Rattle wrote:

] Microsoft is not _not_ a good place to pull your security
] people from, IMHO. Granted, I know know jack about Schmidt,
] but Microsoft is the source of most of the security problems
] that threaten our network infrastructure. For Jah's sake,
] you'd be better off getting computer security people from the
] RIAA, they have been hacked a few times less then the average
] MS product..

I wanted to comment just on this one thought. First, regardless of what you think about MS in terms of product quality, business ethics, whatever... you cannot defendably state that their products are any less or more vulnerable to hacking and security breaches than any other computer 'system'. The reason why people site MS as vulnerable or 'doing a poor job' at security issues is because that's all the media focuses on. Particularly 'tech' media, like Slashdot et all.

First, MS products are by far the dominant market leaders in their category. There are simply more installations of them than any others. So when there is a weakness (ie. Slammer) then obviously there is going to be more damage. That's not MS's fault. If it were Linux or OS X that had market domination, people would still bitch.

Second, 99% of the vulnerabilities that get cited are crap. Things like stack smashes and buffer overrides are hardly new and are hardly vulnerabilities, since executing rogue code using these techniques is only theoretical. Read the CERT advisories. Even the people finding these vulnerabilities state that they are unable to execute code; just that the possibility theoretically exists.

Thirdly, I've been very impressed by MS's ability to patch things on a timely basis. Granted, they have not been the perfect example of admitting to certain things, nor have they the optimum toolsets necessary to patch things up (Windows update is not very well designed for managing large installations or automated operations). BUT, they don't suck. It's hard to blame MS on things like Slammer when the damn patch was available for 6 months.

Finally, modern systems are extraordinarily complex. Too complex perhaps. And so that is going to create weaknesses and vulnerabilities that no QA system will be able to keep up with. With the proliferation of digital technologies encompassing dozens of platforms and thousands of 'chunks', it's inevitable that there will be faults. Just like real life. While I think it's a good process to continue to pursue perfection, even though it's unattainable, the fact is that people like MS get shit on in the process through no fault of their own.

flynn23 wrote:
] Thirdly, I've been very impressed by MS's ability to patch
] things on a timely basis. Granted, they have not been the
] perfect example of admitting to certain things, nor have they
] the optimum toolsets necessary to patch things up (Windows
] update is not very well designed for managing large
] installations or automated operations). BUT, they don't suck.
] It's hard to blame MS on things like Slammer when the damn
] patch was available for 6 months.

This is the only point I'd really care to dispute.

In the case of Slammer, they had a patch out already. And I am willing to bet that if Microsoft patches didn't break Microsoft system on a regular basis, it would have been applied in more places. Just about every MS admin I know takes a "wait and see" approach on MS patches. They are almost never to be trusted. That attitude even takes place within Microsoft, which is why a bunch of their systems got nailed too. Their systems lack real package management, IMHO, hence they have an update QA problem thats unsolvable.

And how easly it is to patch your systems, and the quality of those patches are a very very very key thing. On that particular issue, all the other OS vendors slay Microsoft. With the exception of Sun, who's patching system hasn't changed much in the past several years, but they got N1 on the way to fix that and other things I'm told. You can pratically get automated with your software patching with RedHat these days, and I have been pretty impressed with the quality of their updates since the pre 6.x days when _everything_ sucked.. I have not had a RedHat update break my system in a while. I've had MS updates break systems way too often to attempt to quantify it.

This has always been my biggest complaint about Microsoft systems. They are designed for dumb end users.. But they require dumb end user to be on top of their shit to keep them up to date, and they offer no way for centralized "clue" to mind the herd. Its a flaw in their overall security strategy that no matter how on top of their security shit they get, it will always be what damns them in the end. They are getting better with this, but still not good enough. Still not even up to the level currently attained by the OSS crowd, and the OSS crowd can do better too.

Exploits come out for services like OpenSSH, which pratically every linux users has on, (I'd argue that there are more copies of OpenSSH running open on the net then MS SQL) and it never becomes an issue for even %5 of the usebase because the patching tools are effective, and it gets eliminated quickly.

Granted, Slammer was a pretty special case because it was a UDP one packet exploit, and it propagated uber fast. But what it really comes down to, is that you are going to be hard pressed to find a high number of Linux boxes with a remote exploit thats been published and fixed for _six months_. One reason for that, effective package management tools.

They do suck. Its only been recently that they have been making a concerted effort to not suck in terms of security. Their userbase had to bitch for years to get them to make the efforts they are making now. They would have _never_ done it on their own. In the past they lead the pack in recess days. I wish them success in their new security push. For the sake of our global IT infrastructure, I hope they get it together.

Rattle wrote:
] flynn23 wrote:
] ] Thirdly, I've been very impressed by MS's ability to patch
] ] things on a timely basis. Granted, they have not been the
] ] perfect example of admitting to certain things, nor have
] they
] ] the optimum toolsets necessary to patch things up (Windows
] ] update is not very well designed for managing large
] ] installations or automated operations). BUT, they don't
] suck.
] ] It's hard to blame MS on things like Slammer when the damn
] ] patch was available for 6 months.
]
] This is the only point I'd really care to dispute.

