From: Anthony Atkielski
Date: Mon, 28 Feb 2005 20:10:31 +0100
To: freebsd-questions@freebsd.org
Subject: Re: Installation instructions for Firefox somewhere?
Message-ID: <592036132.20050228201031@wanadoo.fr>
References: <663804712.20050228005329@wanadoo.fr>

Ted Mittelstaedt writes:

> One of the several techs that work for that company has your
> attitude. He's been burned a few times when he's installed patches
> that broke existing software at a customer.
>
> However, the customers that he cares for have the highest percentage
> of broken-into servers. (by outside crackers)

I don't know that one can assume cause and effect here.
Many updates are not security-related. Of the security-related updates, not all are relevant in a given environment. And since most security updates move in the direction of greater restrictions on what programs can do, they are especially likely to break existing applications.

> From our point of view over at the ISP it seems to us that the pain
> of dealing with an app that breaks as a result of a security update
> is less than dealing with the pain of cleaning up a server that is
> broken into. And we have also observed that no matter how long the
> techs there work on a Windows server that has been broken into, once
> it's broken into it seems to get regularly re-broken into in the future,
> unless they nuke and repave it.

The solution here is to stop using Windows, if possible. Windows systems are extremely complex and cannot easily be "stripped" to eliminate unnecessary vulnerabilities. You can close the holes you know about, but you don't know what other holes exist until Microsoft or someone else tells you about them, or until you're broken into. And you may be obligated to patch holes in software that is completely useless to you, simply because there is no way to turn that software off.

Windows is a good solution for IT departments that have virtually no qualified people on staff. They can just plug in the servers and run them, and they can just apply every update that comes out. They'll spend more on hardware and licensing than they would with an open-source solution like FreeBSD, and they'll never have a firm handle on exactly what their servers are doing internally, but at least it lowers personal costs and allows a company to get some sort of server capability in house without searching for expensive IT talent. Used as directed, and with regular updates, Windows is moderately safe.
> I guess your attitude is safe enough if you regularly backup and you
> don't have critical data like credit cards or patient data or
> whatever that you don't want to have spread around.

Yes. Confidential data like credit cards or medical records requires some fairly extraordinary precautions, anyway, ideally involving physical barriers to compromise (by distributing functions over different servers, etc.). Unfortunately a lot of small companies (and some large ones--cf. ChoicePoint) are exceedingly careless about how they handle this type of data, and with the prevalence of credit-card commerce, there's a lot of exposed information out there.

> Frankly I find this rather silly. The OS does very little that helps
> a cracker. About the only thing that bugs in the OS will allow a cracker
> to do is DoS a TCP/IP stack.
>
> The difficulty is in the application programs, such as nfs, samba,
> http, telnetd, sshd, smtp, dns, etc., all of which have in the past had
> security holes discovered and closed - sometimes repeatedly. The
> same goes for Microsoft's products.

Agreed, but it reduces to the same thing, since each OS tends to bring with it a set of applications. You may have problems with telnetd on UNIX, but not on Windows, since Windows doesn't generally run telnetd. You won't have problems with IIS on UNIX.

> Just because an app like IIS is bundled with Windows Server, and an
> app like telnetd is bundled with UNIX, does not mean that when those
> apps got cracked, that the OS was the problem.

The whole environment was the problem.

--
Anthony