Firewall Wizards mailing list archives

RE: Worms, Air Gaps and Responsibility


From: "Mark Gumennik" <mgumennik () mitre org>
Date: Tue, 11 May 2004 10:49:25 -0400

What happened to the freedom of speech (opinions?). Personal humiliation is
a very nice way to suppress the opponent, so now I have to write this email
instead of painting my garage door (nice weather here). I have to restrict
myself only to answering your (mostly personal) questions and promise not to
reply to any more remarks on the subject. 

Gwendolynn ferch Elydyr:
* Uhhhh. Too much coffee? Sugar?
-----Sorry, I am doing Atkins at the moment, no coffee or sugar

* That's quite a leap of logic you're making.  You've basically gone:

        (1)     Put Linux on the desktop                        [statement]
        (2)     Install bells and whistles                      [presumption]
        (3)     Linux is as vulnerable as Microsoft             [conclusion]
----All three of the above are statements: we are discussing Linux on a
desktop, bells and whistles is what users want (statement), and according to
bugtraq the third statement is true with an equal amount of services
installed.
---Now if you, O' Great Teacher, want to watch my logic (which I thought
was obvious), read the next paragraph. Sorry for disobedience.

* ...that you've left out NIS/NIS+, LDAP, Radius and Kerberos suggests to me
that you're not very familiar with what's available for AAA under Linux.
-----I have done a good deal of administering firewalls, desktops, routers,
email, remote access (everything you mentioned plus TACACS and Ace), never
administered NIS, thanks GD. From http://www.linux-nis.org: "Linux machines
...can also act as full NIS+ clients, this support is in beta stage." Does
this look like mature technology? Is it scalable? Is it stable? Running LDAP
is mostly good for user lookup; Radius is a great tool for remote user
administration. You forgot to mention more user databases: e-mail, printers,
group permissions, share permissions, and more. Now you have half a dozen
different databases which need to have connectors between them (oh, btw you
have to customize some of the connectors and code the others, AND you have
to administer them, so you need much more administrators and programmers, go
IS!). You now have to enforce password policies on all of them. After that
you obviously suspect the users to change their 25 letter passwords every
month and on all (5) databases. The result: you end up with for-life
passwords for e-mail, LDAP, network shares, and secure intranets. The fact
that they are carried by Kerberos becomes almost irrelevant once they are
compromised.
So how do we synchronize the user names / passwords? X-500 (and X-400
connector) comes to mind (btw originated in Switzerland, not US). The fact that
you did not mention such an important topic suggests to me that you're not very
familiar with the process of user support and the X-500 technologies (sorry,
I'm using your methods / terminology). 
Hence: AD and NDS. They do scale, they are stable and they provide much more
than X-500 (statement) 
-----Years ago I developed a formula for successful network administration
(when I was actually doing it): The fact that you CAN do it does not mean
that you WILL do it. For example you can use a 300-line ACL on your internal
router, it will work just fine for security, but you will kill your backbone
(I do have some actual data from last year experimentation). Can you use
Linux on a desktop? - yes; will you? - need real numbers, not the ones that
come from Red Hat.

* That aside, if you're trying to suggest that government and corporate
sponsorship is somehow putting malicious code in Linux, you should also
suggest the same of Microsoft and Novell - and any number of other
entities.  While you're at it - do audit the windows source code.
-----I have no doubt that ALL of them put some kind of backdoors in the
software. The degree of responsibility is different (and the amount of
potential lawsuit money).

*I'm glad that the other folks that I know at Mitre aren't at your level
---- Thanks for measuring me. I have been measured against numerous
standards and usually my level is not very high with ass-kissers,
bureaucrats and demagogues.  The rest of the world is fine.
----on the subject: Mitre is here to develop, absorb and promote the best
technologies, sorry dunnow anybody at reptiles.org, nice to meet you

*Can't handle AAA on Linux
---Did I say it? - very convenient substitution again. I said it takes much
more effort to handle AAA in .nix environment on a desktop, that's why NDS
and AD. And they are not free even on Linux

*Are deeply suspicious of non-US governments
-----Yes I am. Especially as an immigrant who has seen other governments
operate.  The main function of any government is to suppress the freedom by
definition; the difference is how they operate (source: Machiavelli,
Plutarch, Guy Platonic, George Orwell, etc. Did not see it in the net admin
guides)
   

Paul D. Robertson
* Now, the real point (since you obviously missed it) that everyone was
making in regards to your original argument about vulnerabilities is that
Linux only looks bad when you count all the silly things that nobody sane
would install on a corporate desktop.  Trying to turn that from "more
vulnerabilities on bugtrack (sic)" to "equal" is disingenuous when you're
trying to stand behind a point, since I already said "about equal." ..I
don't need to open RPC to anything other than loopback for Linux on the
desktop (and rarely even there.)  In fact, I tend to turn *off* more things
than I turn *on* for a Linux machine when I'm configuring it from a default
install. Furthermore, I'm capable of running almost all services at a priv.
level less than local administrator- which doesn't make the vulns equivalent.

----Do you consider yourself an average user?
---Sorry to inform you that under MS environment if you only give your users
"User" rights instead of "local Admin" you don't need to bother about 99% of
vulnerabilities of the OS since they (and a Joe Hacker) cannot install any
new code. You can run your patches under "run as" identity starting with
w2k. I have done it during my consulting years and it worked even under NT.
Also you probably are missing the point that users today want a rich desktop.
You can (and shall) take it away in a bank environment, but not in a general
office, like their ability to point and click on the network (vs. ftp from a
command line?).
----Slightly off topic but close: I've been watching RH prepare an attack
on the free software community for a long time and finally one more evil
empire was born. Bow. Obey. Base your calculations on their "corporate"
prices. Good boy.

* Mitre never used to be so attention-starved- are you waiting on a
clearance?
---- I do not represent Mitre here.
-----I do have the clearance and am not due for review any time soon, will
probably be on SSI by that time considering my age :-).

*Since AD is based upon Kerberos for its default primary
authentication mechanism, I don't see how you come to the conclusion that
AD is any more "built-in FOR THE DESKTOPS" than Kerberos. Nice use of
caps - NOT! Lose the baggage and bring some facts, ok?
----fact: you need to administer Kerberos in .nix environment. fact: You
don't need to administer it in MS environment. Read the last statement
twice. 
To the list: A couple of years ago I tried to sniff the difference between
Kerb v.5 and MS and could not come up with meaningful data (did not have
time). Anybody has more info?


Ron DuFresne:
the German government now directs Linux security?  you do have pointers to
this to back up such a claim?

-----"Sponsors" not "directs", and I said governments (plural) which you
somehow dropped. From today's Google:
http://www.heise.de/newsticker/meldung/6918
http://news.osdir.com/article149.html
http://www.linux-kongress.org/helpus.html
http://news.com.com/2104-1001_3-983204.html
http://www.linuxsecurity.com.br/sections.php?op=imprime&artid=2

Devdas Bhagat
With a Linux/Unix desktop running X and remote applications, the real
requirements come down from 100 desktops to ten beefier boxes 
----do you propose to give 10 boxes instead of 100 to 100 users? - back to
mainframe? - again confusing the issues of security devices (servers) OS (MS
is a no-no) and the desktop infrastructure. AAA at the perimeter is still
different from the AAA at the desktop.
-----

Cheers
Mark 
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards