First, apologies to the list for the unintentional header forgery. My correct address is [EMAIL PROTECTED], not [EMAIL PROTECTED]. It is my fault for configuring my SMTP forwarder in a hurry. A boneheaded mistake. What can I say, it's been a long week.

On Fri, Jun 18, 2004 at 01:08:08PM -0400, joe wrote:
> Can users hook themselves up to the internet?
[snip]

Some can. It certainly takes less knowledge than sound system administration; someone who successfully played with the toy where one fits circular, rectangular, or triangular plastic blocks into holes of corresponding shapes has all the 'skills' s/he needs to plug coaxial and power cables into a cable modem, and RJ-45 from cable modem to PC. You will hear no argument from me when you assert that there are many, many braindead users, admins, and 'technicians' out there.

> So what I am saying is, I think the ISPs need to share some of the
> responsibility of hooking people up safely, don't just plug them in.
[snip]

This is a good idea, and some ISPs do make efforts to educate their customers about security, albeit in mostly passive ways. However, it seems odd to me that you feel the ISPs should be obliged to leap through many hoops to protect their customers, essentially before they take customers' money.

Microsoft has been taking customers' money for years and years, and have given little or no real consideration to customers' protection. By Gates' own admission, (paraphrased) 'we have not done all that we can to protect our customers'. Which, judging by their track record, is still an understatement in the extreme.

In your last post, you made it clear that you believe that it is primarily failings on the part of users that have allowed these security gaffes to have such dire effect. So, can you explain why you put such heavy responsibility on ISPs to protect customers, but seemingly relieve Microsoft of any such responsibility, blaming nearly everything on the user?

My point remains the same: Microsoft has no control over what its end users do. It cannot force education, patches, or firewalls on users if they don't want them. It has complete control over the design, configuration, and quality of the software it sells.
Which is easier for them to fix- their software, or the mind of every end user?

> Alternatively, have the ISP block all but say ports 25,80, and 110 by
[snip]

Truly draconian. And exceptionally bad for business. I remember when Comcast had the nerve (sense) to block TCP 135 when Blaster hit. You should have seen all the screaming users, infuriated that their Windows File and Print Sharing didn't work. "I need this to connect to our corporate file server and update the Excel spreadsheet that has all our passwords in it, or my boss is gonna kill me!!"

Oh, and even this "security-through-unplugging-cables" style of approach does absolutely nothing to protect people merrily browsing the net with Internet Explorer and receiving email with Outlook Express. Ever hear of phishing? How bout spyware?

> Again however, MS is stepping up on this. Go look at XP SP2. It is a big
> step in the direction to help users protect themselves. Of course of course,
> they have always done bad things so they can't possibly do anything better
> now. How thoughtless of me. Of course someone like yourself is so good at
> coding you know that every piece of code you have ever written has been
> perfect right off and no possible issues... Oh wait, you implying that means
> you probably have never coded anything more complex than a basic tool if
> that.

Admittedly, no. I didn't claim to be. I am young and learning. But I think I have a good understanding of the concepts behind designing and implementing secure software and avoiding the programming errors that lead to easy exploits. And some things, like active scripting in mail clients (to pull one off the top of my head and recent full-disc history, that has inspired more than one well-justified rant by list regulars) are just dumb and should have never been considered in the first place, let alone turned on by default.

It doesn't seem to me to be rocket science.
Assume that software *will* be used and abused by Bad Guys; trust no input, and validate all of it; write software that uses the least privileges it needs to function, and no more; write small software; use techniques such as isolation to provide additional layers of security that increase the difficulty or nullify the risk of attacks; perpetually strive to educate oneself about new attacks and new classes of attacks, and learn to defend against them. The list continues; you get the idea. It can be tedious and difficult. But it's one of the things we have got to do, if we want to improve the status quo.

If what you wrote above is some kind of thinly-veiled attempt to undermine my credibility (I don't have any yet, silly wabbit) by making insinuations about my programming skill, it has probably backfired on you. If what you want is to start a flame war, contact me off-list.

Back to the topic at hand, XP SP2. Yes, I've seen it, and I'm not terribly impressed. Most of these things have been in free *nixes for a long time now. Comparing with Red Hat/Fedora (which is far from the panacea of secure OSes, mind you):

Firewall on by default: Red Hat's had iptables setup as part of the installation for years now. Configuration involves clicking one of four radio buttons.

Safer networking defaults: Red Hat turned off most if not all networked services in the default installation years ago, IIRC. I think it took them about 10 minutes. Long overdue for Microsoft.

Memory protection: many distros, and I believe Fedora is one of these, compile packages with stack-smashing protection or provide versions of gcc with such features. More robust protection is freely available with tools like grsecurity.

Safer email handling: safer than what? I can't think of a *nix mail client that's proven as unsafe as Outlook and Outlook Express have. Shoring up these programs is a 'duh', and also long overdue. Fedora offers a choice of no less than ten different mail clients.
Pick one at random; I'll bet the cost of a Windows Server 2003 license that it will never be victim to the types of vulns that have plagued and continue to plague the Outlook series.

Safer browsing: More safe defaults that are long overdue. My comments above on mail clients can be applied directly to browsers: you have lots of choices, pick one at random, it's almost guaranteed that you'll never suffer from the same types of stupid tricks that can be played successfully on IE.

Automagic updates: trivially achieved with ANY *nix package management system, and cron. And yes, they've been around for years. Oh, and no one worries about whether updating Mozilla or Konqueror means their network connection gets hosed or their OS is rendered unbootable.

This is a simplified overview, but I think I've addressed the major features MS is touting here, agree?

