't think so.

[LongShip]

ZDNet Labs deliberately chose to ignore the 21 security flaws that would most likely be used by any cracker to crack the Linux box. ZDNet's Chowdhry's claim that this was because IT managers prefer monolithic patches where the administrator has no hope of tracking individual changes is a ridiculous equivocation. This same argument didn't stop them from applying the service release 5 patches to the NT setup.

The lesson to be learned here is that ZDNet Labs has violated the public trust. Somebody's head should roll.

Re:Accuarate

[LongShip]

It's my article. I would not publish this if it weren't true. If you take the trouble to click the link in the very first paragraph you will be miraculously transported to the ZDNet site where a Mr. Chowdhry of ZDNet Labs will tell you that it's true.

The only problem is that you have to take the trouble to click the link.

Re:YES THEY HAVE A POINT!

[Rev.+Krusty]

Debian has the ability to do auto-updates based
on security fixes only. security.debian.org stores only security updates for packages in
the current stable release. This is perfect for
companies that only want to run stable software and yet want security updates. All of these updates can be automated even so that there is no
need for someone to even be there.

Companies definatly do not want to mess with updating package after package. The biggest problems with all of this is that there are a ton of different programs out there in the opensource arena to use to make life easier. It all depends on what you know and use. The majority of talk here is of RedHat...but not everyone uses RedHat. At my company we have chose Debian since it's better (In our opinion mind you) for a server operating system. It allows us to easily maintain packages and keep them up to date without the worry of...man I have to update how many???...it's all done automatically. We even maintain a set of our own packages for internal use...this allows us to keep all of our internal software up to date just as easily.

This problem exists in more than just the Linux arena..Solaris has tons of minor packages that they release as updates but they also supply one huge package as well.

By far Linux has the ability to deal with security fixes the best. RedHat has alot of goals that they are trying to acomplish and in time they will meet them all. (or come close)...If you want this type of functionality go with a distribution that's designed for it.

yes and no...

[lucid]

i think they have something of a point, but not really. sure, people would love to install 1 patch instead of 21. however, i think any company with a clue is going to want 21 patches installed if thats the way the patches come. saying anything else is like saying they don't want their box to be secure. which is interesting, especially in light of ZDnet's admission. aren't they kinda saying they wanted the PR from the "contest", but they didn't really feel like securing the linux box?

Re:ZDNet's credibility

[Juniper]

"I would like to claim that /. (or at least certain editors) lost a lot more."

A lot more WHAT? Credibility? I don't think so: it said right it the synopsis that "It's a hoax, folks."

If not credibility, then what did /. lose?

Even if they do have a point...

[Michel]

Well, even if it were true that people wouldn't want to apply 21 different patches (Whoever said that sysadminning was supposed to be easy?), if you're going to run a security test you still have to apply ALL the patches available (if they make sense, that is).

Otherwise I could just go out and say that lots of people are stupid and will execute unknown binaries on their NT boxen, and you can assume that BO2000 will be installed. Hey look, insecure NT box!

I don't need to tell you that this gets silly really fast...

No, they don't have a point

[Critter]

Red Hat could make it even easier by placing security fixes in one place. However, lets put this in perspective:

First, Microsoft service packs are several in number and are usually applied in turn. So, even on that platform there is not ONE patch. For the testing teams manager to decide that five service packs is ok, but twenty rpms is too many shows an unprofessional attitude.

Second, the security of a system could be compromised by any application listening to a port. On the Microsoft platform this is more likely to include individually distributed proprietary applications; each of which would maintain their own security patches.

Re:How hard is this?

[elflord]

rpm -Uvh *rpm
Now really how hard is that?

Well, it's easy enough, but it's wrong. This will possibly install a bunch of packages that you

• don't have installed, and
• would rather not have installed (ie daemons).

If you're going to trash ZDNet, at least do it right.

To make sure you only update packages and don't install anything new, you need rpm -F

Most of you are wrong, they *do* have a point

[whitroth]

Lessee, most places I've worked, and that ranges from county gov't, to small co's, to huge co's,
to city gov'ts, *INSIST* on testing, and being as sure as possible that the latest "fix" doesn't break something else.

Anyone want to argue that there are times when it does?

Fixes, where I work now, would *have* to be scheduled a week or two in advance...AT LEAST.

And then there's the problem of large shops. Someone said they worked in a large shop, w/ 200 machines. I have a close friend who works for Walgreens, with something like three thousand UNIX boxen. Anyone who's arguing that each should be applied as soon as they come out, individually, want to discuss what would be involved with 21 patches to 3000 boxes, running 24x7, over remote links?

Emergency fixes, like that on the ping-of-death, are one thing. Smaller fixes should be bundled, and come out a *lot* less frequently. Hell, when I come home, if I want to read my email, or whatever, I don't want to have to spend time, when I could be making dinner, or whatever, putting in the patch-of-the-day.

On the other hand, a regularly scheduled patch-level maintenance would be a Good Idea, if managers could be made to swallow it.

mark

IIRC Microsoft "experts" helped with the NT system

[Barbarian]

I believe that they said that Microsoft assisted them in setting up the NT system.

"Community resources" assisted them with the LINUX system.

In any event, not installing the fixes is incompetence.

Enterprise Computing.

[malkavian]

Heh..
You know, I've not heard such a good joke in a while...
I work at the level they say that "You wouldn't want to install 21 seperate patches"..
Wrong. The brief is "Make is secure". If that means 21 patches, so be it. If it means 100 patches, then so be it. But, make it as secure as you can.
Now, how easy is it to NFS mount a partition with the patches on, and an automated script to run the RPMs??
Now, how easy would it be to install the said same service packs on the same number of NT boxes??
Hmmm.. In the real world, 21 patches to 1000 UNIX boxes is orders of magnitude faster than 1 patch to 1000 NT boxes.
And if you can't do the above NFS mount and scripting, YOU SHOULDN'T BE IN ENTERPRISE COMPUTING!
I could rant a lot more, but I think everyone knows what I mean, and I have work to get on with..
Just my tuppence worth,

Malk
(Who has applied a lot more patches than that to his very-strategically-important-to-a-large-company Red Hat 5.2 box)

21 patches vs 21 service packs?

[/dev/kev]

Somehow I get the feeling that they would bother to install 21 NT service packs if Microsoft had that many of them (don't laugh), and they wouldn't even think it strange.

And let's not forget the 21 consecutive reboots that would require, plus how long it would take to download all 21 x ~ 50Mb of them... :)

Re:ZDNet Car Security Contest: You forgot...

[AviN]

... and it won't crash.

Re:The simplest solution of all times

[sgifford]

It's not quite so simple; if I downloaded Update.tar.gz last week, and I want to get up to date again today, I don't want to download the entire tarfile, including the packages I just updated last week. Similarly, if I don't have Apache installed, I don't want to download a large replacement package for something I don't even use.

What you want is to only download and apply the patches you need, based on what you have installed and on when you last updated, automatically.

rhlupdate (search freshmeat) is one way to do this, although I had to modify it to get it to do what I wanted.

I believe that the "up2date" software in RedHat 6.1 is supposed to solve the same problem in a more GUI way.

Somebody else suggested doing:

rpm -Uvh ftp://ftp.redhat.com/pub/redhat/updates/6.0/i386/\ *

although I wasn't able to get that to work.

I do agree, though, that software to do this automatically should have been included in RedHat a long time ago.

Automatic updates are a Bad Thing(tm)

[RobM]

You type 'rpm --freshen' and the next that happens is that you lose your PostgreSQL Database, since version 6.n data files are NOT compatible with version 6.n+1. And this is just an example.

Never use automatic updates on production machines: even if RedHat (or Debian or SuSE or [put your favorite distribution name here]) use maximum attention creating packages and packages rules, you can't be guarantee that all will work everywhere. And if you need a demo, read what happens whith NT and their monolithic service packs: in SP1, it was 'dir A:' -> machine resets... ;-)

Bye,
Rob!

Re:Automatic updates are a Bad Thing(tm)

[RobM]

It was not a security patch, but the standard upgrade that RedHat 6.0 installer does on a 5.2, after you select to update an old version.
The right thing to do for the installer was to NOT upgrade the Postgres, and maybe signal the necessity for a manual backup/upgrade/restore.

Bye,
Rob!

Re:Automatic updates are a Bad Thing(tm)

[RobM]

Yes, as I said in my previous reply, it was the standard update from 5.2 to 6.0, and OBVIOUSLY it was NOT on a production machine, but on a test one that thank goodness had a test PG database on it, so that I could spot the problem.

Back to security fixes: when you (RedHat) discover a security breach in a package, you are in a hurry to fix it, so the likeliness of a misconfigured update is high: they sure do their tests, but erorr is alwais possible ;-)

Then your option is to wait for the security fix to be tested by someone else, or by yourself on a production machine. Not an option if you are a 'target' site for whatever reason, but that's the same thing that happens with NT: I usually install a SP al least a month later, unless it fixes a really important (and usually stupid ;) secbug.

Bye,
Rob!

Re:Automatic updates are a Bad Thing(tm)

[tialaramex]

Nah, RedHat are pretty conservative about security fixes
(If you update just because stuff is new, go play with potato and DON'T DO IT ON YOUR PRODUCTION MACHINE)

An RH security fix usually just bumps the patch revision, and therefore doesn't cause any damage
Upgrades from say 5.x to 6.x should be approached with rather more caution (still much better than a re-install IMHO)

21 Updates is a Royal Pain in the Ass.

[Mike+Buddha]

They're right. 21 updates is too inconvenient. This is an issue that should be addressed with more than simple anti-MS rhetoric.

What's keeping Linux down at this point, is lack of user-friendliness. I don't advocate making it a useless, pablum, MacOS-like OS, but a little more concentration on the end user is going to go a long way at this point.

People ARE sick of MS, but they are not going to give up ALL of the creature comforts that they have aquired. This "Unified Patch Distribution" idea seems a simple enough idea that it could be facilitated, quite easily, in fact. Some RPMs, an install script, &c.

Re:Kidding?

[Squeak]

I must disagree - not everything they make is evil. They do produce very good mice.

So if MS waited another week...

[PsychoSpunk]

Alright, we all know about the security problems that have plagued hotmail since MS bought it out and put it on NT, right?

Well, the way I see it, they should have just waited to apply "one large, single fix" to their problems rather than patching it here and there.

They probably could have actually avoided some of the problems they had when their software patches caused more problems. Every software engineer knows a patch causes as many problems as it solves.

I guess that enterprise solutions don't have an MIS dept, and that their work isn't that critical.

Of course, then again ZDNet could have just dropped the ball (as usual) and tried to cover their asses by saying that people don't want to apply 21 separate patches. Any mission critical box generally has a sysadmin whose carcass would be flung out into the street if they didn't want to apply 21 separate patches to fix security.

Parity? How about Accuracy!

[Lumpy]

NT doesnt have only 3-5 service updates! there are over 30 that I have to install on every machine here! NT,IE,Outlook,Word.... every single MS app has about 3-5 patches that need to be applied... Linux needsing 21? that's a joke... each app needs 1 or more applied. Let's get things into contex people! Install linux workstation - 2-4 hours Install NT workstation (Automated) - 4-6 hours Patch the thing - Linux 20 minutes NT - 3 hours!!!!

Re:No they don't have a point -YES

[Lumpy]

Ummm have you talked to a MCSE? yes that is the scope of their abilities... download, click setup... drool.... un-jam a printer, drink coffee, download next patch, click drool.... oops, that was setup!

Re:I work enterprise - multiple patches are the pi

[Dionysus]

I don't know. With enterprise, wouldn't you have something like Tivoli or some other enterprise management package installed? Just set up a timer to do the update at 3 am for all the systems that need the update.

Granted Linux, at this point, doesn't have *any* enterprise management packages (although IBM demonstrated TME on Linux at LinuxWorld).

Windows NT needs 50..3000 security changes.

[wtanaka]

From: crypto-gram

Many people asked me about my comment last issue about Windows NT needing over 300 security changes to make it secure. I queried the Usenet newsgroup comp.os.ms-windows.nt.admin.security asking if it was folklore or truth, and got several answers. The consensus seemed to be that the number was somewhere between 50 and 3000, and 300 wasn't an unreasonable estimate. A good checklist is available here: http://people.hp.se/stnor/ And see also: http://www.trustedsystems.com/NSAGuide.htm

Re:I work enterprise - multiple patches are the pi

[JamesKPolk]

How would such scripting be possible? Perhaps I should have been more specific, and said "possible with the documented tools that come packaged with the operating system."

Re:I work enterprise - multiple patches are the pi

[JamesKPolk]

I always thought that one basic qualification of a sysadmin was the ability to write scripts!

It wouldn't be hard to write a script to apply 21 rpm patches...

By comparison, it wouldn't even be possible to hack out a quick shell script to install the latest service pack, plus 2 or 3 of the hotfixes microsoft has available.

Service Packs?

[kevlar]

Should Linux have Service Packs?
Absolutely. Thats a great idea. However with RedHat they're called RPM's and are smaller (maybe someone can think of a way of bundliing all of the errata updates together).

