RE: [Full-Disclosure] Anti-MS drivel

2004-01-20 Thread Mike Marshall
Finger-pointing is a trivial task, solving the M$ problem isn't.  M$ has
built one of the best UIs on the planet, but that doesn't give them a
license to ignore all of the security problems in their OS.  Check out Red
Hat 9.  We should exit and destroy our ivory towers; they have no useful
purpose anymore.  Smart and creative people succeed, regardless of the
era/technology/company/product.

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of yossarian
Sent: Tuesday, January 20, 2004 8:04 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Anti-MS drivel

Erich wrote:
 What MS actually does is leading customers into a trap. MS Products 
 look as if they were so easy to use that _every_ body could work with 
 it, just like that - you don't need to know a thing. Intuitive User 
 interface etc.

So, basically, you are blaming the MS people for building a UI that can be
used by anyone. Duh. Let's give 'em a TSO interface. That'll scare them away
from the computer so they won't just click on any attachment. Better still,
they would be using typewriters. Yep, I still miss my Underwood, like others
miss the Unix prompt - not concealing the complexity of the beast, or worse.
At the same time we can withdraw to the ivory tower of the IT department,
where users are just a nuisance. Let's call it Data Central.

Don't forget users pay the bill. And to put it bluntly - your job would not
exist if it had not been for the PC revolution. Neither would mine. Without
MS's distributive powers and later - mid 90s - marketing power, grey haired
people probably would still be scribbling in COBOL and we would be
delivering the internal mail - by hand in those funny envelopes where you
strike out the name of the user before you.






___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

2004-01-18 Thread Mike Marshall
Can we please just stop OS-based arguments?  And can we agree that all OSs
earn their places, rightfully?  Windows has earned very few security points
to date (and maybe none), but we can move toward securing this OS despite
its programming shortcomings.  Windows, and thankfully, Linux isn't going
away any time soon.  Linux installs mostly secure by default, Windows
installs insecure by default, but that doesn't mean people can't harden
either OS and make it more secure.

Personally, I've run a large data center using both OSs (various versions)
securely for over 5 years.  I've developed and implemented Windows and
linux hardening templates.  There are many ways to secure and harden both.
As many have pointed out, layers matter.

Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David F. Skoll
Sent: Sunday, January 18, 2004 7:12 PM
To: Wes Noonan
Cc: [EMAIL PROTECTED]
Subject: RE: Religion... was RE: [Full-Disclosure] Re: January 15 is
Personal Firewall Day, help the cause

On Sun, 18 Jan 2004, Wes Noonan wrote:

  On Sun, 18 Jan 2004, Wes Noonan wrote:
  Why?  Name one virus for Linux that AV software would have protected 
  against, that a noexec /tmp wouldn't have.

 Security isn't about protecting against old threats; it's about 
 protecting against new threats.

Exactly.  A/V software can only protect against *old* threats, because a
virus has to be in the signature database.  Mounting /tmp noexec can protect
against a wide class of threats (those threats that rely on writing a file
to the file system and then executing it.)

 If running virus protection has the potential to protect against new 
 threats,

But it doesn't.

 then it is worth running.

Therefore it isn't.

 If an IDS/IPS has the
 potential to protect against new threats, then it is worth running.

IDS itself cannot protect against anything; it can only detect unusual
activity.  (That doesn't make it worthless, of course.)  IPS systems may be
worthwhile depending on how many false-positives they issue.

 Security is about a total process, not a specific product or 
 application.

I agree.  But a particular product or application *can* lead to insecurity.

  We're a 7-person shop with a budget of $0 for software.  I'd love to 
  see a Microsoft shop with a similar software budget.

 I'd love you to show me a 700, 7000 or 7 person shop that can say that.

Wait a few years and get back to Roaring Penguin. :-)

Obviously, right now, I can't.  But there are plenty of large organizations
using free software; HP claims to have made $2.5 billion in Linux-related
sales.

It will happen.  The economics dictate it.  Companies that save money
because of lower licensing costs, lower license enforcement costs, and
(especially) lower costs to maintain secure networks, will succeed where
companies that have higher costs fail.

 You have to think about things like what if David, who is the only 
 person who really knows our systems, leaves. Where does that leave us?

That might have been true a couple of years ago, but there are plenty of
Linux experts now, as you noted.

 Microsoft is only un-securable for those who don't know how to secure 
 it

No.  The fundamental problem with Windows is the problem that led to the
creation of the anti-virus industry: Encoding of metadata in filenames.
The fact that .exe on Windows means the same thing as turning on the
execute bit in UNIX has cost the world economy billions.  And it's
impossible to change this without fundamentally changing Windows.  (Even
this flaw isn't a Microsoft innovation; it was first revealed in 1987 in the
infamous CHRISTMA EXEC worm at IBM on the VM/370 system.)

This flaw, the readiness of a Windows system to enable execute permission
depending on the filename, makes every single Windows box a ticking time
bomb.  Someone just has to be clever enough to deposit an .exe on a system
and trick someone into running it.

The social engineering required to do the same on Linux is an insurmountable
hurdle; not only do you have to deposit the file, but you have to convince
someone to turn on the execute bit, which no Linux mail clients currently
do, and which the average office worker is unlikely to even know how to do.
(That's why I have a warm feeling when our sales people use Linux; they
don't know enough to be dangerous. :-))

 You claim, repeatedly, that Linux is so much easier to secure. I 
 believe that this is directly related to your level of expertise on 
 Linux. Similarly you claim, repeatedly, that Microsoft is impossible 
 to secure. I believe, similarly, that this claim is directly related 
 to your level of expertise on Microsoft.

No; it is related to the fundamental design flaw I mentioned above.

[...]

 Someone else pointed out that no OS is bug free, which is a truism. 
 The ability to harden a system, if one knows what they are doing, is 
 also a truism.

Are you claiming that all OS's have the same inherent security, and