Slashdot Mirror


ZDNet Admits Mistakes in Recent Security Test

drsparkly writes "Linux Today is running this story claiming that the recent ZDNet Linux vs NT security `shootout' was biased against Linux. Apparently ZDNet had neglected to apply 21 available security fixes. They claim that `enterprise businesses would not want to apply 21 individual fixes' and `most large companies would prefer the one large, sweeping-in-scope, fix'. Do they have a point?"

11 of 313 comments

  1. You'd like Debian by Gleef · · Score: 3

    The Debian distribution has been set up to do pretty much exactly what you're asking for for a long time now (right down to the distribution of ISO 9660 images for offline machines). In addition, the updates and fixes are better tested and more independent from each other than the corresponding ones in Windows, resulting in a more stable overall environment. It refrains from adding the security holes that Windows Update gives.

    Personally, I prefer RedHat, because it gives me more individual control, but Debian sounds like it would be far better for you, and get you away from the nasty broken Service Packs.

    --
    Open mind, insert foot.
  2. Re:I like the WindowsUpdate idea by Greg+Hewgill · · Score: 3
    I'm surprised nobody has mentioned FreeBSD and its cvsup system. After mucking around with Linux for a couple of years and never really getting comfortable with maintaining a system with RPMs etc, I discovered FreeBSD not too long ago.

    I now have a completely up to date 3.3-STABLE FreeBSD installation on my trusty old P90 that used to run a crufty old RedHat 4.2 install. By watching the FreeBSD mailing lists, I can tell if there's something new I need. If so...

    cvsup stable-supfile
    make world [1]
    make install
    make kernel
    mergemaster
    reboot

    Presto! Completely up to date system. Why isn't it this easy with anything else? Why are binary distributions/updates/patches/etc so popular?

    [1] Okay, this step takes seven hours on a P90.

  3. Small, isolated patches better by Tack · · Score: 3

    I maintain that it is better to install isolated patches as opposed to one huge monolithic upgrade (as in service packs).

    I don't mind upgrading an FTP or bind (or whatever) RPM on my servers, but I absolutely will not install an NT service pack on a production server until waiting at least a month to see what kind of problems arise. I made the horrible mistake of installing SP4 on one of our NT servers. Never again.

    Jason.

  4. How many current NT patches ? by Cally · · Score: 3
    I've just rebuilt my NT Workstation, this time I decided to get really anal about security -- auditing everything, applying all available patches, hotfixes etc. Microsoft release 'Service Packs' that aggregate all the available fixes and patches; NT 4.0 is now on SP5. However after installing that there are merely the ... twenty ? thirty ? other patches and fixes to apply to NT alone. There are multiple patches for Office and Internet Explorer, too, and the holes they're patching are mostly things that could leave root (Administrator) access vulnerable. There were 13 NT security alerts & patches in September /alone/.

    So "most large companies would prefer the one large, sweeping-in-scope, fix" huh ? Quite right. Our corporate MIS has banned the application of hot fixes, patches or service packs beyond SP3 because ... wait for it ... it makes NT too unstable.

    --
    "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
  5. They only needed to install 4 by Quikah · · Score: 3

    Why are they complaining about having to install 21 patches? They needed to install 4 with the config they were using; cron, kernel, net-tools, and dev updates. None of the other services were installed thus they did not need updating. Maybe update X if they actually installed it and libtermcap (this is a fix for a local exploit, but better safe than sorry). So maximum of 6 updates.

    On NT they installed SP5, IE 4.01, option pack 4 and SQL server SP1. That is 4 updates.

    gee, strikingly similar...

    --
    Q.
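    Quikah's point, that only advisories for packages actually installed (and still at a pre-fix version) need applying, is the kind of triage a short script can do. The following is an added example, not code from the thread or from Red Hat's own tooling: it checks a constructed advisory list against a constructed installed-package list using a simplified RPM-style version comparison. All advisory ids, package names and version numbers below are made-up placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data: advisory id -> (package, fixed version-release).
# The ids, packages and versions are placeholders, not real Red Hat errata.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "ADV-01": ("vixie-cron", "3.0.1-37"),
    "ADV-02": ("kernel", "2.2.5-22"),
    "ADV-03": ("net-tools", "1.51-3"),
    "ADV-04": ("dev", "2.7.7-2"),
    "ADV-05": ("bind", "8.2.2_P3-1"),
    "ADV-06": ("wu-ftpd", "2.5.0-9"),
    "ADV-07": ("libtermcap", "2.0.8-15"),
}
# Constructed "rpm -qa"-style view of a minimal install: no bind, no ftpd.
INSTALLED: Dict[str, str] = {
    "vixie-cron": "3.0.1-36", "kernel": "2.2.5-15", "net-tools": "1.51-2",
    "dev": "2.7.7-1", "libtermcap": "2.0.8-15",
}

def vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: digit runs compare as integers, alpha runs
    lexically, digits outrank letters, extra trailing segments are newer."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return vercmp(av, bv) or vercmp(ar, br)

def triage(advisories: Dict[str, Tuple[str, str]],
           installed: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (advisory ids that must be applied, ids that do not apply)."""
    needed, skip = [], []
    for adv, (pkg, fixed) in sorted(advisories.items()):
        cur = installed.get(pkg)
        if cur is not None and evr_cmp(cur, fixed) < 0:
            needed.append(adv)   # installed and older than the fixed build
        else:
            skip.append(adv)     # not installed, or already at/after the fix
    return needed, skip
```

With the constructed data, four of the seven advisories apply (cron, kernel, net-tools, dev), matching the count in the comment above; the bind and wu-ftpd advisories are skipped because those packages are absent, and libtermcap because it is already at the fixed version.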
  6. Red Hat fixes wouldn't have helped by ajs · · Score: 3

    The Red Hat fixes would have limited the scope of the intrusion, but the bottom line is that the guy got a shell at all because the 3rd-party CGI was buggy. This will be a problem if you're using NT or Linux or Tru64.

    I'm torn on these kinds of tests. On the one hand, the test is attempting to prove the security of an operating system distribution, so that's really all that should be running. On the other hand, you are going to want to do something with that machine. Certainly a stand-alone Linux box with nothing else on it is not much of a real-world test.

    In the end we're just serving to prove an old truism of security: You put a firewall in to keep out the 13-year-olds, but to stop the determined crackers who are targeting your site in particular, you need to audit every piece of source you run. A very tall order, and always painful. It comes down to risk analysis and trade-offs.

  7. I complained... by ckm · · Score: 3

    [QUOTE]

    All I have to say about
    http://www.zdnet.com/pcweek/stories/news/0,4153,2346293,00.html
    is that you all are idiots.

    I rarely write about things, but this is an outrage. Anyone who thinks that
    MS distributes all its fixes in one large patch is a fool. I should know,
    I was engineering lead on www.starbucks.com, one of MS most prominent sites.

    In order to deploy a server, we would apply the latest service pack and then
    between 30-60 hot-fixes. And that was just for the default software. Other
    packages, like SQLServer, had at least two dozen hot-fixes.

    A lot of times, these would conflict with each other in strange ways, and
    uncover other bugs, which made it very difficult to deploy any fixes at all.
    I would often try them out on my desktop (an NT Server) first so as not to
    endanger the development environment. We even had one case where a hot-fix
    wiped out our SourceSafe DB....

    In contrast, the two Un*x OSs I use on a regular basis, Solaris and Linux,
    have no such problems. Packages and RPMs are small, well-defined fixes to
    particular problems, not some uber-thing that has to itself be patched.

    I don't know where you get your writers from, but I sure am glad I don't
    read any of your publications. And with information like this (i.e. totally
    useless and factually incorrect), it's doubtful that I ever would.

    Chris Maresca
    Project Engineer, Organic Online, Inc.
    ckm@organic.com

    [/QUOTE]

    --
    -- I don't have a cool sig.
  8. I like the WindowsUpdate idea by JoeShmoe · · Score: 3

    I like how I go to one website, and it automatically tells me what I do or do not have installed. Then I get presented with a list of new patches, arranged neatly into ranks like Critical, Highly Recommended, Fun and Games, even Beta Testing. I can even get told within minutes of a new critical patch being posted by installing Microsoft's Critical Update Notifier. Each patch includes a description of the component involved so I can choose if it is right for that computer. Then, after checkmarking all the items I want, click a button to download and install the patches automatically.

    This is, in my opinion, a good system and I compliment Microsoft for adopting it. I only wish that the *nix community would be willing to host similar update servers, particularly for the popular distributions.

    There are just a couple things that I think should be changed:

    1) Link to knowledge base and security alerts. When I see an item listed, I want more than just a one or two line blurb. And vice versa...if I get a security alert on a mailing list, or find a reason why I'm getting a certain bug, I want to click a link and see the fix added to my download queue.

    2) Make it easier for it to work with secure or offline servers. I should be able to download an ISO image that contains an entire copy of the update website. So, all I have to do is pull down the ISO, burn it, pop it into the CD-ROM of the secure or offline server and PRESTO! I can browse a local copy of the same update site.

    3) Download histories with option to uninstall. Right now my Windows Updates are buried under a half dozen items in some Add/Remove Programs control panel. I'd rather be able to see a list (sorted by date) of items I have installed so I can check off the one I want to uninstall. So, if I SWEAR it's a patch that is causing my problem (even if tech support doesn't agree with me) I don't have to reinstall to get rid of it.

    Service Packs stink because I get a whole bunch of stuff I DON'T want just to get the one or two things I DO want. The only reason I install Service Pack 3 on stand-alone machines is so I can install MSIE...and the only reason I install Service Pack 5 on those same machines is so I can use 17GB hard drives. Sure, I could probably abort the install after it decompresses the files and just install the new ATAPI.SYS file...but then I'm skating on "unsupported territory". So I have to cross my fingers and pray that this isn't another Service Pack 2 or Service Pack 4 or lose my support options.

    I think everyone agrees that individual patches would be better since it allows ultimate user control. The only problem has been keeping track of where they are, what they do, and which have been installed. So, let's get them all organized...how about it?

    - JoeShmoe

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
  9. ZDNet Car Security Contest by Coda · · Score: 5

    It's a little-known fact, but ZDNet recently held a car security test. They left two cars equipped with different security systems on the streets of LA, to see which ones real-life crooks could steal. The first car, equipped with MS MySafeCar, was locked, secured, and parked next to the second car, which was a convertible with the top down, keys in, and Linux Carsec turned off. The second car was stolen, prompting ZDNet employees to rejoice and marvel at the advertising budget for, er, security miracle that is MS MySafeCar.

    When Carsec proponents noted the discrepancy between the two cars, ZDNet replied that "the average car user would not want to lock 2 to 4 individual doors."

    ZDNet, in response to the information that Carsec comes with power locks, stuck their fingers in their ears and started humming "Ol' MacDonald."

    Do they have a point? Yes, atop their heads.

    --
    -- I can't think of anything witty to put here. Sorry.
  10. Update - ZDNet admits using Real PHBs by Lucius+Lucanius · · Score: 5

    In an update to the story, an anonymous source at ZDNet admitted that they used a genuine IT manager during the tests. "The decision not to apply the fixes came about due to our adherence to realistic simulations. We feel most IT managers are clueless, so we used a representative sample from our own labs. He made the decision," said the source, speaking under conditions of anonymity. "We feel this better represents the real world scenario."

    In unrelated news, seismologists reported a strange disturbance, which they claimed was caused by thousands of sysadmins nodding their heads in agreement at the same time. The phenomenon has tentatively been titled "the Slashdot Effect".

  11. No no no no no no! by jem · · Score: 5

    Having been an NT admin for a while... It is not just a question of installing five huge service packs. And I'm not talking about hotfixes either.

    There are a number of pieces of software from Microsoft that require the service packs to be applied in differing order:

    The place I used to work before used Site Server (extension to IIS). For the personalisation feature to work on this, a completely bizarre sequence had to be followed:

    Install (approximate - I think this was more complicated):
    Service Pack 3
    Internet Explorer 4
    Option Pack 4
    (some crucial DLLs have now been deleted/overwritten with incompatible versions)
    Service Pack 3
    Option Pack 4
    Site Server 3

    You can now install Service Pack 4 & 5 if you want more things to break or you can cut your losses and stick to things that you know work (even if they aren't secure).

    The problem with this process is that it is badly documented, denied on Microsoft's site and unknown to most MS users. We got this process from someone who spent days installing and uninstalling the software until it worked. Therefore it takes *days* to install a "decent" version of NT.

    This is not the worst bit. The worst thing is that we bought Site Server for all of those built in features (many of which simply didn't work). It wasn't cheap and we ended up just writing our own stuff due to the poor quality of the documentation, lack of speed (dual Pentium Pro, 128MB RAM) and general flakiness.

    The problem with all this software is that Microsoft doesn't write applications anymore. Everything has hooks in the O/S which means that departments within MS end up writing software that messes with everything. Incompatibilities arise and no-one is willing to tell you how to fix it without charging you huge consultancy fees.

    My new web server boxes run Linux. When fixes come in, thousands of users are willing to help you out with any problems you have. They actually know. The applications do not send tentacles into the O/S, choking functionality out of other applications. My sites run fast. I never need to write ASP in my life ever again. I'm happy again.

    Other example? To get a certain feature of MS Visual Interdev running on her machine, a friend of mine had to remove Service Pack 5 & 4 from her machine (Then re-install SP3). Only then would database diagrams re-appear as a feature...

    I sense that many people here have not actually really experienced the joys of NT first hand. It is much more of a nightmare than you think. And good NT admins simply don't seem to exist. I'm sure there are some out there. Maybe. The recent joys of the Windows 2k machine that MS couldn't keep up due to running out of disk space, etc indicate that there simply aren't any. Even at MS.

    I also know of a well-known major UK hosting provider which is withdrawing its NT dedicated server hosting. Too many problems. Too many security holes. Really bad remote management tools. End of story.
    </RANT>