Date: Fri, 19 Apr 2002 18:22:44 -0400 From: "Peter C. Lai" <sirmoo@cowbert.2y.net> To: Greg Fortune <megatontech@pacbell.net> Cc: Brett Glass <brett@lariat.org>, Ken McGlothlen <mcglk@artlogix.com>, security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Message-ID: <20020419182244.A27580@cowbert.2y.net> In-Reply-To: <5.1.0.14.2.20020419101925.00ab2200@postoffice.pacbell.net>; from megatontech@pacbell.net on Fri, Apr 19, 2002 at 12:08:25PM -0700 References: <878z7k4oz9.fsf@ralf.artlogix.com> <4.3.2.7.2.20020418143615.021a8460@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418143615.021a8460@nospam.lariat.org> <4.3.2.7.2.20020418202335.0229b540@nospam.lariat.org> <5.1.0.14.2.20020419101925.00ab2200@postoffice.pacbell.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Apr 19, 2002 at 12:08:25PM -0700, Greg Fortune wrote: > At 08:30 PM 4/18/2002 -0600, Brett Glass wrote: > > >Having a local build server is a nice idea, especially if you're > >a large shop, but doesn't get newcomers a safe version to install > >(important; if they're hacked they'll sour on FreeBSD) or give > >an admin a build to which she can just upgrade quickly and know > >that the latest holes are closed. > > > >--Brett > > Brett, > > I've been watching this thread quietly, as I am a "newcomer" to FreeBSD. > However your intimation that we'll run for the hills like children at the > first sign of difficult offends me. > > First, anyone connected to the net who ever thinks that their box is ever > "safe" needs a reality check. Pretty good assumption for a newcomer, eh? I > came to FreeBSD because of its security and groups like this. If my site > gets hacked, I'm not going to "sour" on FreeBSD, I'm going to take > advantage of this group and all the other wonderful resources available to > this community and figure out what I need to learn to do better. > > Just because we're new to FreeBSD doesn't mean we're sheep. We all know > where the sheep graze. Nobody ever told me that FreeBSD was easy. Nobody > ever told me it was secure "out of the box". What I heard was that if I was > willing to learn how to do it, FreeBSD has the potential to be one of the > most powerful and secure operating systems out there. I never thought that > all the work was going to be done for me, or that the process would be easy > of end. If technology was easy, sysadmins would get paid minimum wage and > have to wear polyester uniforms and funny little hats. > It has been said (by various people, mostly those from the latter computing age of PDP,VAX,and s/390) that a good sysadmin is one that should be able to script (or otherwise automate/routin-ize) themselves out of a job. Administration is just that. Read: management from the desk, planning, communications, finding people and tasking them to deploy or implement. Sysadmin-ship historically was maintaining system components that could not maintain themselves. This included loading software from tape, backing up to tape, providing user-requested features and fixing failures. With modern systems, the OS is but one very small part of the whole equation. It is supposed to provide a user-computer interface to load and run programs. It ought to be as automated and easy to implement as possible, with high reliability and security. There really is no reason why UNIX or FreeBSD should be harder to deploy or implement than WinNT or Solaris. A "solution" being the buzzwords of these days, is exactly what it should mean. You are supposed to tell your boss "we need this functionality, this vendor supplies something with that. It costs this much compared to this other thing, and the implementation time is 1 day" Unless you are truly masochistic, I'm pretty sure you don't want to spend your nights trying learning the nuances of an OS that you picked because you lost an OS flamewar with your favorite security mailing list ;) In effect, the old saying "Unix is userfriendly, it's just picky about its users" should really ring less and less true as we develop more advanced versions of it. > Anyone who runs from an OS due to their own inability to learn how to > properly configure/maintain it can go run Windows and contribute to > Microsoft's ongoing track record for security and stability. > It isn't running away. see above :) At a company, you don't *learn* how to properly configure an OS, you do it. Years ago, I used to work at a place where the motivational poster was "This is not a University". Companies who hire administrators expect that their people know what's going on and enough knowledge to run the systems. I suppose if someone wants to migrate software platforms they should be educated to some extent about the target platform, but how do we use this as a FreeBSD selling point instead of hindering potential users to begin using FreeBSD? (see comment below) If it's going to take additional human resources to implement FreeBSD over some other OS, with the same sort of stability and reliability, then maybe it's not such a good idea. Sysadmins have better things to do than maintain build servers and worry if the next patch breaks the OS. They should be figuring out improvements in efficiency, user training, uptime, infrastructure growth and assessing the needs of users or clients. > You sound like you know exactly what you want. Why not put it together? > Hey, if you build it, it'll be done exactly the way you want it done, won't > it? Don't let this opportunity pass you up! Here's your chance to have a > piece of FreeBSD work perfectly for you! I'd code it, but my skills aren't > up to snuff (yet) and I don't figure that any of these kind people should > have to bear the burden of holding my hand. So I send my money to O'Reilly > and I spend my time learning how to do new things. One of these days I will > contribute to this body of work, but not until I've got the chops (I'd like > to fix bugs, not introduce them ;-) ). > > If you aren't careful, one of these days you'll be griping about the update > mechanism I wrote, because I won't code it the way you want, I'll code it > the way I want. > > Life is wonderful when you just deal with what IS. I read this list to > learn how to use the tools I currently have to do the best job I can, not > to watch theory wars via email. If you don't like things the way they are, > step up to the plate and do something about it. Otherwise, we all heard > what you said, so please remain in the audience and take your seat. > > Personally, my hat's off to the fine folks who post the security > notices, analyze the bugs, write the code, debug the code, and maintain > the source tree, all for a FREE OS! Without the people who actually do all > the work that you're complaining about, you'd have to do all that work > yourself (or "sour" on FreeBSD, as you put it). Try applying THAT across > 1000 servers sometime. But then again, the objective of FreeBSD advocacy is to say that we provide a suitable replacement enterprise level OS in a production environment on mission critical systems. The main argument would favor improved binary patch system with minimal downtime and maximum stability. If more people are to expected to adopt open source operating systems, then Brett's point is that a successful binary patch system is also an important marketing feature. Normally, with commercial vendors, the sysadmin will consult those technicians to result in a working solution to a patch. That's the price of a support contract. You are walked through the upgrade process, and if something breaks, the vendor is responsible for fixing it. (I'm talking about large implementations here, such as our S/390 support contracts. Downtime of over an hour is unacceptable, so the protocols for microcode updates have been written by IBM for our customized systems, and in the case they failed to forsee an event, they have a tech on hand. Similarly, I've never seen any particularly involved AIX patch because we needed to reinstall all the core binaries for an update - we just install the binaries on the patch CD, and half the time don't even need to reboot.) With open source, mailing lists such as these are typically your main source of support. However, utilities facilitating easy system upgrades such as a reliable binary patch system would again be beneficial not only to existing users, but also to potential users. As a sidenote, linux operators commonly exclaim why I have to spend hours compiling all of my core software, and then take down the system to patch a system when all they do to fix vulns is to download the latest rpm or deb. Similarly, microsofties download the latest SP (even though it's usually 5 months later :) and reboot. > > -Greg > > P.S. If you really must respond to this, please email me directly. No need > to clutter the group with more witty banter or high drama. > > Greg Fortune > Megaton Technologies > megatontech@pacbell.net > ------------------------------------------ > "Those who say it can't be done should > get out of the way of those who are doing it." -- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020419182244.A27580>