webuploader, profile picture
Uploaded bywebuploader
PPT, PDF598 views

BPotter-L1-05

The document discusses the differences between Windows, FreeBSD and Linux operating systems in terms of security. It argues that while Linux has many benefits, deploying it poses operational security risks due to loose development processes and lack of a unified patching model. FreeBSD provides a more structured and secure development approach compared to Linux, while Windows aims to integrate security throughout its development lifecycle.

Embed presentation

Download to read offline
Windows vs FreeBSD vs Linux Or: Why Deploying Linux in your Environment is Suicide
Don’t Believe Anything I Say "Do not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply because it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and is conducive to the good and benefit of one and all, then accept it and live up to it.” - Buddha Daytime - Security consultant “ Beltway bandit” in Linthicum MD Night - Founder of the Shmoo Group, Capital Area Wireless Network, periodic author
For Your Safety and The Safety of Those Around You Linux Zealots Windows / BSD / Others This talk may be not much more than flamebait You may be reminded of a /. Discussion This talk is meant to be interactive
Lets Talk about Security For the feds, “Information Assurance” Tactical Coding Error vs Design Flaw Script kiddie vs Dedicated Attacker Host Hardening vs Long term operational security
Long term Operational Security Often overlooked aspect of “security” We are not an end in and of ourselves. Further, an IDS does not operational security make Any idiot can be trained to secure a host Look at all the security books on the shelf Running a long term secure enterprise is the tough thing
Enter Rant Mode
Potter’s Pyramid of IT Security Needs IDS Patch Mgt Op. Procedures Firewalls Auth / Auth ACLs Software Sec Honeypots Sophistication and Operational Cost
Why Does the Development Method Matter? You can certainly do belly button contemplation to say why it does or does not matter Structured process is the only way to build a secure and scalable system Or Having many eyeballs and lack of clear direction means the best and most useful stuff is what will get integrated, not all the fluff. There is no right answer… Process driven code can suck horribly There are often not “many eyes” looking at security Corp View OSS View
But really, is there a difference? Beyond what the zealots say, and what the media says… Is there a real difference? Assessing this difference is a real PIA with lots of red herrings Methods of determining difference Examine the development processes Examine the history of security in the architecture Vulnerability statistics? Examine the future directions of security Ideally get statistics from enterprises on how they spend their security budgets and why I’m not Burton or IDG… So I just asked friends…
Let’s talk about Vulnerability Statistics Vulnerability stats are (generally) an artifact of tactical coding errors, not bigger problems “ In the last year we cut the number of patches we released from 35 to 12” Well, if you’re rolling up many vuln fixes to one patch, it doesn’t count Further, the impact from the vulns may vary as well Not just an MS problem… MDKSA-2004-037 Whose code was the vuln in? Kernel? Integrated Application? Third Party?
But We’re ahead of ourselves. First, Windows! Developed as a complete system And then some… Applications are tightly integrated with operating system. Obviously, MS works as one organization, and Office upgrades are aware of Windows upgrades and vice versa Kernel MS Created Core Sys Utils MS Created Applications MS Created
Windows Release Methodologies Publicized well in advance Much of it is marketing spam, but there is obviously a HUGE developer network that seeds new technology info well in advance of release MS has a habit of once they’ve dominated a market, they stop dealing with the market IE is a prime example This has a negative impact on security MS will only integrate as much security as the market demands. The OSS world will continue to integrate security b/c it’s the right thing to do
Windows Security Roadmap Many long term security initiatives Internal code security programs Security is woven through their entire development process Tho with the recent announcement of Land II, they may not quite be there yet Security functionality roadmap Including a full MLS compliant OS by 09 Definitely aware of Security Operations
FreeBSD FreeBSD is designed and developed as a complete end to end system Kernel to userland system utilities Structured development process Core team, and accountability for all parts of the core OS Beyond userland system utilities, thirdparty software is packaged by the FBSD team Either in binary or source packaging (or both) Kernel FBSD Created Core Sys Utils FBSD Created Applications FBSD packaged
FreeBSD Release Methodologies For Core system, there is a FreeBSD Release Engineering team. For Third party software, there is also a team dedicated to “produce a high quality package set suitable for official FreeBSD release media.” More info at http://www.freebsd.org/releng/
FreeBSD Security Roadmap FreeBSD provides EOL info WELL in advance of EOL occurring to give operators a heads up. Many integrated security features Securelevels are a great feature Expanded ACL control, jails (!chroot) While not a Roadmap ala Microsoft, still a great start.
Linux It’s Bazaar, right? Linus et al control the kernel Community creates the rest with some loose coordination Distros use Duct Tape as a “value add” to put everything together While they’re all “Linux” they’re basically different OS’s Aren’t they? Kernel Linus Created Core Sys Utils Community Created / Distro Pkg Applications Community Created / Distro Pkg
A Choice Slashdot Quote First, why do I give a shit about the bloat of the graphical envinron vs the bloat of the kernel? It’s all part of the OS as far as I care Second, stop with this GNU/Linux vs Linux crap
Linux Kernel Release Methodologies Whenever they feel like it Whenever they feel like iterating the third digit Changes with each major release 2.0 was different than 2.2 than 2.4 than 2.6 Not necessarily done in conjunction with distros Distros released at the same time will often use different kernels Frankly, it’s all at Linus’ and his deputy’s control
Distro Release Methodologies Even tho they’re all “Linux”, they’re like their own OS So there… Some are very slow evolutions and rely on uber admins Debian is the ultimate example Others attempt to have structure and make things easier on the user The Old ReadHet, Ubuntu, etc… However, since they’re really only responsible for the packaging and glue code, they’re at the whim of the community for features, especially security A distro will not, for instance, write their own firewall code
Linux Security Roadmap Not much out there for “Linux” There’s barely a kernel roadmap… RedHat released a security roadmap 2 years ago that basically amounted to “Integrate SELinux into RH distro” Really, that’s about all I found… Others have insight? Lots of add-on things (GRSec, etc…)
And now, Patching Patching is a core Security function, and releasing patches should be a core vendor function MS used to release patches whenever it “made sense” Now they’ve gone to monthly roll-up patches Concerns about losing resolution (aka: making 0day attacks a problem) have not materialized Certainly simplifies ongoing Ops Regression testing / QA can be scheduled in advance and patch deployment times are reduced
Patching on the *NIXs FreeBSD Kernel Patches direct from FBSD developers Linux Kernel Patches can be applied from kernel.org code Patches can be applied from distro code Which is right? Third party patches (network stack, KDE, etc) Patches direct from developer Patches from distro Core system utils in FBSD come from FBSD developers Again, which is right? *NIX patches easier to understand, easy to mass deploy More difficult to determine if it’s needed
Lets not Forget about SnR So, it’s not just about the architecture Security admins have to stay up to date I.e. We can justify why see surf the net all day The hell that is the Linux Distro security announcements We whine about the bad SnR on an IDS, why don’t we whine about the SnR on disclosure lists V u l n e r a b I l I t y T i m e l i n e Vuln Disc. Patch Rel. Ubuntu Rel . Mandrake Rel . Red Hat Rel . Debian Rel . OpenLin Rel . FBSD Rel . Bugtraq Mod. Approves . BillyJoe Rel .
The Future Linux continues to survive by brute force and a worldwide network of zealots The Linux zealots make Apple users look tame MS will continue to push the bounds of security beyond what the stereotypical OSS operating system can do Especially from an operational security perspective The BSD’s will continue to be the leaders in the OSS movement wrt operational security
Questions? Answers?

