> There are a couple of issues there.
>
> Clearly linux sysadmins tend to be better trained than Windows ones, but
> if linux became the largest OS things would be different in that
> respect.
>
> However, linux distributions all tend to be much more secure than
> Windows by design. Using the blaster worm as an example, have you seen
> the rigmarole you must go through to try and disable DCOM - that's a
> service listening on an open port and you can't even easily disable it.
>
> If you don't want a Windows service to listen on an open port you
> generally have to stop the service or uninstall it. Often that's not
> possible, because of the way everything in Windows is interlinked. With
> linux you could leave it running, just stop it listening on your
> internet connection.
>
> Windows doesn't come with any sort of firewall, whereas every modern
> linux distro comes with iptables. Even distros for home use come with
> well chosen sets of default rules to protect your computer.
XP at least comes with a sort of pissy lil firewall thing. It's not very
good and nobody seems to know it exists but it is there.
> I think the linux flaw you mentioned was an SSL flaw rather than the SSH
> one. It required gcc being installed and executable on the host - if
> linux was being distributed, say on office desktops, sensible sysadmins
> aren't going to leave gcc in the build. I think that at least one of the
> big distros, either RedHat or SuSE no longer installs gcc by default.
>
> Updating linux tends to be a lot easier too, and can be done remotely.
> In a small office environment, I went round some time ago applying the
> MS patch that stops Blaster - that involved sitting at every desktop and
> rebooting. That quickly adds up to a lot of time. Updating IE tends to
> be worse, typically you have to do a download at each client machine,
> that can take an age. By making updates inconvenient, Microsoft almost
> go out of their way to stop them being applied. On linux it'd be a case
> of having an rpm or .deb on the local network. You could then use ssh to
> log in to the client or use any one of a number of tools to deploy the
> update automagically.
Red Carpet is definitely easier to work with than Windows Update and
being Linux you can write a program to update your entire network with
it, do automatic updates on a cron job, or at least sit in one spot and
just log on to each machine to update it. :)
MS's patches are as you say somewhat frightening to install because they
often break as much as they fix.
> Nonetheless, the real problem with Blaster has been Windows techie staff
> that simply haven't been doing their job. It's inexcusable in a business
> environment that patches available since 26th March still haven't been
> installed on the clients. If I employed any of those techies, they'd
> have been shown the door - if this worm had carried a destructive
> payload it could have been catastrophic for a business.
Patches for Windows generally aren't installed until proven safe to
install or so desperately needed to be worth the risk. It's all just part
of the niceness of using big balls of patches instead of having them
well organized. Heaven forbid that someone have to apply more patches
but be able to make an informed decision about what they're doing. Users
are obviously too stupid for that. :P
--
So long and thanks for all the fish.
Michael <EMAIL:PROTECTED>
http://kavlon.org
_______________________________________________
discussion mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/discussion