Date:      Mon, 28 Feb 2005 20:10:31 +0100
From:      Anthony Atkielski <atkielski.anthony@wanadoo.fr>
To:        freebsd-questions@freebsd.org
Subject:   Re: Installation instructions for Firefox somewhere?
Message-ID:  <592036132.20050228201031@wanadoo.fr>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNKEIPFAAA.tedm@toybox.placo.com>
References:  <663804712.20050228005329@wanadoo.fr> <LOBBIFDAGNMAMLGJJCKNKEIPFAAA.tedm@toybox.placo.com>

Ted Mittelstaedt writes:

> One of the several techs that work for that company has your
> attitude.  He's been burned a few times when he's installed patches
> that broke existing software at a customer.
>
> However, the customers that he cares for have the highest percentage
> of broken-into servers.  (by outside crackers)

I don't know that one can assume cause and effect here.

Many updates are not security-related.  Of the security-related updates,
not all are relevant in a given environment.  And since most security
updates move in the direction of greater restrictions on what programs
can do, they are especially likely to break existing applications.

> From our point of view over at the ISP it seems to us that the pain
> of dealing with an app that breaks as a result of a security update
> is less than dealing with the pain of cleaning up a server that is
> broken into.  And we have also observed that no matter how long the
> techs there work on a Windows server that has been broken into, once
> it's broken into it seems to get regularly re-broken into in the future,
> unless they nuke and repave it.

The solution here is to stop using Windows, if possible.  Windows
systems are extremely complex and cannot easily be "stripped" to
eliminate unnecessary vulnerabilities.  You can close the holes you know
about, but you don't know what other holes exist until Microsoft or
someone else tells you about them, or until you're broken into.  And you
may be obligated to patch holes in software that is completely useless
to you, simply because there is no way to turn that software off.

Windows is a good solution for IT departments that have virtually no
qualified people on staff.  They can just plug in the servers and run
them, and they can just apply every update that comes out.  They'll
spend more on hardware and licensing than they would with an open-source
solution like FreeBSD, and they'll never have a firm handle on exactly
what their servers are doing internally, but at least it lowers personnel
costs and allows a company to get some sort of server capability in
house without searching for expensive IT talent.  Used as directed, and
with regular updates, Windows is moderately safe.

> I guess your attitude is safe enough if you regularly backup and you
> don't have critical data like credit cards or patient data or
> whatever that you don't want to have spread around.

Yes.  Confidential data like credit cards or medical records requires
some fairly extraordinary precautions, anyway, ideally involving
physical barriers to compromise (by distributing functions over
different servers, etc.).  Unfortunately a lot of small companies (and
some large ones--cf. ChoicePoint) are exceedingly careless about how
they handle this type of data, and with the prevalence of credit-card
commerce, there's a lot of exposed information out there.

> Frankly I find this rather silly.  The OS does very little that helps
> a cracker.  About the only thing that bugs in the OS will allow a cracker
> to do is DoS a TCP/IP stack.
>
> The difficulty is in the application programs, such as nfs, samba,
> http, telnetd, sshd, smtp, dns, etc. which have all in the past had
> security holes discovered and closed - sometimes repeatedly.  The
> same goes for Microsoft's products.

Agreed, but it reduces to the same thing, since each OS tends to bring
with it a set of applications.  You may have problems with telnetd on
UNIX, but not on Windows, since Windows doesn't generally run telnetd.
You won't have problems with IIS on UNIX.

> Just because an app like IIS is bundled with Windows Server, and an
> app like telnetd is bundled with UNIX, does not mean that when those
> apps got cracked, that the OS was the problem.

The whole environment was the problem.

-- 
Anthony
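
Anthony's point above is that a host is only as exposed as the daemons it actually runs, and that a UNIX box can be "stripped" to the services it needs. The following is an added example, not part of the original message and not FreeBSD project code: a small POSIX sh/awk audit that compares listening sockets against an explicit allowlist and reports anything reachable from the network that the policy did not expect. The sockstat output embedded in it is constructed for the example; on a real FreeBSD host you would feed it the output of `sockstat -46l` instead, and the ALLOWED list is a hypothetical site policy.

```shell
#!/bin/sh
# Added example: audit listening network services against an allowlist.
# Not code from the original thread. Replace SAMPLE_SOCKSTAT with
# "$(sockstat -46l)" on a live FreeBSD host; ALLOWED is a hypothetical policy.

# Constructed sample of `sockstat -46l` output.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
root     sshd       612   5  tcp6   *:22                  *:*
bind     named      540   21 udp4   127.0.0.1:53          *:*
root     inetd      700   6  tcp4   *:23                  *:*
root     sendmail   720   4  tcp4   127.0.0.1:25          *:*
www      httpd      802   3  tcp4   *:80                  *:*
root     rpcbind    410   8  tcp4   *:111                 *:*
root     rpcbind    410   9  udp4   *:111                 *:*'

# Hypothetical policy: the only daemons this host is supposed to expose.
ALLOWED="sshd httpd named"

# Print one line per listener that is reachable from the network and whose
# command is not on the allowlist. Output format: COMMAND PROTO LOCAL-ADDRESS
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                                  # skip the header line
        $6 ~ /^127\.0\.0\.1:/ || $6 ~ /^\[::1\]:/ { next }  # loopback-only: not remotely reachable
        !($2 in ok) { print $2, $5, $6 }                  # anything else not in the policy
    ' | sort -u
}

# Number of unexpected listeners; a non-zero value is the "fix your rc.conf" signal.
count_unexpected() {
    unexpected_listeners | wc -l | tr -d ' '
}

# When run directly, print the findings and exit non-zero if there are any.
if [ "${0##*/}" = "listener_audit.sh" ]; then
    unexpected_listeners
    [ "$(count_unexpected)" -eq 0 ]
fi
```

With the sample above the audit flags inetd (telnet on port 23) and rpcbind (port 111 over tcp and udp); sendmail is ignored because it listens only on the loopback address. Each flagged daemon is one that would otherwise have to be patched on every advisory even if nobody on the host uses it, which is exactly the cost the thread is arguing about; on FreeBSD the usual remedy is the corresponding `_enable="NO"` line in /etc/rc.conf.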