More Related Content

PPT
FreeBSD - LinuxExpo
bywebuploader
 
PPT
CLI313
bywebuploader
 
PPT
CFInterop
bywebuploader
 
PPT
visagie_freebsd
bywebuploader
 
PPT
freebsd-watitis
bywebuploader
 
PPT
Mak3
bywebuploader
 
PPT
3_System_Requirements_and_Scaling
bywebuploader
 
PPTX
Software update for embedded systems
bySZ Lin
 
FreeBSD - LinuxExpo
bywebuploader
 
CLI313
bywebuploader
 
CFInterop
bywebuploader
 
visagie_freebsd
bywebuploader
 
freebsd-watitis
bywebuploader
 
Mak3
bywebuploader
 
3_System_Requirements_and_Scaling
bywebuploader
 
Software update for embedded systems
bySZ Lin
 

What's hot

PDF
Distro Recipes 2013: What’s new in gcc 4.8?
byAnne Nicolas
 
PDF
Bsd ss
byDru Lavigne
 
PPTX
Design, Build,and Maintain the Embedded Linux Platform
bySZ Lin
 
PDF
Devsummit 2010
byDru Lavigne
 
PDF
Embedded Linux Quick Start Guide v1.5
byChris Simmonds
 
PDF
Using open source software to build an industrial grade embedded linux platfo...
bySZ Lin
 
