On Fri, Jan 26, 2001 at 11:50:00AM -0600, Elaine -HFB- Ashton wrote:
> Michael Stevens [[EMAIL PROTECTED]] quoth:
> *>I personally would have just as little faith in Solaris run by someone
> *>who didn't know what they were doing as I would in Redhat run by
> *>someone who didn't know what they were doing.
> I would have more faith in Solaris. On an academic network, no firewalls,
> we had user workstations that pretty much lived on their own and at the
> mercy of their users. One day, one of the AI profs installed RedHat after
> most of us had left the computing dept...we heard that someone hacked into
> said linux box and sniffed the entire dept. passwords. 

Were the solaris boxes set up by the same people who set up the redhat boxes
tho, or were two different people adminning them?

The scenario I'm guessing is:

a) solaris workstations set up by sysadmin, left on their own. users
don't have root.

b) redhat box set up by AI prof, left on own. users don't have root.

But that's just my guess from common practice at the university I've
attended. If this *is* the case, and the sysadmins have more experience
than the AI prof, the two cases aren't comparable, because they don't
both not know what they're doing.

> perhaps Linux gives people a sense of adventure or something, but Solaris
> in the last few years has become quite good at running well in spite of
> the chimps at the keyboard. 

I'm working on the theory that everybody gets root exploits. Therefore,
no matter what it is, if you don't patch it for 6 months / a year,
it'll be exploitable.

We need a decent way to work out the difference between "box A is more
hackable than box B", and "box A is more likely to get hacked than box B,
due to the type of exploits people tend to try". I suspect without detailed
evidence skr1pt k1dd1es are more likely to go for redhat. 

Redhat is perhaps more likely to have security bugs spotted due to (I'm
guessing here), more installations in the world. Perhaps not.

I certainly have a *perception* more security issues are found in redhat
than in most other linux and unix (eg solaris) distributions.

And can't we have a discussion about which OS is best without bashing
a particular one all the time? [1]

> *>How about a decently built rack mount PC running Debian[1], by
> *>someone who actually knows how to set up that particular OS decently,
> *>as compared with a Sun box running Solaris set up by someone good
> *>with solaris?
> I have a farm of suns, if you want to make a benchmark, I'll be very
> interested to run and compare the results.

I'm not interested in performance numbers. No. I like. I *am* interested
in performance numbers, but not right now. And I'm fairly sure big sun
boxes go significantly bigger and better than big pcs. This is one of the
advantages of Sun.

More interesting would be stuff like "redhat gets x security problems per
year, solaris has y problems", "we see x exploit attempts specific to
redhat, y specific to solaris", "on this metric of well-administered-ness,
these sets of sun boxes were found to have these numbers. this other set
of redhat boxes were found to have these other numbers".

I suspect a number of these issues could be found by someone reading bugtraq
more carefully than I do - I remember some of these types of stats being
discussed.

Michael

[1] Ok, yes, most of us suck here when the other OS is windows.