> I agree that MS helped create the mass of inept users... However, I don't
> see any OSes going out there creating knowledgeable users.

Try sitting a new user in front of a freshly installed *BSD box, and see how far he gets without reading the manual.

> In fact had MS
> not done what it had done, I don't think we would be anywhere near where we
> are right now for penetration of PCs in the home and lower costs associated
> with that.

Is that supposed to be a good thing? Personally, I'd like to see far fewer stupid people and sleazy corporations on the 'net. If that means I have to pay more for access, and perhaps have one computer in my home instead of half a dozen, so be it.

> I am just guessing but irregardless of what OS you are on now,
> you most likely were running an MS OS at some point.

Yes, and I rue the day I ever let it sink its teeth into me. I have since freed myself of this unnecessary burden. Windows to me is now little more than a gaming system, slightly superior to PS2 (except in the respect that I never worry about my PS2 becoming the newest member of a botnet).

> Not many people start
> on Mainframes and UNIX machines and went straight to non-MS offerings. Why?
> Not much else existed in the home for some time. Probably the few
> (relatively speaking) that can say they haven't ever run an MS OS are those
> that started using computers in University and never left so always lived in
> the UNIX world or Apple folks. If you had a PC at home and it wasn't an
> Apple, the chances are good it had MS on it.

Again, is that supposed to be a good thing? Lots of people like double bacon cheeseburgers and Krispy Kremes. It doesn't mean it's a good idea to eat nothing but.

> I look forward to BSD/Linux gathering steam and becoming better and better
> and more and more accepted. For several reasons actually. First off, MS
> always thrives when given good competition, it pushes itself to do better

Microsoft is well-known for its decidedly monopolistic and *anti*-competitive behavior. Is this news? As outlined in the Report That Got Dan Geer Canned From @stake [1], this in and of itself is a danger to security. More generally, any ubiquitous, identical systems on a huge global network are inherently dangerous to the network itself, as the possibility exists that a single piece of malicious code can destroy the systems and/or the data contained on them and/or cripple the entire network. Diversity is a key risk management strategy, and it has proven parallels in fields like biology. I believe it also applies to security risk management.

We've seen code that does this, and has the potential to do much worse, many times over again, for a long time now. Is it becoming clear why a simple 'step-up' from MS won't cut it? I don't want to see any one operating system or piece of software 'take over the world'. I would like to see some real competition resulting in better code and more diversity, so perhaps we can make some progress on overcoming the attacks of yesterday that continue today.

> and better which is good for computing in general because they have serious
> cash to put into the endeavour, not many computing places now have
> multi-billion dollar R&D budgets to make home computing better.

It must be humbling for you to think that a bunch of rag-tag GNU hippies, young Finnish CS students, Berkeley grads, Canadians *gasp!*, and thousands of other hackers coding in their spare time often for free, have produced operating systems and software that rival or are outright superior to the products of the largest, richest software company in the world.

> Second off,
> the Linux world will have to clean up, right now it is a bit chaotic with
> all of the various vendors duking it out over who is better and you having
> to be really sure of what you have before you install things. It reminds me
> of earlier MS days with Win9x and NT and having to figure out what you had
> so you knew what you could install. It is a pain in the butt when consulting
> for large companies when they are trying to figure it out because not only
> is it a case of figure out if you want Linux or Windows, it is which flavor
> of Linux do you want. Just dilutes the whole thing. Yes yes choice is good
> blah blah blah. Sometimes though in the committee driven worlds of corporate
> America, a multitude of choices can be a bad thing.

Yes, there are a lot of Linux distros out there now, and yes, most of them are pretty useless, lame, and contrived. There are also some very good ones, and the skilled sysadmin can always build their own if they don't like anyone else's. Yes, for a corporation trying to 'pick one' it can be difficult, for those not used to actually having choices.

Yes, trying to figure it out is difficult for companies, especially ones full of admins who are glued to the shiny friendly happy clicky GUI world to which they're accustomed, and don't know a whit about what's actually happening- on the system, on the network, anywhere.
Who ever told these people it would be easy, ever? These are some of the most complex machines mankind has created. Who made them allergic to getting their hands dirty and spending some time understanding the systems they're supposed to be taking care of with competence?

> You sound like a jilted lover here. Not someone looking for the computing
> world to get better.

Jilted lover isn't quite accurate; it's more like MS keeps trying to slip people roofies at the bar and date-rape them in the parking lot. I'll tell you why, and fundamentally I believe this is the reason for our differences of opinion.

You still trust Microsoft. I don't. They had it for a time, and they have earned my distrust. It will take significant leaps and bounds forward in several areas for them to earn it back.

Call me paranoid, pessimistic, jaded, what have you. I've been promised that they will step up with every new version and new product, just as you are offering promises that they are stepping up with SP2. Don't get me wrong; it will help, for those who are running XP (many aren't), are aware of its existence (the many who cannot even be bothered with patching now will likely be oblivious), and who won't remove or disable it after seeing that it makes life on the 'puter an iota more difficult than it had been before.

It won't undo the disservice they have done to the industry and their customers by consistently failing to improve the security and quality of their software, nor will it undo the damage caused by making it so easy for users as zombie-like as their infected machines to play with it on high-speed wireless 'net connections. It's a baby step in the right direction, for a corporation that as I said, ought to be leading the industry.

In any case, before our 'discussions' become any more verbose, flame-ish, religious, or off-topic (they're currently all four), we should do the good list members a favor and take it off list.

[1] http://www.ccianet.org/papers/cyberinsecurity.pdf

--
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html