OT- Heads Up - Sasser plug

I'm not sure what you mean - processes, files, and devices have ownership, the important stuff is owned by root and unless root allows other users or processes access, they just plain can't do anything there.

...and the key is invariably under the doormat, another in the mailbox, and the doors that you didn't know you had are left wide open.

Which is particularly frustrating when techies try to point out "yes, everyone knows how to use Word's 10% of features they use. Those same 10% of features work exactly the same way in, say, OpenOffice on a Linux box, with zero retraining for even the most non-technical user". A few years ago, this was a non-starter of a discussion, today it's getting much easier. We've found that a Linux desktop, even (and especially) for non-technical people, is easier for them to use mainly because they can't screw things up. We give them a Citrix session off to the terminal server so they can have a Windows window on their screen if they want, but for displays, server mounts, and browsing, there's no reason to leave the Linux desktop.

Well, sure, if you become root on a Unix box you can do everything. I guess the distinction is that that's the exception, rather than for instance Windows XP which creates the first user as admin (ok, makes sense), but also any _additional_ users default to full admin ("root") rights.

Not really, MacOS and Redhat are Unix systems, so the profound architectural differences still come into play.

Based on my personal experience, you're the exception rather than the rule. I think that systems which aren't administered properly (yes, it's a home PC, but people should but don't take responsibility) are the biggest problem. The architecture makes it possible, but most of these worms happen _after_ the patches have been out for a while.

I think he dozed off a few posts ago.

Yup, you're definitely not a typical Windows person. You'd do well on the unix side, my friend...

Too much logic, not enough froth at the mouth. If you're going to rant properly, you have to throw in some sort of "Oh, and Unix is dead" or something. I mean, I haven't even been _tempted_ to bring up the cliché stuff about windows in response to your post. It's more of a discussion than a rant, I'm afraid.

You windows people are always like that, you know.

Dave

Dave Hinz

Well thank you kindly brother bob - I agree with your assessment of the 'by the book' system as well.

As to my own experiment here at radio free dexterdyne - it is the concerns your assessment raises exactly that I am prototyping. I say again - I use my prototype thin server model here to secure the system itself - it is simply an added benefit that my workstation can then be operated as a complete registered domain service without as a result.

Thusly - while it is always possible that I (or anyone) may be cracked (on any OS) - my prototype provides a professional measure of control and real time reporting so a given probe doesn't go rogue. As you say, 'you're in the door' - but - you can't really prowl the house openly on a dexterdyne build.

Then it is simply a matter of responsible and ongoing deny/allow and creative configuration administration exactly like 'real infrastructure' - which is actually what sets most Unix/MVS installs apart from most MicroSoft infrastructures.

I do not basically trust hardware appliances like firewalls on the network - because in the end they eventually become unmonitored in real world operation and they do nothing in the event someone behind the firewall opens 'something new'. As to software firewalls, they are as subject to compromise as anything in a given OS service stack. Check this out on both counts:

There is simply no real substitute for honest, life suckingly boring, real time system administration and supporting intuitive wetware talent. Much like owning a SAAB actually.

Where MicroSoft (as well as more and more traditionally higher level operating systems) are screwing the pooch - is in the very heavily marketed premise that you can automate system administration and cost save in the HR budget by 'letting the vendor look after it' and/or hiring cheap based on Certification rather than experience.

Basically - you are rewarded or boned based entirely on what custodial expertise you actually pay for regardless of what the marketing droids of all stripes would have people believe. And that, in a nutshell, is why MicroSoft infrastructures are more often the victim of plagues. It is made to be ready and well understood prey by cost cutting in combination with cheap administrative talent.

Dexter J

I agree that your "thin Windows" is the way to go. However, I still have those "architectural-business" issues. While I could provide lots of examples, I'm sure you know too well how much garbage gets installed with any MS app. It's often not needed - but just in case one MS app has to work with another it's installed. The list of "stuff your system doesn't really need" is almost endless. But, you won't catch MS telling you what's needed because the goal is a homogeneous system with everything installed.

Agreed. The chief difference though, is that the Unix/MVS/VMS/you-name-it real operating systems come with detailed instructions as to what needs to be accessible to the product you are installing. They install in a defined area and when they need to put something in a system area or replace a system module, they tell you about it. Not MS, wrong model for them.

