Derrick's Security Weblog

Tuesday Aug 09, 2005

Free security patches - but what does free mean?

Some of you may have noticed a bit of a change on "sunsolve":http://sunsolve.sun.com lately. About a week ago Sun rolled out the newest changes to our main service and support delivery page. Two of the biggest changes, from a user experience point of view, may have been in the way we provide patches.

In order to get patches for Solaris 10, you need to do 2 things. You must first register and create an account (free), and you must use the Sun Update Manager (also free) to get your patches. The Update Manager makes it easier to manage patches, and includes a command line interface for people who prefer patchadd. Most patches will now require a service contract of some sort. If you’re giving away the OS, the way you make money is charging for the extra value of service and support (how else would Linux companies be worth anything financially?)

Over the last 6 months or so, I was occasionally in meetings where folks were talking about the new patch delivery mechanisms and entitlement. I got to sound like quite a broken record as I repeated “Security patches must always be free”. The good news is that security patches were still free; the bad news is that, to some people, requiring registration and using the Update Manager counted as not free.

A number of customers let us know in a hurry that they didn’t agree with this definition (and frankly, neither do I). In the security world, a free patch is entirely free. Free of charge, free of registration, free of overhead, free of our tools. I’m happy to report that I was able to make this case and security patches are once again available via HTTP or FTP from sunsolve (just find the patch readme and click the link).

I believe Solaris is one of the most secure Operating Systems on the planet, but even we have security bugs. Everybody, whether a customer or not, is better off when people keep their systems up to date with security patches. Anything we can do to make security patches easy to get and install (you can still install them with the Update Manager if you choose) is a good thing.

Some of our competitors seem to get this, and some don’t.

Tuesday Jun 14, 2005

What does Open Solaris mean for security vulnerabilities?

There are many ways "Open Solaris":http://opensolaris.org will change life around here. As the guy in charge of dealing with security vulnerabilities, people (both inside Sun and externally) keep asking me witty questions like “are you ready for this?” or “getting any sleep?”

There are a million predictions of what opening Solaris will mean in a security sense. In a lot of ways it reminds me of the hype/hysteria around Y2K. The paranoid (Y2K will cause every computer on the planet to crash) types think once the bad guys can look at Solaris code they’ll find more security bugs than we can keep up with. The trusting (Y2K will be the biggest non-event since Geraldo Rivera opened Al Capone’s vault) types figure Solaris source has been available for a fee or to universities for long enough that there aren’t any security bugs left.

Not surprisingly, I think the truth lies somewhere in the middle. Yes, I believe we’ve done a pretty good job over the years of fixing most of the obvious and even not-so-obvious security bugs. We’ve come a long way in inspecting our code with an eye towards how someone might try to break it. On the other hand, I certainly don’t believe our (or anyone’s for that matter) code is security bug free.

I believe there are 2 big unknowns with security and Open Solaris. The first is, what kind of people will find security bugs or ways to attack our product?

Will they be miscreants (either individuals or organized) who will quietly exploit what they find, or will they be friendly members of the community who will report things (to security-alert@sun.com if you’re wondering) so we can fix them?

The second big unknown I wonder about is the integrity of some of the unpublished and largely unused parts of our code. Occasionally our engineers have added or made use of unpublished interfaces (essentially undocumented features). No, these aren’t backdoors, or hidden video games behind the spreadsheets; they’re usually special code bits so some piece of hardware will work correctly or take advantage of something. I’m not as confident that over time these interfaces have been as rigorously inspected as the rest of the code base. And, while most of them are likely not even turned on by default, I wouldn’t be surprised if some enterprising bad guy out there comes up with some way of taking advantage of some of these.

The bottom line is, like many things with Open Solaris, I believe we’ll have to wait and see. The best we can do is make it easy to report potential security issues, and make sure we take them seriously, investigate them, and fix any bugs as quickly as we can.

Tuesday May 24, 2005

Introduction

I’ve been thinking for a long time that I should get off my backside and start a blog. There are a number of things in the security community that benefit from informal sharing of information and spreading best practices among interested parties. Sounds like a perfect opportunity to take advantage of blogging.

So who am I? I wear a number of hats and carry a number of titles, but perhaps the most relevant one is Manager of the Security Engineering and Coordination Team. This team is essentially the interface between Sun and the outside world for all things related to security issues/problems with our products. Think you’ve found a vulnerability in Java? Want to know about the latest Solaris security patches? Got a question about JASS? We’re a great place to start.

We’re the folks behind the Security Resources on Sunsolve: http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec

We’re also the folks behind security-alert@sun.com

Hopefully, in my blogs to come, I’ll share some of how we manage and react to potential security vulnerabilities in Sun’s products. I’ll share why we do things the way we do and some of the considerations that must be evaluated in our decision making. I’ll also be writing about the challenges and opportunities, from a security perspective, of Open Solaris.