Does this EXCUSE PC Week for blatently being biased against Linux in their "Professional" testing?
Absolutely not. Not only would installing the latest SP from MS _NOT_ fix every vulnerability in NT, but the mere fact that they installed it for the sake of security, and installed nothing for Linux makes this test look outright fradulent.

I wonder if you can sue for that? Defimation of Linux?

Re:FreeBSD cvsup

[theJeff]

Do you have to do the whole make world seven hour process for any update? Or is there an easy semi-automatic way to just rebuild and restart the services that were patched? Obviously a kernel patch would need a reboot, but why reboot for other updates?
I think these questions are probaly why binary updates are popular. Using Debians apt-get I download updates weekly and spend about 5 minutes watching them install. (Could automate it, but I like to see what I'm going to change.) No reboot needed, all services are restarted etc.
The only advantage I see to the make world approach is that everything can be built optimized for your system. But for most applications that isn't really significant.
Where's the advantage?

thejeff

Re:I like the WindowsUpdate idea

[cdegroot]

Cool. It essentially means you're forced to run MSIE with Administrator rights, the equivalent of which (running Netscape as root) I'd never dream of under Unix. Basically, my strategy is to mirror the FTP update site of my favorite-Linux-vendor-of-the-day (SuSE at the moment) and only become root to install the rpm's after I have verified what the rpm patches, what the impact could be, and why I would want to apply the patch in the first place. No vendor can make that decision for me, what's critical to one user is totally unimportant to another one.

And, as others have said, security of a system comes down to the competence of the people administrating it. However, Microsoft is doing such an optimal job of shielding information from the average user that it takes above-average competence just to get the information needed to make informed decisions (applying an SP, IMNSHO, is not making an informed decision).

Re:Kidding?

[Jae]

I must disagree - not everything they make is evil. They do produce very good mice.

heh - that's because they subcontract them out and just stamp them w/ the microsoft name.

Both many small and one big fix is possible

[Helge+Hafting]

While I'd agree that most CIOs would prefer a single opaque fix-pack every six months, I'm betting that most of the people who actually do the work would prefer to get a fix this afternoon for a problem discovered this morning

Both is possible. The guy who takes care of the linux boxes from day to day may install fixes as soon as they get available.

Those who want a single fixpack (perhaps because they are going to install 50 machines, with the latest fixes applied) can use a "fixpack" consisting of all the small fixes and a script that goes
rpm -i firstfix
rpm -i second fix
...
The various distributors should keep a "fixpack" like that for the benefit of new installs, as well as those who don't follow development closely.

Re: NT service packs vs Linux patches

[Mojojojo]

I read on CNN about 2 days ago that there are over 300 things that you would have to do to a vanilla NT server out of the box to make it secure. 21 fixes isn't much at all. Besides, people running Linux for the most part understand more about their systems and sysadmins should be up to speed on these application patches anyway. That's BS that they failed to secure the server, then said, "Well, noone in the real world applies patches."

There's something of a decent point here...

[Cyric]

I think it is reasonable to assume many companies won't add every fix to their servers. It's much easier to download one 100+Mb patch and apply it than it is to apply the dozens of fixes individually.

Instead of bitching and bickering about the unfairness of it all, I'd bet that if someone took the 21 patches and put them into one service pack ZDNet would re-do the tests. If not, they're caught in a bold-faced lie.

Keep in mind, if someone starts making service packs available, it's got to be consistent. If 40 different service packs are flying around, no administrator is going to sort through them figuring out which one is the newest (at least, not in ZD's world).

Re:YES THEY HAVE A POINT!

[Roundeye]

Why does autorpm not do what you want?

Reboot?

[orcrist]

Huh? Have you ever applied an NT service pack ? Just click on the .exe, reboot, and that's it.

Figures a Microsoft proponent doesn't consider rebooting a server to be a difficulty...

Re:Reboot?

[mpe]

Figures a Microsoft proponent doesn't consider rebooting a server to be a difficulty...

Or that the thing is so unreliable that rebooting it isn't an issue.

Re:My Opinion

[orcrist]

AC wrote:
But add another gap: when RedHat servers will be cracked, you're going to have "trojan" updates. Remember even freebsd.org source repository was once compromised.

ignoring (or overseeing) that

aqua wrote (in part):
...it's a nifty little app that picks up the updates from FTP, NFS mount, etc., checks the PGP signatures ...

Chris

Re:I like the WindowsUpdate idea

[sharkey]

Of course, that assumes MS actually posts ALL the available updates/patches/etc. Did anyone else notice that the fix for their latest JVM security hole didn't show on Windows update for more than 2 weeks after MS published the security bulletin about it?

"Unbiased" reporting? (Rated R for language)

[Chip+Stillmore]

After reading anything on ZDNet, it's obvious to me that the company is extremely biased towards Microsoft. This ZDNet SNAFU* is just another example of their unbiased approach towards information dissemination.


*SNAFU - situation normal all fucked up

Re:"Unbiased" reporting? (Rated R for language)

[Chip+Stillmore]

Of course, in the above, when I say "unbiased", I'm being sarcastic.

I forgot to make that clear.

Re:Parity

[Tenareth]

Huh? Have you ever applied an NT service pack ? Just click on the .exe, reboot, and that's it.

Three things:

1. If I am fixing a bug in the crond, why would I have to reboot, I just restart the service. Much more useful in "real-world" scenerio.

2. I have seen on several occasions, that after the reboot, it either doesn't boot, or there are a whole slew of new problems (SP2 anyone?).

3. If you want to keep NT secure, you have to apply the HOT-FIXES. There are just as many of those, if not more, than RPMs.


-- Keith Moore

This is pathetic

[platypus]

They seem not to have any more advanced expierence with nt server, too.
For a laugh, goto Sequences for Installing and Configuring Server Applications Running on Windows NT Server 4.0.
Ask yourself: What do I have to do if I want to install more than one of the packages? And you know, one failure and you are fscked.
And while talking about "enterprises" and the packages they don't want to install, here's a very nice one:Installing MS-Site Server 3.0.
A summary, look at the original, you will fall from your chair, because the are more trapdoors than a suse-distro has packages. And remember, for every point you see above there's an average of one reboot (my guesstimate).
First a bunch of pre-installation tips in the form of do not install ms-software xy version a.bcd together with mss 3.0, otherwise you're screwed, and then this:

1. Install Windows NT-Server 4.0
   
2. Install Microsoft Windows NT 4.0 Service Pack 3.
   
3. Install Microsoft Internet Explorer 4.01 Service Pack 2 using the Standard installation.
   
4. Install the Microsoft Windows NT 4.0 Option Pack.
   
5. Install Index Server, Windows Scripting Host, and under the IIS options, install the SMTP server.
   
6. Install the updated FrontPage 98 Server Extensions, version 3.0.2.1706.
   
7. Install Microsoft Windows NT 4.0 Service Pack
   
8. Install Microsoft Internet Explorer 5.0. For this configuration, Internet Explorer 5.0 is required.
   
9. Install Microsoft SQL Server 7.0.
   
10. Install SQL Server 7.0 Service Pack 1. Q232570.[...}Installing SQL 7.0 SP1 can take up to 30 minutes, which does not include the time it takes to download the service pack.
    
11. Configure the SQL Server client default Network Library to Named Pipes.
    
12. Verify that the MSDTC service is started and that MSDTC is configured to start automatically.
13. Configure database connectivity.
    
14. Install Site Server 3.0.
    
15. (Optional) Install Commerce Server.
    
16. (Optional) Install Visual Studio 6.0 or Visual Studio 97.[...]
    If you installed Visual Studio, apply Visual Studio 97 Service Pack 3 or Visual Studio 6.0 Service Pack 3 appropriately.
    
17. Install Site Server 3.0 Service Pack 2.
    
18. (Optional) Install Commerce Interchange Pipeline Manager (CIPM) for Site Server 3.0, Commerce Edition.
    
19. Install MDAC version 2.1.2.4202.3, which is also known as MDAC 2.1 SP2.
    
20. Install ADSI 2.5.
    
21. Install Microsoft Windows NT 4.0 Service Pack 5.
    

After that there follow 8 "post-installation instructions, i.e. bugfixes and workarounds".

Re:Yes they have a point

[kvajk]

If a user does "mget *" and then "rpm --freshen *" they're going to get into trouble with the kernel updates.

Sure, Linux is more secure than NT. But you're wearing blinders if you think that updating a Linux box is easy enough and shouldn't be improved.

It's easy for me, a Linux geek, to keep my single home PC up to date. But I don't typically bother with the Linux PCs at work, because it's too much trouble. I see this as a problem, and I'm not the only one.

Re:YES THEY HAVE A POINT!

[kvajk]

And what about those kernel packages in the updates directory? Oops! (The redhat errate webpages specifically tell you *not* to use "-U" to update them.)

A lot of people think that point patches are a pain, compared to a VENDOR-SUPPORTED method of bringing your system up to date with one simple procedure.

Why do so many Linux fanatics have such a hard time hearing this?

Kinda...but..

[Rolan]

They do kinda have a point. It would be great to be able to update everything that has a security problem in one sweep, but it might not be practical for linux, since not everything has to be installed (like NT).

As an after thought. Don't you have to apply 21 fixes to NT just to get it to run?!

Re:Small, isolated patches better

[Zoinks]

Over 5 years ago I was de-facto sysadmin for an IBM RS-6000. There was a program on it which would do just what you're talking about. I was very impressed, because this was BTW (Before The Web). You clicked a button and it would download the bug fix database or whatever, and you could select pertinant fixes for your machine. Very slick. Should be even easier in this web-enabled day and age.

My Opinion

[maan]

There's a big difference between an MS service pack and 21 rpms to update. On one side is a huge file that might install correctly, and might update your system, and on the other are 21 (usually) small files. It takes a rpm -Uvh * to update everything (hopefully, of course). Also, the service pack only takes care of the kernel, the user interface, and some miscellaneous stuff. On the linux side, however, you have a single file to update the kernel, and the rest are for shells, daemons, misc apps... So I would think that you need more updates on NT to update your other apps.

And as for the complexity of the whole process, I think it's easier on linux. You usually end up with a mess after service packs, whereas updates on linux are cleaner, and actually perform their goal: they make the system more stable and more secure, and up to date.

Finally: isn't there a new tool in RedHat 6.1 which updates rpms all by itself? That should make it easier (although I don't think I'd use it, I'd be worried of what it might do, especially on a server). And I believe there were other programs already available that do that...

Maan

Re:My Opinion

[aqua]

Yes, there is -- they're calling it the RedHat Update Agent, and its main job seems to be to perform RPM upgrades automatically as they become available. It's hardly new, and if ZDnet had done any research (they read the HOWTOs, and Apache's security docs, and ignored the rest), they might have found it. AutoRPM has been in common usage for quite a while now -- it's a nifty little app that picks up the updates from FTP, NFS mount, etc., checks the PGP signatures, and installs the upgrades, then notifies you that it happened so you can check its work. Closes the vulnerability gap a bit.

Do they have a point?

[Leper]

No.
Using the distribution of your Operating System as a crutch, regardless of the OS, is still wrong. It isn't enough to just keep your software up-to-date. 21 patches from Red Hat, or 5 service packs from Microsoft, neither one is replacement for knowing what the hell you're doing.

But thats the way it always is isn't it? Scads of people indigent about the superiority of their system but who can't be bothered by little details of how it all works. "Don't confuse me with the facts!"

I suggest otherwise

[jetpack]

I like how I go to one website, and it automatically tells me what I do or do not have installed. Then I get presented with a list of new patches, arranged neatly into ranks like Critical, Highly Recommended, Fun and Games, even Beta Testing. I can even get told within minutes of a new critical patch being posted by installing Microsoft's Critical Update Notifier. Each patch included a description of the component involved so I can choose if it is right for that computer. Then, after checkmarking all the items I want, click a button to download and install the patches automatically

I suggest this is a Bad Thing, in general. I haven't used this service since I dont do NT. However, from this sounds of it, all this tells you is what you do and don't have, and what microsoft has to say about whatever the current patches are. It is not the case that you want to apply all patches merely because they are new. You need to know which ones work, which don't, which are buggy and which are stable.

This is merely an excuse for lazy admins to think they are doing a good job by hitting the microsoft site every week or so, and fooling themselves into thinking that applying whatever patches are new makes their systems secure and stable.

There is no substitute for knowledge. And convenience is definitely not a good substitute for knowing your way around your machines.

Re:I suggest otherwise

[fredm8]

My previous experience with Windows Updates for Win98 has been okay, however it would be nice if the update gave you a serious indication of what it would actually do, and a log to follow to figure out why the updates fail - when an update fails it is power off reboot, I'm glad it is only my notebook, not a server supporting hundreds of users.....

Debian

[guacamole]

Doh, Debian GNU/Linux could update/upgrade itself for AGES. RedHat was the ZDnets problem...

