MS SQL Server 2005 Adds Security Features 248
nycsubway writes "Microsoft is planning to add in its own encryption and decryption to its newest version of SQL Server. From the article: 'The company is writing complex encryption and decryption functionality directly into the product so customers don't have to procure security features from a third party, or roll their own when the product becomes generally available next year.' I would also hope the default sa/password will no longer be there."
Good Thing (Score:5, Interesting)
Mysql has this already [mysql.com] In the case of AES Encryption
Mysql has this already [mysql.com]
But in the case of having something asymmetric, something like this would be *incredibly* nice. I'd looove for a free software package to integrate something like OpenSSL in, so that I could encode a column using a certificate variable.
Still, Microsoft is doing a good thing overall.
Re:Good Thing (Score:5, Interesting)
For everyone else, the notable thing is that Microsoft has decided that unencrypted data is not secure on a server running their software.
Re:Good Thing (Score:2, Interesting)
Much more than just a patch (Score:5, Insightful)
"Security" isn't just something you fix with a bandaid, unlike "Security holes" which can often be fixed that way. Right now if you don't want crackers cracking into your databases, don't let them onto your database server box. SSL is a bit of a step up, because it gives you more granularity about who can do what once they're there, but it's still not the issue here. Storing the *entire* database encrypted with a single key that is known by the object that lets people access data is a bit more than a bandaid -- maybe it's an arm sling, but it's still an external issue.
Real database security is a major redesign - protecting against people who ask nicely is one thing, but designing the database system so that each data item owner's private data is encrypted with their own keys and shared fields are encrypted with shared keys and reading the raw disk instead of using the DBMS interfaces just gets you cyphertext is much more than external patches. Furthermore, it affects the users' interaction with the database, because now they've got to define which items should be visible to which users and manage the keys they use for that access.
Re:Much more than just a patch (Score:3, Interesting)
Re:Good Thing (Score:5, Informative)
This announcment refers to the encryption of columns (which, yes, mySQL has).
That said, Microsoft are correct in stating that the hard part is key management. It's a pain in the arse to make sure everything is kept where it needs to be, and is available for recoveries etc.
Re:Good Thing (Score:3, Informative)
Re:Good Thing (Score:2)
Until it becomes an open standard, I believe the encryption should continue to be done at the application level where database vendor independence can cont
Re:Good Thing (Score:2)
There's also the basic problem that proprietary encryption. Either in concept or implimentation tends not to actually work very well.
Microsofts default encryption pass (Score:5, Funny)
Re:Microsofts default encryption pass (Score:3, Funny)
- President Skroob
Re:Microsofts default encryption pass (Score:2, Informative)
Dark Helmet actually said that line in regard to President Skroob. In fact, after hearing the combination, Skroob exclaims that it's the same combination as his luggage. You can tell I've watched it for the umpteenth time
Re:Microsofts default encryption pass (Score:2)
Actually Dark Helmet said it to King of Droidia after hearing the combination to Droidia's Air Shield. Dark then told it to President Skroob later, and Skroob said that it's the same combination than in his luggage.
So, Dark Helmet said the line before realizing that Skroob's an idiot. It was said in regard of King of Druidia, not President Skroob.
Re:Microsofts default encryption pass (Score:3, Insightful)
I remember when I first installed WinNT on a computer, (shudder - glad I won't be doing that again). First thing I did was change the administrator account to another name and disabled the 'guest' account. Same thing with that stupid '1234' default password on my RT314 router from Netgear - changed it immediately. Even if the default password was
Repeat after me.. (Score:4, Insightful)
Encryption is not security....
Encryption is not security....
Encryption is not security....
Re:Repeat after me.. (Score:2)
And why not? And by that definition, is a password not security either?
Re:Repeat after me.. (Score:5, Informative)
Re:Repeat after me.. (Score:5, Insightful)
Your Transaction Is Pending... (Score:3, Interesting)
Your transaction was canceled waiting for the server operator to enter the database password. Please try again when the operator is back from lunch.
