[4407] in WWW Security List Archive


Re: UNIX less secure than Win95? (was Re: Septic about (Funds ...)

daemon@ATHENA.MIT.EDU (Jim Harmon)
Fri Feb 14 00:08:35 1997

Date: Thu, 13 Feb 1997 21:16:53 -0500
From: Jim Harmon <jim@telecnnct.com>
To: Hallam-Baker <hallam@ai.mit.edu>
Cc: Charles Brian Hill <hill@unr.net>, mattm@sumac.digex.net, jay@homecom.com,
        www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Hallam-Baker wrote:
> > Hmmm....You might want to check your sources.  I believe ApplixWare from
> > Red Hat is available for around $500, with a student version for $79.  This
> > is comparable to Microsoft's Office Suite, whose student version costs
> > approximately twice as much.
> 
> I suspect it's too little too late. If Red Hat ported their stuff to the
> other UNIX systems perhaps it would be viable. As it is I would have to be
> really committed to UNIX to go down that route. I might just have been
> that committed to VMS but the problem was not enough others were.

Saying that RedHat should support all flavors of UNIX is very much like
saying any 3rd party MS-based developer should port their apps to every
release of DOS 1.0-6.22+ (including PC/IBM DOS, Dr.DOS, etc), and
Windows (including Win 1.0-3.11, Win for Workgroups, Win95, and NT for
x86/RISC/Mini/Mainframe Workstation/Server/EnterpriseServer.)

Doesn't that sound rather ludicrous?

> There are questions as to whether the Mac is still a viable O/S with a
> user base ten times that of UNIX. I would not be optimistic about 
> either.

If that's the case (I'm not sure your guesstimate is accurate) with a
10:1 ratio of PCs to MACs, that means there's a 100:1 ratio of PCs to
UNIX boxes.

Since more than 10% (perhaps 20% or more) of all PCs (again a
guesstimate) run UNIX of one flavor or another, and at least 5% of all
MACs run a flavor of UNIX, and the percentage is growing, I don't see
how UNIX is going to die.

I'm including all professional as well as personal machines in this
discussion.

> It's somewhat ironic that despite all the anti-Bill paranoia Microsoft
> grew fat writing applications for the Mac when everyone else ignored 
> it.

It's also ironic that Mr. Bill created DOS by porting modified (equate to
minimized) portions of UNIX to the Intel 8086 in the first place.

Even more ironic is that Apple has now committed, with the
reinstallation of Steve Jobs as Chief Whatever, to the entirely
UNIX-like NEXT OS, and as I've heard it, is dropping the MAC-OS v8.0
they've been talking about for about a year.

> > As for the exorbitant cost of UNIX applications, keep in mind what comes
> > with the software.  On the whole, UNIX applications are supported
> > indefinitely from the time of purchase.
> 
> Not my experience. I pay more for maintenance on my UNIX boxes than I
> do for my PC software in total. The PC software is so cheap I barely
> think about the upgrade costs. If we buy a PC we tend to buy Office
> and assorted other goodies as a matter of course.

You also pay more maintenance for parts on a Mercedes than you do for
identical parts on a Hyundai Excel.

What I've experienced is the support cost of PC software is EXTREMELY
high relative to the support cost of a UNIX Server product.

Microsoft charges $30.00+ per phone call whether they help you or not. 
You spend hours (sometimes) on the phone tracking down information that
should have been on the web support site anyway, and you have so many
more individuals to deal with --(My modem doesn't... My spreadsheet
is... My xxxx is yyyy.... Can you tell me how to...) and at my hourly
rate, plus the cost of follow-up calls to vendors, I can honestly say
that each S/W package on the MS side of my operation costs 2-5 times
more than the flat rate we spend on UNIX support.

Especially when I can serve all my UNIX users in centralized products at
one time, from one location, instead of visiting offices all day like I
do for MAC and PC support.  (Yes, we have the ability to do remote
support of these systems, but it's far simpler in Human Terms to deal
directly with the users at their desks.)

> > Take a look at SunOS (a brief and
> > oversimplified example, I apologize).  Sun still supports the older SunOS
> > as well as continuing development on Solaris.  Vendors tend to offer much
> > more long term support with UNIX applications.
> 
> Sun supports SunOS because many of the users still refuse to move to
> Solaris because they claim it's too buggy.

Solaris is an entirely different flavor of UNIX than SunOS.  The
majority of the resistance, as far as I can see, is based more on the
conversion complications than on bugs.

It has a different underlying file structure, even if many commands are
similar.  It's like a PC user suddenly walking into his office and
finding a MAC in its place -- or vice-versa.
 
> > When you argue that UNIX has little future, you should consider what is
> > currently being done with UNIX...at least 80% of servers on the internet,
> 
> Nope, it's considerably lower and shrinking. Last I followed the figures it
> was under 60%.

With Apple switching to NEXT, you'll see that 60%, and raise it by 30.
:)

> > as well as 80% of the research computing machines.  There are many
> > applications which Windows 95 or Windows NT, for that matter, simply
> > cannot handle.

I have to differ on this point.  The leading developers of engineering
and scientific software are very rapidly porting everything possible to
NT.  The world-leader in graphic application development for UNIX in
1989 is now the world leader in professional graphic engineering s/w for
NT.  (look for Intergraph Corp. at http://www.ingr.com/ if you're
interested.)

The basic reason for this is that Microsoft has quietly declared that NT
will replace UNIX.  Knowing that doesn't make it so, as UNIX is still
the development platform of choice at all major educational
institutions, which feed the scientific and engineering industries with
UNIX literate professionals on a constant--not deteriorating--basis.

The only 2 reasons NT has made as big an impact on UNIX as it has so far
are its price (not cost--since cost includes maintenance, upgrades,
learning curve, support time, etc.) and availability.

> Installed base is one thing. I'm less than impressed by several people in
> this building who dismiss NT without having used it. I notice that there
> has not been a Sun box delivered on this floor for over a year. There have
> been 20 or more PCs of which about half run NT and half run Linux.

Now we're talking about economics vs. applications.  To be consistent
with guesstimating numbers, let's say PCs cost 10% of the price of a
RISC-based UNIX box, out of the gate.  Since Linux is freeware, and NT
is a bundled price built into many PCs, the ratio you quoted is about
typical for professional desktops.  PACKAGE prices for commercially
available S/W are lower for NT--up front--than for UNIX, but I would be
willing to guess that many of the Linux machines you talk about
are not running lots of little apps from commercial vendors.

They're probably very productively performing 80% or more of their work
with freeware, GNUware, and command-line shells. 

The remaining apps cost $1000-5000, or more, but it's basically a limited
expenditure, and (as mentioned earlier) has excellent support to nearly
any level of complexity you can name, some/much of which is freely
offered by folks who appear on these subscription lists.

If you add up the prices of each app under NT, then add the costs of
maintenance, and support, and upgrade, and etc., and the number of apps
per user (if they aren't using integrated suites) you'll see a whole big
bunch of work and costs and complexity that isn't quite there in the
UNIX world.

Please don't get me wrong, I +>LIKE<+ NT and Win95, and I like some of
the tools available for network support of NT and Win users at my
disposal, I like the technology behind MACs too, but UNIX wins
hands-down when it comes to versatility, ease of use, and sophistication
of command and control operation.

> Having seen the last days of VMS I've long known the way things are
> going. If we didn't have free system support on UNIX systems I would
> expect the changeover to be more rapid.

(WARNING--the numbers being quoted below are PFA! -Pulled From Air- in
accordance with other quotes in this discussion and long-standing
statistical estimation practices...   :)

VMS is dying, not particularly due to the cost of support, although that
contributed; it's due to the incredible cost of the systems themselves.

A VAX 650 used to retail for over $1/2 million US, BEFORE adding
applications and peripherals.  The VAXes typically supported 15-30
simultaneous users, without GUIs.

You can get 100-200 TIMES the compute power in ONE pentium-based
enterprise server running UNIX today at under $50K.  (say $150K with
client licensing)  

NT Server claims it will support 500 users on one multi-CPU (and support
a GUI for each) server platform at one time.

That's why VMS is dead... the cost of the platform, not the cost of
supporting the S/W.

Add the potential of putting a pentium (or 68xxx) on every desk, and for
that same $500,000.00 investment, a SMALL corporation today has the
compute power of most 3rd-world countries just 10 years ago--combined.

> > Ah, months?  I would assume you are not experienced in UNIX System
> 
> No, I have been using them for 15 years. I've recently been looking
> into security for the type of site where security breakins are
> reported on CNN. Its a somewhat higher level of game. Basically until
> recently I have not had occasion to secure a machine of any type to 
> the level we have.

Check out Stalker and WebStalker, two highly recommended--and US
Government certified for DOD and DOD Vendor use--and SIMPLE to operate
Security Utilities.  They complement each other, Stalker taking
full advantage of the entire UNIX accounting system for security
monitoring, reporting, and control.  I was told that NT versions are
being prepared for release this year.

> > Administration.  I, or any other thoroughly competent system administrator
> > would be able to implement any given level of security in one day or less.
> 
> Not if you have to invent the idea of what the security level means.

Stalker and Webstalker allow you to "click and play" highly
sophisticated and highly secure policies in about 1/2 hour.  For both.

> > only so far as you let it be.  If you don't like this, TURN IT OFF.
> > (That's the general rule with UNIX.)
> 
> Easier said than done. The rest of the O/S tends to be tested with a
> large set of facilities enabled. It's surprising what depends on what.
> I did not expect turning off rpc to have the effect it did for a 
> standalone machine.

From what I saw and read about WebStalker, it will customize your
external access to internal GUIs and such with 2-3 menus of
"interview" during installation.

The configuration appears to use SSL security for GUI (Secure HTTP) to
allow access to control/report information on your internal web only,
and is internally passwd protected.

> > For ... inexperienced [user's] personal productivity, UNIX may as 
> > well be dead last.  You yourself are the limiting factor as to how 
> > productive you are with UNIX.  Realistically, UNIX cannot be 
> > compared with any of the Microsoft so-called "operating systems."  
> > If you would like to get 
> > into a technical discussion of the merits of various operating 
> > systems, I would oblige.  However, this discussion is tending more 
> > towards productivity and usefulness, so I'll move on.
> 
> I have fifteen years of systems level programming and was involved 
> in the design of one. Before calling me inexperienced look at the
> acknowledgements section of the HTTP RFC.

Very impressive.  I don't believe he was calling >you< inexperienced, I
think he was referring to the experience level(s) of your userbase.

UNIX does have a ramp-up time to become proficient, and I don't think
anyone here disagrees with that.

I see the basic contention here that "one system is dead because another
exists", and contrary to all the foobar behind the "230 flavors" of
UNIX, UNIX should have been dead 20 years ago.  It's not, and it won't.

I personally believe (read that as an OPINION) we're going to see NT
become more like UNIX in overall concept, if not GUI and coding, and
(with MACs going to NEXT) UNIX itself, in all its wonderfully diverse
flavors, will migrate more towards the NT4.0/Win95 GUI.

20 years from now the winner will probably stand as a merging of all
three.

If we discuss the relative merits of each environment, 

UNIX has the power commandline and infinite subtlety of direct control
no other system comes close to providing.

NT has the security "features" most `real' OS's wish they had.

MACs make user training and support almost heavenly--at the lowest level
of sophistication.

NT 4.0 has gone farther to mesh those three points so far than anything
else, at varying compromises.  Again, my opinion--  :)  --but the least
implemented of the three is the commandline.

> > Like I said, if there is a feature of UNIX that has security holes
> > that you can't fix, just turn it off.  You might be interested to
> > know that you can turn off more daemons than just inetd.
> 
> "Just turn it off" - thats the point. I'VE TRIED IT - not half as easy
> as it sounds. Just compiling a list of all the undocumented features
> takes a significant amount of time.

This is where tools like Stalker and WebStalker come in.  You tell it
what to turn off --or on--, it knows how.

> > Microsoft's idea of how to compete with UNIX is to remove virtually
> > all the functionality from UNIX, in order to make it more secure 
> > (kind of like burning your house down because you have a broken 
> > window) and then tout it as the perfect internet or intranet 
> > solution.  However, since all the functionality is gone, no one with 
> > the requisite experience and/or knowledge to properly run it will be
> > able to be productive.

Isn't that the basic premise of any self-imposed paranoiac security
administrator?  Take away all functionality and restore only the things
that the users threaten to kill you over?

:)	Sounds like the definition of a full-featured firewall.  :)

> Actually the problem with Microsoft has nothing to do with their 
> [expletive removed] functionality. There are more twiddle facilities 
> than anyone could ever need. Theoretically I can do far more than the 
> UNIX box does. Only problem is that the documentation is lousy, there 
> is too damn much of it and there is far too much overlap.

Microsoft's paradigm has been to provide lots of software platforms
cheaply.  Due to the broad spectrum of 3rd party development on PCs and
the after-market documentation industry it created, no one can hope to
contain/constrain/codify or control what is written about MS Apps, or
to what level of clarity.  A great number have tried, with limited
success.

Fortunately, Win95 and NT4.0 have STARTED to reduce paper documentation,
unfortunately, all the electronic MS documentation has no format worth
mentioning (in comparison to MAN pages).  As far as I can tell, except
for CueCards and Wizards, the only real content in MS documentation are
hundreds and hundreds of "do me" recipes, and no technical meat.  That
goes double for the Resource Kits.  :)
-- 
Jim Harmon				 The Telephone Connection
jim@telecnnct.com			   Rockville, Maryland

( "PLEEEEEEZE don't even THINK the opinions raised above are those of 
   ANYONE but myself.  My employer(s) have their own opinions, and none 
   of them are relevent to what I've discussed here.   :)
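The "just turn it off" advice traded back and forth above (inventory what the box actually exposes, then disable everything you cannot justify) is the part of this thread a practitioner can act on without any commercial tool. As an added example, not part of the original post or of the Stalker/WebStalker products it mentions, the script below audits an inetd.conf: it lists the services that are enabled, then writes a hardened copy in which every service not on an explicit allowlist is commented out rather than deleted, so the list of what used to be on is preserved for the record. The inetd.conf it reads is constructed inline for the demonstration; the file paths, the allowlist and the function names are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): inventory the services an
# inetd.conf enables, then write a hardened copy with everything not on an
# allowlist commented out. The inetd.conf below is constructed for the demo;
# on a real host you would point SAMPLE_CONF at /etc/inetd.conf instead.

set -u

SAMPLE_CONF="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
HARDENED_CONF="${TMPDIR:-/tmp}/inetd.conf.hardened.$$"

cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample inetd.conf (service socket proto wait user server args)
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root   /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root   /usr/sbin/tcpd  in.rlogind
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
tftp    dgram   udp  wait    root   /usr/sbin/tcpd  in.tftpd /tftpboot
echo    stream  tcp  nowait  root   internal
chargen dgram   udp  wait    root   internal
EOF

# Print the names of the services that are actually enabled (every line
# that is neither blank nor a comment), one per line, in file order.
list_enabled_services() {
    awk '!/^[[:space:]]*(#|$)/ { print $1 }' "$1"
}

# Copy $1 to $3, commenting out every enabled service whose name is not in
# the space-separated allowlist $2. Lines that are already disabled, and
# comments, are copied through untouched so the file stays readable.
harden_inetd_conf() {
    awk -v allow=" $2 " '
        /^[[:space:]]*(#|$)/      { print; next }
        index(allow, " " $1 " ")  { print; next }
        { print "#" $0 "   # disabled by harden_inetd_conf" }
    ' "$1" > "$3"
}

# Number of enabled services in a file: a quick before/after metric.
count_enabled_services() {
    list_enabled_services "$1" | wc -l | tr -d ' '
}

# Keep only ftp (the allowlist is an assumption for the demo).
harden_inetd_conf "$SAMPLE_CONF" "ftp" "$HARDENED_CONF"
echo "before: $(count_enabled_services "$SAMPLE_CONF") enabled"
echo "after:  $(count_enabled_services "$HARDENED_CONF") enabled"
echo "still enabled:"
list_enabled_services "$HARDENED_CONF"
```

Run it as-is to see the constructed file go from seven enabled services to one; to audit a real host, set SAMPLE_CONF to the live /etc/inetd.conf, review the output of list_enabled_services, and only then copy the hardened file into place and HUP inetd. The script deliberately never edits the live file itself, and it leaves the two temporary files behind so the before and after can be diffed. inetd is only one place daemons are started from; rc scripts and rpc-registered services need the same treatment.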
