Interesting People mailing list archives
IP: more on microsoft dependence RE: Microsoft Breaks Netscape Rule In New Security Flaw
From: David Farber <dave () farber net>
Date: Mon, 07 Jan 2002 16:06:22 -0500
Date: Mon, 7 Jan 2002 11:55:25 -0800
From: Brad Templeton <brad () templetons com>
To: farber () cis upenn edu
Cc: webert () bellatlantic net

Tom, while your article is good to get out the basic message, the issues, as you may know, go deeper than you describe.

> >BREAK THE MICROSOFT HABIT: How many times has my computer been threatened
> >by a virus because holes in Microsoft Outlook made it easy for these

While people often find security windows in Microsoft products, this is not always because of bad software engineering at Microsoft. In many cases this is the result of software "monoculture." When 90% of people run a particular system, it is really only worthwhile to find windows into it. Finding a window into a linux program only gets you a tiny fraction of machines, so it's not nearly as "productive."

However, there are many advantages and economies of scale to software monoculture, so I'm not sure how much success calls against it will ever have.

> >FIREWALLS FOR EVERYONE: If you've got a computer that's connected to the
> >Internet, I can't imagine any reason why you wouldn't want a firewall on it.

Yes, that is the right advice today, but you might have wanted to note that many security experts believe it is not the most secure philosophy. The firewall approach means that once somebody is past the firewall, they get access to everything. If you can secure individual machines to the point that they don't need the firewall protection, you're going to have a much more secure environment. This is particularly important because no machine or firewall is fully secure, and firewalls just make a multi-breaking easier.

However, at the same time firewalls make local administration and use more convenient, because good security is inconvenient and we always make trade-offs between that security and convenience. Thus the question is, which type of security gives us the best trade-off?

Making the machines themselves secure without any user intervention is obviously good, and that's not a firewall approach. The people who design protocols and the programs that act as gateways into our machines for those protocols should have woken up by now, but there's a lot of old design out there too.

Firewalls come with a cost of inconvenience, however. For many, they are the barrier that stops innovative new applications from spreading on the net, like peer to peer apps, internet telephony etc. Firewalls violate the end to end principle of network design, usually.

> >
> >DON'T SHIELD SHODDY PRODUCTS: Liability is another way of deterring the

(Taken with another meaning, in fact, this would be an argument against firewalls. :-)

> >USE REGULATION, OR THREATEN TO: In the post-9/11 era, it's clear that
> >governments have an interest in information security. Lawmakers and
> >regulators should use 2002 to find innovative ways to encourage safer
> >systems without stifling innovation.

Hah. Let me put on my EFF hat and say that in fact government regulation has been the biggest barrier to getting security deployed in the market. Some forces in the government are afraid of good security in computers, and so acted (with remarkable success) to regulate encryption and stop it from getting deployed in consumer products. For shortsighted "Freeh" thinkers at the DoJ, a truly secure civilian computer infrastructure was their nightmare, because they wouldn't be able to wiretap it. And they got it. And after the laws were (at least partially) struck down, things are getting deployed but slowly.
For archives see: http://www.interesting-people.org/archives/interesting-people/