It does not really matter if the data is encrypted or not. Whatever agent is accessing the data has the password, and if it is compromised, the data is also compromised. Add to that, the encryption credentials must be stored somewhere, in which case it is vulnerable, or entered manually by an operator, in which case rebooting
Yes but... (Score:2)
In other words, yes, if you break an app, you get _it's_ data, but you don't get any data that other apps might have in the database. That's a significant win if you have a few applications, with only a small shared data set between them, as now sloppy code elsewhere _isn't_ your problem.
'Course, if you've got everything in one table
Re:Repeat after ME.. (Score:3, Insightful)
thats a foolish statement (Score:5, Informative)
security is about defense, in depth, of your data. simply putting out "bug-free" software will help, but it is not the be all and end all of security. there are other layers that your software relies upon that can be compromised.
strong encryption is a good way to *help* secure your data. sure, it is essentially security through obscurity, but even that has a bad rep.
realize this: if someone wants your data, they CAN get it. you might as well make them jump through some hurdles to get to it. hopefully by the time they crack your encryption the data would be useless anyhow.
also, security through obscurity does help ward off casual hackers. i know i certainly dont want to wait 4 weeks for john the ripper to crack some passwords. id just move on to easier targets.
Re:thats a foolish statement (Score:2)
If someone hacks in and has access to the machine, what stops them waiting around for a moment until someone uses the database, and grabs the password?
Also I don't understand how this will quite work, but I don't think it will stop sql injection etc.
Insightful (Score:2, Insightful)
How true...
(Note to self: remove encryption ASAP!)
Its MSFT bashing time... (Score:3, Funny)
Re:Its MSFT bashing time... (Score:5, Insightful)
Re:Its MSFT bashing time... (Score:3, Funny)
Re:Its MSFT bashing time... (Score:3, Funny)
No they arent, they are just not British
Re:Its MSFT bashing time... (Score:3, Informative)
I must admit it doesn't look like it has encryption (yet?), but it has everything else you mentioned, and it has SPEED.
And, Slashdotters, it's Open Source. So run up the flags for it! Why is everybody, but everybody, talking about MySQL when Firebird is just as free, has a LOT more funtions (the transaction handling is great), and it's FAST.
We use Firebird in a rather serious business environment, and have been very happy with it.
Have a look at http://www.firebirdsql.org/ff/foundation/FBFac
Re:Its MSFT bashing time... (Score:2)
I need them, which is why I use PostGreSQL.
Re:Its MSFT bashing time... (Score:2)
Nice, but... (Score:5, Insightful)
Re:Nice, but... (Score:2)
It's that eternal "but I need the system to be able to restart automagically from a crash" versus the "I need to enter the passphrase to bring up our app" conflict. Often, convenience wins over security. Or as they used to say:
secure, convenient, reliable, pick any two.
Re:Nice, but... (Score:2)
err I mean with microsofts history, err you know what I mean.. Just one more thing to update every week
Re:Nice, but... (Score:5, Insightful)
Because really, a person with enough determination can break any form of encryption by simply heading to the hardware store, buying a pair of pliers, and using them on the testicles of whatever unlucky bastard happens to know the 'key'.
Re:Nice, but... (Score:2, Funny)
Suddenly, the value of female sysadmins doubles...
Re:Nice, but... (Score:2)
Strap someone in a chair, and place an opened box of Bensons and a lighter just out of their reach. Every so often, light one up, inhale deeply, and blow a little smoke towards the victim {but not enough for them to get any nicotine out of it -- most of it should go away from the victim in order to add to their general sense of helplessness}.
A typical smoker will, if deprived of nicotine for long e
Am I the only one this bothers? (Score:5, Interesting)
I guess what I'm saying is that you can't compare closed source with Open Source. It would be dangerous to.
Re:Am I the only one this bothers? (Score:5, Insightful)
in the same way.... (Score:2)
Well I suppose I could replace them with better ones that wouldn't burn me, but hell they came with the car and
On the other hand pro-drivers will replace there air bags.
