RE: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause

["Wes Noonan" <mailinglists () wjnconsulting com>]

> A/V software that does any less is simply dangerous.  There is no need for
> signatures or complex heuristics, when *any* executable arriving by e-mail
> should be treated as dynamite and disposed of safely.

It seems that you have shifted focus to email filtering only. There's
nothing wrong with this of course, but I think it shifts the discussion
some.
 
> As I've written before, there is no A/V software for Linux that protects
> against Linux viruses.  I know dozens, and know of hundreds, of people who
> run Linux, and I don't know a single one who runs such A/V software.
> Of course, many of them do run A/V software, but it's to protect Windows
> machines that are attached to the Linux ones.

Well, then it seems to me that the time is ripe for folks to start thinking
of ways to exploit all of these systems. Like most things, I suspect that it
is just a matter of time.
 
> Dropping anything that could possibly be an executable takes care of that
> on the Windows side (plus not running software susceptible to macro
> viruses,
> though those are all but extinct.)

Again, I think you have shifted to email only now, which changes the
discussion some. Sure, for email you can drop all .exes. There is more to
A/V than simply running on email servers though.

> I never said that.  What I mean is that running Windows is likely to lead
> to insecurity.  The A/V industry is simply a lucrative business built to
> wrap band-aids around Windows' deficiencies.

So is running any operating system. If you don't believe that, then you are
believing in the myth that solely by running something other than Windows
you are secure.
 
> That is untrue.  I offer fanatical support for my products; just check
> the MIMEDefang mailing list archives to see what people think of our level
> of support. (http://lists.roaringpenguin.com/pipermail/mimedefang/)
>
> Not all of our products are free (I'm not a free software zealot), and we
> offer excellent commercial support for our commercial products.

Sorry. I read "rp-pppoe is free software; it comes without warranty or
support. We regret that we cannot offer e-mail or telephone support for
rp-pppoe." and it seemed to me to illustrate my point quite well.
 
> Absolutely.  And those additional factors (better security, generally
> better support, and no worries about BSA enforcement) only add to
> Linux's cost advantage over Windows.

Well, there are plenty of TCO studies that don't quite come to that some
conclusion.

> I run bog-standard distros; I'm not a kernel hacker.  Just because I could
> fool with the source code to Linux doesn't mean I want to.

Sure, you don't. But that doesn't mean that Joe the admin didn't. And now
you have to figure it out. I'm not trying to just argue specific examples
though. I'm trying to illustrate the point with the examples.
 
> No-one else wants to discuss it with me; they all seem to change the
> subject
> when I bring it up. :-)

There might be a reason for that ;-)

> Unfortunately, you may be right.  However, I think Linux developers are
> lucky
> in that the system hasn't become popular until recently, when the dangers
> of the Internet were readily apparent.  I'm optimistic, therefore, that
> they won't repeat the same mistakes of Microsoft (which to be charitable,
> was operating in a very different environment when it made its design
> decisions.)

Hopefully not. As I mentioned, this is the race that I personally see in the
market. Does Microsoft fix the security issues that plagued it faster than
Linux fixes the usability issues that plagued it. Both are making pretty
significant leaps in their respective situations. For example, it is my
understanding that XP SP2 is supposed to enable the built in firewall by
default. Windows 2003 made great leaps towards securing the out of the box
installation (to the expense of usability IMO, but what the hell). On the
other side, Linux is infinitely more easy to install. It is also much easier
to install applications through the use of the various installer packages
that are being created.

> That is a tautology that is unhelpful in deciding which OS to choose.

No, I disagree. It is fundamental in deciding which OS to choose. It means
you should consider whether you have the means to harden the OS as required
by your environment.

> In today's environment, software *must* be secure first, with usability
> added
> on top of a secure base.  Microsoft systems take the opposite approach,
> with dismal security consequences.

That is because Microsoft's systems originally weren't designed in today's
environment. The ones that have been however have slowly been making that
turn.

> Unfortunately for Microsoft, it's cheaper and easier to make secure
> software
> usable than insecure software secure.

That remains to be seen. So far the market doesn't seem to bear that one
out.

> Not at all.  It's a simple statement that monopolies can afford to be
> complacent, because they are monopolies.  The most effective way to
> get Microsoft to secure its software is to provide a credible threat that
> if it doesn't, it will lose its monopoly.  This is simple
> economics, not childish name-calling.

And I would challenge you to prove that Microsoft has been complacent. Not
that they have made mistakes, but that they have been and continue to be
complacent. I'm not seeing that.

> Here's my argument in a nutshell:
>
> Assumption 1: Within the bounds of legality, corporations should
> maximize their profit.  (I agree with this; I'm a capitalist.)

Fine. Agreed.
 
> Assumption 2: Within the bounds of legality, corporations should not
> take actions that decrease their profit.

Fine. Agreed.

> Assumption 3: It will cost Microsoft $X dollars to make Windows more
> secure.

Yep. I'm with you.
 
> Assumption 4: If Microsoft does *not* make Windows more secure, it
> will not lose revenue.  This assumption is based on personal
> experience, recent court decisions stating that Microsoft has a
> monopoly, plus postings on this list.

This assumption can not be supported. Microsoft is making windows more
secure. This is a fact, not an opinion.

> Conclusion: It is irrational for Microsoft to make Windows more secure.

Without the support of assumption 4, your conclusion is flawed.
 
> Where's the hole?  If you agree with my assumptions (which I believe
> are entirely reasonable), then the conclusion must follow.  The only
> ways to break the cycle are:

The hole is in the fourth assumption.
 
> 1: Forcing software producers to secure their products through
> legislation, regulation or liability lawsuits.

Which is happening in many cases.
 
> 2: Paying for Microsoft to secure its software so it doesn't cost
> Microsoft
> anything.

Which is the nature of capitalism. This has been and will always happen.
Producers will always pass the cost of development to the end users, or in
the case of open source will pass the cost of support or maintenance. Heck,
look at your own software. You sell software to support not only that
development, but the development of software that you give away. Must have
one hell of a margin to be successful doing that. ;-)
 
> 3: Making it clear that Microsoft will lose market share (and hence some
> of its profit) unless it secures its products.

Um, this already happens. There are and have always been alternatives to
Microsoft. Microsoft wasn't born with 90+% market share, they took it.
 
> I don't know about you, but I certainly prefer (3) to (1) or (2).  Bruce
> Schneier has floated (1), but I can't see it working with the state of
> software engineering today.

Then I submit that you are looking at it entirely too cynical. #3 is most
certainly happening. Windows 2003 wasn't hardened out of the box because
Microsoft was bored and felt like f**king with all the folks used to "next,
next, finish" installs.
 
> > For me, neither Windows or Linux are "better". They both do good things
> and
> > bad things, and as long as they meet my requirements they both get used
> when
> > appropriate.
>
> This kind of relativism is OK in most cases, but not on a security mailing
> list.

Actually it is, primarily because security doesn't exist in a bubble. It
exists to support business and business is all about relativism. Far too
many security "professionals" seem to miss that point. It's not all about
the security. It's all about the business and security is just another
component sometimes more and sometimes less important than the other
components.

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html