Slashdot Mirror


PCWeek Summarizes hackpcweek.com Test

Banraeth writes "This week's PC Week contains a story about the results from their hackpcweek.com security test site. They explain the object of the test, how many attempts they got, the structure of the attempts and the way someone finally got in. The article reads really well and very clearly explains the anatomy of a break-in for those of us who aren't Linux security gurus. "

49 of 174 comments

  1. Re:Just plain wrong by bmetzler · · Score: 2
    What's with every ZDNet writer thinking they're a pundit lately?

    You missed the last page where they have the "PC Week Labs recommends ..." chart. The second to last recommendation is "Install all vendor-recommended updates: Assign this task to a specific person within the organization. Allocate budget for it. Also subscribe to hacker magazines such as '2600' and patrol hacker Web sites. Read all CERT advisories."

    After saying that a corporation wouldn't want to install patches as they were released, they certainly have a funny recommendation for NT administrators. Allocate budget? Subscribe to hacker magazines? All that, and all we asked for was 21 measly patches.

    Sorry, PC Week. Get your act together, or step aside. I've got work to do...

    -Brent
    --
  2. Believe it or not, this is *good* for Linux by Anonymous Coward · · Score: 3

    RedHat has the equivalent of a Service Pack available-- the updates. These updates contain a number of bug fixes, etc. And RedHat encourages users to get the updates.

    So why don't people do it? Because none of the bugs are "well-known", i.e., they don't get news coverage on ZDNet, with headlines screaming "Sky Is Falling, LINUX Insecure!"

    But Microsoft tends to get that. Partially because they write shitty software (let's be honest), and partially because it's a name that people recognize and will relate to. It makes for good sensationalism.

    My solution, offered with tongue firmly implanted in cheek, is to sensationalize every exploit for Linux. "crond Found Insecure at 8:00 AM, Bob Young Not Answering Phone at Lunch Time!"

    Seriously, though, maybe we need to put just a little more emphasis on getting the updates. Now we have an example-- "Hey, Joe, did you download the RH updates? They say that if PC Week had done that, they wouldn't have been cracked!"

    1. Re:Believe it or not, this is *good* for Linux by Black+Parrot · · Score: 2

      Actually, it's good for Linux because other magazines will be publishing editorials saying:

      Windows only looks better than Linux when someone cheats.

      Microsoft and its toadies (Mindcraft, ZDnet) still don't understand the internet. The rules of the FUD game have changed.

      Gone are the days when you could publish an article like this with impunity. Ten years ago, mostly only Windows users would have seen it to start with (due to the venue), and that small fraction of the readership who did spot the b.s. would not have a ready channel for spreading the word.

      But today, only one of the clueful has to see it. That reader posts it to /. or the like, and 10K people see it within a few hours. And a large fraction of those 10K are also clued in, so the b.s. has its odor pointed out in detail, and echoed all across the internet.

      FUD relies on treating people like mushrooms. But with the internet, that only works for people who limit themselves to MS-sponsored sites. The public at large does have access to the facts.

      Sorry, Bill, but the rules have changed. You can't kill Linux with FUD any more than you can buy it. You're going to be forced to innovate, however much you hate it.


      --
      It's October 6th. Where's W2K? Over the horizon again, eh?

      --
      Sheesh, evil *and* a jerk. -- Jade
  3. Damn, but they're clueless... by Booker · · Score: 2

    In the discussion that followed the successful crack, there was mention of AutoRPM as one solution for staying up to date. So PCWeek jumps in and says "AutoRPM is the only solution." Um.... ok. Or you could just subscribe to the Red Hat mailing list...?

    They complain about how hard it is to remember "secure" passwords such as "[Athl!g" and how they had to keep a list (in cleartext I suppose) on a laptop. Try something like "TcIoOtLtWeD" which is nice and easy to remember.*

    And of course, as everyone has mentioned, first they say that Red Hat had 21 security updates available, and turn around and lament that there's no place to go to see which security updates are available... durr....

    Overall, they just sound clueless and/or heavily influenced.

    *"This contest Is one Of the Lamest things We've ever Done."

  4. Re:Inconsistencies in the article. by Anonymous Coward · · Score: 2

    I totally agree with your assessment.

    I will go further and say that it is obvious that this whole test was simply a horse and pony show to prove that Linux is just inherently insecure.

    One can only wonder at the motivations of a company that runs a security test without installing Linux security patches and goes to the length of installing unaudited CGI scripts.

    I believe that this test was paid for and run by Microsoft. Any objective tester for an operating system would have gone to the trouble to install the security patches and report how difficult the task is.

    That PC Labs is still claiming that "Linux" doesn't have a central site for its security updates is clearly FUD directed towards those who do not read forums like these.

    Linux does have a kernel site that is a central repository for all fixes. But it wasn't a kernel security problem that we are talking about here.

    The security hole that allowed a breakin was threefold. An insecure cgi script allowed a person to try to write a file. Wrong directory permissions allowed a file to be overwritten. A known security hole was exploited.

    Audit all scripts before you put them on your box. Use the -T flag and use strict option even though they make programming a real pain. Get all updates from your software company and install them. Ensure proper directory permissions for all directories and files. Go to your distribution vendor and download all security patches.

    PC Labs only had to go to one place on the whole net to get updates for their Redhat software. All the software. The site is http://redhat.com/support

    That's right, not only do you get hundreds of software packages, but you only have to go to one place to get updates on all of those fixes.

    Imagine how many sites you would have to visit to upgrade all the software on a Windows box that has an equal amount of software as a Linux box. It wouldn't be one site, that's for sure.

    Sounds to me like Linux would be much easier to maintain.

  5. a little something by lawn_ornament · · Score: 2

    They are just sooooo wrong. Not applying 21 security patches to the Red Hat System (and those patches were readily available from the Red Hat errata) because that was something "a real life sysadmin would never do" but still they applied the SP 5 for NT... as if that's something a sysadmin would do? This is just way bad... I smell another Mindcraft here

    --

    ---
    Killroy Woz Here
    1. Re:a little something by Suydam · · Score: 2

      I agree totally. Truth is, this all depends on how you define "a real live sysadmin". I certainly would never hire a "real live sysadmin" who didn't install security patches. What kind of sysadmin would that be? For cryin' out loud...the only way to do this test is to apply all Red Hat errata that relate to security at all, AND to apply NT-SP5...that's what REAL sysadmins are already doing all over the world for both OSes.

      --


      Werd.
    2. Re:a little something by jd · · Score: 2
      A real-life sysadmin would know how to run Debian's automatic update script, or how to download Red Hat's upgrade directory.

      I've known a lot of lazy & stupid admins, though. One place I've worked at STILL used Sendmail 8.6.12 - a version long-since stamped "Do Not Use - EVER!" by the people who made it. Their version of BIND was no more recent. SSH? Nah! RSH, with .rhost entries for every machine! They eventually set up a firewall, but deliberately left all the ports open. It was a security disaster waiting to happen. Given the company deals with classified and commercially sensitive information, it =had= to have been an out-take from a Geek's horror movie. (And, no, I won't say where it was.)

      Admins like that would probably spit on those 21 security patches - if they had the energy and dexterity. They would likely neglect NT, too, though.

      I agree that this stinks of picking the conclusion and fitting the data to it. Either they should run a fair test, or not run a test at all.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. A Centralized Linux Bug Database. by kevin+lyda · · Score: 3

    They're correct, there isn't one. But there is a central place to get updates for RedHat Linux:

    ftp://updates.redhat.com

    They can't make it easier than that, and unlike Microsoft's update site you don't need to click through gobs of advertisements.

    --
    US Citizen living abroad? Register to vote!
    1. Re:A Centralized Linux Bug Database. by bmetzler · · Score: 2
      Actually you know EXACTLY what the service pack is installing, if you read what the service pack fixes and updates.

      Yes, but I figure if administrators don't want to take the time to read the README with the patch under Linux and check out the RPM, they probably don't bother with the effort of reading the txt file with the service pack under NT.

      -Brent
      --
    2. Re:A Centralized Linux Bug Database. by GnrcMan · · Score: 2

      I've registered the domain linuxpatch.com (not hosted yet). I'm working on a centralized patch database/repository...complete with ratings by importance (i.e. security) and stability.

    3. Re:A Centralized Linux Bug Database. by jd · · Score: 2
      True, but bugtraq is a good approximation, and freshmeat is a very good approximation of an updates site.

      Redhat and Debian have upgrade facilities, of one sort or another. (Debian's is semi-automatic, I believe. Just run a script, and newer packages are fetched over the net.)

      I'd say that bug reporting is more-or-less down pat, but could be done through bug-reporting scripts, to make it easier on newbies. Upgrades are almost sorted, but maybe need a bit of touching up for those same newbies.

      IMHO, the facilities all exist, it's that they're either not known to the unwashed masses, or not simple enough for them.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    4. Re:A Centralized Linux Bug Database. by bmetzler · · Score: 2
      They can't make it easier than that, and unlike Microsoft's update site you don't need to click through gobs of advertisements.

      You must have missed a paragraph halfway down the first page.

      This problem is exacerbated by the distributed nature of today's enterprise and the need to test and verify any patch before it is installed on a mission-critical server. The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them. But no administrators in their right minds would use this sort of utility because they would have no idea what was being installed on their servers.
      Now the problem isn't *testing* the patches. They've learned that that won't fly anymore. Now they've done a 180 and decided that you *can't* test the patches. Of course, number 1, the claim that you *have* to use autorpm, which doesn't let you find out what you are installing, is ludicrous. And 2, when you click on the executable to install an NT service pack, and it's grinding away for 30 minutes, you really don't know what exactly it's installing, do you?

      I am sorry. I was willing to give PC Week a chance when they announced their project. But it's obvious that not only is it very biased toward who pays the bill, but they'll keep changing their "story" to keep Microsoft looking better.

      -Brent
      --
  7. Re:Response to Criticisms? by bmetzler · · Score: 2
    Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.

    No central infrastructure, as in you *have* to get patches to Microsoft OS's from Microsoft, and you can get patches for Red Hat's product from, none other than, Red Hat!

    Of course, you can *also* follow freshmeat.net, or other freely available "portals" to also keep Linux up to date. Then again, NTBugtraq is just as good a resource for keeping up on Microsoft issues as anything.

    Microsoft has a "central infrastructure"? Yeah right! How many times have you heard of a security problem from Microsoft first? The difference is not the infrastructure, it's that with MS OS's you have to *wait* until Microsoft responds before *you* can do anything about it.

    -Brent
    --
  8. Re:Uh. by TheKodiak · · Score: 2

    Something someone else said kind of crystallized this for me - it didn't occur to PCWeek, and it wouldn't occur to a Windows Admin, that an OLDER system could be more secure, would it? I mean, if I'm going to put up the most secure Windows machine I can, I'm going to use the latest Windows, because it fixes what was wrong with the older versions of Windows. The idea of fixing an older version while developing a new version is anathema to MS development. This shows through in the fact that many of their patches represent the addition of new features as well as the correction of issues. There is no separation between "Works Better" and "Does More" like there is for the Unix world.

    --
    -=Best Viewed Using [INLINE]=-
  9. Re:What I Want to Know ... by luge · · Score: 2

    Yup. What they are basically claiming is that IT managers wouldn't want to apply those patches. C'mon, there is nothing at all of value on any of my three systems, and I keep them up to date on a daily basis. If I were paying someone to do IT for me, and they refused to do something I could do myself (rpm -ivh *) I'd personally clear their desk into the street. To claim that it wouldn't be done because autorpm "doesn't let you know what is going on to your system" is completely disingenuous.
    ~luge

    --

    IAAL,BIANLY

  10. Re:No central repository of Linux patches... so wh by coaxial · · Score: 3

    One Of the Many ACs writes:

    I don't think so. For any operating system it is impossible to track all of the patches for every single program for that one operating system in one place, but a good place to start would be:
    http://www.securityfocus.com/ (aka: BUGTRAQ)


    ZDnet has a point here. I have the same problem they have when keeping my boxen secure. (Of course nothing is more secure than off (Hey, it would be left on if I wasn't on dialup.)) BUGTRAQ is very good, but what they (and I) would like to have would be a freshmeat of security patches. (Call it rancidmeat (it's all about bugs, get it? Oh I crack myself up sometimes (but not this time).).) It could be run just like freshmeat, nothing actually there, just links to the patches. Have it summarize BUGTRAQ and several other official and "unofficial" security sites, and provide links to the patches. Sure it's work (so is freshmeat), but certainly it's doable. (Disclaimer: I'm not saying this fictional site would be perfect, but it would be better than what we have now which is a hodgepodge of several different sites. I certainly would like to take part in something like this.)

    M$ Propaganda^H^H^H^H^H^H^H^H^H^H^H^HZDnet writes:

    The hackpcweek.com site also showed us that some simple security
    measures, such as complex passwords, are great in theory but nearly impossible in practice. The hackpcweek site comprised six servers. Imagine how difficult it was to remember passwords such as [Athl!g. We couldn't...


    Ahh geez, and they wonder why they had security problems. I'm sorry but this is just stupidity on their part. I have a minimum of 12 different passwords each as arcane as theirs and I have no problem. (For "added security" none of them are based on any sort of mnemonic phrase). Of course if they actually used the passwords on a daily basis, then they would remember them and wouldn't have to have them written down. (Eventually you'll "forget" the password when typing them in becomes automatic. ("What's your password?" "Uhhh... *goes to a keyboard and types* apparently Ghj3$/f ."))

  11. Re:Response to Criticisms? by bmetzler · · Score: 2
    What were they going on about with AutoRPM?

    Clueless as usual, they didn't do the research, but assumed (probably based on the feedback they got) that the *only* way to patch Linux was to use autorpm and that the process went something like this:

    # autorpm

    Checking current installed packages....
    Downloading new packages....
    Installing packages....
    Done...

    Your server is now secure.
    Please do this at least once a day.
    Please note that this will *not* run from cron.
    #

    Of course, a few minutes on Red Hat's site would have shown that they could download the patch manually and verify what it did. *Then* they could use autorpm to automate the process of getting the patches on all the servers.

    So, how does running "setup.exe" to install a service pack provide you with any more ability to see what's being done to the server than PC Week's idea of AutoRPM?

    -Brent
    --
  12. They dance around the explanation by Enoch+Root · · Score: 2
    What I find funny in this explanation, and in that regard it matches the guy's own description, is this:

    They take two pages to describe how he painstakingly went through the process of scanning the Perl scripts, trying to squeeze in an executable under the exact right size, and ultimately gets to a dead end.

    And then, in one line, they tell you he got an exploit off Bugtraq and got root access.

    They're very quiet about that last bit... Yet it seems to me like it's the essential part of the exploit. Yes, accessing online resources and security websites is one of the main tools in the cracker's arsenal. Far from me to say that these sites should be banned! What I mean is, they should be read as much by the admins as they are by the crackers.

    "There is no surer way to ruin a good discussion than to contaminate it with the facts."

  13. Re:Applying the security fixes... by Kintanon · · Score: 2

    From reading the way the cracker finally got in, does anybody know if one of the security fixes that were available would have actually stopped this exploit? It seems more like the CGI was the culprit, and the lack of security patches, while an issue in general security, had nothing to do with this particular break-in.

    From what I remember it was the Cron hole that allowed him to exploit the CGI scripts hole, so without the Cron hole he wouldn't have been able to do it, and yes there is a patch out for that.

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  14. Re:A little bit defensive... by Black+Parrot · · Score: 2

    > C'mon, this article is actually pretty good. ZD isn't bashing Linux, they are basically summarizing the hacking contest.

    But is that the message the PHBs will hear? Is that what ZD wants them to hear?

    The whole art of FUD or any other sort of propaganda, if you're good at it, is to say things that you can defend in their surface form, but which bear a between-the-lines message that twists the truth to your advantage.

    If they had merely wanted to evaluate the difficulty of securing systems, they didn't need a shootout. A single system would have sufficed.

    Printing such loaded messages is inexcusable, particularly from a rag that is subject to reasonable charges of conflict-of-interest.

    BTW, I'd be willing to wager that if you did a reader survey on this article, you'd find that more remembered the between-the-lines message than remembered the objective facts presented in the article. Such is the nature of the human mind (and that's why FUD and propaganda often works so well).

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
  15. Re:Missing the point of peer-reviewed software by bmetzler · · Score: 2
    Answer me this then. If WinNT is so secure, then why does it require very expensive virus protection? Or do rogue programs wandering around screwing up your system not count as security holes?

    You were asking PC Week, right?

    Personally, I would never use an OS where features are specifically added that allow you to do malicious things, and requires more software, not to "prevent" it, but to stop it ASAP after it happens.

    The NT security model is the worst that I could ever imagine. At least security holes in Linux and other Unixes rely on bugs that can be fixed without breaking a lot of legitimate stuff.

    -Brent
    --
  16. Re:Two contradictory wrong statements by ptomblin · · Score: 2

    No, autorpm is a third party program. I've been using it since RedHat 4.2.

    You can get it from ftp://ftp.kaybee.org/pub/redhat/RPMS/noarch

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  17. Help? by GnrcMan · · Score: 2

    Speaking of which, at some point in the near future I'll probably need some help cataloging updates (I'll eventually start using bots to help). If anyone is interested, e-mail me.

  18. Important point missed by tilly · · Score: 2

    Nobody should run publicly accessible CGI scripts that don't have taint mode enabled. Just start off your scripts with

    #!/path/to/perl -T

    and fix everything that breaks.

    You will close off a lot of security holes that way...

    Ben

    --
    My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
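
An added example, in Perl, of what the -T switch recommended above (and the "-T flag and use strict" advice in the earlier Anonymous Coward comment) actually enforces in a CGI-style script; it is not code from either poster or from PC Week. The filename whitelist, the temp-directory write and the fallback query string are constructed for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original posts. Shows what Perl's -T
# (taint mode) does for a CGI-style script: data from outside the program
# is flagged, a dangerous use of it is refused by perl itself, and only a
# whitelist regex capture clears the flag. Run as:
#   QUERY_STRING='file=../../etc/passwd' perl -T taint_demo.pl
#   QUERY_STRING='file=report.txt'       perl -T taint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);
use File::Temp   qw(tempdir);

# Not used below, but under -T any system()/exec dies unless PATH is set
# from inside the program, so pin it and drop the shell-influencing vars.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Returns the filename if it matches a strict whitelist, else undef.
# The capture ($1) is the ONLY thing that launders taint, so the pattern
# is the security check: letters, digits, _ . - only, no leading dot,
# no "/" (constructed policy for this demo).
sub untaint_filename {
    my ($input) = @_;
    return undef unless defined $input;
    return $1 if $input =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return undef;
}

# Writes $data to $dir/$name. Under -T perl dies with
# "Insecure dependency in open" if $name is still tainted.
sub write_file {
    my ($dir, $name, $data) = @_;
    open my $fh, '>', "$dir/$name" or die "open $dir/$name: $!\n";
    print {$fh} $data;
    close $fh or die "close: $!\n";
    return "$dir/$name";
}

# In a real CGI the parameter comes from CGI.pm's param(); QUERY_STRING is
# the same data and is tainted because it came from the environment. The
# constructed fallback is a literal, so it is NOT tainted and the refusal
# step below is skipped when the variable is unset.
my $query = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : 'file=report.txt';
my $requested = $query;
$requested =~ s/^file=//;   # s/// keeps the taint flag (a (.*) capture would silently clear it)
printf "requested '%s' is %stainted\n", $requested, tainted($requested) ? '' : 'NOT ';

my $dir = tempdir(CLEANUP => 1);   # File::Temp ignores a tainted TMPDIR under -T

# 1. What a script without validation would do: perl stops the write.
if (tainted($requested)) {
    my $ok = eval { write_file($dir, $requested, "should never be written\n"); 1 };
    print "unvalidated write refused by taint mode: $@" unless $ok;
}

# 2. The validated path: reject, or write a name that passed the whitelist.
my $safe = untaint_filename($requested);
if (defined $safe) {
    my $path = write_file($dir, $safe, "hello from the taint-mode example\n");
    print "validated write ok: $path\n";
} else {
    print "rejected '$requested': not a plain filename\n";
    exit 1;   # a CGI would return a 400 here
}
```

The -T on the shebang line is only honoured when perl is also started with -T, otherwise it dies with "Too late for -T", which is why the run lines above pass it explicitly.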
  19. It was a "gimmick" contest. by Lumpy · · Score: 2

    as a sysadmin for a huge NT network (Server and workstation) applying 21 patches would be nice and easy! Let's see, each new pc that comes in..
    Apply SP-3 (no higher because sp4&5 are severely unstable), add 13 hotfixes and the Y2K hotfixes, patch I.E., patch Office, patch Outlook... That's a total of 23 things to do where most of these "patches" take 1-2 hours to download, and force a fix to be applied to fix what the fix broke.

    This "contest" was a huge joke. PC mag has never EVER had any clout with me or anyone I know, 90% of the time they either do basic things like an article on "how to turn on your computer" or "the mouse really isn't a foot-pedal", basically a useless mag except for the inept that really shouldn't be using a computer to begin with.

    This test proved one thing to me.... they wanted to scream "MEE TOO! MEE TOO!" with the ranks of other real mags.

    --
    Do not look at laser with remaining good eye.
  20. The (21) security fixes... by Hall · · Score: 2
    Yes, there have been (21) "security" fixes for RedHat v6.0, but how many of them apply to their setup ??

    For example:

    Two of the updates are Netscape fixes. Is their server running a copy of Netscape ? Not likely ! Therefore, we're down to (19) fixes.

    Two more are updates for XFree86. Well, they probably are running X ! You know, they are used to pointy-clicky administration!

    Another is an update for "mars-nwe". Isn't that a client type program for logging into Netware servers ? Again, probably doesn't apply to their setup.

    A fix for KDE...okay, that can make Linux look like Windows, so, they probably are using it!

    A fix for gnumeric, a Gnome spreadsheet program.

    How many more of the RedHat updates don't apply?? If I don't have the RPM for "pump" installed, I certainly am not going to install the "fix" for it!

  21. AutoRPM info incorrect by kaybee · · Score: 4

    I was happy with the article in general... especially the detailed log of how the hacker broke in. It is true that CGI scripts can potentially be security holes in an otherwise very secure system.

    My only problem with the article, however, is the treatment of the Red Hat official updates. You mention that there is no central place to find "linux" updates. Well, there is. Red Hat provides a central source for all of their official updates. This is the same thing as Microsoft providing its Service Packs. Red Hat guarantees that these security updates are okay to apply to your system... and, in fact, they don't release them unless you *should* install them on your system.

    You mention the program "AutoRPM" (I'm the author of this program). The best way to use this program is to have it regularly (i.e. every night) check the official set of updates from Red Hat and apply them if new ones come out. What you do, however, is configure AutoRPM to check the PGP signature of the updates before it applies them. When Red Hat releases security updates, the patches are signed with their private PGP key. If you configure AutoRPM properly, it will use Red Hat's public key to check this signature. In other words, with only a few changes to the default config file, you could have set up AutoRPM to automatically install *official* and *verified* security updates from Red Hat. The only reason this isn't the default configuration is that PGP doesn't come with Red Hat (due to US export restrictions on cryptography).

    If you had spent the 5 minutes to properly install and configure AutoRPM, the Red Hat Linux machine would *not* have been hacked (at least not in the way it was) because the cron security exploit would have been automatically patched by AutoRPM.

    - Kirk Bauer

  22. Re:read what he said by Black+Parrot · · Score: 2

    I agree with the "But no administrators..." part. I do not agree with the "The only option..." part.

    I, for one, had the cron patch installed. I'm not a security guru. I'm not a bona fide sysadmin. I'm just a desktop Linux user who likes to take care of the easy stuff.

    And easy it was: I am subscribed to Red Hat's mailing list, and they send me a message whenever security updates are available. I read the message, and fetch the update if it applies to me. The elapsed time is usually about 30 seconds + download time.

    Autorpm is not the "only" option.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
  23. Re:I think it's a good article.... by Rick_T · · Score: 2

    | I'm the sysadmin for a small ISP, and no I
    | haven't had time to apply the 21 patches on
    | all of the redhat boxes, the various BSDI
    | patches, updates to all the '98 boxes, etc.

    This is a good point, though I don't personally believe that security should be as low of a priority as a lot of people seem to think it is.

    For example, the ISP I use runs its systems on Redhat Linux. They provide shell accounts, which is good - and one of the reasons I chose them. However, I've noticed that they're quite far behind on security issues, and it'd be essentially trivial for someone to root their boxes, if it hasn't been done already. (Now I've done it ... mentioning it on Slashdot. ;) )

    I also notice that they're behind on versions of sendmail *despite* having been warned about it several times. Thus, all the mailservers they run (and there are several) are wide-open relays just waiting for a malicious spammer to start spewing out junk mail.

    As for the 21 patches, not all of them would be appropriate for a server machine - particularly if the service isn't installed (for example, if you have no FTP daemon, why do you need an FTP patch?).

    Did you *see* all the stuff that they did to the NT server? Heck, even installing all 21 RPMs sure looked easier to me!

    --
    -- Rick
  24. Re:Response to Criticisms? by Ian+Pointer · · Score: 2

    What were they going on about with AutoRPM? I'm sure that selecting a package to install and going to the Package-Info option tells you where the RPM comes from. And it has a PGP verification option...

  25. What I Want to Know ... by Col.+Panic · · Score: 3

    What I want to know is how they can in one breath say they took all reasonable security procedures that any sys admin worth his/her salt would take and the next say they are going to add the 21 security patches and test again...

  26. Missing the point of peer-reviewed software by __aaswyr5774 · · Score: 3
    They claim early on in the article that security is tough stuff, absolutely true. Then they claim that it's only going to get tougher. Absolutely wrong.

    If you keep using the latest and greatest stuff then yeah, of course you're going to need someone on staff auditing your system's security all the time. The point they miss, though, is that code matures from people looking at it, fixing holes, and changing the packages to be distributed in a default tightly-locked state. (When was the last time you worried about a vulnerability in finger?)

    Admins will always need to be aware of security. But it's getting more and more to the point that you can set it and forget it. Especially if you spend the ten minutes to keep up to date with the new patches on updates.redhat.com.

    1. Re:Missing the point of peer-reviewed software by Cuthalion · · Score: 2

      They claim early on in the article that security is tough stuff, absolutely true. Then they claim that it's only going to get tougher. Absolutely wrong.

      It certainly does get tougher as your demands increase. The more intricate the network services you're providing, the harder it is to keep them secure.

      Assuming that the site you are maintaining remains free of growth, things will become more solid. However no corporation wishes to even consider this possibility, and reasonably so.

      --
      Trees can't go dancing
      So do them a big favor
      Pretend dancing stinks!
    2. Re:Missing the point of peer-reviewed software by bmetzler · · Score: 2
      The point they miss, though, is that code matures from people looking at it, fixing holes, and changing the packages to be distributed in a default tightly-locked state.

      They don't miss this point because it doesn't exist. NT *never* matures. Every time it gets a chance Microsoft tears it out and replaces it with newer, better code.

      We see that though, because our code does mature. We see no need to replace code that works, just because it was written more than a year ago :)

      Ah, I can just imagine PC Week debunking the "mature code" claim by saying that because Linux has thousands of developers working on it, the code must be being continually rewritten and replaced for no need at all ;)

      -Brent
      --
  27. Two contradictory wrong statements by ptomblin · · Score: 4

    I notice two statements off the bat that not only are both wrong, but they contradict each other.

    First they say there is no single place to get all the updates. Since they are running RedHat, that is wrong, because they could get them from ftp://updates.redhat.com/

    Second they say that if you want to keep up with the security updates, your only choice is to run autorpm, but that's a bad idea because it installs software without you knowing what is going on. Leaving aside the fact that this contradicts the first statement, it's also dead wrong. If you set one configuration variable in autorpm, instead of installing the updates, it will just download them, and send you an email advising that they are downloaded. Then you can pick and choose which ones to install using "autorpm --apply", which will show you what the package is, where it got it from, all the rpm info, and let you choose to install, defer installation for now, or remove it from the queue. It doesn't get any simpler than that.

    Would you rather get your security patches the day after they are available, or would you rather wait for Microsoft to bundle several security patches up into a Service Pack CD?

    --
    The next Cmdr Taco duplicate will be ready soon, but subscribers can beat the rush and see it early!
  28. Inconsistencies in the article. by Dast · · Score: 5

    PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement.

    Well that is very interesting isn't it. Then why weren't the available security fixes for redhat applied. Bah. They went to the trouble of getting service packs for NT, but couldn't rpm -Uhv *

    While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system.

    Well isn't that special. http://www.redhat.com/corp/support/errata/rh60-errata-general.html

    Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.

    Last I checked, no hole in the kernel was exploited. As for the other components, you buy from redhat to get the central infrastructure. You could roll your own distro if you wanted to worry about updating all of the individual packages. When you buy a distro, you pay a company money to package things for you, so when you need an update, you go to them.

    The only option for Linux is to use a utility called autorpm, which polls a server for updates and automatically installs them

    Again wrong. I don't use debian myself, but I believe they have a system for doing just that in a much more secure manner.

    The bottom line is daunting: Don't let your guard down--ever.

    Right. Basically like they did by not applying the fixes put out by redhat and using unaudited cgi scripts.

    --

    This sig is false.

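    The errata page Dast points to can be checked against a box mechanically rather than by eye. As an added example (not from the article, the poster, or Red Hat's own tooling), this Python script compares constructed `rpm -qa` output against a constructed errata list using RPM's version-ordering rules and lists the packages still at a pre-fix version; every package name and version number in it is made up.

```python
import re
from itertools import zip_longest

# Constructed sample of `rpm -qa` output (name-version-release); not real data.
INSTALLED = """\
wu-ftpd-2.4.2b18-2
ProFTPD-1.2.0pre3-3
bind-8.2-6
apache-1.3.6-7
"""

# Constructed errata: package name -> fixed version-release (hypothetical values).
ERRATA = {"wu-ftpd": "2.5.0-9", "bind": "8.2.1-7", "apache": "1.3.6-7"}

def _runs(s):
    return re.findall(r"[0-9]+|[A-Za-z]+", s)  # numeric and alphabetic segments

def rpmvercmp(a, b):
    """RPM-style version compare: numeric runs compare as integers (1.10 > 1.9),
    a numeric run outranks an alphabetic one, and with all shared runs equal the
    string with more runs is newer. Returns -1, 0 or 1."""
    for x, y in zip_longest(_runs(a), _runs(b)):
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return 0

def compare_vr(a, b):
    """Compare 'version-release' strings: version decides, release breaks ties."""
    av, ar = a.rsplit("-", 1)
    bv, br = b.rsplit("-", 1)
    return rpmvercmp(av, bv) or rpmvercmp(ar, br)

def missing_updates(rpm_qa_output, errata):
    """Return {name: (installed, fixed)} for packages older than the errata entry."""
    missing = {}
    for nvr in rpm_qa_output.split():
        name, ver, rel = nvr.rsplit("-", 2)  # RPM forbids '-' inside version/release
        fixed = errata.get(name)
        if fixed and compare_vr(f"{ver}-{rel}", fixed) < 0:
            missing[name] = (f"{ver}-{rel}", fixed)
    return missing
```

    Packages the errata list does not mention are ignored, so the report only ever flags software the vendor has actually issued a fix for.
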
  29. Just plain wrong by scumdamn · · Score: 4
    What's with every ZDNet writer thinking they're a pundit lately? Check these two quotes out:
    Companies that don't keep on top of application fixes will be at the mercy of hackers who do.

    While any operating system needs patches and updates, there is no central repository for testing or approving patches to the Linux system. Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure.

    If Pankaj was a network admin in charge of securing the system he'd be fired. 'Nuff said? No. To spread the FUD that Redhat is insecure because the patches are difficult to download is a disservice to anyone interested in an alternative to Microsoft. This definitely smells like another Mindcraft. I wouldn't be surprised if prominent members of the open source community refuse to even deal with ZDNet anymore because they recognize that whatever ZDNet is involved with is most likely a hatchet job.
  30. A little bit defensive... by BabyP · · Score: 4
    ...aren't we?

    C'mon, this article is actually pretty good. ZD isn't bashing Linux, they are basically summarizing the hacking contest...saying what they did right, and what they did wrong. Notice in the "PCWeek Labs recommends" section they didn't say, "Don't use Linux. It's insecure." They give helpful recommendations to keep any system secure. Install all security patches, DUH!

    They note that they didn't apply the patches RedHat had. They are admitting that they made a mistake here. They're saying, basically, "Don't DO that!"

    They note that there is no central repository for verified Linux patches. Well, yeah...there isn't. There is one for Redhat's distribution...which of course is what they were using. Apparently they didn't know about the site. They do now, though, and are applying the patches to retest.

    The point of the article can be summarized in the first sentence: "Security is hard." Not "Linux is Bad, NT is Good."

    The only thing I can find wrong with the article is that they don't describe in enough detail what they did to the NT system (aside from disabling services).

    -partap

  31. Is This Author a Joke or What ? by mochaone · · Score: 2

    After getting severely lambasted for his previous flippant response to this hack, this Pankaj Chowdry character has the nerve to serve up more obfuscating, deflecting drivel.

    Once again he talks about the Linux server needing 21 patches for the RedHat 6.0 release which had been out for only a couple of months. Is he for real? Is this some kind of excuse for not doing his job and performing an adequate security check on the box?

    He goes on to say ...there is no central repository for testing or approving patches to the Linux system. My god this man is a boob. "The Linux system" in question here is RedHat, specifically version 6.0. Redhat lists the errata for each version that they release, complete with cross-referenced bugs and resolution comments. How is this any different than accepting a Service Pack from Microsoft (which Pankaj conveniently forgets to acknowledge were applied to the NT box by, guess who...Microsoft)? Did Pankaj retest each of the bug fixes included in the Service Packs? I would suspect that he didn't. Yet, all of a sudden Pankaj wants to be Super Administrator and retest each of the bug fixes that Redhat has already certified.

    Pankaj then goes on to disparage the autorpm utility because no administrators in their right minds would use this sort of utility because they would have no idea what was being installed on their server.

    I would like to request that Pankaj release his testing methodology used to verify what was included on Microsoft's Service Packs and whether they a) fixed everything that was broken and b) did not introduce new avenues of exploitation into his system.

    I don't understand how this person was able to get this past his boss. But then I forget that his boss is John Taschek who has lost any ounce of credibility that he ever had in his handling of this and any other "independent" comparisons of Microsoft and Linux products.

    Keep up the good work Zdnet and Ziff-Davis. Just keep it up.

    --
    Hates people who have stupid little sigs
  32. Missing a more subtle FUDding? by Extremist · · Score: 2

    A lot of posts are focusing on the lack of patches applied to the RedHat box. While that is a big issue, nobody has touched on this yet:

    They are attacking Open-Source/Free Software as well. And doing it with blatant but subtle lies, no less. They go to all the trouble to point out that it's an Open Source CGI ad app, when in fact it's NOT. It's source VIEWABLE, and editable. Very important distinction. You cannot contribute fixes back, and cannot share those fixes with your neighbor. The community cannot collectively pound out holes and bugs in this package.

    As much as I appreciate OSI's work, the term Open Source is just a can of worms. How many people now have it in the back of their minds that Open Source is just less secure? Baseless FUD.

    ZDNet sickens me more each day. Sigh.

  33. I'm working on what you describe by GnrcMan · · Score: 2

    Sure it's work (so is freshmeat), but certainly it's doable. (Disclaimer: I'm not saying this fictional site would be perfect, but it would be better than what we have now which is a hodgepodge of several different sites. I certainly would like to take part in something like this.)

    I'm working on this. I registered linuxpatch.com (not hosted yet) last week. E-mail me if you'd like to help. I'm still in the very early stages, though.

  34. Detailed explanation of the PCWeek hack by jkottke · · Score: 2


    Nice article, but the guy who cracked the box wrote up a detailed account of *exactly* how he did it, complete with code:

    http://hispahack.ccc.de/en/mi019en.htm

    Very interesting reading.

    -jason

    http://www.kottke.org
    "home of fine hypertext products"

  35. 21 Monkeys err patches... by the+eric+conspiracy · · Score: 2

    Seems to me that PC Week is leaving holes in their article large enough to drive a truck through. For example, their server CERTAINLY should not be running all the services that there are patches for on RedHat. So when you run autorpm or whatever you shouldn't even have an upgrade option associated with these services, right? How many patches are really needed for an http server? 4? 5? And look at all the configuration changes they made for NT! It's HUGE compared to what they did for Linux. It seems to me that admining all of these is far worse than admining 21 patches FOR WHICH YOU HAVE THE SOURCE CODE.

    These guys are a bunch of bozos. Sigh.

  36. Too late on that spam... by Booker · · Score: 2

    smtp.innova.net is 208.211.173.3. Check it out on ORBS - it's already been abused by spammers.

  37. Interesting comment buried in the text by BrentN · · Score: 3
    I think the most interesting thing about this (incredibly well written) PCWeek article is the paragraph on the 1st page estimating the personnel cost of maintaining a secure site.

    To quote the article:

    This comes at a cost that rises quickly relative to presence online. ... at least one person dedicating 20 percent or more of his or her time to Web security. ... this amounts to a little more than $1,000 per month for a base-package site to remain securely online. For sites with more servers, more software and more connections to the Internet, the costs rise quickly.

    Now, the interesting question is whether or not this should be considered to be an inevitable overhead cost of maintaining an internet presence?

    In general, I think that security measures are becoming more powerful and easy to configure and administrate. Of course, as the de rigueur features of internet services change and evolve, the number of potential exploits increases.

    Unfortunately, I think the "5% of hackers" the article mentioned will *always* be ahead of any automated security measures due to the nature of the security flaws being exploited - those which are due to new code that hasn't been "burn tested" in the real world. Thus, these costs seem to indeed be inevitable.

    I think this is actually a corollary to Eric Raymond's apt observation, "Given enough eyes, all bugs are shallow." Consider: a company may have 5 or 6 people testing new code for security flaws before release. There may be over 1000 people trying to find the flaws (to exploit them!) after release. Who do you think is going to have better luck?

  38. Contradictory.... by Dirk_Everest · · Score: 2

    How can they reconcile these two statements:

    "PC Week Labs went to great lengths to take the same security measures on the Linux and Windows NT servers running the site that any IT manager worth his or her salt would implement."

    and

    "Also contributing to the hacker's success were incomplete security updates on our test site."

    As other articles about this topic have pointed out, they deliberately only did half the job, but here PCWeek is trying to convince us that they did a great job. Personally, I think "any IT manager worth his or her salt" would try to keep up with the latest patches on a weekly basis. This was not an objective test, this was using the buzzwords of the moment to sell magazines and generate page views. Considering how many PHBs read PCWeek, I can't see this article as being anything but damaging to efforts to convince management that Linux is "as good or better" than NT.

    Dirk

    --
    "All I wanted was a Pepsi, just one Pepsi....."
  39. Re:BFD by A+Big+Gnu+Thrush · · Score: 4

    What does this test prove?

    If you look at this test as a contest between NT and Linux, then it proves nothing. Also, it's not an accurate test of ZD's abilities to secure a web server vs. another company.

    It does provide a behind-the-scenes look at how both sides (for lack of a better word) work. Details were provided on how the system was secured and how it was compromised. An admin reading this article might see parallels to his own situation. A clueless newbie might find the details of the crack amusing.

    I thought the article was well done. Both NT and Linux can be secured, but most aren't... at least not against a determined and skilled attacker.

  40. Re:Response to Criticisms? by reptilian · · Score: 2

    Am I reading this right???

    "At the time we began the tests, Red Hat Software Inc. had 21 security updates available for Red Hat 6.0, which had been out for only a couple of months."

    and in the same paragraph

    "...there is no central repository for testing or approving patches to the Linux system. Kernel patches can be obtained from a verified source such as kernel.org, but most other components have no central infrastructure."

    Is that not just a little self-contradictory? They're running a redhat machine, redhat has 21 security updates available, but wait.. there's no central infrastructure! I guess going to the vendor, creator, and supporter of your operating system isn't the central place to get updates for said operating system.

    Either they're totally clueless, or just a bunch of microFUD spin doctors.

    No central infrastructure??? Maybe not across distros, but each distro has its own, unique infrastructure for releasing fixes and updates to the users. They should have used the resources given to them BY REDHAT, and they know it. They just don't care, don't want to lose M$ advertising, and don't want to admit they fscked up.

    Welcome to the wonderful world of online journalism.

    --

    72656B636148206C72655020726568746F6E41207473754A