Re:Am I the only one this bothers? (Score:5, Insightful)
Since Windows XP, Microsoft has done almost a 180 (well...maybe like a 135........but still) in terms of security. They've put extensive security-related features into XPSP2 assuming it ever comes out, their newest server is locked down as tight as anything can be out of the box (although enabling stuff isn't difficult, it's not online by default) and they generally use standards-based encryption.
I think that MSSQL 2005 security will probably be very good. Or at least, *good enough* The government probably can read everything anyways -- but the point is, if Joe Hacker (or Jaing Hackerong) can't read it without expenditure of time and money beyond anything he would have access to, then the mission is accomplsihed.
The whole point of cryptography is not to keep people from reading what you're saying. It's to raise the cost of figuring it out so high that it's not worth it to most people to break.
The future's so bright, I avert my eyes (Score:5, Informative)
MSSQL 2005 security will probably be very good
I think you can understand why longtime Microsoft watchers will be kind of unimpressed by this sort of thing. We've heard it before. Sure, this may be the time (pretty much the first) that MS actually does what it says to the level that reasonable people expect, but positive statements about Microsoft products have historically been in the future tense.
"Windows 3.0 will make the Mac look hard to use."
"Windows 94 will be modern and stable and make the Mac look hard to use."
"Windows 97 will be modern and stable and integrate the Internet, and it will be as easy to use as a Mac."
"NT will be stable and crashless."
"NT 3 will be stable and crashless."
"NT 5 will be stable, secure, and crashless, and will be as easy to use as a Mac."
"XP will be stable, secure, and as easy to use as a Mac."
Every time I hear "but this time, Microsoft will get X right," the consensus after it comes out that Microsoft got X about 50% or not at all, and there are really serious drawbacks.
It's not like Linux ("KDE/Gnome/Eazel's new release will be as easy to use as Windows" or "the new Debian/Red Hat/Mandrake will be as easy to install as Windows") or Apple ("Mac OS X will be a gamer's dream platform" or "Copland will be modern, stable, and crashless, and will actually ship" or "Security update 05-24-2004 fixes the URL vulnerability") are immune, but they do get to point out areas where they excel currently rather than continually point at the next release.
It may be that this time, Microsoft will Get It about security. But you'll forgive the rest of us if we don't get too excited until we actually see the things in operation.
Re:Am I the only one this bothers? (Score:3, Informative)
so long as the option still exists (Score:2, Interesting)
and i seriously doubt microsoft would be able to figure out how to make it so that no third party encryption works with their database, nor would they want to, as their primary agenda right now is clearly security.
Explain (Score:2)
The point I was making is that many companies will believe that the MS encryption is all they need, and that will likely leave many systems open for attack, when the next round of security holes are uncovered.
That, and the point that you can't apply the same logic for closed source and ope
Re:Explain (Score:2, Interesting)
Come to think about it, how are they going to get around the law prohibiting the export of encryption out of the states? I suppose they'll need to ship a copy without encryption to overseas customers. In which case, international corporations may have compatibility issues...
Re:Am I the only one this bothers? (Score:2)
Conway's law: "Organizations which design systems are constrained to produce designs which are copies of the communication structures of these organizations."
Where does security fit within MS SQL's organization chart? How is security evaluated on performance reviews? Who determines the organization's structure?
With a mix of skills and interests, people generally like to do what they are good at, and people generally are good at w
Re:Am I the only one this bothers? (Score:2)
Should have known something was up (Score:3, Insightful)
Today I went to look up something and have found that the MSDN has turned into a giant advertisement for SQL server 2005 and if the useful information is still there it's buried.
It's really sad that today I looked up some syntax on the mySQL site and prayed it was the same on MSSQL.
I can completely understand why my customers don't like it when we change the layout of screens now.
Re:Should have known something was up (Score:4, Insightful)
Re:Should have known something was up (Score:2)
So then... (Score:4, Funny)
Re:So then... (Score:3, Funny)
In Related News... (Score:5, Funny)
sa/password (Score:5, Informative)
There is no default sa password...
onu! (Score:4, Funny)
Misleading (Score:5, Informative)
In SQL Server 2000 you would have to explicitly request "sa" to have a blank password, there is no way you can do this by accident. It even warns you in the installer that it is not recommended to leave "sa" with a blank password.