PPTX
Embedded Linux/ Debian with ARM64 Platform
bySZ Lin
 
PDF
The end of embedded Linux (as we know it)
byChris Simmonds
 
PDF
Kernel Recipes 2014 - The Linux Kernel, how fast it is developed and how we s...
byAnne Nicolas
 
PDF
Read-only rootfs: theory and practice
byChris Simmonds
 
PDF
Kernel Recipes 2013 - ARM support in the Linux kernel
byAnne Nicolas
 
PPTX
linux interview questions and answers
byGanapathi Raju
 
PDF
Kernel Recipes 2013 - Easy rootfs using Buildroot
byAnne Nicolas
 
PDF
Fuzzing the Media Framework in Android
byE Hacking
 
PDF
Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...
byAnne Nicolas
 
PPTX
Upgrade Ubuntu 18.04 Security with Secureboot
byJonathan MICHEL-VILLAZ
 
PDF
FusionInventory at LSM/RMLL 2012
byNouh Walid
 
ODP
Embedded Systems
byOSU Open Source Lab
 
PPTX
Defeating x64: Modern Trends of Kernel-Mode Rootkits
byAlex Matrosov
 
PPTX
Windows privilege escalation by Dhruv Shah
byOWASP Delhi
 
Distro Recipes 2013: What’s new in gcc 4.8?
byAnne Nicolas
 
Bsd ss
byDru Lavigne
 
Design, Build,and Maintain the Embedded Linux Platform
bySZ Lin
 
Devsummit 2010
byDru Lavigne
 
Embedded Linux Quick Start Guide v1.5
byChris Simmonds
 
Using open source software to build an industrial grade embedded linux platfo...
bySZ Lin
 
Embedded Linux/ Debian with ARM64 Platform
bySZ Lin
 
The end of embedded Linux (as we know it)
byChris Simmonds
 
Kernel Recipes 2014 - The Linux Kernel, how fast it is developed and how we s...
byAnne Nicolas
 
Read-only rootfs: theory and practice
byChris Simmonds
 
Kernel Recipes 2013 - ARM support in the Linux kernel
byAnne Nicolas
 
linux interview questions and answers
byGanapathi Raju
 
Kernel Recipes 2013 - Easy rootfs using Buildroot
byAnne Nicolas
 
Fuzzing the Media Framework in Android
byE Hacking
 
Distro Recipes 2013 : Contribution of RDF metadata for traceability among pro...
byAnne Nicolas
 
Upgrade Ubuntu 18.04 Security with Secureboot
byJonathan MICHEL-VILLAZ
 
FusionInventory at LSM/RMLL 2012
byNouh Walid
 
Embedded Systems
byOSU Open Source Lab
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
byAlex Matrosov
 
Windows privilege escalation by Dhruv Shah
byOWASP Delhi
 

Similar to BPotter-L1-05

ODP
Foss Presentation
byAhmed Mekkawy
 
PDF
Open Source Enterprise Security Solutions
byevolutionaryit
 
PDF
FOSS Enterprise Security Solutions
byevolutionaryit
 
PPT
Linux and Samba in 75 Minutes
bywebhostingguy
 
PPTX
Unix Security
byKumar Setty, HCISPP, CISA, CCSK, ITIL, CHSP
 
ODP
Introduction to Free and Open Source Software (FOSS)
byDong Calmada
 
ODP
Intro To Linux
bytechlug
 
PPTX
introduction to Linux operating system .pptx
byAnuradhaJadiya1
 
PDF
The Right Way to Patch Management for Linux - JetPatch.pdf
byJetPatch
 
PPT
linux system and network administrations
byhaile468688
 
PPT
Linux Intro
byLokesh Kumar N
 
PPT
Software security
byRoman Oliynykov
 
PPT
Linux Vulnerabilities
bySecurityTube.Net
 
PPT
Linux Operating System Vulnerabilities
byInformation Technology
 
PPTX
Case study operating systems
byAkhil Bevara
 
PDF
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
PDF
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
PPT
Chapter 8 - nsa Introduction to Linux.ppt
bygadisaAdamu
 