Site Server

[Robert+S+Gormley]

Argh. SiteServer. Evil :)

MS has a 19 point plan which is extremely pedantic in the install requirements:

• Install Win NT 4.0 Standalone;
• Install SP3;
• Install IE4.01SP1 (not5, not 4.00);
• Install Option Pack (but NOT FP Server extensions;
• Install Server Extensions (WTF?);
• Install SP4;
• If you want, Install IE5;
• Install SQL 7.0;
• Install SQL-SP1;
• Configure DTC;
• Install MDAC 2.1.3711.11 (!?!);
• Build SiteServer Databases;
• Install SiteServer;
• Install SiteServer SP2;
• Install ADSI 2.5;
• Install SP5;
• Install FrontPage.

What was that quote again? "The average administrator doesn't want to install [xxx] individual fixes"?

That bastard took five hours to install on a Dual P-III, 256mb ram.

Re:ZDNet Car Security Contest: You forgot...

[Le+douanier]

You forgot to mention that the NT car was furnished with a driver seat as default when the Linux car was furnished with ten different seats that you can can install instead of thedefault seat, an autoradio with Tapes and CD's, lateral security, ABS, Airbag for everyone (but you can disable them), and plenty other stuff included in the default package.

Re:Security Patches were not the problem!

[Cannon]

Actually, he used a combination of the CGI script(s) AND a known exploit with the cron package. It took both for him to get in. Applying the cron fix would have stopped this particular exploit.

Who is "corporate IT", anyway?

[mwood]

Indeed, I think this points out a split that causes no end of confusion. While I'd agree that most CIOs would prefer a single opaque fix-pack every six months, I'm betting that most of the people who actually do the work would prefer to get a fix this afternoon for a problem discovered this morning, even if it does mean applying 21 piecemeal patches ASAP instead of one big one long after the problem has shut them down. I also think they'd prefer to know exactly what is being fixed. As one of the people who actually do the work, I know I would.

Re:Who is "corporate IT", anyway?

[aqua]

True, most manager-people would probably prefer a single huge package that fixed everything. It'd be a misnomer, since huge fixes never fix everything (any more than lots of little fixes do, though those can achieve better granularity). But the people who do the work wouldn't need to apply 21 different updates, unless they were running all of the packages needing upgrades -- that's part of why upgrades published on a per-package basis works out well -- if you need to upgrade crond, the fix is about 500k and just fixes cron. If all you're running is crond, then 500k later it's fixed. A typical MS Service Pack is huge, and contains a ton of things which may or may not have needed replacing. Moreover, because the MS service packs are so wide-ranging, they require a greater quantity of more difficult testing to validate that it works. With an apache update, say, you know what to test.

However, in deference to the long expertise of corporate IT managers, I hereby propose the following Industry Standard for Manageable Updates. Call it the RedHat Service Pack specification. I expect to see it hailed as a wonder of technological innovation and a great leap forward for the Linux communiy in providing security management:

Packaging (this part is proprietary, you don't need to even see it. avert your eyes):

ls *rpm | sed 's/^/rpm -Uvh /' > UPDATE.sh
tar cvf RH-SP3.TAR UPDATE.sh *.rpm

Installing:

#!/bin/sh
# install_servicepack.sh
mkdir /tmp/sp-$0-$$
tar -C /tmp/sp-$0-$$ $0
cd /tmp/sp-$0-$$
[ -x UPDATE.sh ] && ./UPDATE.sh

I expect news of this great manageability innovation to be trumpeted throughout the tech news industry. It should be referenced in the sales pages for Maximum RPM, but may require a separate publication of its own to explain this great technology to the world, especially the technology press.

Re:Small, isolated patches better

[mwood]

Yup, Digital Had It Then too. DSIN subscribers could get any patch with a few keypresses, and we got emails whenever critical fixes (security, innocent-looking-command-hangs-system) were released. VMSINSTAL SOME.PATCH applied 'em -- no muss, no fuss, no bother.

Media tweaking

[quux26]

Unfortunately, most people don't read slashdot. So we can hem and haw about ZDNet's inability to think logically, but someone is going to swear by it because they saw it there. The popular media can (and does) slide the most amazing bull[ ] under the radar.

Do I even need to point out that most people use MS products to illustrate the power of disinformation? I swear, people have lost even the most cursory signs of skepticism.

My .02
Quux26

The Evil of Fixing Things :P

[Chocodile]

As we all know, it is an absolutely digusting and vulgar thing to ever change anything. In fact, I am appalled that we are speaking in Modern English. How can we desert its root ("God, root, what is difference?" - Pitr), Old English? Why do we use computers instead of abacuses (abacii? whatever, I'm not going to fix it, since that would be worng)? One monumental fix should be issued at the End of the Universe. It would be so much more convienient for enterprise businesses...

Re:The Evil of Fixing Things :P

[reptilian]

and if that fix were released by microsoft, it would be the cause of the end of the universe.

Re:Red Hat fixes wouldn't have helped

[nas]

I'm sure Red Hat (or Debian or Bugtraq) would be happy to hear this information. Talk is cheap.

Nothing new...

[yorkie]

This happened all the time to me in real life, in my Banyan days.

I supported a number of networks for various customers. Most would not bother to apply patches, even when multiple packages were bundled together in one big fix, changing the version number at the same time.

This applied to all forms of patches - security, performance, stability etc.

Change control procedures had a lot to do with this, but the main reason was that sys-admins were lazy. In fact I was often sent out to apply upgrades/patches myself, even though the process was no more than sticking a floppy in a drive and running a single command, and possibly a system restart.

Another issue was that a number of sites feared change, and wanted everything running the same version. This caused numerous problems supporting modern client architectures.

There were even cases of patches not being applied when they were supplied in the box with new installations. There were at least two versions of the OS that customers were supposed to apply a critical patch to, and I saw both versions up and running in the field.

Another problem is that some users insisted on running obsolete versions of the OS, even wanting to run this on new systems. It took a lot of effort to persuade management that there was no active maintenance on the code, and that finding current hardware that the software supported. Once site even fitted ISA SCSI adapters to their PCI systems, instead of installing the latest version which supported the PCI card directly - the performance was dreadful!

I seem simillar things now with other software. Everyone seems to think that as soon as something is running that it is installed correctly. No one bothers with either additional maintenance, or system tuning. (Witness DMA on IDE drives under NT or Win95).

It all springs down to one thing - most enterprise sysadmins (and their management) are lacking in the clue departement.

Re:No no no no no no!

[yorkie]

I had a bad experience this week.

I had to install some SQL server drivers on one PC, to allow it to act as a Unicenter management console. The NT machine I had never used before, and had no idea what software was installed.

The driver install kept hanging after copying the drivers in place. Eventually after stopping almost every service the install proceded. I eventually discovered that the ODBC subsystem was being updated, yet there was one service that was currently running on the machine that used ODBC.

Once all the software was installed, a CISCO management server on this box was no longer available. Hours of investigation revealed that my updates had allowed another web server process to start (it had previously been disable), and the presence of this server was preventing the CISCO server from running.

The major problem with NT is that it uses an antiquated shared library management system, one that hasn't changed since at least Windows 2.x. Only one library with any given name can be open at any one time, and the library can only be updated if no process has it open, otherwise a reboot is necessary. Executables are treated in exactly the same way. Compare other REAL operating systems, where running libraries and executables can be replaced - the old code is not open to new executable invocations, and is deleted when the last process mapped into it is closed. (Just don't try to update the running C library - big contention problems - this is why LDCONFIG is static)

Re:I like the WindowsUpdate idea

[odaiwai]

While WindowsUpdate is ok for a win98 home machine, I'm not convinced it's the right thing for an NT server. (Does it even work on NT? It doesn't work on *this* NT box.)

For a start, it only has patches from Microsoft and the vast bulk of those patches are for screensavers, and general entertainment.

There are 'critical updates' and 'reccomended updates' which are ok, but those patches are applied from the server. Some of these need reboots, some need downloading by themselves.

In short, it's a good idea, but it's clunky and non-automatable.

A cron job or autorpm (must try that) sounds much better.

dave

ps: does autorpm simulate the way you can update and recompile the entire system via CVS on a *BSD box?

Re:BSD wins here.

[knarf]

Sure, cvsup is nice and all, but that central distribution philosophy can just as well be implemented using rpm or any other packaging system. And if you're using RedHat, it IS implemented. Instead of (cvsup ; make world) you use the appropriate rpm-magic which has been spelled out too many times already in this discussion, and ready you are. And if you'd rather compile your own stuff, just get the .src.rpm's, rpm --rebuild them and rpm --Uvh * the resulting binary packages.

So, while different from BSD, most Linux (or GNU/Linux) distributions are just as likely to `win' here. And by the way, I did not remember that we started a contest on ease of installation, so how can BSD win? Winning is for Marketroids and wimps...

Cheers//Frank

21, is that all?

[bfife]

21, is that all? join the NTBugTraq list and you'll hear about much more than 21 patches!!

Re:Linux Packs?

[Malcontent]

Yes excellant Idea. It certainly would make the life of a busy network administrator easier. I say even make it once a week. Does anybody have a autorpm script for this? If you do please email to me.

Re:YES THEY HAVE A POINT!

[Digital_Fiend]

It's easier now-a-days, but we need also need something for security-only.

No. you don't. you need rpm --install.

"proprietary GNU'd protocol"? Uhh.. That's almost as bad as microsoft.

I think new linux admin's might be inclined to use it

I sure hope you aren't implying that there are network admins that don't even know how to go about applying patches.. *shudder*

-Warren

Re:ZDNet's credibility

[Hobbex]

I would like to claim that /. (or at least certain editors) lost a lot more.

-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

So, does typical small IT apply all SPs?

[WillAffleck]

I've been called in to places where we had people running NT 3.51 with no patches. None. Nada. After 2+ years.

So, what does that say? Should we insist that they use NT 4.0 (the original release)? Or else apply the patches to BOTH servers?

Nah, that might be "realistic" ...

Re:Update Ease

[bifrost]

Doesn't AutoRPM update and install and not tell you?

Update Ease

[bifrost]

Linux needs to take a *big* point from the BSD's on updating. FreeBSD, OpenBSD and NetBSD have implimented the use of CVSup. Its a totally painless update process. I will admit that it won't be that simple for the Linux crowd because there are many many distributions that are totally separate of eachother. It would be at least a start if RedHat started using CVSup to keep their security fixes available. Write a dinky lil script that CVSup's the latest stuff, then installs it, tells you to restart/whatever. For what its worth it seems that the Linux community has focused more on installation rather than maintenance. But then again its new, and the NT communities learned that a long time ago.

Re:Update Ease

[X-Nc]

There's a utility out there somewhere called AutoRPM which does this and more, making the process of keeping your system updated completely transparent and automated.

I do agree that the *BSD way is a very good one, though.

---

Small Updates + Package Management = Bliss

[SecretAsianMan]

root@quark: apt-get update

Wham, bam, thank you Debian.

Re:Small Updates + Package Management = Bliss

[SkunkPussy]

methinks: apt-get upgrade


frankie

debian/rules

Maybe it's easier to apply only one big patch...

[Manaz]

... but I wasn't aware that system administrators were hired to take the easy way out - especially when it comes to data security.

If there are 21 known security issues, and patches are available to fix them, I can't see that *any* system administrator worth his salt, either in a small business, or a huge enterprise business, would knowingly ignore this and just not install the relevent patches, simply because he thought it would be easier to wait for the next major upgrade. For ZDNet to suggest this is ludicrous - they obviously have NO idea about how things in the real world operate.

This would be the same as saying a few years ago "Well, M$ just released Service Pack 3, but I'd rather just let NT run without any service packs or hot fixes, because Service Pack 5 can't be far away, and it'll fix more problems than Service Pack 3 and the hot fixes do together - I'll just leave my system insecure and prone to DoS attacks until then - in fact, I might just wait for NT5" (which we know isn't coming now, but when SP3 was released, that was where NT was going).

ZDNet have just, in my opinion, killed their own credibility.

It's just a shame that someone TOTALLY independant can't do these tests, and give us a totally unbiased report on how these two OSs stack up against each other.

Solaris...

[cyanoacrylate]

Nobody's mentioned the individualized nature of Solaris patches... And nobody bitches about the number of them either because Sun just gives you a nice patch cluster to install and away you go...

Of course, you can install them one by one if you want to...

But anyone who thinks that just installing a system and doesn't install ALL the security patches is going to get some nasty surprises.

Reapply?

[RallyDriver]

1. How many times in the life of an RPM update do you have to reapply it after installing software?

2. WTF does NT still come as SP1, with a separate service pack disc?

Re:No no no no no no!

[Steve+G+Swine]

Having gone through the (admittedly baroque) Site Server setup, I can tell you that the docs have improved anyway...

A quick search of support.microsoft.com shows that...

If this were a glibc dependency/version problem you were talking about, you'd get hit with the FUD brush before you got your mouse off the Submit button.

Now don't get me started on the MDAC stuff, which is the only MS product I've seen break in an all-MS environment...

Re:negligence, pure and simple

[kovi]

Exactly !
First of all, it is not written anywhere that one has to install them all. There is no point in updating services / programs you don't use. For example: rdist or talk or KDE. These things are
hardly needed on the machine running web server as a sole task. Using "minimalistic" approach during setup, it is possible to make "important patches list" much smaller.
So these "incredible difficulties" in appalying some patches are just somebody's poor excuse for not doing proper sysadmin job. Another proof of that is "closed-source" CGI script story...

