IP: more on microsoft dependence RE: Microsoft Breaks Netscape Rule In New Security Flaw

[David Farber <dave () farber net>]

> Date: Mon, 7 Jan 2002 11:55:25 -0800
> From: Brad Templeton <brad () templetons com>
> To: farber () cis upenn edu
> Cc: webert () bellatlantic net
>
>
> Tom, while your article is good to get out the basic message,
> the issues, as you may know, go deeper than you describe.
>
> > >BREAK THE MICROSOFT HABIT: How many times has my computer been threatented
> > >by a virus because holes in Microsoft Outlook made it easy for these
>
> While people often find security windows in Microsoft products, this is
> not always because of bad software engineering at Microsoft.  In may cases
> this is the result of software "monoculture."  When 90% of people run a
> particular system, it is really only worthwhile to find windows into it.
> Finding a window into a linux program only gets you a tiny fraction of
> machines, so it's not nearly as "productive."
>
> However, there are many advantages and economies of scale to software
> monoculture, so I'm not sure how much success calls against it will ever
> have.
>
> > >FIREWALLS FOR EVERYONE: If you've got a computer that's connected to the
> > >Internet, I can't imagine any reason why you wouldn't want a firewall 
> on it.
>
> Yes, that is the right advice today, but you might have wanted to note that
> many security experts believe it is not the most secure philosophy.  The
> firewall approach means that once somebody is past the firewall, they get
> access to everything.   If you can secure individual machines to the point
> that they don't need the firewall protection, you're going to have a much
> more secure environment.
>
> This is particularly important because no machine or firewall is fully
> secure, and firewalls just make a multi-breaking easier.  However, at the
> same time firewalls make local administration and use more convenient, because
> good security is inconvenient and we always make trade-offs between that
> security and convenience.
>
> Thus the question is, which type of security gives us the best trade-off?
> Making the machines themselves secure without any user intervention is
> obviously good, and that's not a firewall approach.  The people who design
> protocols and the programs that act as gateways into our machines for those
> protocols should have woken up by now, but there's a lot of old design out
> there too.
>
> Firewalls come with a cost of inconvenience, however.  For many, they are
> the barrier that stops innovative new applications from spreading on the
> net, like peer to peer apps, internet telephony etc.  Firewalls violate the
> end to end principle of network design, usually.
> > >
> > >DON'T SHIELD SHODDY PRODUCTS: Liability is another way of deterring the
>
> (Taken with another meaning, in fact, this would be an argument against
> firewalls.  :-)
>
> > >USE REGULATION, OR THREATEN TO: In the post-9/11 era, it's clear that
> > >governments have an interest in information security. Lawmakers and
> > >regulators should use 2002 to find innovative ways to encourage safer
> > >systems without stifling innovation.
>
> Hah.  Let me put on my EFF hat and say that in fact government regulation
> has been the biggest barrier to getting security deployed in the market.
> Some forces in the government are afriad of good security in computers, and
> so acted (with remarkable success) to regulate encryption and stop it from
> getting deployed in consumer products.
>
> For shortsighted "Freeh" thinkers at the DoJ, a truly secure civilian
> computer infrastructure was their nightmare, because they wouldn't be
> able to wiretap it.   And they got it.  And after the laws were (at least
> partially) struck down, things are getting deployed but slowly.

For archives see:
http://www.interesting-people.org/archives/interesting-people/