Re: Installation instructions for Firefox somewhere?

From: Anthony Atkielski (atkielski.anthony_at_wanadoo.fr)
Date: 02/28/05

    Date: Mon, 28 Feb 2005 20:10:31 +0100
    To: freebsd-questions@freebsd.org
    
    

    Ted Mittelstaedt writes:

    > One of the several techs that work for that company has your
    > attitude. He's been burned a few times when he's installed patches
    > that broke existing software at a customer.
    >
    > However, the customers that he cares for have the highest percentage
    > of broken-into servers. (by outside crackers)

    I don't know that one can assume cause and effect here.

    Many updates are not security-related. Of the security-related updates,
    not all are relevant in a given environment. And since most security
    updates move in the direction of greater restrictions on what programs
    can do, they are especially likely to break existing applications.

    > From our point of view over at the ISP it seems to us that the pain
    > of dealing with an app that breaks as a result of a security update
    > is less than dealing with the pain of cleaning up a server that is
    > broken into. And we have also observed that no matter how long the
    > techs there work on a Windows server that has been broken into, once
    > it's broken into it seems to get regularly re-broken into in the future,
    > unless they nuke and repave it.

    The solution here is to stop using Windows, if possible. Windows
    systems are extremely complex and cannot easily be "stripped" to
    eliminate unnecessary vulnerabilities. You can close the holes you know
    about, but you don't know what other holes exist until Microsoft or
    someone else tells you about them, or until you're broken into. And you
    may be obligated to patch holes in software that is completely useless
    to you, simply because there is no way to turn that software off.

    Windows is a good solution for IT departments that have virtually no
    qualified people on staff. They can just plug in the servers and run
    them, and they can just apply every update that comes out. They'll
    spend more on hardware and licensing than they would with an open-source
    solution like FreeBSD, and they'll never have a firm handle on exactly
    what their servers are doing internally, but at least it lowers personnel
    costs and allows a company to get some sort of server capability in
    house without searching for expensive IT talent. Used as directed, and
    with regular updates, Windows is moderately safe.

    > I guess your attitude is safe enough if you regularly back up and you
    > don't have critical data like credit cards or patient data or
    > whatever that you don't want to have spread around.

    Yes. Confidential data like credit cards or medical records requires
    some fairly extraordinary precautions, anyway, ideally involving
    physical barriers to compromise (by distributing functions over
    different servers, etc.). Unfortunately a lot of small companies (and
    some large ones--cf. ChoicePoint) are exceedingly careless about how
    they handle this type of data, and with the prevalence of credit-card
    commerce, there's a lot of exposed information out there.

    > Frankly I find this rather silly. The OS does very little that helps
    > a cracker. About the only thing that bugs in the OS will allow a cracker
    > to do is DoS a TCP/IP stack.
    >
    > The difficulty is in the application programs, such as nfs, samba,
    > http, telnetd, sshd, smtp, dns, etc., all of which in the past had
    > security holes discovered and closed - sometimes repeatedly. The
    > same goes for Microsoft's products.

    Agreed, but it reduces to the same thing, since each OS tends to bring
    with it a set of applications. You may have problems with telnetd on
    UNIX, but not on Windows, since Windows doesn't generally run telnetd.
    You won't have problems with IIS on UNIX.

    > Just because an app like IIS is bundled with Windows Server, and an
    > app like telnetd is bundled with UNIX, does not mean that when those
    > apps got cracked, that the OS was the problem.

    The whole environment was the problem.

    -- 
    Anthony