Writing Secure Code: 8 Basic (Microsoft) Rules

31 Oct 2006

While reading some things today, I stumbled across this MSDN Mag article titled “8 Simple Rules For Developing More Secure Code”.

There is nothing groundbreaking in this article, but it is a good collection and summary of these important and truly basic programming principles. Some are easier to implement in an existing development pipeline, and a couple could require some very large changes. Still, it’s worth considering.



Response: Oracle Announces the Same Enterprise Class Support for Linux as for Its Database

25 Oct 2006

I have known Marc Christiensen for years and have a lot of respect for him. He does a great job of keeping on top of things, which is why I was surprised that he didn’t catch the problems found in the Oracle press release he quotes in his recent post.

I’ll quote the part he quoted and intersperse it with my comments.

Today Oracle announced that it would provide the same enterprise class support for Linux as it provides for its database, middleware and applications products. Oracle starts with Red Hat Linux, removes Red Hat trademarks, and then adds Linux bug fixes.

Sounds like what CentOS and White Box Enterprise Linux (WBEL) do. OK, that’s fine.

Currently, Red Hat only provides bug fixes for the latest version of its software.

Wrong.

Red Hat provides seven (7) years of support from the release date of each Red Hat Enterprise Linux (RHEL) release (since RHEL3; only 5 years for RHEL2.1), including the production of errata packages for both security and bug fixes. This means that support, including updates, will not be terminated until after October 2010 for RHEL3 and February 2012 for RHEL4.

This often requires customers to upgrade to a new version of Linux software to get a bug fixed.

Wrong.

However, it is true that Red Hat does not backport drivers or other new feature support to released versions.

Oracle’s new Unbreakable Linux program …

Oracle’s “Unbreakable Linux” program has been around for years. Perhaps they meant to convey that this is a new incarnation of the (existing) Unbreakable Linux program, which now includes an Oracle-branded Linux distribution.

… will provide bug fixes to future, current, and back releases of Linux. In other words, Oracle will provide the same level of enterprise support for Linux as is available for other operating systems.

Thus implying that Linux is a backwater until Oracle steps in and makes it acceptable. Sounds like big software company marketing people to me :) .

Oracle is offering its Unbreakable Linux program for substantially less than Red Hat currently charges for its best support.

Given that Red Hat has support options ranging from nothing (no support contract is required) or pay-per-incident phone support up to 24×7 on-site Red Hat employees managing your systems, with a couple dozen options in between, “best support” could mean a lot of things.

Of course, tons of people get confused easily by Red Hat’s “licensing” costs. No! They are not charging you for a license. Everything in RHEL is free and open. What you can buy is a support contract and/or subscription(s) to Red Hat Network (RHN).

“We believe that better support and lower support prices will speed the adoption of Linux,

Well, duh!

… and we are working closely with our partners to make that happen,” said Oracle CEO Larry Ellison. “Intel is a development partner. Dell and HP are resellers and support partners. Many others are signed up to help us move Linux up to mission critical status in the data center.

I’ve got news for you, Oracle: Linux is already mission critical in lots of data centers, including yours. That’s right, Oracle has been using Linux as the platform for delivery of their hosted application services for years. I am also personally familiar with enough Fortune 500 companies’ data centers to say that they all have at least one of their mission-critical applications running on Linux. But don’t take my word for it; almost all of them have made public statements in some form or another which indicate that this is the case.

Please, will you folks stop treating Linux like something you are coming along to save from “certain self doom”. You’re not. Most of you are, on the other hand, making wonderful contributions, but all of our Linux are not belong to you.

Although this last one isn’t really that big of a deal, it’s yet another example of how marketing people in companies that should know better keep implying that Linux isn’t ready for “real world” workloads.

BTW: I’m sitting in a lousy hotel room in Austin, Texas with NyQuil in my system, feeling sick and extremely drowsy. Maybe I shouldn’t post while in this state, but I’m doing it anyway (isn’t that one of the corollary definitions of “stupid”?). So, if I messed up a detail or a link, please let me know, but bear with me. Also, I only have Internet access in the evenings, if it’s working (it took a couple of hours to get a stable connection tonight). I’ve gotta go sleep now. I sure hope I don’t feel this crappy tomorrow. Goodnight.



Centralized Food Processing Puts Us at Risk

20 Oct 2006

This very well-written article describes (in very easily understood terms) how the centralization and industrialization of food processing in the U.S. has led to the point where contamination can easily occur and is very hard to track down. It also points out how we could easily make the problem much, much worse.

Rather than talking further about this, I’ll let you read the article. It’s very good. But I would like to point out that there are a lot of parallels in network & systems security that could be drawn here.