Your comments appeared to have a clear slant to them. They also were contrary to the statistics.

Before you can fix something, do you not need to know what the problem is first? I hope you are not claiming that you have identified and corrected virtually all current and yet-to-be-discovered security issues with Linux. If that is your claim, why have you not released your perfected OS to the masses? Any OS requires proper configuration and management when used, whether it is recompiling a kernel to include the latest fixes or applying a service pack to do the same thing, disabling unneeded services, creating accounts and user schema with strong security models, or properly monitoring the installed platforms. If an available system (or OS) makes it complicated and time consuming to perform these common sense steps, then it seems to lose its efficiency and can lead to missed issues. While it might be an interesting study, it is not really of any value in a fast-paced and under-resourced production environment. I would assume this is why, and indeed that has been the observation of statistics gatherers, that Linux was number one on the list for compromises and security flaws.

On the third point, you are certainly free to think whatever you like. However, the statistics are contrary to your statement. It is vitally important, in order for the security community to move forward, that everyone learn to deal with just the facts and leave personal OS bias or preferences out of the discussion. This is not a Windows vs. Linux thing. Indeed IBM, HP, BSD and Mac (minus OS X) came out as the best in the past year. With that, I have no intention of engaging in a continuing back and forth on it.

My suggestion to the original poster still stands. Identify what tools are really needed and can be properly managed with available resources, implement IDS and anti-virus, and ban everything else. If an employee insists they need something not on the list, examine whether their job function is being limited by not having it, learn it, manage it and then implement it or suggest an alternative. As far as a sign on the IT door, simply stating "Only IT authorized and approved software may be used on company computers" seems more than enough. If there is a legitimate reason to deny something, take the time to briefly explain. It makes the IT professional's job a lot easier when employees are an ally to the policy as opposed to someone always trying to subvert the policy. Remember, IT does not really stand for Insufferable Tyrant. The employees are the customers of the IT people. Provide them with solutions and answers to perform their jobs, not just roadblocks. That's what I do; it makes life nice.

Best Regards,
Dan Bartley

-----Original Message-----
From: Tim Greer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 03, 2003 20:25
To: Dan Bartley; [EMAIL PROTECTED]
Subject: Re: Ten least secure programs

----- Original Message -----
From: "Dan Bartley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 12:39 PM
Subject: RE: Ten least secure programs

> You might want to study the statistics for the past year before making
> "my favorite OS" statements.

When exactly did I claim Linux was my favorite (kernel)? I was making one example, comparing the ability to have control with Linux vs. Windows. That is all.

> Linux actually came out on top of the pile for number of security
> holes, number left unfixed, number of actual compromises and slowness
> in dissemination of information and fixes.

And what is to stop you from fixing things if the vendor or community is slow to?

> FreeBSD came out among the best, or near, I believe. Windows was in
> the middle.

I really do not think so; Windows has never compared as being more secure, unless you are comparing unskilled system admins that go with the default installs. Then, yes, Windows would likely be more secure. You don't let a 3 year old drive a BMW on a racing course either, just to say that a Yugo is a better car for racing.

--
Regards,
Tim Greer
[EMAIL PROTECTED]
Server administration, security, programming, consulting.
