RE: on patches, for Linux, for Windows, for VMS.
- From: "Main, Kerry" <Kerry.Main@xxxxxx>
- Date: Sun, 6 Jan 2008 14:24:53 +0000
-----Original Message-----
From: John Wallace [mailto:johnwallace4@xxxxxxxxxxxxxxxx]
Sent: January 6, 2008 5:42 AM
To: Info-VAX@xxxxxxxxxxxx
Subject: OT: on patches, for Linux, for Windows, for VMS.
You do yourself no favours at all with this Linux-related
disinformation,
Kerry (and my news client still can't make quoting work right with your
client :().
any OS platform can be made relatively "secure".
How does that work with VMS, then, which has long-standing known
security
holes in Internerd-facing components (hello JF), no sign that HP are
going
to fix them, no way for customers to fix them themselves, and limited
availability of free/open alternatives ?
Did JF officially log these issues with HP? (I seem to recall that he
might have, but would like to confirm)
Unfortunately, with 5-20 new security patches being released each and
every month with Windows and Linux, the challenge is "how do you keep it
secure?"
See RH link I posted earlier. These new security patches need to be
reviewed every month to determine if there is a potential impact to your
environment or not.
Question - how many Linux admins do you know are even aware of all the
monthly Linux security patches - let alone have the expertise and time
every month to do this security review?
s/Linux/Windows. How many Windows admins do you know are even aware of
all
the monthly Windows security patches - let alone have the expertise and
time
every month to do this security review?
Is it just my interpretation, or do you choose to (mostly???) knock
Linux
rather than Windows too? Windows is a much bigger target,
technologically a
much easier target, and getting people off Windows rather than trying
to
discourage the already open-minded from looking at Linux ought to be
more
rewarding for an independent-minded enterprise-class IT consultant.
Perhaps
you reckon this phase is already won? Or is not worth fighting?
Nope, nice try, but while it might be argued that Linux is a shade better
than Windows, both are pretty much in the same leaky boat.
If, for whatever reason, someone did not want OpenVMS, then from a mission
critical enterprise perspective, my personal view is that they would be far
better off looking at the available enterprise UNIX offerings.
Fwiw, while everyone is free to choose whatever their personal OS religion
preferences are, I just do not think that mission critical environments can
afford Windows or Linux.
The IT world is centralizing in a massive way and the one bus app per OS
instance culture combined with all of the monthly security patches is just
not a good centralized platform to face the future with.
Either way, maybe 2008 might even be the year that the Vistas and the
associated incompatible Office (and possibly Studio) releases make the
typical company's Wintel-only IT department (and more importantly their
managers) wake up, to the extent that it hits the MS-ecosystem's bottom
line (well I can dream can't I?).
Back to the Linuxes: I don't know RH, but if you knew SUSE like I know
SUSE
(?) you'd know that it typically takes a maximum of two seconds per
SUSE-supplied patch to review whether it's related to the security of
Internerd-facing components (kernel, daemons, some utilities, etc),
rather
than the security of typical optional desktop apps which come bundled
for
free in the package - patches to these optional desktop components make
up
most of the SUSE patches.
Great - you are an experienced Linux SysAdmin with time every month to spend
reviewing these security patches. Now, how do the SysAdmins in large corp's
with literally hundreds of these one Bus App, one OS Linux (or Windows)
environments do the same thing? Especially when the Dev groups often do
their own thing with respect to maintaining their systems? Even when
the Operations groups maintain the servers for the developers, they
typically know very little about the services the Dev's use on those
systems.
It also seems appropriate to point out that the co-operation of the
Linux
supplier is typically not needed to fix a hole if something bad does
turn
up; if the vendor chooses to ignore it, you just need the co-operation
of
the Linux community. Try that with Windows, or even (these days) with
VMS.
Yeah, this is the age old argument about doing it all yourself. And the
counter argument is how do you maintain version control if you are
installing / creating all these patches yourself? What happens when
the vendor releases a large kit or release and your patches break
something - perhaps during a cluster fail-over or something else you
had not thought about.
From a company perspective, what happens when you leave and they only
have some junior staff who only have Operations background. Yes, you
can hire another experienced SysAdmin, but then he/she needs to review
all the patches you applied and why. And of course, this assumes that
you have documented your patches very well. And of course, you test
your critical applications with these Custom patches before putting
into production.
And if there is a security breach discovered because of some server
OS patch you put together (or received from the Internet community),
depending on the criticality of your business, your company may have
to explain to auditors where you (and hence the company) personally
screwed up - as opposed to blaming the vendor for some security hole
in their offering.
This age old argument goes both ways and it really depends on Mgmt's
relationship with their vendors, risk mgmt and where they want their
senior IT staff to spend their time.
I do know from experience that there seems to be a growing trend among
senior IT mgmt that they do not want their senior IT staff playing in
the OS weeds. They want their senior staff working more closely with
the BU's to show them how IT can help them address their needs and
become more competitive.
OS patching and maint is not very high on the BU priorities. Ok, it's
not even on their radar screen - they could not care less.
This is not to say that open source stuff does have a play in some
areas, but let's not put it on some higher pedestal as there are real
issues that many promoters tend to overlook.
Regards
Kerry Main
Senior Consultant
HP Services Canada
Voice: 613-592-4660
Fax: 613-591-4477
kerryDOTmainAThpDOTcom
(remove the DOT's and AT)
OpenVMS - the secure, multi-site OS that just works.