BTW, this behavior is present from version 1.0, it is not the result of a service pack or last minute security update.
Re:Misleading (Score:5, Informative)
The ones who didnt lost their jobs to india and have nothing to do but post on slashdot about how great mysql's security and encryption model is (actually, does it even have one?)
A DBA at one of my sites proudly called to tell me I can access the server over the internet. I thought he finally set up a VPN. Nope, a fixed internet IP on the database server. No sa password. Sheesh. He's unemployed, and deservedly so.
An SSL tunnel on port 1423 (maybe the wrong port I'm tired) has served me well when people dont want plain data being sniffed on the wire.
Authentication in a 2k+ domain is already more than solid enough for my liking (Kerberos + LDAP = better than any out of the box PAM setup I've ever seen). But oh yeah, microsoft sucks only open source is secure! Mod me up doubleplus groupthink.
Re:Misleading (Score:2)
No developer should ever install mission-critical servers or services. The company I work for has about 80 people (not counting the thousands employed by our owners, with whom we're busily merging), and we have two full-time DBAs. We (programmers) don't even get logins on the db boxes, or on the staging and live web servers. (W
Re:Misleading (Score:2)
Re:Misleading (Score:2)
BioInfo is fine, Bill and Karen had a baby:7.5 pounds, 21 inches, was born last week. Karen and the boy are doing fine.
Re:Misleading (Score:2)
Security by obscurity is a myth, making user tools harder to use is totally counterproductive and does not add to your security. A harder to use tool only means less people will use and that defeats the purpose.
sa account (Score:5, Informative)
While it was long over due, SQL Server 2000 already complains quite heavily if you try to set a blank password for sa. It allows it, but there are (unfortunately) applications that have been written with a hard coded connectionstring of sa with a blank password.
Re:sa account (Score:2)
Expect it to be gone completely eventually, once people have had time to change existing apps. In the same way, I also expect XP's asinine "all accounts are admin and passwordless by default" behaviour to change,
Hope they do a better job (Score:5, Insightful)
Encryption algorithms are hard to design well, but if you've got a good algorithm and understand the conditions for using it, you can use almost anybody's code for it, and most people these days understand that you need to use academically vetted stuff and not just roll your own snake oil. But encryption protocols and other forms of packaging for algorithms can be just as hard, and something as pervasive as Microsoft database programs will be very widely used by people who don't Read The Free Manual, which means that even if they design it very very well there'll still be people who use it for things it wasn't designed to do securely, because they're trying to do a much broader range of things.
This is a harder problem than basic SSL-for-Credit-Card-Numbers, which is trying to let the client enter some bits on an unprotected Windows box hanging off the Internet, pack them in an armored box, and ship them to a usually-almost-as-badly-protected server on a well-advertised Internet connection, and optionally do some validation on whether one or both ends are really the machines Verisign thinks they are. That's a pretty well-solved problem, though it took a while to iron out the design issues early on an iron out all the bugs in the code, but general-purpose solutions to "database security" are pretty hard.
Re:Hope they do a better job (Score:4, Informative)
There's still some minor issues, but unless you're protecting something that multiple, highly technical government spies with uber elite access are trying to get at, PPTP is good enough. Hell, if someone were that determined, I doubt they would choose PPTP as their point of attack. The odds that everything else is more secure are pretty freaking slim.
I disagree that Microsoft can't implement encryption techniques these days. I'm confident that since Microsoft first coded their implementation of PPTP, they've learned to pay more attention to security related features. Back then, vulnerabilities weren't nearly as big of an issue as they are today. Windows Server 2003 is proof that they're making a sincere effort now that the desire for "Secure out of the box" is high on the average customer's list of features. And what about L2TP (Another VPN protocol introduced with Windows 2000)? Know of any weaknesses in it? I can't find any articles with complaints about it and it's been around for several years.