PPT
Intro to linux
byRavi Prakash Giri
 
PPT
Threats, Vulnerabilities & Security measures in Linux
byAmitesh Bharti
 
Foss Presentation
byAhmed Mekkawy
 
Open Source Enterprise Security Solutions
byevolutionaryit
 
FOSS Enterprise Security Solutions
byevolutionaryit
 
Linux and Samba in 75 Minutes
bywebhostingguy
 
Unix Security
byKumar Setty, HCISPP, CISA, CCSK, ITIL, CHSP
 
Introduction to Free and Open Source Software (FOSS)
byDong Calmada
 
Intro To Linux
bytechlug
 
introduction to Linux operating system .pptx
byAnuradhaJadiya1
 
The Right Way to Patch Management for Linux - JetPatch.pdf
byJetPatch
 
linux system and network administrations
byhaile468688
 
Linux Intro
byLokesh Kumar N
 
Software security
byRoman Oliynykov
 
Linux Vulnerabilities
bySecurityTube.Net
 
Linux Operating System Vulnerabilities
byInformation Technology
 
Case study operating systems
byAkhil Bevara
 
CNIT 123 Ch 8: OS Vulnerabilities
bySam Bowne
 
CNIT 123 8: Desktop and Server OS Vulnerabilities
bySam Bowne
 
Chapter 8 - nsa Introduction to Linux.ppt
bygadisaAdamu
 
Intro to linux
byRavi Prakash Giri
 
Threats, Vulnerabilities & Security measures in Linux
byAmitesh Bharti
 

More from webuploader

PPT
Michael_Hulme_Banff_Social_Networking
bywebuploader
 
PDF
socialpref
bywebuploader
 
PPT
cyberSecurity_Milliron
bywebuploader
 
PPT
PJO-3B
bywebuploader
 
PPT
LiveseyMotleyPresentation
bywebuploader
 
PDF
FairShare_Morningstar_022607
bywebuploader
 
PPT
saito_porcupine
bywebuploader
 
PPT
ScalabilityAvailability
bywebuploader
 
PPT
scale_perf_best_practices
bywebuploader
 
PPT
7496_Hall 070204 Research Faculty Summit
bywebuploader
 
PPT
Chapter5
bywebuploader
 
PPT
WCE031_WH06
bywebuploader
 
PPT
securing_syslog_onFreeBSD
bywebuploader
 
PPT
bh-us-02-murphey-freebsd
bywebuploader
 
PDF
evans
bywebuploader
 
PPT
COMO2006
bywebuploader
 
PPT
FacebookandMySpace
bywebuploader
 
PDF
SocialNetworkingSitesandtheJobSearch
bywebuploader
 
PDF
CollierMagid10_17_06
bywebuploader
 
PDF
facebk_wkshp-1
bywebuploader
 
Michael_Hulme_Banff_Social_Networking
bywebuploader
 
socialpref
bywebuploader
 
cyberSecurity_Milliron
bywebuploader
 
PJO-3B
bywebuploader
 
LiveseyMotleyPresentation
bywebuploader
 
FairShare_Morningstar_022607
bywebuploader
 
saito_porcupine
bywebuploader
 
ScalabilityAvailability
bywebuploader
 
scale_perf_best_practices
bywebuploader
 
7496_Hall 070204 Research Faculty Summit
bywebuploader
 
Chapter5
bywebuploader
 
WCE031_WH06
bywebuploader
 
securing_syslog_onFreeBSD
bywebuploader
 
bh-us-02-murphey-freebsd
bywebuploader
 
evans
bywebuploader
 
COMO2006
bywebuploader
 
FacebookandMySpace
bywebuploader
 
SocialNetworkingSitesandtheJobSearch
bywebuploader
 
CollierMagid10_17_06
bywebuploader
 
facebk_wkshp-1
bywebuploader
 

Recently uploaded

PPTX
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
PPT
connectives-linking words in English.ppt
byAmrMohammed82
 
PDF
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
PDF
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
PPTX
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
PDF
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
PPTX
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
PDF
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
PPTX
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
PDF
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
PPTX
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
PDF
Salesforce Sales Cloud and Generative AI Present a Fresh Approach to Personal...
byMinuscule Technologies
 
PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PDF
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 
Becoming Frontier for Dynamics 365 Finance PPT
byjonbravetti
 
connectives-linking words in English.ppt
byAmrMohammed82
 
TrustArc Webinar - Unpacking India’s DPDP Act: What You Should Know
byTrustArc
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
Chapter 2 Computer Threat .pdf
byGetnet Tigabie Askale -(GM)
 
