RE: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause

["David F. Skoll" <dfs () roaringpenguin com>]

On Sun, 18 Jan 2004, Wes Noonan wrote:

> > rp-pppoe is an old, stable product that hasn't changed in 2+ years and
> > is shipped by all major Linux distributions.  People wanting support can
> > obtain it from their Linux distro vendor.  (Unlike Microsoft:  When
> > Microsoft end-of-lifes a product, you're out of luck.)

> I always get a kick out of this. MS (and everyone else) EOL's stuff because
> better and in many cases more secure solutions are out there. Rather than
> moving to them though, people complain first about how wrong it is to expect
> them to move then second about how insecure the product is (though the order
> sometimes changes).

rp-pppoe is EOL'd as far as support from me goes.  It's not EOL'd
for people to use.  It implements a dead-simple protocol using dead-simple
code; there's not really anything more that can (or should) be done with it.

> > Yeah, I know.  Funny who the sponsor of those studies is, really...

> Sure, no real difference from the ones pushing Linux as lower cost though
> now, is it?

I suppose.

> > I can assure you that "Joe the admin" won't hack the Linux kernel. :-)
> > I've
> > met lots of sysadmins, and they have enough to do without modifying Linux.

> And yet to effectively harden Linux in many cases that is exactly what Joe
> the admin has to do (modify Linux).

Uh, no.  Where do you get that from?

If you think editing configuration files and changing settings is "modifying
Linux", then I can equally claim you have to "modify Windows" to harden
it.

> > The point is badly-taken, because administrators don't modify the
> > source to production systems (any more than a Windows admin would
> > patch the Windows kernel with binary patches of his own.)

> Really? I know plenty of Linux admins that do that (recompile) to customize
> the product. In fact, many of them point to this as a reason for choosing
> Linux over Windows.

Recompiling is not modifying.

> > Let's suppose that Microsoft didn't make Windows any more secure.
> > Would you recommend to your clients to look at alternative
> > systems?  Would you think seriously about switching yourself?  If
> > yes: Congratulations!  If no: you're like most of the other
> > respondents on this list, and (sadly) like most people I
> > encounter.

> Once again, you are looking at it solely from the security perspective.
> While that is fine and dandy, there are other perspectives that factor into
> the decision. That is probably why most of the other respondents on this
> list and most people you encounter think that way. That is why everyone I
> have run across does.

So you're proving my point. ;-)  What possible incentive could Microsoft
have to improve its security, if you (and others) answer my question
the way you do?  (I'd actually appreciate a "Yes" or "No" answer rather
than a paragraph.)

> > Furthermore, the free software we give away is a terrific marketing
> > tool for our commercial software.  Our software is installed on the
> > e-mail gateways of huge multinationals; there's no way we could have
> > penetrated those markets with traditional commercial software.
> > However, once our free software is in, people start taking our
> > commercial software (which is based on the free software) a lot more
> > seriously.

> Oddly, this sounds an awful lot like Microsoft's Internet Explorer policy
> and Office policy before that. Of course, that couldn't be because Microsoft
> is an evil monopoly ;-)

Except we give out source code and permission to modify it and have it
audited for security (even for our commercial software.)

We also don't have the means to bundle software on PC's to kickstart our
market share.  We can only do that through high quality software.

> > The methods they used to take it are what raise such passion and ire in
> > some quarters.  For example, do you think that Microsoft used legitimate
> > business tactics to take the browser market from Netscape?

> Yes, I happen to think they did. I'm sure at this point you will tell me how
> wrong I am though.

Of course I think you're wrong.  They essentially dumped IE on the market
in order to kill Netscape.

But that's OK.  Linux is doing to MS what MS did to Netscape, except through
ethical means rather than dumping.

> Really? I would wager that profit should be the first priority, but that's
> just me... and most of the business community. The goal isn't to be secure.
> The goal is to make money. Everything else is a secondary effect. Slowly,
> technology professionals are starting to learn that business acumen though.

I'll rephrase it:  Today, insecurity is one of the most important threats
to a business's profit.

Regards,

David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html