Regards,
kovi

Then why does NT have hotfixes...

[WolfShades]

and did they install them? In addition to its monsteriously huge Service Packs and Option Packs, NT also has hotfixs, which are patches for things between service packs. Did they apply them?

Actually, I take issue with the whole "real sysadmin" scenario. If this were a _real_ sysadmin, he would have looked at all the Windows NT and Red Hat Linux patches and remembered that, even if it was troublesome, if he didn't apply them, it could be _his or her job_. I know this because _I am a sysadmin_, and if someone breaks into our company or something fails because of a patch I didn't apply, _I_ have to tell the President what went wrong and why. _Real_ sysadmins take responsbility for the actions (or inaction). If, after you've been made aware of a patch (security of otherwise), you don't apply it, you are accepting the consequences for not applying that patch, regardless of whether you're running Windows NT, Linux, UnixWare, Novell NetWare, or any other OS. Now, if people want to talk about making "packages of patches" or something like that to make things easier, fine, but ZDNet can't cry to me about "real world sysadmins," because _I_ know better.

simple solution.

[snubber1]

To fix this 'problem' all we have to do is start the open source group update. A single place with a listing of all the latest versions. Even could write a program to check version numbers and download the required fixes.

----------------------------------------------

Re:They do have five points ;)

[barbaBob]

I know that. Point I was trying to make is that in general people will go the 'easier' way, and that it's an argument NT administrators could use as FUD against Linux.

barbaBob

They do have five points ;)

[barbaBob]

I think they have a bit of a valid point (flameproof suite on). NT is up to Service Pack 5 at the moment, but it is still a lot easier to download and install those; one 'trusted' source instead of having to track down 21 security fixes from different sources, which in some cases might require recompiling. That requires more work and a knowledgable systems administrator.

The LinuxToday article has some very strong arguments though; Linux fixes are less prone to break other services because they just patch the affected code, not dump a lot of new code that can not be tested fully on all systems. Most service packs have introduced new bugs that have to be fixed in the next. Etc. Etc.

One argument I couldn't find in the article though was the fact that Linux does only require a service restart for most fixes - fix crond, restart crond, no one will notice - while NT requires a total reboot for almost everything. Not exactly a platform to build critical services on.

That's why, although they may have a bit of a valid point in their argument, it's a very weak one. ZDNet's director, John Taschek deserves a spanking for saying:

[The test] was designed and put together by PC Week for the purpose of testing security implementation. We don't care which operating system (if any) is broken into first. We want to establish the basis for a story on the best practices for implementing security.

And not acting on it. In this case it would require downloading a few K's as opposed to five multi-megabyte service packs to fix the crond hole and make it a lot harder for those trying to break in. Without a total reboot :)

Cya barbaBob

Re:They do have five points ;)

[Tet]

one 'trusted' source instead of having to track down 21 security fixes from different sources, which in some cases might require recompiling.

Sigh. You don't have to track down security fixes from different sources, and you don't have to recompile anything. Just go to Red Hat's updates page, download everything and do rpm -Uv *.rpm

Re:Kidding?

[cernnunous]

Maybe I'm not understanding how this Windows Update thing works since I've never used it.

Frest install of RH6.0 onto my girlfriend's computer (dont' ask why, she requested RH). Took about 20 minutes.

1. Boot up the computer straight to X
2. Along the left side of the screen is a an icon of a little man with a hat, underneath reads "Red Hat Errata".
3. Clicking the little man takes me to a website with a list of every package which has been upated, along with a fairly detailed description of why it's being updated.
4. Click the link of the package I want to update. Choose to save it to the default directory that comes up.
5. Once downloaded I follow the simple instructions that were printed right under the link on the webpage, type: rpm =Uvh *
6. Now have completely updated system.

What is the difference between this and this Windows Update page? I had to type a command into the evil command line? Guess I could have taken an extra 5 seconds to create a "shortcut" so that I could click it.

John

Re:So it was sys admin test not a security test

[GFD]

Somebody moderate this UP. I vote for both. Clueless idiots.

Re:No no no no no no!

[bakert]

I've had similar experiences with Site Server. Both machines that have had it installed are being rebuilt prior to our millenium freeze. Hopefully Site Server will not be reinstalled.

siteserver.com has a 'correct order' install and notes if you need it.

Hotfixes

[jimfrost]

"If you want to keep NT secure, you have to apply the HOT-FIXES. There are just as many of those, if not more, than RPMs."

Actually there are only 15 hotfixes for NT4SP5 right now, although there are quite a few additional outstanding "best practices" guidelines associated with closing specific security holes present in the software using the default configuration. I'm not sure where you'd find the whole collection of those things, though. Hell, it even took me some time to track down the whole collection of hotfixes: I couldn't find a link on their support pages so I had to search the Knowledge Base for "hotfix" and find a link in one of the articles back to the ftp server.

I have to contrast this with RedHat's approach of clearly posting errata on every release: you can see every known problem and where to get the fix all in one place.

Great Story By LinuxToday

[mochaone]

I totally agree that the responsible way to implement patches is ONE AT A TIME. This assumes that the organization gives a rat's ass about QA. Unfortunately, in this era of Microsoft computing where software is disseminated by the Seattle code-slingers, we have been lulled into a sense of complaceny. "QA ? Why bother checking the patches? Microsoft has already done that for us."

We've seen where that mindset has taken us. The growth of Linux and alternative OS's are a reactionary outgrowth of rational people protesting against this mindset. Microsoft may have poisoned the mindset of some middle managers and middling media people, but they have surely set in motion events which will ultimately break their hegemonic hold on the industry.

I'm saddened that such a "respected" webzine such as ZDNET has stooped to such lows. It's a saddening harbinger of what this new-medium media will bring forth in the future. Want a favorable review? Just donate some software. Want a favorable "unbiased study" ? Just donate some hardware and software. Want "ubiased analysis" from "independent economists"? Just send them on an all paid junket.

Keep your eyes open people and continue to ask questions.

Re:Small, isolated patches better

[Lev_Arris]

Exactly my point. With small patches you at least know WHAT you are patching and WHY. With those huge Service Packs all you do is download some monstrous file, which takes ages if you have limited bandwith, (and some of us apparently have ;) and then apply it, hoping that it will not mess up your system. With single patches YOU are in control of what is being updated and you can apply them on a step by step basis.

I also do not agree with ZDs statement. Sure, some corporations will be more reluctant to using 21 different patches instead of one big package, but anybody who is serious about security on their system would nevertheless apply them.

Just my (H) opinion, feel free to rate me down ;)

NT service Packs versus 21 patches

[fivetena]

I do hate to sound like I am coming down on Microsoft's side (and I do mean HATE) but . . .

Installing the latest service pack (5 or 4 if you are talking Terminal Server) can be done over any of the last service packs including an installation without ANY service packs applied. They are all retro-active. They all cover all the prior ones. One would HOPE that was why sp5 was 33Megs!

Re:WTF

[trelyle]

-Just my 2 cents; I run an AMD K-6 200 with an FIC motherboard, and there is no way in hell NT will install on this box, forget about the service paks.NT apparently does not support this model mother board. Linux installs in approximately 1 hr, start to finish, with a somewhat usable X window system. The biggest problem I consistently have with a Linux install is clock (or is it hwclock) installs broke every time. Only by applying a "patch" from an older flavor of Redhat will my clock set up properly.Granted, the first time my semi educated ass tried to do this fix, it took several hours, now I've got it down to about 5 minutes or so. To update things, I usually create a dir called updates, and cram it with RPMs. From there it's "rpm -Uvh *.rpm". Now it makes my brain hurt to hear that that is more difficult than applying one (five) Big patches to NT. Let's say I have a mission critical machine. When updating it, would the sysadmin rather have control over every last file that goes in, or would they like a unlabeled envelope of fixes accompanied by a README that *must* be applied as one big whole. I know what I would prefer. I also know that I do not think in the same fashion as a suited manager, who I really believe would make a decision like this. To really even things out, I have nothing to prove/disprove like this test did. I just use what I like,what I can fix, and what I can afford.
One other thing I would like to point out is the turn around time. I mean the amount of time elapsed from the definition that a problem exists to the acknowlegement and *release* of a fix. With all of this in consideration, I think it rather insulting to think that once again the masses have been fed misinformation and FUD. But rather than take offense, I for one will add this to my arsenal of "Things I have learned about the real world". Face it people, we are surrounded by incompetence at all levels;from your average Mc'Donald's worker , to the most high office(presidency,etc..)
I think that is sysadmins really think that they would rather wait for 1(5) *big* updates for NT really had best look out for their jobs, there are too many hungry college students just itching to take your job .

Re:Small, isolated patches better

[Rhys+Dyfrgi]

If one of those small patches doesn't work, for whatever reason, you can remove it. With an NT SP, it's all or nothing. If the products are seperate, the update should be seperate.
---

Re: NT service packs vs Linux patches

[garster]

So, ZDNet is under the impression that the PHBs are going to set up the machines and won't want to install patches? Get real! I have and NT server and several Linux servers. I can't install SP5 on my NT box because it's known to break the behavior of Oracle 7.3.2. And yet, I apparently need those patches to fix bugs in NT and introduced in SP1-4. Nevermind that MS comes out with plenty of patches in the intervals between SPs. I'd hazard a guess that there are more than 21, just in the security area alone. In the real world, I prefer having to apply patches on a frequent basis than waiting (and waiting... and waiting) for MS to come out with a patch (when they admit it's a problem) and hoping in the meantime that someone doesn't discover my system.

Re:I work enterprise - multiple patches are the pi

[Kintanon]

When you are dealing with a small site, individual patches are probably preferable - I would prefer them myself.

But on an enterprise level of any decent size, there is no way I want to have to deal with individual patches.



So you are telling us that you would rather leave 21 security holes on 200 servers for 4 months waiting for someone to release a big service pack than turn on Auto RPM for 1 night to update all of them? Where do you work? Someone should be firing you right now....

Kintanon

The explanatiion is not relevant

[javatips]

First they add to apply several service pack on the NT box. By doing so they add to reboot many times.

They could have installed the 21 patch for the linux box without rebooting once.

Second, they say that an enterprise custommer will not apply 21 patch. Did they ever talk to a Solaris SysAdmin? To make Solaris usable, you do have to install many patches. If you install the latest JDK on Solaris you have to install between 5 and 10 patches, who knows how many patch are required to make Solaris secure?

The second point is there just to show that YES, an enterprise customer WILL apply many patches to make it's system work like he want it to work.


But they still have a point. Linux need a more convenient way to be updated without having to download many RPM then installing them.

The RPM package manager is good, but it far from being an excellent way to install application and patches.

What Linux need is some stuff arround RPMs (or DEBs). This will be a way to access a repository of RPMs to automatically download (asking first would be a good idea) any dependencies. This woulld allow one to create a RPM with nothing in it but dependencies. So one install this RPM and all the other RPM refered in it will be downloaded and installed.

We also need something like InstallShield. That is a front end to the package manager that ask for destination directories, display reaadme files, etc.

This will allow a much easier way to install new application where the user want them to be.

Finally distribution vendor should do what microsoft do. Service pack! They could put all the 21 security patches RPMs into a .tar and call it Security Service Pack 1. Then when, other patches are added, they could release SSP 2, etc.

This will allow one who do care about security, but not enough to constantly look for new patches, to have a fairly secure system easily. And this would not give any excuses to ZDNet and the like about not installing security patches.


SeeU All!

Re:Small, isolated patches better

[reptilian]

We might also want to consider that if the box was already being used for a while, these 21 patches would NOT have been released at the same time. The updates would be applied over time, not all 21 at once.

Of course new users are still left to install all 21.

and that makes nt better how?

[Trygve]

Why are they saying that `enterprise businesses would not want to apply 21 individual fixes'?

Putting aside the age old MS v. *nix debate, it has been proven time & again that MS security holes are found on a far more regular basis than Linux security holes.

That's not to say that Linux is better or worse. I'm not even going to start that old discussion, most /.ers feel the same about that anyway. It's the fact that historically speaking, NT has had so many more security issues than Linux that ZDNet can't even hope to reasonably defend an argument like that.

Re:I like the WindowsUpdate idea

[liki]

I like how I go to one website, and it automatically tells me what I do or do not have installed.

Have your considered what that webpage is allowed to do on your system (without even you knowing) because it can tell you what do you have patched and what you haven't?

And why it doesn't work correctly with Netscape browsers is that they won't let a web page to run programs that search your system. (Well Netscapes have holes also but..) Anyway, my point is that I would never grant such rights for a remote automated robot, and not even trained human other than mysel.

Anyone could write a program that completely screws your hard drive if you IE and surf to that page. Only barrier between disaster being that notorius window asking user does he trust the program, asking for permission to execute it. After that...