[some stuff deleted]

] And how easly it is to patch your systems, and the quality of
] those patches are a very very very key thing. On that
] particular issue, all the other OS vendors slay Microsoft.
] With the exception of Sun, who's patching system hasn't
] changed much in the past several years, but they got N1 on the
] way to fix that and other things I'm told. You can pratically
] get automated with your software patching with RedHat these
] days, and I have been pretty impressed with the quality of
] their updates since the pre 6.x days when _everything_
] sucked.. I have not had a RedHat update break my system in a
] while. I've had MS updates break systems way too often to
] attempt to quantify it.

I will agree that M$'s update system is definitely not the best. It's geared for single user use, even for server updates. Dumb. But I can't say that things are breaking systems. In the over 10 years that I've been admin'ing M$ servers, I've only had ONE patch go bad, and that was SP2 for NT 4. It only took about a week before they had that fixed. And you were mostly safe if you checked 'backup files' during the upgrade and then rebooted using the emergency floppy (if I remember correctly). I don't know a lot of other admins who have dissimilar experiences to my own. It's just as easy to patch an M$ server as it is to patch a Linux server.

] This has always been my biggest complaint about Microsoft
] systems. They are designed for dumb end users..

see my other meme. End users *are* dumb, but the machines should be smart enough to take care of themselves. We have the technology. We know how to do it. This priesthood of techs is bullshit.

As for M$, they will likely implement a .Net based system for system management. So it's going to take years, and have to reach version 3.0, before it's worth a shit.

] But they
] require dumb end user to be on top of their shit to keep them
] up to date, and they offer no way for centralized "clue" to
] mind the herd. Its a flaw in their overall security strategy
] that no matter how on top of their security shit they get, it
] will always be what damns them in the end. They are getting
] better with this, but still not good enough. Still not eve... [ Read More (0.4k in body) ]

flynn23 wrote:
] I will agree that M$'s update system is definitely not the
] best. It's geared for single user use, even for server
] updates. Dumb. But I can't say that things are breaking
] systems. In the over 10 years that I've been admin'ing M$
] servers, I've only had ONE patch go bad, and that was SP2 for
] NT 4. It only took about a week before they had that fixed.
] And you were mostly safe if you checked 'backup files' during
] the upgrade and then rebooted using the emergency floppy (if I
] remember correctly). I don't know a lot of other admins who
] have dissimilar experiences to my own. It's just as easy to
] patch an M$ server as it is to patch a Linux server.

Most of my windows admin experience comes from the NT4 days... And I clearly remember having to reapply the service packs every time I did anything remotely signifigant to the machine or I risked re-introducing vulnerabilities and bugs. Even with Slammer, many articles referred to the user perception of patching problems. I'm sure I'm not the only one who has had that problem. Patch machine, machine magicly develops weird bug.. Chances go up higher the older the install. Maybe black clouds just float over head whenever I'm touching an MS machine.

Even with XP, very recently.. After applying patches that windows update automatically downloaded, Photoshop started crashing on me. Reinstall Photoshop, everything is fine.. Clearly the patching system crushed something Photoshop was using.. Nothing else was done to the machine. Weird stuff like that. I run into it _every_ time I spend any time using an MS machine. I also find myself having to reboot after almost every update with XP. Rebooting after patches is really lame. And patching MS machines remotely is a royal pain. I have had nightmares about being responsible for a farm of windows boxen..

Where its important, they fail. Its that simple.

] see my other meme. End users *are* dumb, but the machines
] should be smart enough to take care of themselves. We have the
] technology. We know how to do it. This priesthood of techs is
] bullshit.

I agree.

] As for M$, they will likely implement a .Net based system for
] system management. So it's going to take years, and have to
] reach version 3.0, before it's worth a shit.

MS is not going to be the one who brings us a workstation that requires zero attention to keep up to date.

] I dunno about this. I will agree wholeheartedly that package
] management and update management on OSS type systems is
] better. But even RHN falls down in terms of managing a large
] installation with any type of control, audit, or failsafe. You
] still have to manually select packages that you wish to be
] updated. And application is to individual machines; there is
] no grouping. And there's no facility for updating ... [ Read More (1.0k in body) ]

Decius wrote:
] After all the controversy about possible revised versions of
] this document, you mean to tell me that they fucking approved
] it without allowing public comment on the final draft?! If
] this thing is significantly different from the version they
] posted online in October, then you can rack this up as the
] administration giving the security industry, and the public at
] large, a big middle finger. This is NOT democratic, and if
] they think for one second that they have all the right answers
] we are in a lot of trouble.

They saw it politically advantageous to do something in the wake of Slammer that made them look like they were on top of things. Plus, any way of doing something that pisses on the democratic process clearly gets this administration's nut off. At least, thats how it appears.

Its a homeland security issue after all, and that gives you license to do away with the American way of doing things because this is a "Do or Die" time that requires decision makers that decide things in a decisive mannor, to fight dictators we need to well. . . yea.. We trust our leaders to do such things, thats why we elect them with a majority vote. To take control.

Yes sir, I feel my security is in good hands. All the security experience the guy from Microsoft is bringing to the table will certainly pay off. They will do a good job of eliminating all that open source software creeping its way into our national infrastructure like a damn virus. Damn "peer review" means the terrorists can see it! God damned communists...

ug.

] (Slightly reminded of the military establishment's opinion of
] Rumsfeld.)

Aren't you glad we have an arrogant administration at a sensitive time like this?