How would you like it if you made a mistake 9 years ago, fixed it, and people still referenced it when arguing why you suck today?
-Lucas
Re:Hope they do a better job (Score:2)
Sorry, 8 years ago.
-Lucas
Re:Hope they do a better job (Score:2)
Dangerously close to spaf:
"Using encryption on the Internet is the equivalent of arranging an a
Re:Hope they do a better job (Score:2)
Re:Hope they do a better job (Score:2)
Read The Free Manual
It's "Read The Fucking Manual". I know you probably know that and are just trying to be politically correct, but I (and I suspect quite a few other people around here as well) actually find it more offensive if you patronize me like that. If you don't like the acronym, just don't use it...
Demos don't usually show security (Score:2)
A much harder thing to demonstrate is showing that there isn't either a big gaping
Reminds me of.... (Score:2, Interesting)
Oh great..... (Score:2, Interesting)
But seriously, can anyone guess if on-the-fly encryption will seriously impact a MS SQL 2K box? Do people see an impact on their MySQL boxes? I know it's not a very valid comparsion but I'm just trying to get an idea for future server scaling.
I give it four weeks... (Score:3, Funny)
db encryption == pointless (usually) (Score:5, Insightful)
If your web app needs to read credit cards out of the database, the account it runs under sees them in the clear, even if your db did super fancy encryption. If you don't want other users to see that data...GIVE THEM SEPARATE ACCOUNTS AND USE ACLS!!!!! Db encryption sounds good but is pointless in most scenarios.
Re:db encryption == pointless (usually) (Score:2)
Where are your offsite backups stored? Who has access to them? How are they transferred? I know of several companies whose database backups are physically taken to the bank by junior sysadmin staff - what if they were mugged, or their car was stolen while the backups were in transit? If you use an electronic solution to transfer your backups to a datawarehouse facility, who has access to your backup images on disk?
If someon
Re:db encryption == pointless (usually) (Score:2)
Then there's Lotus Notes, where binary images of a subset of each database are replicated to the user, allowing for offline database use, for example on a laptop. Of course the local user has admin access to all local data (Which makes sense, I guess; physic
ODBC (Score:4, Interesting)
How about FIPS ?? (Score:2, Interesting)
MS SQL Server 2005 Adds Security Features (Score:2, Funny)
Re:Interesting (Score:2)
pgp on top of sql server (Score:4, Informative)
What's the threat model, and other questions (Score:5, Insightful)
The obvious questions are:
- Are they trying to protect against a bad guy who has hacked the database server, and has disk level access to that box, but who has no application level credentials to accessing the data via the database?
- Or, are they trying to protect against a bad guy who has hacked an application server? In which case, said BadGuy presumably has a valid userid/password to retrieve data using boring but powerful queries such as "SELECT * FROM CUST-TABLE".
- Or, are they doing some nifty code signing thingy so that, unless the query is executed from a previously signed application, the query won't return plain text data.
Of course, there are other interesting questions here. Do they propose to encrypt the data on a row-by-row basis, in which case multi-row operations become exceedingly "interesting"? Do they propose to simply encrypt an entire table? How many keys will there be? Will you be able to rotate keys? If you can rotate keys, what happens to data encrypted under the old keys?So many questions, so few answers!
Embrace.. extend.. (Score:4, Informative)
CPU and scalability (Score:3, Informative)
The application tier, in contrast, is much more scalable. Clustering application components is tantamount to creating lots of digital workers. You can punch out a theoretical unlimitted number of workers, but your bottleneck are the resources used as inputs and outputs in your process... the data. You need one computer to hold the "master copy", or authority, of any piece of data.
It's very likely that since SQL Server doesn't run on the mainframe, and isn't easily scaled in most production environments today, that businesses will use this only for very essential requirements, such as social security, credit card numbers and passwords. In its logical progression, some sort of hardware acceleration option will be required to ensure this can be used on a larger scale without impacting the performance of the database server to do its basic tasks.
