RE: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause

["David F. Skoll" <dfs () roaringpenguin com>]

On Sun, 18 Jan 2004, Wes Noonan wrote:

[...]

> Actually, A/V software protects against both. The most obvious example is
> heuristics.

I have a very powerful heuristic on my mail server:  I discard anything
with an .exe attachment.

A/V software that does any less is simply dangerous.  There is no need for
signatures or complex heuristics, when *any* executable arriving by e-mail
should be treated as dynamite and disposed of safely.

> Another example is through the extensibility of the virus
> signatures. While mounting /tmp noexec may protect against a wide class of
> threats, if a new threat comes out that it doesn't address, but that A/V
> software does, you are effectively screwed. Personally, I wouldn't bet my
> enterprise on that. Personally, I would do both.

As I've written before, there is no A/V software for Linux that protects
against Linux viruses.  I know dozens, and know of hundreds, of people who
run Linux, and I don't know a single one who runs such A/V software.
Of course, many of them do run A/V software, but it's to protect Windows
machines that are attached to the Linux ones.

> Actually, it does. New threats come out, new signatures come out.

Dropping anything that could possibly be an executable takes care of that
on the Windows side (plus not running software susceptible to macro viruses,
though those are all but extinct.)

[...]

> > I agree.  But a particular product or application *can* lead to
> > insecurity.

> Sure, but I think that your apparent belief that running A/V software leads
> to insecurity is false.

I never said that.  What I mean is that running Windows is likely to lead
to insecurity.  The A/V industry is simply a lucrative business built to
wrap band-aids around Windows' deficiencies.

> > Obviously, right now, I can't.  But there are plenty of large
> > organizations
> > using free software; HP claims to have made $2.5 billion in Linux-related
> > sales.

> Well then, it sounds like Linux isn't free anymore doesn't it?

I suspect that most of that is from hardware.

> No it won't, not necessarily at least. Not trying to get personal here, but
> let's look at your company and some of its products. You release them free
> with no support what so ever.

That is untrue.  I offer fanatical support for my products; just check
the MIMEDefang mailing list archives to see what people think of our level
of support. (http://lists.roaringpenguin.com/pipermail/mimedefang/)

Not all of our products are free (I'm not a free software zealot), and we
offer excellent commercial support for our commercial products.

> Simply put, open source is not a simple lower cost solution. There are more
> factors than just the price on the shrinkwrap.

Absolutely.  And those additional factors (better security, generally
better support, and no worries about BSA enforcement) only add to
Linux's cost advantage over Windows.

[...]

> Ah, but it is more than just being a Linux expert. It is being an expert in
> what this company is doing with Linux. Someone can know Linux quite well,
> but if they don't know how David modified it, what he did with it, what he
> didn't do with it - to the code level in many cases, then they are SOL.

I run bog-standard distros; I'm not a kernel hacker.  Just because I could
fool with the source code to Linux doesn't mean I want to.

> > No.  The fundamental problem with Windows is the problem that lead to
> > the creation of the anti-virus industry: Encoding of metadata in
> > filenames.
> > The fact that ".exe" on Windows means the same thing as turning on the
> > execute bit in UNIX has cost the world economy billions.  And it's
> > impossible
> > to change this without fundamentally changing Windows.  (Even this flaw
> > isn't a Microsoft innovation; it was first revealed in 1987 in the
> > infamous
> > CHRISTMA EXEC worm at IBM on the VM/370 system.)

> Well, I'm no developer so frankly I will leave this particular discussion to
> others.

No-one else wants to discuss it with me; they all seem to change the subject
when I bring it up. :-)

[...]

> I would disagree. Send them an RPM on redhat and have them run it. With
> increased user requests for functionality and usability (i.e. why can't I
> run this attachment), Linux and the relevant email clients will continue to
> be tugged in directions other than security.

Unfortunately, you may be right.  However, I think Linux developers are lucky
in that the system hasn't become popular until recently, when the dangers
of the Internet were readily apparent.  I'm optimistic, therefore, that
they won't repeat the same mistakes of Microsoft (which to be charitable,
was operating in a very different environment when it made its design
decisions.)

[...]

> No, I am claiming that all OS's can be hardened.

That is a tautology that is unhelpful in deciding which OS to choose.

> Each system requires
> different hardening steps. I would also contend, and have contended, that
> there is more to software than merely security.

In today's environment, software *must* be secure first, with usability added
on top of a secure base.  Microsoft systems take the opposite approach,
with dismal security consequences.

> Can Microsoft secure Windows
> faster than Linux can become usable. The jury is still out, though both are
> making their respective strides.

Unfortunately for Microsoft, it's cheaper and easier to make secure software
usable than insecure software secure.

[...]

> OK, so this is just another "use Linux" or "Microsoft is an evil monopoly"
> rant?

Not at all.  It's a simple statement that monopolies can afford to be
complacent, because they are monopolies.  The most effective way to
get Microsoft to secure its software is to provide a credible threat that
if it doesn't, it will lose its monopoly.  This is simple
economics, not childish name-calling.

> > You fail to refute it, because you cannot.

> Yes, in the same way that folks can neither prove or refute the existence of
> God.

Here's my argument in a nutshell:

Assumption 1: Within the bounds of legality, corporations should
maximize their profit.  (I agree with this; I'm a capitalist.)

Assumption 2: Within the bounds of legality, corporations should not
take actions that decrease their profit.

Assumption 3: It will cost Microsoft $X dollars to make Windows more
secure.

Assumption 4: If Microsoft does *not* make Windows more secure, it
will not lose revenue.  This assumption is based on personal
experience, recent court decisions stating that Microsoft has a
monopoly, plus postings on this list.

Conclusion: It is irrational for Microsoft to make Windows more secure.

Where's the hole?  If you agree with my assumptions (which I believe
are entirely reasonable), then the conclusion must follow.  The only
ways to break the cycle are:

1: Forcing software producers to secure their products through
legislation, regulation or liability lawsuits.

2: Paying for Microsoft to secure its software so it doesn't cost Microsoft
anything.

3: Making it clear that Microsoft will lose market share (and hence some
of its profit) unless it secures its products.

I don't know about you, but I certainly prefer (3) to (1) or (2).  Bruce
Schneier has floated (1), but I can't see it working with the state of
software engineering today.

> For me, neither Windows or Linux are "better". They both do good things and
> bad things, and as long as they meet my requirements they both get used when
> appropriate.

This kind of relativism is OK in most cases, but not on a security mailing
list.

Regards,

David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html