[rescue] New acquisition... (AIX)

Jonathan C. Patschke jp at celestrion.net
Fri Apr 2 12:01:20 CST 2004

On Fri, 2 Apr 2004, Mike Meredith wrote:

> The big trouble I have with your allegation that Linux is pretty much as
> bad as Windows, is that I haven't seen that much trouble with Linux ...

Let me put it this way:  I've never had that much trouble with Windows
because I've been using it and writing pretty low-level software for it
for roughly 13 years.  Until they changed the whole world in Windows
2000, I felt like I had better mental documentation for Windows NT than
I had printed documentation (source aside, of course), for Linux.

It CAN be made secure, and it CAN be made stable.  It's just a really
long, tedious road to get there, which is why I don't recommend it to
clients I care about. :)

And that's the same argument I use against Linux.

OpenBSD?  Largely secure by default.  Consider turning off SSH access
from the world to prevent getting hit by the next hole-of-the-week, and
use pf to take care of the rest.

Solaris?  fixsolaris.txt has just about everything you need.  Also
filter off SSH access from the world because Sun uses an antiquated
ssh daemon.  Install ipf if you're more paranoid than that.

IRIX and AIX?  Turn off everything, install ssh, firewall it off from
the world, as they're anything BUT secure-by-default.

It's all fairly simple and, more importantly, known quantities.  But,
in Linux, you have abstraction violations like HTTP listeners
(optionally) in the kernel.  You really have to stay abreast of what
shiny new toy the developers tossed in there and make sure you don't
accidentally turn it on.  Oh, and hope they don't change the firewall
paradigm AGAIN[0], if you need to filter packets.

> 50 MBytes? Are you looking at 2.7.56 or something ? 2.6.4 is around
> 40Mbytes. A big chunk of that you'll never be running on any single
> platform.

Okay, so I was roughly 20% off.  40MB is still pornographically huge for
a compressed kernel distribution, whether I'm going to use that code or
not.  That's an AWFULLY large amount of code for people to maintain for
an implementation of an OS that made the KISS principle sexy.

> Actually they only half do it (which is probably good enough). If you
> have two hme's in a Sun box, they're 'hme0' and 'hme1'.

But you'll never have them switch places on you because that information
is cached in path_to_inst.  You'd have to boot -r to even frob that, and
I doubt Sun would ever change the probe order anyway because people with
large configurations would hurl nastiness at them.

[0] This is actually the reason why I quit using Linux.  I was primarily
    building firewalls for people with it.  This was in the 2.2 to 2.4
    transition days, and some dists would use ipchains, some iptables,
    some ipfwadmin.  I threw up my hands and went to OpenBSD.

Jonathan Patschke  ) "Being on the Internet is not the same as being
Elgin, TX         (   famous.  That's like calling Cheetos 'dinner'."
USA                )                                    --Metal Steve
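A pf.conf along the lines the message recommends for OpenBSD (default deny inbound, SSH reachable only from an administrative network, state kept for the host's own outbound traffic), added here as an illustration and not taken from the original post; the interface name fxp0 and the 192.0.2.0/24 admin network are assumed placeholders.

```pf
# Added example, not from the original post. ext_if and admin_net are
# placeholders; substitute the real external interface and the network(s)
# that administrators actually connect from.
ext_if    = "fxp0"
admin_net = "{ 192.0.2.0/24 }"

set skip on lo                   # never filter loopback
set block-policy drop            # drop silently rather than answer with RST

# Default deny inbound; log what is dropped so probes show up on pflog0.
block in log all

# Let the host itself reach the world; state handles the return traffic.
pass out quick keep state

# SSH is reachable only from the administrative network, never "from any".
# Matching on SYN only (flags S/SA) means state is created by a real
# connection attempt, not by stray mid-stream packets.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port ssh \
    flags S/SA keep state

# Anything else the box serves needs an explicit pass line here; whatever
# is not listed stays unreachable from outside.
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and do the loading from the console rather than over the very SSH session the rules are about to restrict.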