Ever read NTSecurity

[strobert]

You have got to be kidding me. One of the best/most common topics of the NTSecurity mailing list, is what service packs with what hot fixes should be installed and in what order. I haven't looked in a few months but at one point it was a greater than 20 step process. I personally find rpm -UFvh *.rpm much easier.

See now, this is horse Pies! Our ever so incom...

[mattz]

...petent IT staff at work even has a script that automatically applies patches for our unix platforms--simply and stupidly! If ITP can get it right, joe wenttothe6monthNTcourse can get it right too!

Re: *please*

[TummyX]

And why is the update tied in to IE5? So MS can further leverage their OS advantage and push Netscape further out of the picture. Update with IE5 and activeX - uh - no thanks.


The same reason why HTML help is tied to IE5, because these features require features which only IE5 supports. DHTML & XML are key features which Netscape does not support properly (or not at all). ActiveX is required because Java isn't enough to do the kind of thing the update sites require (security is another issue). Why should microsoft go and write netscape plugins? They already have a product that will do it.
Same reason why Office 2000 requires IE5. Microsoft wants office to be able to handle HTML, XML etc. What should they do? Write _another_ HTML/XML engine - *OR* use their existing componentised engine called IE5?
It's intelligence - but I can see why you think it's "leveraging" and "pushing" - I just don't agree with that stand point.

Re: *please*

[TummyX]

Come on now. The windows update was only designed for Win98 and above computers. Win95 machines shouldn't be updating from windows update but rather from microsoft support channels.
You don't want IE5 or activeX controls on your computer due to security holes? Obviously you've enver used Netscape. And windows wouldn't work without any activex controls.

And yes, if need be, MS should "Write _another_ HTML/XML engine"

I'm sorry, but that's themost idiotic thing I've heard this week. If they wrote another HTMl engine it would have to be as large as IE5 (which isn't really that large considering it comes with key OS features like ADO etc).
IE5 isn't as big as netscape when you take into account the cd and distributions normally come with updated windows libraries. Before you complain about this - it's cause IE5 like most microsoft software - makes heavy use of COM, DLLs etc. That's the reason why they seem large - but realistically, don't take _that_ much space since they share a lot of files and services.
Again, suggesting microsoft write another HTML engine for the sake of it is stupid.
Windows update is a feature specifically for Win98 and Windows 2000. These operating systems come with IE4/5. I see no advantage of having it IE only for microsoft. it's not like microsoft (unlike netscape/aol) are trying to tie you to CONTENT. Unless you think all the advertising on Windows Update is bad - wait - there is no advertising.
Microsoft could have just written some proprietry update software to update windows and you would probably have been fine with that. It's only that they decided to make it web based with features they have researched and developed for IE that you don't like it.
I'm so sick and tired of hearing "oh, microsoft is trying to push netscape....blah blah blah".

Here's some facts.

1) IE supports more standards than Netscape.
2) IE has some MS developed features - specifically for LANs and Windows features (like Windows Update). Stuff like res:// urls etc (which Mozilla has now copied).
3) The advantage of having a web browser monopoly is to manipulate content. IE has not done this - infact with IEAK and the likes, companies can customize IE (interface included) however they like.
4) IE being componentized just makes sense. And being componentized - what's wrong with embedding IE into applications so that you have universal HTML support (look at the direction KDE is taking...look familiar?).
5) Conceivably, Netscape could make a shell replacement for windows based on navigator or mozilla. Hell, you could make netscape 4.7 your shell.


Take a look at some examples of the advantages of componentization, winamp has it's own webbrowser - what does it use? IE ofcourse. How? ActiveX, that's how. Component reuse by many vendors. Brilliant stuff - why shouldn't microsoft do the same? You DON'T HAVE TO USE IE. But it's required for windows help. Just transparently use IE for windows help (it's small and fast) and if you must use Netscape for your webbrowsing. I mean, if you don't like Windows Common Controls, you can't delete them cause they're vital to making windows work - but you can still use GTK+ for windows.

Security Patches were not the problem!

[RobNich]

If you read the page written by the hacker who cracked the box, you would know that the exploit was in the CGI script(s), not the OS. Everything else is moot!
Yes, ZD should have applied the patches. But what good would it have done?

Disclosed holes should be closed IMMEDIATELY

[mlefranc]

Many people here have insisted on why it is important to apply security updates, and for obvious reasons. There is however one reason that has not been emphasized enough IMHO. A security update from a vendor should be applied IMMEDIATELY because the existence of the hole it fixes appears BLACK ON WHITE in a knowledge base at the time the update is issued.

If someone was reading on a public web site that their home door had not been locked in the morning, I guess that they would rush to correct this. This seems not to be always the case with computers.

The guy who hacked securelinux explicitely mentioned he browsed the RedHat errata in hope that some fix would not have been applied.

And frankly, the guys who write that it is difficult to apply security updates on a Linux system are incompetent at best.

Re:Disclosed holes should be closed IMMEDIATELY

[Black+Parrot]

> A security update from a vendor should be applied IMMEDIATELY

Are you saying you don't like the MS timeline?

Media reports the hole.

MS Months 1-3 : Deny that the problem exists.

Media reports an exploit of the hole.

MS Months 4-6 : Admit that there is a problem that can be exploited by people with esoteric knowledge (who wouldn't consider doing such a thing!) under rare conditions, but that isn't a problem for ordinary users.

Media reports a high-profile exploit of the hole.

MS Months 6-9 : "We're working on it."

Patch is delivered.

Your Months 10-12 : Sysadmins either wait to see what happens to the suckers that apply it first, or else spend these months trying to repair the damage and lock out the new holes created by the 'patch'.

Media reports the problems caused by the 'patch'.

MS Months 13-15 : Deny the problem exists...

Repeat until bankrupt. Season the above liberally with vaporware announcements about how the next new product is going to make all your troubles go away.

Meanwhile, who's been reading your mail?

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Did they even bother to install the RedHat updates

[net-fu]

Wait a sec... They can't even bother to download the redhat updates?

% ftp rpmfind.net
ftp> cd linux/redhat/updates/6.0/i386
ftp> bin
ftp> prompt
ftp> mget *

% rpm -Uvh *.rpm

Am I missing something, or is that too difficult for ZD? Much better than installing (and let's be honest, re-installing and re-installing) service packs. M$ support is simply horrible- if you did want to install only a particular patch, each has it's own method of install and uninstall.

By comparison, try this with RedHat:

% mkdir rpms
% for pkg in `rpm -q -a`; do echo $pkg; rpm -q -i $pkg > rpms/$pkg; done

That takes the list of rpms on your machine and makes a bunch of files in the rpms directory. The files have the same names as your installed packages, and each file contains a description of what the package does.

Want to know what an individual file is for? You can rpm -q -f to find out what package it belongs to, or get real fancy and write a little program:

#!/bin/sh

rpm -q -i `rpm -q -f $1`

save that as 'whatrpm' and then you can type 'whatrpm ' to find out what is there for.

Definitely beats M$ sorry system.

Laziness

[joeuser]

Yes, it was VERY unfair to have Linux running without the latest and greatest patches. That's all I have to say about that. This guy makes that point very well: http://slashdot.org/users.pl?op=userinfo&nick=Coda

However, the question is:

"They claim that `enterprise businesses would not want to apply 21 individual fixes' and `most large companies would prefer the one large, sweeping-in-scope, fix'. Do they have a point?"

Clearly, ZD Net wants Billy in bed, if they aren't already. It's so see through, the ZD Net reply was making me laugh, " one large, sweeping-in-scope, fix " Why don't you just say NT, dumbasses!? Furthermore, if they didn't want to apply 21 fixes to Red Hat Linux, they didn't care about security. Linux is swiss cheese by default. Takes a lot of time and work.

NT is for those with little time and the lazy. For now, I love my NT box. Can't wait for Linux to get up to speed.

Ouch, probably didn't earn any Karma (or whatever it is) with that one.

Total agreement with the article.

[Amokscience]

It seems they took the NT mentality and applied that to Linux. Pretty braindead thinking. Are IT sysadmins as totally clueless?

Any remotely experienced Linux user should be used to the constant patching that they 'get' to do when bugfixes are found, exploits secured, upgrades released, etc. ZDNet, however, assumed that all IT managers think like those trained in Windows. "If it's not called a 'service pack' then it's not important enough to install it" Bleh.

While I can see it being annoying to have to apply 21 patches, a person responsible for servers and security is PAID to do so. What do you think would happen if your corporate web server was hacked, and then you told the management that you didn't apply the fixes because it was inconvenient?!?

And honestly, if you're going to stick a total cluebie on a Linux or any *IX box, you're asking for trouble. It's still not for newbies, and someone trying to do something important in Linux should have a better clue than ZDNet assumes.

I'd think if ZDnet were an IT department it would have been 'let go' a while ago. Perhaps they should assume a little more professional pride and admit their foulups. Oh wait, people who get caught with their pants down make desparate excuses.

IF however, ZDNet is correcnt, and most Linux server admins are clueless gimboids then corporate management might do well to check in and see what security measures/patches etc. are being practiced in their organization.

Maybe they do have a point

[Sorklin]

I'm a linux newbie, even though I've been using it for a while. Slack was my distribution of choice. I have a question/comment about the security issues. Does any distribution have a way to update your system with a series of security patches to make your system secure with a minimum of intervention? If not, this would be greatly beneficial to the acceptance of linux. Better if this could be a method used by all the distributions to a series of centralized sites. That way, as a newbie, I could just run a program that will download and apply any patches I need to make my system secure. I wouldn't have to figure out what the latest patches are and where I need to get them.

I say this for a couple of reasons. This provides a quick and easy way to make sure that you are running the latest and most secure programs on your OS. This is a must for newbies and system admins which must configure multiple machines. Of course you can use the old method, and if you are a serious admin, you probably would anyway. But it would be nice if a very easy option was ubiquitous on the linux platform.

Bull@#!$

[Jake_Man]

I'll wager that they applied all five NT security...oops, I mean service packs.

Re:Kidding?

[jsm2]

Very good mice? Surely you're kidding. I tried one yesterday. It tasted filthy.

jsm

Re:FreeBSD cvsup

[Sascha+Schumann]

That probably should read

make buildworld
make installworld

since "make world" includes the install step.

Do you have to do the whole make world seven hour process for any update?

Nope, only if you rm -rf /usr/obj.

Or is there an easy semi-automatic way to just rebuild and restart the
services that were patched?

make will rebuild things, if necessary.

Obviously a kernel patch would need a reboot, but why reboot for other updates?

So, skip the reboot step.

The only advantage I see to the make world approach is that everything can be built optimized for your system.

Another advantage is that you can "install" many "patches" in one turn. Simply cvsup and recompile.

Re:Linux (systems with rpm anyway) easier to maint

[knarph]

True. I was just pointing out how easy it could be. I didn't say how safe. I normaly point it at a machine that I control and runs nothing other then the ftpserver anyway. What else am I going to use a 386 for?

Linux (systems with rpm anyway) easier to maintain

[knarph]

Ummm ok, so companies don't want to install 21 seperate patches.
So set up autorpm to point at redhats updates directory. And you install 0 patches. You just let autorpm do all the "work".
Have it update automagicly.
If anything linux is easier for a company to keep current then NT.

33MB patches

[Fastball]

So I'm setting up an NT server last night. This includes installation of several service packs. Each one a sizable lump. I note the size of one as 33MB.

I think to myself: find enough things to patch Microsoft?

21 small patches are nothing compared to a 33MB lump of which you have little idea what it patches.

No, I don't think so!

[Howard+Beale]

Coming from an AS/400 environment, IBM releases patches to their OS and applications called PTF's (Program Temporary Fixes, if I remember correctly). If you needed a fix immediately, it was available. Every once in a while, you could call up IBM and order a tape containing all outstanding PTF's for your system. What is the difference between downloading a fix from RedHat to patch a program, or installing a PTF from IBM? What is the difference between installing all outstanding patches from RedHat or installing a tape containing all outstanding PTF's from IBM? Last time I checked, there were quite a few AS/400's out there in the 'enterprise' world.

21 updates too much?

[miracles]

Funny they should say that, netware 3.11 alone has something like 30 updates available (and these are just for the os, they have nothing to do with "critical" subsystems such as mail or www or dns etc...). And NT has a constant stream of hotfixes available (with no fanfare, requiring you to scour their ftp server for stuff), but businesses will not accept multiple updates for a linux distro? Sure it would be nice to have a single source of patches for everything installed locally on your box, even better, a trained tech to visit each box and install the patches for you! Why not just have the companies send in preconfigured boxes that they will keep "updated", which we will no longer have access to, Then everything will be peachy!

come on! every admin should know what she/he is running and administer it accordingly... businesses shouldn't worry about how many patches their admin is installing, but rather if the admin knows what she/he is installing in the first place.

.sig? why yes, American Spirits only!

ZDNet preaching that sys admins should be lazy...

[k9-quaint]

I like the fact that ZDNet is spreading FUD about Linux and how *hard* it is to make a linux box secure (21 patches, YIKES). "Just run NT and you will never have to worry, yada yada yada...". Get all the simpletons running NT and joining get rich quick pyramid schemes and the world will be a better place.

