Full Disclosure mailing list archives
RE: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause
From: "Wes Noonan" <mailinglists () wjnconsulting com>
Date: Sun, 18 Jan 2004 19:59:49 -0600
> A/V software that does any less is simply dangerous. There is no need for signatures or complex heuristics, when *any* executable arriving by e-mail should be treated as dynamite and disposed of safely.
It seems that you have shifted focus to email filtering only. There's nothing wrong with this of course, but I think it shifts the discussion some.
> As I've written before, there is no A/V software for Linux that protects against Linux viruses. I know dozens, and know of hundreds, of people who run Linux, and I don't know a single one who runs such A/V software. Of course, many of them do run A/V software, but it's to protect Windows machines that are attached to the Linux ones.
Well, then it seems to me that the time is ripe for folks to start thinking of ways to exploit all of these systems. Like most things, I suspect that it is just a matter of time.
> Dropping anything that could possibly be an executable takes care of that on the Windows side (plus not running software susceptible to macro viruses, though those are all but extinct.)
Again, I think you have shifted to email only now, which changes the discussion some. Sure, for email you can drop all .exes. There is more to A/V than simply running on email servers though.
> I never said that. What I mean is that running Windows is likely to lead to insecurity. The A/V industry is simply a lucrative business built to wrap band-aids around Windows' deficiencies.
So is running any operating system. If you don't believe that, then you are believing in the myth that solely by running something other than Windows you are secure.
> That is untrue. I offer fanatical support for my products; just check the MIMEDefang mailing list archives to see what people think of our level of support. (http://lists.roaringpenguin.com/pipermail/mimedefang/) Not all of our products are free (I'm not a free software zealot), and we offer excellent commercial support for our commercial products.
Sorry. I read "rp-pppoe is free software; it comes without warranty or support. We regret that we cannot offer e-mail or telephone support for rp-pppoe." and it seemed to me to illustrate my point quite well.
> Absolutely. And those additional factors (better security, generally better support, and no worries about BSA enforcement) only add to Linux's cost advantage over Windows.
Well, there are plenty of TCO studies that don't quite come to that same conclusion.
> I run bog-standard distros; I'm not a kernel hacker. Just because I could fool with the source code to Linux doesn't mean I want to.
Sure, you don't. But that doesn't mean that Joe the admin didn't. And now you have to figure it out. I'm not trying to just argue specific examples though. I'm trying to illustrate the point with the examples.
> No-one else wants to discuss it with me; they all seem to change the subject when I bring it up. :-)
There might be a reason for that ;-)
> Unfortunately, you may be right. However, I think Linux developers are lucky in that the system hasn't become popular until recently, when the dangers of the Internet were readily apparent. I'm optimistic, therefore, that they won't repeat the same mistakes of Microsoft (which, to be charitable, was operating in a very different environment when it made its design decisions.)
Hopefully not. As I mentioned, this is the race that I personally see in the market: does Microsoft fix the security issues that plagued it faster than Linux fixes the usability issues that plagued it? Both are making pretty significant leaps in their respective situations. For example, it is my understanding that XP SP2 is supposed to enable the built-in firewall by default. Windows 2003 made great leaps towards securing the out-of-the-box installation (at the expense of usability IMO, but what the hell). On the other side, Linux is infinitely easier to install. It is also much easier to install applications through the use of the various installer packages that are being created.
> That is a tautology that is unhelpful in deciding which OS to choose.
No, I disagree. It is fundamental in deciding which OS to choose. It means you should consider whether you have the means to harden the OS as required by your environment.
> In today's environment, software *must* be secure first, with usability added on top of a secure base. Microsoft systems take the opposite approach, with dismal security consequences.
That is because Microsoft's systems originally weren't designed in today's environment. The ones that have been, however, have slowly been making that turn.
> Unfortunately for Microsoft, it's cheaper and easier to make secure software usable than insecure software secure.
That remains to be seen. So far the market doesn't seem to bear that one out.
> Not at all. It's a simple statement that monopolies can afford to be complacent, because they are monopolies. The most effective way to get Microsoft to secure its software is to provide a credible threat that if it doesn't, it will lose its monopoly. This is simple economics, not childish name-calling.
And I would challenge you to prove that Microsoft has been complacent. Not that they have made mistakes, but that they have been and continue to be complacent. I'm not seeing that.
> Here's my argument in a nutshell: Assumption 1: Within the bounds of legality, corporations should maximize their profit. (I agree with this; I'm a capitalist.)
Fine. Agreed.
> Assumption 2: Within the bounds of legality, corporations should not take actions that decrease their profit.
Fine. Agreed.
> Assumption 3: It will cost Microsoft $X dollars to make Windows more secure.
Yep. I'm with you.
> Assumption 4: If Microsoft does *not* make Windows more secure, it will not lose revenue. This assumption is based on personal experience, recent court decisions stating that Microsoft has a monopoly, plus postings on this list.
This assumption cannot be supported. Microsoft is making Windows more secure. This is a fact, not an opinion.
> Conclusion: It is irrational for Microsoft to make Windows more secure.
Without the support of assumption 4, your conclusion is flawed.
> Where's the hole? If you agree with my assumptions (which I believe are entirely reasonable), then the conclusion must follow. The only ways to break the cycle are:
The hole is in the fourth assumption.
> 1: Forcing software producers to secure their products through legislation, regulation or liability lawsuits.
Which is happening in many cases.
> 2: Paying for Microsoft to secure its software so it doesn't cost Microsoft anything.
Which is the nature of capitalism. This has always happened and always will. Producers will always pass the cost of development to the end users, or, in the case of open source, will pass on the cost of support or maintenance. Heck, look at your own software. You sell software to support not only that development, but the development of software that you give away. Must have one hell of a margin to be successful doing that. ;-)
> 3: Making it clear that Microsoft will lose market share (and hence some of its profit) unless it secures its products.
Um, this already happens. There are and have always been alternatives to Microsoft. Microsoft wasn't born with 90+% market share, they took it.
> I don't know about you, but I certainly prefer (3) to (1) or (2). Bruce Schneier has floated (1), but I can't see it working with the state of software engineering today.
Then I submit that you are looking at it entirely too cynically. #3 is most certainly happening. Windows 2003 wasn't hardened out of the box because Microsoft was bored and felt like f**king with all the folks used to "next, next, finish" installs.
> > For me, neither Windows nor Linux is "better". They both do good things and bad things, and as long as they meet my requirements they both get used when appropriate.
> This kind of relativism is OK in most cases, but not on a security mailing list.
Actually it is, primarily because security doesn't exist in a bubble. It exists to support business, and business is all about relativism. Far too many security "professionals" seem to miss that point. It's not all about the security. It's all about the business, and security is just another component, sometimes more and sometimes less important than the other components.

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com