On 12/26/2005 10:00 AM Dave Hinz mumbled something about the following:
On Sat, 24 Dec 2005 09:05:48 -0500, Odinn wrote:
On 12/23/2005 11:22 AM Dave Hinz mumbled something about the following:

Of course you have support. And if you have a problem where your boss
encourages blamestorming rather than solving problems with the
appropriate solutions, you need to upgrade your boss.

Online banking is a lot different than something used by the mortgage
companies internally. Firewalls in front of the web server, firewalls
between the app server and the database with commuications via IPSec.
OSes hardened. I'm sure you don't want your account to be hacked by
someone else.

Of course not. It's interesting that at least one online bank has gone
to shipping Knoppix (Linux) Live CDs to their customers for use of their
banking site. "Here's a hardened OS for your PC, to connect to us
with". Yeah, I can dig up a cite if you want to be confrontational.

Doesn't matter to me. Connecting to the bank's web interface is
considerably different than the server running the apps.

On top of the banks themselves, we have about 5 or 6 different audits
due to some govt regulation (SOX, SEC, Some California thing, etc).

Yes, I'm familiar with those.

It's not my boss who encourages blaming, it's the banks who want
assurance. They won't allow us to use Linux unless we pay for support
on it, and only a small portion of the banks we host will even allow
Linux (we host over 2000 banks online presense).

We must work in very different financial industries. Which is odd since
the banks whose names are probably on cards in your wallet, don't care
what OS we're running anything on. Even the more annoying ones.

2 of the banks who's cards are in my wallet I KNOW won't allow us to run
the apps/database on Linux unless we have a software assurance agreement
in place (we have to have it for ANY OS we have for them). RedHat and
SuSE (the only 2 64bit Linux versions we have working) both cost well
over $1200 a year for their server licensing.

5 years ago we had a guy saying much the same thing you are. We made
the changes anyway, where appropriate, and the sky continued to not
fall, the customers (banks) continued not to stay away in droves, the
auditors (internal, government, and "sent by customers") just want to
see the vulnerabilities and what we've done about them; not what kernel
a piece of hardware is running.

It's not about the kernel, it's about having someone responsible for an
issue. Running Linux isn't the problem, it's running a version with no
support.

Maybe it's not your boss, who needs the upgrading.


I just go by what we are told. We were told we had to have licensed
software for those reasons I mentioned. I'm not the one paying for
them, it's ultimately the bank that pays for those licenses, so they
dictate what they want to pay for.

--
Odinn