August 2004 Archives

Anton Chuvakin

Related link: http://informationweek.com/shared/printableArticle.jhtml?articleID=29116929

Is all security destined to be outsourced? Is that really the future? Analyst firms adore big loud statements and this one qualifies: “All Big Companies Will Outsource Security By 2010”.

The justification is the classic one: security “isn’t a core competency” for most companies, thus they need to outsource it.

There are also some minor bits that will get folks worried, such as this one: “application code review … simply can’t be done cost effectively in North America.”

Kyle Rankin

Related link: http://www.knoppix.org

Well, the latest version of Knoppix, 3.6, has been released, something you can tell because all the usual sites are either responding slowly or are completely down.

I was able to get the release via the torrent that is floating around.

This release sports a new light blue background that is not nearly as busy as some past releases. For the most part the release is incremental, with updates to the Linux kernel (2.4.27 and 2.6.7 currently) and a few software updates (although KDE 3.3 was held back until it stabilizes a bit). Other than a different look, most Knoppix users who have been using 3.4 will find 3.6 basically the same, with their favorite programs where they were previously. So far (and I’ve only been using it a bit at this point) the release seems stable, but I’ve heard from probono (the author of klik) that there appear to be some incompatibilities between 3.6 and the current release of klik, so if you use klik you might want to hold onto your Knoppix 3.4 CD for a bit longer until things straighten out.

So why the version increment if not much has changed? Well, most of the software is incremental, but there is one big change to Knoppix with 3.6–the introduction of Fabian Franz’s FreeNX server. FreeNX is Fabian’s reverse engineering of the proprietary nomachine NX server, only with an Open Source license. [Edit 2004-08-30 I originally labeled this project as reverse engineering, but after getting clearer information about the development process behind it, it’s clear that it is actually based on the Open Source libs that nomachine has released, to provide a free alternative to the licensed nomachine NX server. Sorry for any confusion.] Fabian demoed this software at LinuxTag a few weeks ago and while it is still a rather new project, he has deemed it stable enough to introduce into this Knoppix release.

FreeNX (and nomachine’s NX server) acts in many ways like VNC or RDP for those of you who use those protocols to remotely access your Windows or Linux machines, except that NX works at the X protocol level. It does many different tricks to speed up and compress remote X connections that I won’t get into here, but suffice to say that the result is a pretty responsive remote X desktop over a dialup connection. It also tunnels its sessions over SSH on the standard port (22), so if you already allow SSH into your network, you shouldn’t have to reconfigure your firewall at all to take advantage of FreeNX. The flip side is that anyone who can reach your SSH port can also reach the NX server, so the same care you take with SSH logins applies here.

To start the FreeNX server in Knoppix 3.6, click K menu->KNOPPIX->Services->Start NX server. It will run through a quick configuration script and then you will be able to connect to that machine remotely with the NX client (which is actually Open Source and is included with Knoppix).

So, is Knoppix 3.6 worth the download? I would say that if you are happy with 3.4 and you aren’t interested in the FreeNX server, you would be fine to stick with 3.4 for now, at least until it is upgraded to KDE 3.3. But if you are using an older release, 3.3 or older, or you want to try out FreeNX, I definitely recommend giving 3.6 a try.

So are you going to grab Knoppix 3.6? What version of Knoppix do you carry around?

Anton Chuvakin

Related link: http://www.immunitysec.com/downloads/tc0.pdf

It is simply unbelievable how many folks took it “seriously” and thought it was yet another biased study telling you that Windows is better than Linux. It’s NOT, it is something _completely_ different.

Here is my favorite quote (with my highlights): “Immunity’s findings clearly show that the best platform for your targets to be running is Microsoft Windows, allowing YOU unparalleled value for THEIR dollar.”

Kyle Rankin

Related link: http://isc.sans.org/survivalhistory.php

Ahh security patches. With more and more desktop computers connected to the Internet 24 hours a day, even the home user has grown accustomed to running the various update programs for Windows to make sure that his software is patched (or at least he should!). Even with Microsoft’s increased focus on security, it seems that new critical vulnerabilities, the kind that let remote users gain Administrative privileges on your machine, come out every few weeks.

For a corporate desktop, you generally have an IT department and hopefully firewalls to limit a worm’s ability to scan for machines to infect. With a firewall, when the latest security vulnerability is announced you can safely download and install the patch from behind the firewall (or your IT department can do it for you). As new machines are installed (or imaged), the systems administrator can follow through with the latest updates, again behind the safety of the firewall.

For the home desktop, it isn’t necessarily that easy. Some home users have software firewalls now, but many don’t. And even if you had a firewall, it may not be configured and running when you first connect that new machine to the Internet. The home user is left with the risky proposition of exposing the machine to attack during the potentially long download of patches. As the SANS study shows, it can take as little as 20 minutes for an attack to be attempted on a new machine on the Internet, so you are left running across the battlefield to get your bulletproof vest, hoping nothing hits you on the way.

I’ve already talked about how to scan for viruses with Knoppix, and many of the advantages to using Knoppix for virus scanning hold equally true for grabbing Windows patches. Since Knoppix runs Linux from a read-only CD, Windows worms can neither infect it nor persist on it, so you can keep the computer connected to the network and download the patches you need while Knoppix is running.

Microsoft offers standalone patches (including service packs) for Windows on their TechNet site in the form of individual .exe files so system administrators can download the patch once, and then apply it on all the machines on a network that need it.

So, say you have a new Windows XP machine on the network, and it has a number of vulnerabilities that need to be patched with Service Pack 2. Boot into Knoppix with the network cable attached. Then go to TechNet. Since Service Pack 2 is a hot item right now, you can find it linked to directly off of the main TechNet page, but if it weren’t, you could simply use their search to find it (for other standalone patches you can search by the Knowledge Base or Security Bulletin ID as well). In this case the download page is here.

If you are offered both a large “network install” version and a smaller version of a patch, choose the larger one. It contains everything the installer needs, so you won’t have to be connected to the Internet when you apply the patch; the smaller version fetches the rest of its files during installation, which defeats the whole point here.

Under Knoppix, mount your Windows partition with read/write permissions (right click the partition’s icon on your desktop and click Actions->Change Read/Write Mode) and then download the patch and save it into your Windows partition. If you have NTFS, you will have to go through the Captive NTFS wizard (K menu->KNOPPIX->Utilities->Captive NTFS) to write to the partition.

Once the download has finished (and, if a checksum is published for the file, you have confirmed it matches), reboot into Windows with the network cable unplugged. Then you can install the patch without exposing your system. Once the patch is finished, you can plug the network cable back in and get back to business.

Since Knoppix can mount even brand new Windows images, you could potentially boot Knoppix before your new machine has booted Windows at all, download the patches you need directly to the machine, and then install them with the system disconnected from the network–the result being that the system gets fully patched without Windows being exposed to the Internet once.
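The procedure above, collected into a small shell script, is an added example of mine and not code from the original post or from Knoppix. It assumes a FAT32 Windows partition on /dev/hda1 mounted at /mnt/hda1 (the Knoppix naming convention; an NTFS partition needs the Captive NTFS route described above instead), a patch URL you have already looked up on TechNet, and a SHA-1 or SHA-256 digest for that file, either one published alongside the download or one taken from a copy you already trust. The verification step is the part the post does not cover: a file fetched over plain HTTP is only as trustworthy as the network path it took, so check it before you reboot into Windows and run it as Administrator.

```shell
#!/bin/sh
# Stage a standalone Windows patch from Knoppix onto the Windows partition and
# verify it against a known digest before rebooting to apply it offline.
# Example code; device, mount point and URL below are placeholders/assumptions.

# verify_patch FILE EXPECTED_HASH
# Accepts a SHA-1 (40 hex digits) or SHA-256 (64 hex digits) digest in either
# case. Returns 0 on match, 1 on mismatch, 2 on a usage error.
verify_patch() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_patch: no such file: $file" >&2; return 2; }
    case ${#expected} in
        40) actual=$(sha1sum "$file" | cut -d' ' -f1) ;;
        64) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)  echo "verify_patch: expected a 40- or 64-hex-digit digest" >&2; return 2 ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file got $actual want $expected" >&2
    return 1
}

# stage_patch URL DEVICE MOUNTPOINT EXPECTED_HASH
# Knoppix mounts hard-disk partitions read-only by default, so remount rw,
# fetch the full "network install" package onto the Windows partition, verify
# it, then flush and go back to read-only so the reboot sees a clean filesystem.
# A failed verification deletes the download rather than leaving a bad file
# where you might run it later.
stage_patch() {
    url=$1; dev=$2; mnt=$3; expected=$4
    grep -q " $mnt " /proc/mounts || mount "$dev" "$mnt" || return 1
    mount -o remount,rw "$dev" "$mnt" || return 1
    mkdir -p "$mnt/patches"
    dest="$mnt/patches/$(basename "$url")"
    wget -c -O "$dest" "$url" || return 1
    verify_patch "$dest" "$expected" || { rm -f "$dest"; return 1; }
    sync
    mount -o remount,ro "$dev" "$mnt"
}

# Usage from a root shell in Knoppix (URL and digest are placeholders):
#   stage_patch 'http://<patch-url-from-technet>' /dev/hda1 /mnt/hda1 <published-digest>
# then shut down, unplug the network cable, boot Windows and run the .exe
# from the patches folder.
```

The digest comparison is case-insensitive because published hashes are often printed in upper case while sha1sum prints lower case; a mismatch there should not look like tampering. Note that the digest itself has to come from somewhere you trust more than the download path, otherwise the check only proves the file arrived intact, not that it is genuine.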

What’s your favorite method for safely rolling out patches in Windows?

Anton Chuvakin

Related link: http://loop.interop-comdex.com/comments/199_0_1_0_C/

The line just about summarizes this truly insightful piece from Marcus Ranum: “Security is not about doing a lot of smart things. It’s about not doing a few dumb ones.”

I am a bit surprised about the “Don’t outsource security” stance though. While I’ve heard about some people having bad experiences with outsourcing security, it seems like it might be the best option for some small and medium companies with no security staff. Some say “we are in the business of doing X and not in the business of ‘doing IT’; thus we will outsource IT”. The same argument seems to apply to security perfectly…

Dru Lavigne

Related link: http://www.plesman.com/index.asp?theaction=61&lid=1&sid=56233&adBanner=eBusiness

Normally I don’t take the time to write about FUD, especially FUD regarding Linux vs. Microsoft. Perhaps I’m starting to feel a twinge of responsibility as a writer and an educator. Or perhaps deep down it just bugs me that another female writer penned this article for a Canadian IT magazine to which I subscribe.

Regardless, I don’t want to just concentrate on picking apart the article in order to disprove its technical inaccuracies, of which there are many. Instead, I want to step back and try to take a wider view.

This is easier said than done for someone who has been viewing the world from a technical perspective for the past decade. Yup, I admit that as soon as I finished reading the article, I fired up Google and went looking for that hosting provider’s site. And yes, I did receive some satisfaction when I read in said company’s FAQ that their support representatives are both Microsoft and Redhat certified and that clients are permitted full “root” access to their hosted systems. I even went so far as to read the HTTP headers to see what OS and web server was in use.

And that’s when I had to laugh at my knee-jerk reaction. Exactly what had I just “proved”? That I was more technically adept than the interviewer and the interviewee? While I’m at it, should I also stretch that proof into a tidy piece of logic that concludes open source is therefore better than Microsoft? Q.E.D.

This is where I’m left with more questions than answers. What can and should be done regarding the media’s perceptions and misperceptions of open source? Should this even be tackled from a technical perspective or has the last 20 years of IT history proven that technical superiority is no match for slick advertising campaigns and aggressive marketing budgets?

I know I certainly don’t have the answers to those questions. But I do know that these are some of the questions that open source users and advocates have to consider and address.

Kyle Rankin

Related link: http://www.oreillynet.com/pub/wlg/5369

In his latest blog post, Andy Oram discusses InstallShield’s presence at LinuxWorld and how their software is drawing interest from other commercial software vendors as a way to install their programs under Linux. I would argue that Linux already has a better solution, and that vendors would do better to do it “the Linux way” than try to shoehorn the flawed solution Windows users have to deal with.

InstallShield is supposed to solve the problem of program installation so that you simply run “setup.exe” in whatever form, it presents you with some “next” buttons to click, and the app is installed. Of course, if you want to update, you can’t use InstallShield for that. You either have to go to the company’s site and download updates (if you can, otherwise you have to run through a purchase form first, depending on the update), or in some cases you can use a custom proprietary update feature built into the program.

Of course, these update features are different for every application not just under the hood, but in look and feel. Symantec has their live update, MS wants you to open Internet Explorer and go to their website (or potentially download and upgrade things automatically in the background if you trust their patches won’t break anything). Of course, if you want to upgrade Office, you have to visit a totally different site than if you want to upgrade Windows itself. Most other vendors have an update program that falls somewhere in between Symantec and Microsoft.

What I don’t understand is how this is easy. The end user has to learn a new update process for each vendor, and then either runs through the Windows installer to remove a program, or possibly uses an uninstaller the program provides.

For some time now, Linux has offered a much superior solution to this mess, something Windows simply can’t top, because vendors can’t cooperate. In case you haven’t tried this recently, here’s how it works:

If you talk to a Debian user for any period of time you will hear “apt-get install” this and “apt-get upgrade” that. For a long time Debian’s automatic dependency management with apt, coupled with the large package repository in Debian unstable (13,000 packages or so at the moment) meant you could use a simple command-line program and install and update basically any software you could want.

If any Windows users are scoffing now because I said “command line” and “simple” then just wait, I’ll get into the more “user friendly” solution in a bit.

Debian isn’t alone with its dependency management. Basically all modern Linux distributions have it, whether it’s SUSE, Redhat/Fedora with apt4rpm, yum, and up2date working together, Mandrake with urpmi, etc. All of this means the end user simply learns a single program, and manages any software they would want to install on the system with this program. What’s better, the user doesn’t have to go looking for the software. The package manager handles that. No more browsing downloads.com or [insert your favorite shareware repository]. You just run a program, tell it what to install, and it goes and gets it for you.

./configure && make && make install to install programs in Linux is obsolete for the desktop Linux user, and any of you old timers that are still telling newbies to install this way, shame on you! Heck, any of you who still tell people to install rpms by downloading the .rpm files and running rpm -Uvh *.rpm, shame on you too.

So, we have these command line applications, but if you want a GUI instead, Linux has those bases covered as well. SUSE’s installer already lets you browse through packages to install and update in a complete and simple graphical environment. Redhat/Fedora have Red Carpet, which you can combine with Open Carpet to install and upgrade almost any program you would want just by clicking one or two buttons. Debian provides synaptic, which works in much the same way as Open Carpet.

Basically in all of these cases, the end user has to learn a single program (that is easy to use as well) and if they want to install a program, they don’t have to find it on the web, download it, then run the executable. The user just finds the program in the list of available programs (or uses a simple search to narrow things down if they want), clicks it, and says “install this” and the program does all the heavy lifting. If the user wants to remove something, just choose the program, and click “remove” and the program is removed.

What’s better, when a user wants to upgrade all his software, he doesn’t have to track down the upgrade program for each application. Just click “upgrade” in the package manager and let it do the work.

The fact is, you simply couldn’t have this kind of functionality under Windows. Not because Windows programmers aren’t smart enough, just because the proprietary nature of the software, combined with the somewhat defensive nature Microsoft and its competitors often have, means you aren’t going to see the kind of collaboration and cooperation it would require to get this sort of solution working. At least not anytime soon.

Even if somehow all major Windows vendors and shareware authors did decide to collaborate, it would still be more complicated for the end user than Linux, because you wouldn’t be able to upgrade to Microsoft Office 2003 from Office 2000 with a click of a button. You would have to incorporate some kind of payment structure (possibly with passport) to automate the process.

In addition, these GUI package managers are getting better and easier to use every day. Adding an InstallShield to the mix would just throw a monkey wrench into the works, as you would have to run one program for your open source programs (the majority of your Linux software) then some other proprietary software that was installed with InstallShield, but doesn’t provide an integrated update tool.

In my humble opinion, if you are a vendor who wants to break into the Linux market with your software, take some time to learn the “Linux way” of installing software. I know the InstallShield paradigm is familiar and appealing, but in the long run the Linux way is a win for everyone.

How do you install and upgrade your Linux software? Your Windows software? Which do you think is easier?

Dru Lavigne

It’s been a hectic summer for me–it seems I haven’t had a chance to stop long enough to put together all of the cool items I’ve come across. So brace yourself for a hodge-podge of mostly BSD related miscellany.

EuroBSDCon has listed this year’s talk schedule:

http://2004.eurobsdcon.org/talkschedule.html

It looks like a good line-up for both talks and tutorials. I just hope I won’t be too nervous when my turn arrives…

NYCBUG is revamping their website to include a lot of useful content:

http://dev.nycbug.org/

Note that this is still under development. The old web site is still available at:

http://www.nycbug.org

NYCBUG is a very active and supportive user group, so much so that their mailing list includes users (including myself) who are geographically located far from the Big Apple. I am definitely looking forward to the Kirk McKusick meeting on October 16th. It will also be my first trip to the Big Apple and should get me all geared up for Karlsruhe, Germany.

Speaking of user groups,

http://www.bsdusergroups.org/

has been revamped. If your group isn’t already listed, take advantage of the “Add your Group” link. I also recommend that user groups sign up for the O’Reilly user group program:

http://ug.oreilly.com/

in order to take advantage of the newsletters, free review books, and book discounts.

For those who have been patiently waiting, the BSD Success Stories pamphlets are soon going to be a reality. I did discover that summertime isn’t the best time to ask for something to be published–way too many people go on holidays and tech conferences. In the meantime, the rest of the 13 stories will be posted to:

http://advocacy.daemonnews.org/

Give it a day or so for the stories to filter their way past the moderator.

Have you had a chance yet to see the new advocacy site at Daemonnews? It has the makings of becoming a good reference. I don’t know about you, but Daemonnews is one of my daily Internet stops.

A second reader wrote me a few weeks ago about hack #82 from BSD Hacks. As it turned out, it was used as part of a series of articles he was writing on his adventures setting up an embedded system using FreeBSD. With his permission, here are the articles he has so far, with more to come:

http://www.hempeldesigngroup.com/embedded/stories/bdgFreeBSDEmbedded.html

Since I originally wrote hack #82 last winter, I’ve re-hacked it using an alternative method. I wrote it up as part of the next FreeBSD Basics article which should publish August 26th.

Finally, I received my copy of Richard Bejtlich’s “Tao of Network Security Monitoring” and am trying to sneak in a bit of reading as I can:

http://www.amazon.ca/exec/obidos/ASIN/0321246772/qid%3D1091647962/701-5151931-4537144

I’ve mentioned before that Richard’s blog (http://taosecurity.blogspot.com/) is another one of my daily Internet stops as he combines my two favourite subjects: FreeBSD and security. So far, I’m really enjoying the book and appreciate Richard’s logical, thorough approach and the plethora of useful URLs to additional references interspersed on nearly every page. His discussion on “accessing traffic in each zone” is very practical and definitely written by someone who has “been there done that”. And within the first 100 pages I’ve already come across undocumented or poorly documented BSD commands which Richard explains in detail.

My only caution to readers is that they’ll enjoy the book a lot more if they bring to it a fairly solid understanding of networking, TCP/IP, and general security concepts. After all, this is an Addison Wesley, not a “teach yourself network monitoring in 24 hours”. I do think that those with the networking and security background will appreciate the level of experience Richard has brought to the book. And, this point can’t be championed enough: this book was written to demonstrate how open source tools on open source operating systems are ideal for network monitoring.