No need for SQL to be exposed to the web (Score:3, Informative)
Customers (Score:3, Insightful)
Having the whole thing encrypted stops competitors taking your 'business logic' (in your stored procedures) home for bedtime reading. If you keep some stuff unavailable until they buy licenses for it, you can stop them seeing how to 'switch it on' , too.
Rik
A-yuk A-yuk (Score:2)
That was MSDE not SQL Server.
Can we mod the story submitter -5 troll?
In my experience... (Score:3, Interesting)
If you are going to deploy the encrypted data into an untrusted location then you have a huge problem. If the data needs to be there in the first place then it must be unencrypted in order to be acted upon and then it is vulnerable anyway.
If you are going to deploy the encrypted data to a trudted location via an untrusted channel then a better solution is to encrypt the channel.
If you are going to store data from third parties in a central location and encrypt it to prevent unauthorised access then just let the third party submit encrypted data, however the RDBMS cannot use its RDBness on the data since it is encrypted.
If you are going to store third party data and act upon it then you have to decrpyt it, therefor have the keys, therefore the database itself is trusted, therefore just use access control rather than encryption. Encryption is 100% overhead.
I think this kind of proposal is 100% buzword compliance with no benefit whatsoever. The occasion where we encrypted rows in a table, we found the performance of the system was slaughtered and we were completely memory resident and used caching to ensure that we minimised the encryptions during a given transaction. Secondly we found that in the circumstances where we had some sensitive data that was needed on the client side to do calculations that are expensive, we had to reveal some aspect of the data in order to make it work and I am sure this will be true in any case. If you need to use the data, you need to decrypt it. We even thought about building an API that would implement a bunch of accessors that would return results based on the hidden data, but it was then that we had to reveal the common attributes of individual instances of the data. So instead we had to do it in the trusted environment.
What do all these experiences show? That if the client isn't trusted then there is no point encrypting. Which perhaps reveals Microsofts motive... to provide another lockout for those who do not subscribe to their trusted computing initiative!
Open Source has this already (Score:3, Interesting)
If you used such a kernel module to give you an encrypted file system, and used that fs type to mount your
If you want encryption between client and server, you can use OpenSSL. Of course, if you are accessing the database through a web-based app, then just use an SSL-aware version of Apache. It'll be unencrypted on the client-end PC, but presumably that's inside a locked office building.
Re:MS SQL Server 2005 Adds Security Features. (Score:5, Insightful)
Re:MS SQL Server 2005 Adds Security Features. (Score:2)
That's hardly MS's fault; blame the "admins" that set the webserver up, and the "programmers" who wrote the application.
Re:MS SQL Server 2005 Adds Security Features. (Score:2)
The chances are that you aren't going to be talking to MySQL directly through the command line client; instead, you will have some bit of a script or compiled programme for that. And therefore, there's really no need for MySQL to be able to overlap that much functionality with the scripting. Al
Re:MS is ahead of Open Source on encryption (Score:5, Informative)
Linux has supported encrypted filesystems for some time now; I've been using them for about a year. You can even encrypt your swapspace if you like.
Both MySQL and PostgreSQL can support encryption; it takes extra work, but so does any secure system.
Linux doesn't yet support encrypted binaries, true, but this is probably due to an overall lack-of-need rather than a lack-of-capability; Windows needs signed binaries because it tends to let anybody run software on a system, thanks to security holes. But then again, the source is there, so if you don't like the situation, write a patch. Or pay someone to write a patch. I'll wager that it'd be cheaper than a SQL server license.
Linux does support encrypted authentication; ever heard of 'Kerberos'? It's the same system that Windows 2000 started using a few years back, and Unix has had it for decades. IPsec on linux is a bit of a pain to set up with FreeS/WAN, yes, but 2.6 uses Kame, which is easier, and the Linux implementations have much better debugging features.
Linux does have its faults, don't get me wrong; the FS encryption could be better, and I wouldn't mind seeing encrypted binaries myself. But it's still far better than anything Microsoft has to offer.