Profiting from Technological Innovation: Managing Intellectual Property to Bu...
byDavid Teece
 
Fortify Your Digital Defenses with ServiceNow Security Operations by Suma Soft
byGavin Ellis
 
TopMate ES11 3-Wheel Electric Scooter: Comfort, Stability, and Independence f...
byTopmate
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
Pervasive Encryption - Keeping Data Secure.pdf
byPrecisely
 
UNIT 1- Introduction to Basic of Computer Fundamentals
bypawarbhaktiit
 
Unlocking Gen AI Capabilities Within UiPath Document Understanding
byDianaGray10
 
computer science class 11 ( phishing and fraud mails) .pptx
bybalajichess314
 
Zniber Partners. Audience Foresight for Confident Decisions
bySamuel Zniber
 
congo red stain nd PAS STAIN histopathology
bybushrariaz1240
 
Salesforce Sales Cloud and Generative AI Present a Fresh Approach to Personal...
byMinuscule Technologies
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
2025-CB-NCAE-slide-deck.pptx-1-83.pdf Virtual Orientation on the Administrati...
byNelizabethEsplaguera1
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Hart, Inc. M&A Data Transition Checklist
byHart, Inc.
 

BPotter-L1-05

  • 1.
    Windows vs FreeBSDvs Linux Or: Why Deploying Linux in your Environment is Suicide
  • 2.
    Don’t Believe AnythingI Say "Do not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply because it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and is conducive to the good and benefit of one and all, then accept it and live up to it.” - Buddha Daytime - Security consultant “ Beltway bandit” in Linthicum MD Night - Founder of the Shmoo Group, Capital Area Wireless Network, periodic author
  • 3.
    For Your Safetyand The Safety of Those Around You Linux Zealots Windows / BSD / Others This talk may be not much more than flamebait You may be reminded of a /. Discussion This talk is meant to be interactive
  • 4.
    Lets Talk aboutSecurity For the feds, “Information Assurance” Tactical Coding Error vs Design Flaw Script kiddie vs Dedicated Attacker Host Hardening vs Long term operational security
  • 5.
    Long term OperationalSecurity Often overlooked aspect of “security” We are not an end in and of ourselves. Further, an IDS does not operational security make Any idiot can be trained to secure a host Look at all the security books on the shelf Running a long term secure enterprise is the tough thing
  • 6.
  • 7.
    Potter’s Pyramid ofIT Security Needs IDS Patch Mgt Op. Procedures Firewalls Auth / Auth ACLs Software Sec Honeypots Sophistication and Operational Cost
  • 8.
    Why Does theDevelopment Method Matter? You can certainly do belly button contemplation to say why it does or does not matter Structured process is the only way to build a secure and scalable system Or Having many eyeballs and lack of clear direction means the best and most useful stuff is what will get integrated, not all the fluff. There is no right answer… Process driven code can suck horribly There are often not “many eyes” looking at security Corp View OSS View
  • 9.
    But really, isthere a difference? Beyond what the zealots say, and what the media says… Is there a real difference? Assessing this difference is a real PIA with lots of red herrings Methods of determining difference Examine the development processes Examine the history of security in the architecture Vulnerability statistics? Examine the future directions of security Ideally get statistics from enterprises on how they spend their security budgets and why I’m not Burton or IDG… So I just asked friends…
  • 10.
    Let’s talk aboutVulnerability Statistics Vulnerability stats are (generally) an artifact of tactical coding errors, not bigger problems “ In the last year we cut the number of patches we released from 35 to 12” Well, if you’re rolling up many vuln fixes to one patch, it doesn’t count Further, the impact from the vulns may vary as well Not just an MS problem… MDKSA-2004-037 Whose code was the vuln in? Kernel? Integrated Application? Third Party?
  • 11.
    But We’re aheadof ourselves. First, Windows! Developed as a complete system And then some… Applications are tightly integrated with operating system. Obviously, MS works as one organization, and Office upgrades are aware of Windows upgrades and vice versa Kernel MS Created Core Sys Utils MS Created Applications MS Created
  • 12.
    Windows Release MethodologiesPublicized well in advance Much of it is marketing spam, but there is obviously a HUGE developer network that seeds new technology info well in advance of release MS has a habit of once they’ve dominated a market, they stop dealing with the market IE is a prime example This has a negative impact on security MS will only integrate as much security as the market demands. The OSS world will continue to integrate security b/c it’s the right thing to do
  • 13.