This is a form of natural selection. If you listen to morons and do what they suggest, you will most likely fail (at best you will just lose a lot of money). Eventually, I will be able to identify idiots just by glancing at their desktop, NT? or Linux? Thank you ZDNet for providing us with this valuable idiometer. Preach on brother Bill. Meanwhile, I will tune my X server :)

Re:They only needed to install 4

[glorf]

Option Pack 4 is an app, not a patch. Granted it does fix problems with the previous version, but most administrators will want to use IIS4.0 anyway. IE 4.01 is an app and the other three items tell you to install it anyway. I think the point that some are trying to make is that it is a lot easier to figure out what to install in the Windows world. How much research would it take comparatively to figure out what to install in Linux? If someone were to compile the latest patches for Linux into _one_ downloadable package with a smart install routine on a regular basis so that there were Linux Service Packs, it would go along way in shrinking the ease of use gap.

The fact that Linux Service Packs don't exist yet could be intepreted as proof that it is too difficult to compile the list of current necessary patches. Or it could prove exactly the opposite. The main thing is that people want to have them and/or want to know why there aren't any now.

OS patch policies

[ariux]

It'd be nice to have a system - on any OS - where you do ONE THING, or it's even automatic at reboot, and the system updates itself with all the latest patches from a website. Not "sit down and read through 50 300-page books, then spend a week fighting the machine". Not "spend 12 hours searching the web to make sure you've got everything". ONE THING.

/. effect != sysadmins nodding their heads

[R.+Anthony]

slashdot effect n.

1. Also spelled "/. effect"; what is said to have happened when a website being virtually unreachable because too many people are hitting it after the site was mentioned in an interesting article on the popular Slashdot news service. The term is quite widely used by /. readers, including variants like "That site has been slashdotted again!" 2. In a perhaps inevitable generation, the term is being used to describe any similar effect from being listed on a popular site.

Lesson learnt..

[gargle]

The guy broke in because of a faulty CGI script!
No fair, the test was supposed to test the underlying OS alone!
Well bugs in Linux helped!
Well they should have known to apply the patches!
...
blah blah blah. etc.etc.etc.


The lesson to be learnt from this is that there's no such thing as the "security of this or the security of that alone". Security is a holistic concept, and a weak link phenomena. Everything has to be considered when designing a secure system, including human factors (how easy is it to make the system secure? How likely is it that people will make errors? etc.).

It's pointless to say: We're testing the security of the OS alone -- because there's no such thing. The PCWeek test is meaningful in the sense that it reveals how difficult it may be to make the a Linux system, as a whole, secure.

I like RPMs

[Steeltoe]

If you want easy and clean installs, with checks for consistency with other packages, option for uninstall to previous versions and logging of what's done, RedHat Package Manager does all this and more. Gnome comes out with GnoRPM which isn't a too bad a GUI for those who can't stand to read the manual pages and work out the simple commandline. I have yet to see its like on any Wintel platform.

Btw, I'm not sure I understand why Everything has to go through your browser nowadays, even upgrades. I guess it's a feature for the masses, and an attempt to be hip. Because if they really cared about convinience, they should have used the time to make a real installer than the wussy InstallShield *puke*. The added layer of everything having to pass through IE sounds to me like the biggest security hole of all.

Re:Should it matter?

[TeeWee]

Indeed it is not the manager who does the work. But sometimes (often?) it is the manager who sets the policy of using a particular OS as their standard.

That standard may very well be NT because it has less patches than *nix. It may not be the competent admin that has the choice of OS.

HotFixes, Services Packs, Security Patches, oh my!

[codepoet]

As a new Linux user, seduced by the hype, and as an experienced NT user - I haven't seen much difference between Service Packs + Hot Fixes and the patchitis that happens with RedHat and other Linux releases. That said, the ZDNet guys dropped the ball. They don't talk about Net Admins not wanting to install a Service-Pack + umpteen Hot-Fixes...

Re:I like the WindowsUpdate idea

[Shambler]

I like the idea - but M$ needs to get their **** together and make the fixes work - W98 SP1 autoinstalled, and promptly disabled my dialup subsystem. Four hours of ****ing around before I decided to dump the service pack - hey presto, I'm back online...

Duh.

[Arawak]

Duh. Maybe you have to apply 21 patches to the Linux box in question, but I'll bet you have to reboot the NT box almost 21 times in getting its service packs applied. In the Microsoft shop where I work we dread the work in taking a stock NT install to a point where it can be used.

Remember to that almost any NT server expected to actually _do_ something has the endless litany of Msg Queue, IIS, SQL Server, etc, ad naseum (you know - all the functionality that come standard in a Red Hat install) which must be patched, rebooted, and prayed over. We're talking a couple hours sometimes. Arawak

Acts of malicious kindness?

[foxtaur]

Given that there are so many bugs which permit random hackers and crackers to gain root access to the ZD linux box... what's keeping a hacker from exploiting one of those bugs and using their new-gained access to actually patch them? Isn't that part of 'the hacker spirit'?

If they really wanted an accurate benchmark...

[sprong]

...they'd pick a random sampling of n NT admins and n Linux admins and say, OK, here's your box, here's what we're going to do on it, you have x hours to make it secure, fast, and stable.

This would have the following results:

1. Benchmarks would start getting more interesting again.
2. Benchmarks would start getting realistic. An OS is only as good as its admins.
3. We wouldn't have to keep hearing the guys running the benchmark saying "Hey, it's not like this out of the box" vs. the linux people pointing out the obvious.

Obviously #2 is the real issue here. If NT "works better" out of the box, and your average linux admin is savvy enough to tweak appropriately, then an out-of-the-box benchmark isn't consistent w/ performance in the real-world business environs.

Heres what i think is one of the reasons.....

[Taelon]

ZD is owned by ClientLogic (was Softbant till about the turn of the year) whom i had worked for a few months back. They (ClientLogic) are closely tied to Microsoft....I believe that explains a bit There were more then a few times that MS came to visit us and the supervisors told a few of us (including me) to turn off out Linux boxes and remove the penguins from our desks...

So it was sys admin test not a security test

If your source is correct, then this was a sysadmin test NOT a security test. If it were a security test the patches would have been applied.

As to the "real world" conditions this is BS. If they want to test real world conditions, get a statisically significant sample of sys. admins, give them all the same hardware and software and see how many boxes are secure in two weeks.

Either the people who ran these tests had a preconceived result or they are complete idiots (or both).

BSD wins here.

[Dom2]

This is where the centralised method of distribution that FreeBSD et al use really wins. You just set up CVSup to run regularly and run "make world" when you need to actually install the patches. Strictly a hands off operation.

Re:Parity

[sjames]

Just click on the .exe, reboot, and that's it.

Run dselect, select install, don't bother to reboot. Or, download all of the rpms, and run rpm over all of them at once. OR, download the latest service pack, decide if you prefer a security hole in file shareing, or a broken print service and who knows what else.

Re:I work enterprise - multiple patches are the pi

[ninjaz]

On top of this, due to the mission critical nature of the boxes (they are used nation wide), we have extensive change management controls. Any patch that we apply would have to have a corresponding backout procedure. It is much easier to consider a patch as one big patch than 21 individual patches. Sure, us tech people know that they are really one and the same. But try telling the change managment people that.

I don't know how you do things in your neck of the woods, but to change management at my company, a new installation would be considered 1 change. i.e., New webserver with all errata packages applied. Now, during the production, you tend to get them in more manageable chunks - usually 1 at a time.

Speaking of enterprise environments, though, I think it would be unfair to leave out Solaris 7. It has 22 security-related patches as listed here: ftp://sunsolve6.Sun.COM/pub/patches/Solaris7.Patch Report Do you run Solaris at your site? If so, did you install all of those? Here, we've got scripts that install those patches on the Solaris boxes. Of course, change management is involved, too.

Sure, it would be nice if Red Hat paid more attention to security and quality control, but that's why I tend to stick with Debian & FreeBSD when feasible. :)

Managers vs. IT guys.

[jimbo]

"enterprise businesses would not want to apply 21 individual fixes"

The usual "manager vs. IT dude" problem, I suppose:

The average enterprise manager could probably easily be persuaded to order their IT guys not use Linux for that reason. They always scare easily for things that are not their area of competence.

If the IT guy take the OS decision himself, it probably doesn't matter whether it is one fix or many. If he already selected Linux, then he probably also like the power and control it gives him.

Re:Managers vs. IT guys.

[heimdall]

I've worked for quite a few IT managers in some rather large shops (1000+ servers). Not once have I had one not willing for us to install any number of patches, just so long as they have been tested in a test environment. I have to wonder where ZD is getting the idea that enterprise businesses CARE how many patches are being installed (or what OS they're running, for that matter). Most companies simply ant a stable platform to run their applications on.

Re:Linux (systems with rpm anyway) easier to maint

[Gus]

No serious enterprise company should allow any automated tool to install any software without human intervention. While I am not aquainted with the security precautions in autorpm, if any, placing an amount of trust in a network-provided resource is the sort of error that gets system administrators fired for incompetance.
That aside, I prefer having several small updates, which allows me a finer granularity of which patches I install. Take for example a Sun patch cluster. Each patch is a in a subdirectory all its own, and the order in which they are to be installed is listed in a single text file. While the current recommended patches are available as a single tarfile, there is a fine level of control available.

Re:Small, isolated patches better

[Oestergaard]

I guess the main reason why GNU/Linux systems ship numerous small updates, whereas NT has huge single service-packs is, that any normal program (a package) under GNU/Linux consists of a well-defined set of files. None of which are *system* libraries (DLLs).

On Windows a typical application ships its own version of some of the *system* DLLs, thereby rendering the whole platform insecure if one of it's libraries has a flaw.

Thus the need for a huge service pack on NT. You need to re-ship updated versions of all libraries, and you need to re-install the service pack after each installation of a (seemingly unrelated) program, because NT DLLs are touched by *applications*.

Because of open source, we can re-compile an application that doesn't work with the system libraries we may have, thereby avoiding having to overwrite system libraries whenever we install an application. Therefore we can have small packages that update nothing but the problem. And therefore GNU/Linux will, unlike some other OS, have a massive share of the total server installations for many years to come.

Yes they have a point

[Oestergaard]

That is, if rpm --freshen * is too hard to type, they shouldn't be running computers at all.

Hire someone with a clue, and go back to writing articles.

Seriously though, if you tried applying NT service packs, and tried rpm --freshen, you know who's got the lead (and for those who haven't tried, here's a hint: it's not the redmond guys).

With NT, you apply one huge service-pack that (somewhat) fixes the problems known at the time of the release of the service pack. Whenever you install a new piece of software, you have to re-install the service pack if you want to be sure it's effective.

With rpm you do the --freshen trick, once. If you install another piece of software, well fine, no worries. If another fix becomes available, just get them all and do --freshen, or get the one fix and --freshen. It's as simple as it gets.

I think it's much too common for clueless people to assume that it's hard to maintain a system they don't know (and haven't even tried to grasp), and assuming that the system with the most aggressive PR backing is necessarily much easier.

The only reason why we don't see more remote attacks on NT is because ``networking'' is somewhat alien to NT. Networking has always been an integral part of UN*X and Linux, so naturally a buggy networked application is almost bound to compromise the system in a cracker-friendly way.

Consider the incredible amount of local attacks on NT being posted weekly (almost daily) on Bugtraq, and you see why NT people should be really happy that NT is not a network operating system.

Re:Parity

[aqua]

Agreed -- recall ZDNet's stated rationale (or rationalization) for not installing any of the updates: "The hackpcweek.com test was not meant to be easy but was meant to be practical and to reflect the habits of corporate IT."

Which presumably doesn't mean that they believe corporate IT to be a bunch of ignorant layabouts, but if I were a corporate IT person, and a reader of their publication, and also in the slightest bit competent with Linux, I'd be insulted. Perhaps they don't grasp the significance of a discrete package upgrade -- something MS has never really gone for. Root compromise hole in crond? Well, upgrade crond -- redhat publishes the bloody rpm -Uvh ... command to do that in every security advisory. It's a different methodology -- we usually have one upgrade package per main package -- and that, in the UNIX scheme of things, makes vastly more sense than clobbering all our package management systems (far superior to that offerred by poor NT) in favor of what they call "[making] fixes available in a more manageable manner."

ZD didn't do enough research while orchestrating this PR stunt, I suspect. Bring on the derision. ):

Re:I like the WindowsUpdate idea

[Ben+Hutchings]

In principle, this sounds like a good thing. In practice, enabling Windows Update opens a big security hole:

ActiveX controls can be marked "safe for scripting," meaning that a script on any HTML page can activate them without requesting permission or giving notification. And the controls turn out to have holes. So far, Microsoft has identified two buffer overruns and one case of improper filesystem access among Microsoft-supplied, marked-safe controls (Security Bulletins MS0099-33, 37, and 40).

...

For now, Microsoft recommends turning off ActiveScripting. Unfortunately, that breaks a good many Web sites, including most of Microsoft's. A less draconian solution suggested to me by a Microsoft developer is to deny permission to run "safe for scripting" controls. But even this breaks a lot of sites, including Windows Update, which is most Windows 98 users' best hope of installing security patches.

