Full Disclosure mailing list archives

Re: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause


From: "David F. Skoll" <dfs () roaringpenguin com>
Date: Sun, 18 Jan 2004 11:04:27 -0500 (EST)

On Sun, 18 Jan 2004, Wes Noonan wrote:

> > (I know that someone recently released code to do a "user-space" exec,
> > so mounting /tmp noexec is not 100% foolproof, but it's pretty good
> > protection.)

> Well then, IMO you might want to invest in virus protection.

Why?  Name one virus for Linux that AV software would have protected
against, that a noexec /tmp wouldn't have.

(It's hard enough to name a Linux virus; it's impossible to name a virus
that meets the latter conditions.)

> I'm curious, why is your solution which is not 100% foolproof "pretty good
> protection", but installing virus protection which is not 100% foolproof is
> a sham?

Because mounting /tmp noexec costs me nothing, whereas buying AV software
costs money.

> Really, it seems to me that a number of the "anti-virus scan" positions (and
> indeed most of the anti-Microsoft, anti-personal firewall, etc. positions)
> seem to have little substance beyond "I don't want to spend money".

That's a good enough reason for me. :-) I'm a tried-and-true
capitalist, and anything legal that decreases the cost of production
is something that will help my business, and something I'll embrace.
We're a 7-person shop with a budget of $0 for software.  I'd love to
see a Microsoft shop with a similar software budget.

Why should I spend money, time and energy trying to secure a basically
un-securable system, when I can not spend money, spend a whole lot
less time and energy, and have a more secure system?

One of the reasons Microsoft has such a terrible security record is
that it's a monopoly.  All the people who have posted "ah, yes, but
it's impractical to switch" are perpetuating insecure software.
Securing software costs a lot of money; if Microsoft knows it won't
lose market share even if it doesn't bother securing its software,
what possible motivation would it have to secure the software?  (As a
tried-and-true capitalist, *I* certainly wouldn't spend money securing
software in that situation.)

So unless you investigate alternative systems seriously, you're just
ensuring a monopoly situation, which guarantees bad software.
Complacency and defeatism have no place in the fight to secure our
computers.

--
David.
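The thread's technical point is the noexec mount on /tmp and the ways around it. The script below is an added example, not code from the post or from either participant: it parses /proc/mounts-format text (a constructed sample is embedded; the file-format rules are the real ones) and reports which of noexec, nosuid and nodev are missing on the mount that holds a given path. The function names mount_opts, has_opt and audit_path are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit the mount that holds a path for
# the noexec/nosuid/nodev options, using /proc/mounts-style input.
#
# /proc/mounts fields: device mountpoint fstype options dump pass.
# (The kernel escapes spaces in paths as \040; this sample has none.)
# The sample below is constructed for the example.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /var ext4 rw,relatime 0 0'

# mount_opts <mounts-text> <path>
# Prints the option string of the mount holding <path>: the entry whose
# mountpoint is the longest prefix of <path>. "/" matches every absolute path,
# so a path with no more specific mount falls back to the root filesystem.
mount_opts() {
    mounts=$1; path=$2
    printf '%s\n' "$mounts" | while read -r dev mnt fstype opts rest; do
        if [ "$mnt" = "/" ]; then
            printf '1 %s\n' "$opts"
        else
            case "$path" in
                "$mnt"|"$mnt"/*) printf '%s %s\n' "${#mnt}" "$opts" ;;
            esac
        fi
    done | sort -n | tail -n 1 | cut -d' ' -f2-
}

# has_opt <opts> <opt>: succeeds if comma-separated <opts> contains <opt> exactly
# (so "noexec" does not match the bare "exec" option, and vice versa).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_path <mounts-text> <path>
# Prints one line for <path> and returns 0 when noexec, nosuid and nodev are all
# set on its mount, 1 otherwise (listing what is missing).
audit_path() {
    mounts=$1; path=$2
    opts=$(mount_opts "$mounts" "$path")
    missing=""
    for want in noexec nosuid nodev; do
        has_opt "$opts" "$want" || missing="$missing${missing:+,}$want"
    done
    if [ -z "$missing" ]; then
        printf '%s ok (%s)\n' "$path" "$opts"
        return 0
    fi
    printf '%s MISSING:%s (%s)\n' "$path" "$missing" "$opts"
    return 1
}

# Run over the constructed sample; /dev/shm and /var/tmp will be flagged.
for p in /tmp /var/tmp /dev/shm; do
    audit_path "$SAMPLE_MOUNTS" "$p" || :
done

# On a live system, point it at the real table instead.
if [ -r /proc/mounts ]; then
    LIVE=$(cat /proc/mounts)
    audit_path "$LIVE" /tmp || :
fi
```

What noexec buys, and what it does not: with the option set, execve() on a file under that mount fails with EACCES, which stops the common "drop a binary in /tmp and run it" case. It does nothing against `sh /tmp/x.sh` or `perl /tmp/x.pl`, because the interpreter merely reads the file, and a user-space ELF loader of the kind the post mentions reads the bytes itself and maps them into anonymous memory without ever calling execve() on the file, which is why the post calls the mount option "pretty good" rather than foolproof. Pair it with nosuid and nodev, as the audit checks, and treat it as one layer rather than the whole defence.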

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
