This from the GNOME sysadmin team via Slashdot:

We've discovered evidence of an intrusion on the server hosting www.gnome.org and other gnome.org websites. At the present time, we think that the released gnome sources and the gnome source code repository are unaffected.

Wow.  In the last six months, Debian, Gentoo, and GNU (twice!) were compromised. Now GNOME... say what you will about the state of things with Windows servers - goodness knows it's not perfect.  Just how hard is it to harden a Linux server on the net, when the sysadmins of these übervisible websites can't get it right?

I first had my eyes opened wide to the threat of widespread security problems while I was working for MS PSS, on the IIS team, during that wonderful summer of Code Red, Code Blue, Code Red II, Nimda... there was more, but I've lost count.  Staying up until all hours of the night helping the world's sysadmins that had been caught with their pants around their ankles (so to speak) led me to make a promise to myself - that I was never going to work for a company that allowed security and patch management to be so slack.

When I joined my current company, in my first week I decided to get an idea of what the security situation was - it took me two days to get all the data, format it, and determine a good course of action.  As fate would have it, a new critical patch was released during those two days, rendering my work obsolete... that pissed me off like I'm sure all too many of you would understand.

In the ensuing 6 months, I took HFNetChk's XML output, built an app that would scan Active Directory for servers, use HFNetChk to scan them, wrap the XML up, ship it to a central webservice, and used ASP.Net to put together a decent looking (I'm no designer, but I thought it looked good) reporting website.  Now, we've got all 26 sites polling and submitting data for over 2000 servers worldwide, and we know exactly which servers need what as soon as Microsoft releases a patch.  SMS 2003 and Group Policy handle the workstations - not my jurisdiction.  It's special, and I'm damn proud of it, but I'm sure a good percentage of the people reading this could do the same - but have you?  Have you decided to pick up NetIQ's Security Analyzer, or some other tool to do your patch management?  What's your story?

Microsoft's Security Summit is coming up, and there's actually a breakout session scheduled for Patch Management - I'll be there... in Raleigh, not the previously reported Charlotte - longish, boring story.  Are you planning on going?  Why?  Why not?  It is, after all, free.

- G



This work is licensed under a Creative Commons License.