(from a mail to the RISKS mailing list by Steve Wildstrom ).

Debian's system doesn't rely on this sort of stuff - you have to actively ask for packages. However, it still relies on your trusting the FTP server you get them from. Official packages will be signed - but do you know that all Debian developers with the key will keep it safe?

Re:YES THEY HAVE A POINT!

[ralphclark]

OK, let's just see how difficult Linux's 21 separate updates are to install - (assuming you're stupid enough to want to wait for 21 updates to accumulate):

$ rpm -Uvh ftp://ftp.mydistribution.com/pub/updates/*.rpm

Now that was such a lot of work wasn't it?

Consciousness is not what it thinks it is
Thought exists only as an abstraction

Your binary releases can also be pre-linked

[SurfsUp]

Because of open source, we can re-compile an application that doesn't work with the system libraries we may have, thereby avoiding having to overwrite system libraries whenever we install an application. Therefore we can have small packages that update nothing but the problem.

Agreed, this is key. Perhaps even more important though is the ability to statically link, so that binary releases can be built, a la Netscape, with everything version-independent (except for kernel dependencies which are few & far between thanks to the efforts of people like Torvalds and Cox). So you can download the binary app and expect to have it work, as it nearly always does when built this way [ed note: and when declared stable ;-)].

Another factor of crucial importance is for this linking process to be carried out by anyone who wants to do it, i.e., access to the source code is important just as you say, but not necessarily for the same reason. Also consider - it's possible to re-link a dynamicly linked app to become a statically linked app using a linkage editor... I don't know if Linux has such utilities because I'm a relative newcomer to these development tools. But if they're not they're, we need them badly.

And therefore GNU/Linux will, unlike some other OS, have a massive share of the total server installations for many years to come.

(a) That and 1,000,000 other reasons

(b) It already does. (Check the situation as of last spring)

Re:Just click .exe

[bmetzler]

But as it turns out there is a way to get all-inclusive patches for Linux. Install a new release. They come out every few months, much more frequently than Microsoft service packs, and generally include all previous patches. The upgrade process is fairly similar in difficulty to applying an NT service pack. Interestingly this isn't mentioned.

Six months for Red Hat to be specific. Probably a lot faster then MS releases service packs. That's basically what RH 6.1 is, a service pack in MS terms for 6.0. There is only one difference. Red Hat replaces their old version with the new version. If I buy a copy of NT today, would I still have to install SP5? I imagine so.

Still though, I wouldn't want to have to wait until the next version was released to fix security holes. Not even on NT.

-Brent
--

Do they have a point?

[Bricius]

> Do they have a point?

No.
Imagine you buy 21 different programs from 21 different vendors, but you buy them all in the same shop, with one single bill, maybe bundled in a single box.
It's obvious that each vendor will fix only their own part and you'll get 21 different fixes.
What you can expect from the shop is that they bundle the fixes in the same way they bundled the programs.
And this is what Linux distributions already do (Debian at least).

Cheers!

negligence, pure and simple

[Eddie+the+Jedi]

The difficulty of applying 21 security fixes may be a bit of an issue (not that I find anything difficult about "rpm -Uvh *.rpm"), but that sure as hell doesn't justify ZD's decision not to apply the fixes. Applying the vendor's fixes is not optional, no matter what system you're running.

Do they think that if a business had its several-thousand-user network were compromised, the execs would accept the excuse that there were just too many vendor-supplied patches to apply?!

--

Re:Parity

[Peyna]

I think what they did may be a good way to test the ease of securing a server, as opposed to the true security of the server, once everything has been properly secured. So, perhaps had they applied all of the necessary patches to linux, they would have shown that linux is more secure, and that maybe companies with security issues need to hire people smart enough to be able to secure their information, rather than people who can install NT (boy that's tough) and run a few executables to apply some service packs and be done with it, without really having taken any steps to secure the box.

Should it matter?

[Oirad]

It's not the managers who are going to be doing the work, they're simply going to mandate "This will be secure!", if they know enough to mandate anything at all.

Most admins out there may not like doing multiple patches, but there are advantages. Some patches can open other holes, and using one of NT's service packs isn't guaranteed to fix everything either. And having them separated out allows an admin to more closely monitor what's been patched, rather than than NT's way of doing things.

It's like the NT vs. *nix discussion itself: each has its pros and cons. What it all boils down to is the competency of the guy/gal running the box.

Re:I work enterprise - multiple patches are the pi

[Black+Parrot]

> if I had to apply 21 individual patches to 200 machines, I would be ready to punch someone.

Just copy them to an upgrade directory, cd, and type rpm -Uhv *.rpm on each system. How does that compare to installing one NT service pack on each of those same 200 systems?


> the only time you are allowed to apply patches is outside business hours which for these boxes is between 9pm and 3am. That's a lot of late nights.

Per above, except have a cron job run at 9pm every night to -Uhv whatever files you put there during the day.


Any patch that we apply would have to have a corresponding backout procedure

Just re-install --force your prior version of the RPM for the same package.

Would you rather back out (say) one of 21 RPMs with rpm --force, or back out an NT service patch? And even if they were the same amount of trouble, do you want to throw out everything the SP offers, just because one of the patches on it sucks? Some of the other patches in the SP might accidentally fix something without breaking something else.

ZD doesn't have a case. Because they don't have a clue.


--
It's October 6th. Where's W2K? Over the horizon again, eh?

ZDNet's credibility

[quux26]

Call this flaimbait, hidden linux worship, sour grapes or whatever...

But ZDNet (and Yahoo) lost much credibility with me when they couldn't figure out that Jesux was a joke.

My .02
Quux26

Does it matter?

[Bob-K]

This wasn't even a remotely valid security test, so who the heck cares about the details?

There's no way am I going to make a decision based on what happened in a test like this. I'm not even going to take it into consideration. It was entertaining, and I enjoyed it, I enjoyed reading about it, I hope the ZDNet people had fun doing it, and I hope the people who hacked it had some jollies.

But the results are as meaningless as Bill Clinton's sworn testimony.

Re:Does it matter?

[remande]

This wasn't even a remotely valid security test, so who the heck cares about the details?

The people who don't know that it is an invalid security test cares about the details.

Time and again, some magazine, company, or other shows NT's supposed improvements over Linux. Then somebody notices how the "test" was intentionally or unintentionally rigged. While this is great for the Slashdot community, this is the sort of stuff that needs to be seen by those who make the buy decisions.

Now that you know, you can argue this where you work or learn; when somebody points to this test as a reason to install NT at your site, you have an effective counterargument--and URLs to back it up.

Re:Red Hat fixes wouldn't have helped

[nas]

Yes, they would have. They probably would have prevented jfs from getting root. If he did manage to get root then he would have uncovered a new security hole. Unfortunately, due to ZD incompetence, we have learned absolutely nothing from this little exercise (except possibly the magnitude of ZD's stupidity).

Count the numbers...

[knarf]

Just look up any `hacked page' archive which keeps track of the OS for the original website, and start counting. Keep in mind that Microsoft operating systems are actually less popular as a webserver platform than Linux, and Apache is far more popular than any MS offering (see The Internet Operating System Counter and netcraft). To make it easy on you, I did a count on some of the recent attrition archives and came up with these results (I only listed Linux, NT, Solaris, FreeBSD and OpenBSD, so the totals will NOT match the sum of the individual OS's):

year=month total Linux NT Solaris FreeBSD OpenBSD

1999-10 53 4 29 14 8 0
1999-09 259 72 82 62 12 0
1999-08 318 68 106 77 9 0
--- --- --- --- --- ---
total: 630 144 217 153 29 0

(apologies for the funky formatting, it used to be a nice table but /. does not like tables, and does not support the tag...)

According to this logic, Linux is cleary more secure than Windows NT, especially when you `weigh' the numbers with the popularity (or lack thereof) for the individual operating systems.
Of course, the really interesting number is the 0 for OpenBSD. Pity though I have no idea how many OpenBSD sites there are out there...

Re:I work enterprise - multiple patches are the pi

[Adam+Knapp]

Well I don't know about enterprise settings but:

I worked for my college's computer services this summer; my job mainly consisted of applying patches to NT for 3 months. Admittedly, we have many more computers than you (I'd estimate 800+ or so in public labs and administrative offices, we are extremely wired for 1500 students) but with 5 other students and the college's professional staff we were unable to apply service packs to all of them. Why? because when installing that "one big easy install" not only do you have to kick the user of the machine off (they really don't like that) but you actually have to be there the whole time to click on those "friendly" buttons. NT's profiles (they are like home directories except they suck) aren't always updated correctly by the upgrade so the users have to fix and reinstall their programs. Computers that were running NT SP3 w/o IE4 a little bit slow now are completely unusable with all of the "improvements" that were "necessary". Not to mention differing support of hardware between the different service packs; SP4 broke some computer I worked on because of incompatibilities with the BIOS on some Compaqs which had no problems at all with earlier versions.

In contrast, if we had been using Linux, even if I hadn't created a script, I could have opened up a sh*tload of telnet sessions from the cold room and, without the user knowing or caring, updated each and every machine at the same time with only the packages necessary.

Windows NT Vs. Linux or why ZD is uncredible

[mbpark]

1. NT itself is a piece of crap to even maintain properly. SP2 and SP4 only proved that Microsoft does not properly test third-party products with their Service Packs. We waited until SP5, and ONLY after several rounds of serious tests to make sure that nothing got hammered.

1a. Certain clients that used third-party messaging, web server, or application server products made by competitors such as Sun or Netscape had serious issues when SP4 was installed. So did Samba in one of our test cases. Leads me to believe that M$ wanted SP4 to push the M$ products over the competing products.

2. The Install of NT itself on a bare box is abyssmal. It takes about 10 reboots to get everything installed right with the Hot Fixes and the Service Packs. Linux takes one with 6.1. By the way, the install is about 5x as fast as W2K even in graphical install mode of RH6.0.

2a. Plus, there's the monitoring of NTBUGTRAQ for the latest exploits. Sometimes they hit 5 a week. The MS people post fixes 2 weeks later.

3. Linux, on the other hand, is mostly stable. Fixes are out within hours. I don't have these issues.

4. Linux isn't tightly integrated with Apache.
If I want to change web servers for reasons of security or such then I can. Can I do that easily with NT? The answer is no, unless you run Apache for NT. Then you still have the issues of the operating system.

4a. IIS is the biggest security hole of a web server I have yet seen. The bugfixes hardly fix anything. Doubt me and think NT is god? Read NTBUGTRAQ or actually run an NT server connected to the Internet. Microsoft and their COM objects are causing a whole mess of havoc.

5. Security hole in a Perl script on the hackpcweek site? I wonder why nobody tried to do the same with COM objects or the numerous buffer overflows on NT? Better yet, let's see how long it takes Redmond to come out with a fix! IF anyone wanted to not follow the rules of that contest, I am sure something like that would easily take down the box.

6. I hear too much from NT admins about "Wait until Windows 2000". Y'all can shut up about your vaporware. I interviewed two admins. One was a W2K freak. The other mentioned that MS should fix their products before releasing new ones. Guess which one got the offer? Shut up about how great MS is until I see stable shipping product or get out. Linux is right here, right now, and is constantly being updated. It's also open source and audited by thousands. Beat that, Redmond. Giving a closed source preview of a product doesn't make it like Linux. Open the source and show those API's like WNetEnumCachedPasswords.

6a. I have seen portions of that code, and it is MESSY. They probably won't release it out of embarrassment. I wouldn't.

7. ZD is advertising-driven. Guess who buys most of their advertising? Microsoft. Do you HONESTLY think ZD is going to bite the hand that feeds them? I think not. They are Microsoft's bitch. Anyone who reads anything from ZD should realize that. It's a PHB magazine, meant for people who choose not to pay attention to what is going on in IT. Until Red Hat, VA, Sun, SGI, and other non-MS companies advertise, then they will be continue to be the puppets of Redmond.

Until next time....

Parity

[wct]

I think the main complaint is an absence of parity between the two platforms. On one hand, NT had the five service packs applied, which are IMHO fraught with more difficulties to install than rpm'ing 21 patches. MS's service packs are renown for breaking other things from previous packs, and are usually released a long time after the bugs they fix are identified.

I really wouldn't have a problem with this at all, if ZDNet hadn't made the blanket conclusion that NT was easier to secure. That's an overwhelmingly ignorant statement to make.

Just click .exe

[jimfrost]

Simplistically speaking that's right, but practically speaking it's not.

Before applying SPs I wait at least a few weeks to see what people report as breaking under the new SP. There's usually something, and all too frequently (two NT4 SPs out of five!) applying an SP has a detrimental impact on system stability.

On top of that you may have to reapply SPs after installing new packages (particularly those from Microsoft) and you want to create a new emergency repair disk. These things are not necessary under Linux.

IMO, having adminstered both systems (and a bunch of others) for years, I much prefer the small patch approach where I can pick what I want to apply according to my needs: e.g. if I'm not running ftp I don't really need to apply an ftp patch.