Linux
Re:MS is ahead of Open Source on encryption (Score:5, Interesting)
The Open Source movement loves to talk about encryption and security, but it's all talk. Is there an open source email encryption protocol, which is implemented under a license which allows it to be linked in to all kinds of software? No, there's gpg, which is under GPL, which means it can only be used in other GPL software. Anyway, the author, Werner Koch, is so confused about security that he thinks that making it as a linkable library would somehow compromise security. D'ohh! Do any of the standard Linux filesystems (ext2, ext3, ReiserFS) support encryption? No. There are clunky loopback kludges you can wrap over them, but they have the drawback of being clunky kludge wrappers. If you want encryption, it needs to be done at the application layer. Given that this thread is about databases, how do Postgres and MySQL fare in that department? Can either of them produce PGP-signed database results? No (that gpg again). Can either Postgres or MySQL store data in encrypted formats? No again, unless it is implemented at the application layer.
1. Loopbacks can be "clunky" but they allow seperation of the encryption and the filesystem. I don't care about encrypting my discs, but that doesn't make it so encryption is unavailable for others to use. Plus, there is no way a new encrypted filesystem should get into the main Linux trunk any time soon. Why? Filesystems are critical to system stability. If the filesystem gets corrupted, the system is gone. Any new filesystem, encrypted or not, should have much testing done before it gets including in the main trunk.
2. MySQL support AES for table encryption and SSL for link encryption. This is far more than good enough for a database, considering that encryption isn't security (google for SQL insertion attacks). Besides, table data signing should belong at the application layer.
Ok, how about encryption on the network? Here we have some things to look up to. We have OpenSSL which is perfectly integrated into the Apache 2 server and a bunch of other places. That's good. We have OpenSSH which is effective, but somewhat brain-dead in that it provides a tunnel mechanism, but only so long as you keep a console open! D'ohh! Mercifully, Linux does have good ipsec support for tunneling.
OpenSSL is BSD, so your previous GPL argument goes out the window. It serves us well. Also, SSH for tunneling should be used for just that. There are many ways to make this work (look at the -N option) and there are a few applications where it is stupid or overkill to use SSH for tunneling. Use Stunnel [slashdot.org] instead (a generic SSL wrapper for TCP applications). Use the right tool for the job, silly.
Now let's look at other features in the Linux kernel. It has modes for running signed or encrypted ELF files, right? Wrong! Plain old plain-text should be good enough! Did someone forget support for accessing encrypted files? Guess so.
Accessing encrypted files is at the filesystem layer (which we already visited). Encrypted executables make no sense. Signed ones do, though, and that seems like a cool feature. I do not know if Linux can do executable signing at runtime or not.
Ok, but we must be doing better at the authentication level, right? Wrong! You get your choice of plain old passwords, s/key or RSA keys, and that's it. Tokens? We don't need no stinking tokens apparently.
Last I checked, Linux has support for many authentication models. I believe the authentication application is called Pluggable Authentication Modules (PAM).
Re:MS is ahead of Open Source on encryption (Score:5, Informative)
BTW, here's a good LDAPv3+SASL+KerberosV HowTo [bayour.com]
My god you are a troll. Oh, and as others have pointed out, encryption does not instantly make something secure.
Re:MS is ahead of Open Source on encryption (Score:2)
On FreeBSD 5.x, GBDE does transparent filesystem encryption very nicely. Since it encrypts a partition, you can even use it with DB servers that access raw partitions directly.
Re:MS is ahead of Open Source on encryption (Score:3, Insightful)
Re:can't export encryption out of the states. (Score:2)
Is it prohibited again? Silly. You can get OpenSSL [openssl.org] all over the world. What's the point?
Re:Wow! This is +5 Insightful!! (Score:2, Flamebait)
Everyone will get hacked, be it MS or Debian.
BTW, Debian was hacked due to a local exploit and a sniffed password. MS was probably cracked remotely, unless you can actually log into their web servers remotely :)
So there. MS is insecure, Debian is insecure, OpenBSD is insecure (see CVS holes), OSX is insecure, etc...... Yeap, most software is crap. That's why Linux has things like grsecurity.net, second line of defence. I don't know such things even exist for M