Educause Security Discussion mailing list archives

Re: Spaf did not receive your email (was Re: Job Descriptions)


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Wed, 26 Feb 2003 19:49:21 -0500

At 17:57 -0500 2/26/03, Bruhn, Mark S. wrote:
> This is an age-old discussion and issue -- not whether security people
> should personally boycott MS products, which I suppose we could discuss
> as well, but whether we should (and in fact can, given alternatives)
> actively attempt to influence our communities to avoid MS products.

Let me be clear -- I am not advocating a boycott of MS products.

However, I do think it is incumbent on us to help discourage
dangerous behaviors.  We know that some software and configurations
are more dangerous than others.   Our user population may not know
that -- my own informal polling indicates most end-users believe all
software is equivalent in risk.

Think of it as being similar to banning smoking in the workplace, or
encouraging people who ride in your car to fasten the seatbelt.   Or
compare it to forcing users to use Kerberos or token cards instead of
passwords.  We know that they may resist at first, but it makes our
systems more secure and decreases the risk.   Why can't we do that
with applications too?

Some behaviors are much more dangerous than others.   Sending Word
documents is more dangerous than sending PDF or plain ASCII (and it
is also more wasteful of space).   Using Apache is generally safer
than running IIS.    Using Eudora or Mac Mail or elm or.... is
generally safer than using Outlook.


> I'm sure someone knows the statistics -- I would guess 65% of our
> community use Windows and MS products.  We can certainly grouse about
> that and strongly encourage them to use something else (What?  Someone
> could start by listing the suite of products that equate), but the
> reality is that they are not going to stop using that suite of
> applications, and we're going to have to spend time on helping them
> secure them.

Actually, users do switch.   They can be influenced.   The secret is
to show them how to do what they want with an alternative.   It needs
to be functional.  And if the time is spent up-front helping secure
the systems when installed, it won't need to be spent applying
hundreds of patches and recovering after worms, viruses, break-ins,
etc.

FYI, I am, as I type this, in an NSF workshop with people from around
the country who deal with information security issues and emergency
response (including your boss, Mark).   Half the laptops in the room
are Macs.  Of the rest, some non-zero percentage are *BSD or Linux.
This community is doing quite well with other tools.  Avoiding risk
and getting work done are not incompatible!

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
