Full Disclosure mailing list archives

RE: Re: January 15 is Personal Firewall Day, help the cause


From: "James Patterson Wicks" <pwicks () oxygen com>
Date: Thu, 15 Jan 2004 18:27:37 -0500

And we all know that there are no flaws in Linux security, right?

--------------------------------------------------------------------------------
Security group warns of hole in Linux kernel - http://www.infoworld.com/article/04/01/05/HNlinuxhole_1.html

Flaws raise red flag on Linux security - 
http://www.computerworld.co.nz/news.nsf/UNID/ECE4790310BB04F7CC256E1900083AC2?OpenDocument

Hackers Attack Debian Linux - 
http://enterprise-linux-it.newsfactor.com/story.xhtml?story_title=Hackers_Attack_Debian_Linux&story_id=22748&category=distributions

I could go on, but you all get the picture . . . .
--------------------------------------------------------------------------------

Is Linux by nature more secure than Windows?  Of course.
Are any operating systems totally secure and without flaws?  Of course not.
Can an average user set up and operate a Linux desktop easier than a Windows desktop?  Of course not.  The 
functionality that Windows desktops users are accustomed to is not easily duplicated in Linux desktops, especially when 
it comes to video editing software and games.

Many people jumping on their soapboxes calling Windows everything but a child of God have something in common - they 
are very good at using Linux and have found a way to function in the home and/or work environment without it.  It does 
not take a rocket scientist to use a Linux system, but it takes a lot longer to learn to use Linux effectively than it 
does Windows.  That is time that businesses and home users are not willing to commit to.  And yes, that unwillingness 
comes at a cost - security.

Bill Gates created an imperfect product, rushed it to market and dominated the market.  He continues to make a product 
that focuses on ease-of-use rather than security.  Does he suck for having such an awful business focus?  Yes, but then 
again he's a billionaire and I'm begging the boss to pay for a better hotel at the Networker conference.

The reason Windows is so popular is that the average Joe can go to Walmart, buy a complete Windows XP PC for about $500 
and send out an e-mail in about an hour.  Is his system fully secure out of the box?  Heck no, no system is.  You have 
to work to secure any operating system, you just need more skill/training to secure a Linux system.

What does Joe have to do to make his Windows XP system somewhat secure?
        - Install a personal firewall (with basic IDS features)
        - Install an anti-virus program
        - Apply all of the critical updates
        - Install an anti-spyware application like Spybot or Ad-Aware 
        - Make sure that his computer, firewall, anti-spyware and anti-virus applications stay updated.

Now, does the average Windows user do this?  Of course not.
Since the average user fails to perform basic maintenance and software updates on a Windows-based system, just how in 
the heck do you expect him to learn Linux command-line syntax and how to compile a Linux operating system when new 
kernel flaws are found?  Can he use the web and an x-windows interface to secure his system?  Possibly, but to suggest 
that you can properly secure a Linux system without using the command-line interface is being coy and deceptive.

This whole "Linux is the answer for the average home user" is a fantasy.  If Grandma Bessie in the mountains of West 
Virginia has to take a couple of Linux classes at the local community college just to email her grandkids, then I think 
that she might just opt to just call them on Sundays. 

While I feel this whole "Personal Firewall Day" is just some marketing gimmick, I do feel there is still a need to 
educate Windows OS users on what basic home computer security is about.

And how to download the Mozilla browser . . . . 
;)




-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of David F.
Skoll
Sent: Thursday, January 15, 2004 3:37 PM
To: Exibar
Cc: tlarholm () pivx com; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Re: January 15 is Personal Firewall Day,
help the cause


On Thu, 15 Jan 2004, Exibar wrote:

 But not 100% safe though...  there are Linux viruses,

Such as ... ?

what about all those e-mails that
try to steal my SS# and CC#'s?

Never had one of those, because our anti-spam system blocks them.

Education is the key, not the OS that you run or don't run.

That's not entirely true; the OS makes a huge difference.

A default install of a modern Linux distro includes firewalling rules
by default, and is fairly safe.

there aren't any holes in that Linux distro?

There are, but none are exploitable remotely on our systems.

there sure are, plenty of them.  Oh, so the Personal Firewall is
protecting the user... interesting, aren't there Personal Firewalls
for Windows OS's?  Tons of them....

Linux has them built-in, and on modern distributions, turned on by default.

Because it is impossible to use Windows safely; the very design of the
operating system is flawed.  This is not just my opinion; it's also that
of Bruce Schneier and many other people, some of whom lost their jobs

  it IS possible to use Windows safely, with Education of the user.

It's probably also possible to weld safely while standing knee-deep in
gasoline.  You just have to be really careful.

Or you can start with a secure foundation and then add user-education.

I don't buy that you block them ONLY to save disk space and stop
annoying messages...  don't buy it at all....

I don't care what you buy or don't buy, but it's the truth.  We don't
run Windows, so we aren't susceptible to the viruses in the wild.

We have since 1999, and haven't had any problem.  If you don't use
Windows, you don't need anti-virus software.

 Ignorance is bliss they say...  If you honestly and truly believe
what you say, more power to you.  I honestly hope that nothing bad
happens to your systems due to a virus outbreak that A/V software
would have taken care of....

There is no A/V virus designed to protect Linux systems.  There is
A/V software that runs on Linux, but it's designed to catch Windows
viruses.

I've been in the computer security business for a while now; I think
I know what I'm doing.

Regards,

David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