Agreed again, but they still serve a filtering function, IMHO. Serious physical security is built with rings of defense. You have to get past level 1 to hit level 2. That's generally a good strategy even in computer security design. And, while firewalls are not infallible and are subject to attack, at least the people building them are thinking about security as a primary job... not as an annoying department that makes developing software more difficult. At the very least, they give you a place to shut off the network when an internal or external attack has been exposed.

He, he, he. I agree. Unfortunately, MS "sells" something else. They'll sacrifice security any day to make the Admin's job "easier".

Yep... and it's part of their strategy. MS only cares about security holes to the extent that it affects sales. Again, that's my key point. Security is not really one of their goals... it's an annoying side track for them.

-Bob-

As compared to an MVS installation where you effectively network across processor cards and resources in a single room or closed rack loop - rather than a fiber network. Effectively every MVS session boots its own complete and limited OS within the session bubble. Everything that makes that happen - the equivalent juicy stuff at Unix root (see below) - is mostly done in the hollow floor room and in video taped person.

Currently agreed - but as inexperienced administrators/home users/newbies in a hurry to move over from Windows - it will effectively open the OS's up to exploit based on the popular knowledge base. The more popular a given OS becomes - and given most folks move to Unix to network resources effectively and securely - eventually the more now secured OS configurations will become similar enough to automate effective remote attack. But - I completely agree - it may always be better than stock MicroSoft at some levels though given that you can better secure root - if you bother to make the time to know how and if Redmond doesn't actually fix it.

See my most recent thread post to brother bob on the subject of getting what you pay for.

Good lord - I hope he's OK - now brother Grunff knows actually useful stuff. We had better snuff this thread out before we lose any of the other important regulars.. :) ..

Well that's because I'm not really a 'windows person' per se - I started out on punch cards back when and have been learning on my own as things came up ever since. This of course means I'm completely 'overqualified but uncertified' according to my last three interviews.

The joke's on them though, the last one (HRM - City of Halifax) saw Sasser and MyDoom go through them like grain through a duck. Shut the entire municipal (and much of the provincial) network down for the day(s).

Somewhat less embarrassing than having the provincial HR resume database breached and circulated last year - but bloody typical of the level of HR management and systems talent hiring where I live.

Consequently - I'm building a very interesting and quite new Flash Application for pennies on the dollar for an out of province consultancy. Very rum stuff - works as a complete standalone and can encrypt/share data with pretty much anything you are willing to give a data key to. Natively dumps wipes the arrays from memory (virtual and otherwise) on exit. Depending, I think I may be able to get it to work standalone or on a network connection on anything from a PDA to a Mainframe - as long as it can be made to run on or communicate with Macromedia Flash 5.

Well I'll try harder next time, but not really a windows zealot so much as a Systems Admin who still gives a crap about operating my node responsibly. Sounds stupid and trite these days I guess - it's not an important node to anyone else but the fans and myself I suppose - but I'm kinda proud of it anyway.

On that note - I have to get back to work now.

Cheers and best wishes brothers and sisters.

Dexter J

Why Flash? As an applications developer, I think you are in the wrong tree and re-inventing the leaf.

Have you published your "thin client" prescription? It sounds like something that would be useful to a lot of folks... perhaps including me :-)

-Bob-

Works on pretty much all OS's (most recent sony PDA for example) as a standalone or a plugin and is natively network chummy. Can be easily adjusted to connect with pretty much any database remotely or standalone without a lot of fuss. Mostly, it's a *really* small .exe once compiled. When I'm done, you can create, manage, edit, save, search, export and print across almost a thousand multi-field records - but the running executable itself is a single file only 700kb in total. Only 250kb if you use it as a plugin - but it's heavier in live ram that way. My angel/client builds and configures them for people and organizations.

Putting aside that it is more boring than monitoring fruit rot for most normal people with real lives more than 25 feet from a stinking wall jack - basically, anyone with the interest and time can replicate my installation given I've stuck to mostly open-source (save the mail server - you want shrink wrapped Non-MS there). Poke around the site - I've written it up somewhere. I build, configure and manage dexterdyne servers for people and organizations on an M&E basis

Dexter J