But as it turns out there is a way to get all-inclusive patches for Linux. Install a new release. They come out every few months, much more frequently than Microsoft service packs, and generally include all previous patches. The upgrade process is fairly similar in difficulty to applying an NT service pack. Interestingly this isn't mentioned.

Interestingly, ZD says "Imagine the work involved in integrating 21 separate fixes into a change process to be deployed across an enterprise." Actually that doesn't have to be a lot of work. You can set up a master system and use rdist to propagate patched software to everything all at once. This kind of environment is easy to set up (the software is stock) and allows the software to do the grunt work of upgrading systems. You need to buy extra software to do this kind of mass upgrade on NT.

Re:Small, isolated patches better

[jflynn]

"Of course new users are still left to install all 21."

I'm not arguing that small, isolated patches are infinitely superior to mega-packs including both fixes and features.

However if a company like RedHat wants to provide support that people would buy, then making a patch or script available to fix all known security problems since last release might be a worthwhile product that new users would appreciate, especially those switching from Windows.

If you want to get into ease of use features, something with the functionality of Windows Update could also be popular. It should be done Unix style though. The update site sends the information about what is available to the local computer on request, which then compares it to what is installed and offers the user an opportunity to select packages to update or install. From this a script is generated locally that will download and install the required software. Category filters for "Security", "Bug", and "Feature" would also be nice.

Perhaps their new online update support in 6.1 addresses this. Can anyone describe it for me?

Nope

[Hynman]

Not after the Red Hat updater dingus in RH 6.1!!!
As I inderstand it it's automatic? is this correct? I have not had a chance to check it out.

How hard is this?

[linuxguy]

ncftp updates.redhat.com/pub/updates/6.1/RPMS/
> bin
> get *rpm
> bye
rpm -Uvh *rpm

Now really how hard is that? This "enterprise" crap is making me sick. These enterprises are hiring people who have peanuts for brains? They would much rather go to Microsoft's website, find the latest patch, download it, sit through the update, reboot the computer AND do the update and reboot process again after they install a new application (This is recommended by most all NT service patches). How many steps is that?

Anybody who can use ftp will tell you that it will take less time and effort to update the Linux machine. Now the "ENTERPRISE" IT guys, they just have a small problem.

They have never heard of ftp.

But they are perfectly capable of maintaining the company mainframe. A a whole lot of them work at Ebay and ZDnet also.

You'd like Debian

[Gleef]

The Debian distribution has set up to do pretty much exactly what you're asking for for a long time now (right down to the distribution of ISO 9660 images for offline machines). In addition, the updates and fixes are better tested and more independant from each other than the corresponding ones in Windows, resulting in a more stable overall environment. It refrains from adding the security holes that Windows Update gives.

Personally, I prefer RedHat, because it gives me more individual control, but Debian sounds like it would be far better for you, and get you away from the nasty broken Service Packs.

----

Re:I like the WindowsUpdate idea

[Greg+Hewgill]

I'm surprised nobody has mentioned FreeBSD and its cvsup system. After mucking around with Linux for a couple of years and never really getting comfortable with maintaining a system with RPMs etc, I disovered FreeBSD not too long ago.

I now have a completely up to date 3.3-STABLE FreeBSD installation on my trusty old P90 that used to run a crufty old RedHat 4.2 install. By watching the FreeBSD mailing lists, I can tell if there's something new I need. If so...

cvsup stable-supfile
make world [1]
make install
make kernel
mergemaster
reboot

Presto! Completely up to date system. Why isn't it this easy with anything else? Why are binary distributions/updates/patches/etc so popular?

[1] Okay, this step takes seven hours on a P90.

Small, isolated patches better

[Tack]

I maintain that it is better to install isolated patches as opposed to one huge monolithic upgrade (as in service packs).

I don't mind upgrading an FTP or bind (or whatever) RPM on my servers, but I absolutely will not install an NT service pack on a production server until waiting at least a month to see what kind of problems arise. I made the horrible mistake of installing SP4 on one of our NT servers. Never again.

Jason.

How many current NT patches ?

[Cally]

I've just rebuilt my NT Workstation, this time I decided to get really anal about security -- auditing everything, applying all available patches, hotfixes etc. Microsoft release 'Service Packs' that aggregate all the available fixes and patches; NT 4.0 is now on SP5. However after installing that there are merely the ... twenty ? thirty ? other patches and fixes to apply to NT alone. There are multiple patches for Office and Internet Explorer, too, and the holes they're patching are mostly things that could leave root (Adminmistrator) access vulnerable. There were 13 NT security alerts & patches in September /alone/.

So "most large companies would prefer the one large, sweeping-in-scope, fix" huh ? Quite right. Our corporate MIS has banned the application of hot fixes, patches or service packs beyond SP3 because ... wait for it ... it makes NT too unstable .

They only needed to install 4

[Quikah]

Why are they complaining about having to install 21 patches? They needed to install 4 with the config they were using; cron, kernel, net-tools, and dev updates. None of the other services were installed thus they did not need updating. Maybe update X if they actually installed it and libtermcap (this is a fix for a local exploit, but better safe than sorry). So maximum of 6 updates.

On NT they installed SP5, IE 4.01, option pack 4 and SQL server SP1. That is 4 updates.

gee, strikingly similar...

Red Hat fixes wouldn't have helped

[ajs]

The Red Hat fixes would have limited the scope of the intrusion, but the bottom line is that the guy got a shell at all because the 3rd-party CGI was buggy. This will be a problem if you're using NT or Linux or True64.

I'm torn on these kinds of tests. On the one hand, the test is attempting to prove the security of an operating system distribution, so that's really all that should be running. On the other hand, you are going to want to do something with that machine. Certainly a stand-alone Linux box with nothing else on it is not much of a real-world test.

In the end we're just serving to prove an old truism of security: You put a firewall in to keep out the 13-year-olds, but to stop the determinied crackers who are targeting your site in particular, you need to audit every piece of source you run. A very tall order, and always painful. It comes down to risk analysis and trade-offs.

I complained...

[ckm]

[QUOTE]

All I have to say about
http://www.zdnet.com/pcweek/stories/news/0,4153, 2346293,00.html
is that you all are idiots.

I rarely write about things, but this is an outrage. Anyone who thinks that
MS distributes all it's fixes in one large patch is a fool. I should know,
I was engineering lead on www.starbucks.com, one of MS most prominent sites.

In order to deploy a server, we would apply the latest service pack and then
between 30-60 hot-fixes. And that was just for the default software. Other
packages, like SQLServer, had at least two dozen hot-fixes.

A lot of times, these would conflict with each other in strange ways, and
uncover other bugs, which made it very difficult to deploy any fixes at all.
I would often try them out on my desktop (an NT Server) first so as not to
endanger the development environment. We even had one case where a hot-fix
wiped out our SourceSafe DB....

In contrast, the two Un*x OSs I use on a regular basis, Solaris and Linux,
have no such problems. Packages and RPMs are small, well-defined fixes to
particular problems, not some ubber-thing that has to itself be patched.

I don't know where you get your writers from, but I sure am glad I don't
read any of your publications. And with information like this (i.e. totally
useless and factually incorrect), it's doubtfull that I ever would.

Chris Maresca
Project Engineer, Organic Online, Inc.
ckm@organic.com

[/QUOTE]

I like the WindowsUpdate idea

[JoeShmoe]

I like how I go to one website, and it automatically tells me what I do or do not have installed. Then I get presented with a list of new patches, arranged neatly into ranks like Critical, Highly Recommended, Fun and Games, even Beta Testing. I can even get told within minutes of a new critical patch being posted by installing Microsoft's Critical Update Notifier. Each patch included a description of the component involved so I can choose if it is right for that computer. Then, after checkmarking all the items I want, click a button to download and install the patches automatically.

This is, in my opinion, a good system and I compliment Microsoft for adopting it. I only wish that the *nix community would be willing to host similar update servers, particularly for the popular distributions.

There are just a couple things that I think should be changed:

1) Link to knowledge base and security alerts. When I see an item listed, I want more than just a one or two line blurb. And vice versa...if I get a security alert on a mailing list, or find a reason why I'm getting a certain bug, I want to click a link and see the fix added to my downoad queue.

2) Make it easier for it to work with secure or offline servers. I should be able to download an ISO image that contains an entire copy of the update website. So, all I have to do is pull down the ISO, burn it, pop it into the CD-ROM of the secure or offline server and PRESTO! I can browse a local copy of the same update site.

3) Download histories with option to uninstall. Right now my Windows Updates are buried under a half dozen items in some Add/Remove Programs control panel. I'd rather be able to see a list (sorted by date) of items I have installed so I can check off the one I want to uninstall. So, if I SWEAR it's a patch that is causing my problem (even if tech support doesn't agree with me) I don't have to reinstall to get rid of it.

Service Packs stink because I get a whole bunch of stuff I DON'T want just to get the one of two things I DO want. The only reason I install Service Pack 3 on stand-alone machines is so I can install MSIE...and the only reason I install Service Pack 5 on those same machines is so I can use 17GB hard drives. Sure, I could probably abort the install after it decompresses the files and just install the new ATAPI.SYS file...but then I'm skating on "unsupported territory". So I have cross my fingers and pray that this isn't another Service Pack 2 or Service Pack 4 or lose my support options.

I think everyone agrees that individual patches would be better since it allows ultimate user control. The only problem has been keeping tracking of where they are, what they do, and which have been installed. So, let's get them all organized...how about it?

- JoeShmoe

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

ZDNet Car Security Contest

[Coda]

It's a little-known fact, but ZDNet recently held a car security test. They left two cars equipped with different security systems on the streets of LA, to see which ones real-life crooks could steal. The first car, equipped with MS MySafeCar, was locked, secured, and parked next to the second car, which was a convertible with the top down, keys in, and Linux Carsec turned off. The second car was stolen, prompting ZDNet employees to rejoice and marvel at the advertising budget for, er, security miracle that is MS MySafeCar.

When Carsec proponents noted the discrepancy between the two cars, ZDNet replied that "the average car user would not want to lock 2 to 4 individual doors."

ZDNet, in response to the information that Carsec comes with power locks, stuck their fingers in their ears and starting humming "Ol' MacDonald."

Do they have a point? Yes, atop their heads.

Update - ZDNet admits using Real PHBs

[Lucius+Lucanius]

In an update to the story, an anonymous source at ZDNet admitted that they used a genuine IT manager during the tests. "The decision not to apply the fixes came about due to our adherance to realistic simulations. We feel most IT managers are clueless, so we used a representative sample from our own labs. He made the decision," said the source, speaking under conditions of anonymity. "We feel this better represents the real world scenario."

In unrelated news, seismologists reported a strange disturbance, which they claimed was caused by thousands of sysadmins nodding their heads in agreement at the same time. The phenomenon has tentatively been titled "the Slashdot Effect".

No no no no no no!

[jem]

Having been an NT admin for awhile... It is not just a question of installing five huge service packs. And I'm not talking about hotfixes either.

There are a number of pieces of software from Microsoft that require the service packs to be applied in differing order:

The place I used to work before used Site Server (extension to IIS). For the personalisation feature to work on this, a completely bizare sequence had to be followed:

Install (approximate - I think this was more complicated):
Service Pack 3
Internet Explorer 4
Option Pack 4
(some crucial DLLs have now been deleted/overwritten with incompatible versions)
Service Pack 3
Option Pack 4
Site Server 3

You can now install Service Pack 4 & 5 if you want more things to break or you can cut your losses and stick to things that you know work (even if they aren't secure).

The problem with this process is that it is badly documented, denied on Microsoft's site and unknown to most MS users. We got this process from someone who spent days installing and uninstalling the software until it worked. Therefore it takes *days* to install a "decent" version of NT.

This is not the worst bit. The worst thing is that we bought Site Server for all of those built in features (many of which simply didn't work). It wasn't cheap and we ended up just writing our own stuff due to the poor quality of the documentation, lack of speed (dual Pentium Pro, 128MB RAM) and general flakiness.

The problem with all this software is that Microsoft doesn't write applications anymore. Everything has hooks in the O/S which means that departments within MS end up writing software that messes with everything. Incompatibilites arise and no-one is willing to tell you how to fix it without charging you huge consultancy fees.

My new web server boxes run Linux. When fixes come in, thousands of users are willing to help you out with any problems you have. They actually know. The applications do not send tentacles into the O/S, choking functionality out of other applications. My sites run fast. I never need to write ASP in my life ever again. I'm happy again.

Other example? To get a certain feature of MS Visual Interdev running on her machine, a friend of mine had to remove Service Pack 5 & 4 from her machine (Then re-install SP3). Only then would database diagrams re-appear as a feature...

I sense that many people here have not actually really experienced the joys of NT first hand. It is much more of a nightmare than you think. And good NT admins simply don't seem to exist. I'm sure there are some out there. Maybe. The recent joys of the Windows 2k machine that MS couldn't keep up due to running out of disk space, etc indicate that there simply aren't any. Even at MS.

I also know of a well know a major UK hosting provider which is withdrawing the NT dedicated server hosting. Too many problems. Too many security holes. Really bad remote management tools. End of story.
</RANT>