    Windows Security RoadmapMany long term security initiatives Internal code security programs Security is woven through their entire development process Tho with the recent announcement of Land II, they may not quite be there yet Security functionality roadmap Including a full MLS compliant OS by 09 Definitely aware of Security Operations
  • 14.
    FreeBSD FreeBSD isdesigned and developed as a complete end to end system Kernel to userland system utilities Structured development process Core team, and accountability for all parts of the core OS Beyond userland system utilities, thirdparty software is packaged by the FBSD team Either in binary or source packaging (or both) Kernel FBSD Created Core Sys Utils FBSD Created Applications FBSD packaged
  • 15.
    FreeBSD Release MethodologiesFor Core system, there is a FreeBSD Release Engineering team. For Third party software, there is also a team dedicated to “produce a high quality package set suitable for official FreeBSD release media.” More info at http://www.freebsd.org/releng/
  • 16.
    FreeBSD Security RoadmapFreeBSD provides EOL info WELL in advance of EOL occurring to give operators a heads up. Many integrated security features Securelevels are a great feature Expanded ACL control, jails (!chroot) While not a Roadmap ala Microsoft, still a great start.
  • 17.
    Linux It’s Bazaar,right? Linus et al control the kernel Community creates the rest with some loose coordination Distros use Duct Tape as a “value add” to put everything together While they’re all “Linux” they’re basically different OS’s Aren’t they? Kernel Linus Created Core Sys Utils Community Created / Distro Pkg Applications Community Created / Distro Pkg
  • 18.
    A Choice SlashdotQuote First, why do I give a shit about the bloat of the graphical envinron vs the bloat of the kernel? It’s all part of the OS as far as I care Second, stop with this GNU/Linux vs Linux crap
  • 19.
    Linux Kernel ReleaseMethodologies Whenever they feel like it Whenever they feel like iterating the third digit Changes with each major release 2.0 was different than 2.2 than 2.4 than 2.6 Not necessarily done in conjunction with distros Distros released at the same time will often use different kernels Frankly, it’s all at Linus’ and his deputy’s control
  • 20.
    Distro Release MethodologiesEven tho they’re all “Linux”, they’re like their own OS So there… Some are very slow evolutions and rely on uber admins Debian is the ultimate example Others attempt to have structure and make things easier on the user The Old ReadHet, Ubuntu, etc… However, since they’re really only responsible for the packaging and glue code, they’re at the whim of the community for features, especially security A distro will not, for instance, write their own firewall code
  • 21.
    Linux Security RoadmapNot much out there for “Linux” There’s barely a kernel roadmap… RedHat released a security roadmap 2 years ago that basically amounted to “Integrate SELinux into RH distro” Really, that’s about all I found… Others have insight? Lots of add-on things (GRSec, etc…)
  • 22.
    And now, PatchingPatching is a core Security function, and releasing patches should be a core vendor function MS used to release patches whenever it “made sense” Now they’ve gone to monthly roll-up patches Concerns about losing resolution (aka: making 0day attacks a problem) have not materialized Certainly simplifies ongoing Ops Regression testing / QA can be scheduled in advance and patch deployment times are reduced
  • 23.
    Patching on the*NIXs FreeBSD Kernel Patches direct from FBSD developers Linux Kernel Patches can be applied from kernel.org code Patches can be applied from distro code Which is right? Third party patches (network stack, KDE, etc) Patches direct from developer Patches from distro Core system utils in FBSD come from FBSD developers Again, which is right? *NIX patches easier to understand, easy to mass deploy More difficult to determine if it’s needed
  • 24.
    Lets not Forgetabout SnR So, it’s not just about the architecture Security admins have to stay up to date I.e. We can justify why see surf the net all day The hell that is the Linux Distro security announcements We whine about the bad SnR on an IDS, why don’t we whine about the SnR on disclosure lists V u l n e r a b I l I t y T i m e l i n e Vuln Disc. Patch Rel. Ubuntu Rel . Mandrake Rel . Red Hat Rel . Debian Rel . OpenLin Rel . FBSD Rel . Bugtraq Mod. Approves . BillyJoe Rel .
  • 25.
    The Future Linuxcontinues to survive by brute force and a worldwide network of zealots The Linux zealots make Apple users look tame MS will continue to push the bounds of security beyond what the stereotypical OSS operating system can do Especially from an operational security perspective The BSD’s will continue to be the leaders in the OSS movement wrt operational security
  • 26.