Re: firewall-wizards digest, Vol 1 #1095 - 2 msgs

[Mike Hoskins <mike () adept org>]

> Subject: RE: [fw-wiz] @Stake CTO fired for Microsoft comments
> From: "Claussen, Ken" <Ken () kccweb com>
> Mr. Ferris Wrote:
> "we can blame ourselves and our great "capitalist nation" that
> utimately discouraged entrepeneurship and innovation

i won't comment in detail, since i didn't read the original post (only
what you quoted, i'll have to skim back through my archives and find the
original), but there is some truth to his words.  i can't agree
completely, but capitalism as it's currently instantiated certainly
benefits the rich more than the poor.  as such, large companies with
billion dollar budgets have certain advantages in the market place
less-funded efforts aren't always entitled to.  i thought that'd be
obvious though, in marketing terms alone.  (M$' (in)famous "5 9's"
campaign comes to mind.  "haha.")

> FUD. I agree with Paul's comments, security is more about diversity and
> defense in depth than big words with little true meaning (referring to
> above statements).

if you agree with Paul, you disagree with M$.  trust me, M$ isn't going to
take steps to increase diversity -- unless they buy RH and start marketing
M$RHL.

> Snort can run on Windows as well as Linux
<much snipped about opensource on Windoze>

the question you should be asking is how much more software would be
available on win32 if the obfuscated FUD (to use your terms ;) introduced
by TPAM$ (The Powers At M$) was removed.  have your ported opensource
projects to M$?  actually, i should say...  "have you tried..."  i'm
working on one right now.  it's not as easy as you may think.  it could be
easier, mostly if M$ simply followed well-published standards (like just
about everyone else).

> Operating system? And the cracks on Windows security have little to do
> with the Operating system itself (there have been numerous Root level
> compromises of other operating system) and more to do with the skill of
> the administrator.

that's very true.  administrator training/knowledge goes a long way.  i've
had the honor of working with "M$ guys that know their shit" and also the
extreme annoyance of working with "M$ guys that are shit".  night and day
-- and the same goes for any admins.

that said, care to pick a year and plot advisories released for some
opensource OS vs. M$?  i've done it in the past, the results were always
as expected.  (of course you only really know about issues advisories are
released for unless you have time for real auditing, and any camp could
probably hide things.)

> How many Windows Servers have you worked with in a
> security context?

speaking for myself here...  not many, probably only 1-200 in my career.
currently we have no more than 20-40 Win2k machines.  (servers; desktops
are another issue.)  the point is -- enough to see truth in the report you
haven't read.  (maybe you should?  FWIW, i don't see the things said in
the "new" report any more inflamatory (at least to M$ fans) than what's
in rfc2870...  and that was last updated sometime around mid-2000.)

> the rhetoric and get back to discussing security. I have seen people
> fired for much less than outright bashing of the operating system your
> company is contracted to audit.

you've likely seen people fired for using company resources (time,
machines, etc.) for such projects or for stating opinions that were
misconstrued as being "from the company".  none of that was true, from
what i've heard, in this case.  i think both sides are too quick to judge
without having all the facts.

go post a rant (or write an informed paper, along with 4-5 other highly
esteemed members of our community) about everything you see wrong with
BSD, Linux, etc.  be sure to clearly state everything you write is your
opinion alone, and do it at home and on your personal time...  the
difference is, you probably won't be fired.  that's because there aren't
opensource projects paying your employeer hundreds of thousands of dollars
every year.  it's really about money, and i think we know who has the
most.

> I prefer the Pix for firewalling due to
> the OS being integrated into the security code.

PIXOS has had many issues.  ideally you'd pick at least one other vendor
and make the traditional "firewall sandwich" -- diversity is always good.
of course most of these "paranoid" approaches only hold water in a
budgetary light if your site is high-profile enough to attract the
infamous "determined attacker".

> built operating system. Instead of writing a report (which I have not
> read) criticizing Windows, would it not have been more productive to
> write a report describing methods which can be used to properly secure
> the OS in a language the average home computer user could understand?

the latter's been done.  (see numerous SANS checklists, as one example.)
the prior does a bit more than "criticise windows".  it's interpreted as
such by loyal M$ fans because it's really just saying what we all know
(don't we?) -- M$ is installed on the majority of systems out there, and
that's a bad thing given the current state of M$' products.  no more, no
less.  you can try to argue, but the bandwidth charges associated with
backhauling Blaster, Welchia, and SOBIG.x alone will usually cause your
arguments to fall on deaf ears (let's not even talk about CR).

> Let's face it most of the backlash from these worms is caused by home
> users who are not the technology zealots that frequent lists such as
> this. A Security Guide for Dummies would make more sense than senseless
> criticality and outright slander.  Isn't it ironic that so many Open
> Source proponents are so close minded? I actually use a combination of
> Open Source and commercial software everyday.=20

precisely.  home users...  which brings up an excellent point.  even on
the desktop, viable (non-M$) options are coming to light.  (more every
day.)  the point is, even the home users could be using something better.
realizing that everyone, desktop and server users alike, should have
better options...  well, if that's really "close minded" -- i'm proud to
be just that.

the truth is, any software has problems.  it's made by people, and people
have problems.  the sooner we realize that, the better.  paying homage to
M$ who seems to miss glaring RPC holes just after much touted security
audits is not "realizing that".  it's sticking your head in the sand and
believing they can actually make better software because their marketing
people say so.  they can't.  at least on the opensource side we admit we
have flaws -- that's why the OS is free.  i have this sneaking suspicion
that if M$ started giving their OS away, they'd get (just a little) less
flack over future incidents.  so everyone makes mistakes, but only one
company gets rich off of doing it.

-mrh

--
From: "Spam Catcher" <spam-catcher () adept org>
To: spam-catcher () adept org
Do NOT send email to the address listed above or
you will be added to a blacklist!
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards