----- Original Message -----
From: "Dan Bartley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 6:25 PM
Subject: RE: Ten least secure programs
> Your comments appeared to have a clear slant to them. They also were
> contrary to the statistics.
No, only someone that's hard up to bash Linux users would assume this.
Nothing was contrary to what _you_ claim. This is getting nowhere.
> Before you can fix something, do you not need to know what the problem
> is first?
Yes, I'd imagine so... and what's your point?
> I hope you are not claiming that you have identified and
> corrected virtually all current and yet to be discovered security issues
> with Linux.
Did I say this? No. Why are you jabbering on like this? Are you this
offended and dumbfounded because I said that with the source code, you have
the ability to fix and locate problems? Why does this offend you so?
> If that is your claim, why have you not released your
> perfected OS to the masses?
It wasn't my claim, why do you keep trying to make accusations to try and
make points to oppose the facts?
> Any OS requires proper configuration and management when used.
Duh.
> Whether
> it is recompiling a kernel to include the latest fixes or a service pack
> to do the same thing.
Correct, you win a prize. Why are you going on like this? Did you know
that that (fill in obvious information everyone knows and make it seem as if
it's interesting).
> Whether it is disabling unneeded services or
> creating accounts and user schema with strong security models or
> properly monitoring the installed platforms.
Yes... that is some of it.
> If an available system (or
> OS) makes it complicated and time consuming to perform these common
> sense steps, then it seems to lose its efficiency and can lead to missed
> issues.
Yes, it could be. But we can compare anything in the wrong hands as
equating to a bad thing, simply because it allows for more control. People
*used* to get educated and obtain the skills to do things, we can't judge
things based on how lazy people are or their lack of comprehension. After
all, someone like that will have an insecure system no matter what software
or OS, or kernel that they use. Surely you must agree with that, so what's
your point to saying any of this?
> While it might be an interesting study, it is not really of any
> value in a fast paced and under resourced production environment.
Why do you assume it's so difficult or such a huge task? There's thousands
of contributors to most of these open source projects to review, discover
and fix problems.
> I
> would assume this is why, and indeed that has been the observation of
> statistics gatherers, that Linux was number one on the list for
> compromises and security flaws.
You claim this, that doesn't mean anything to me. I'd not use Linux as a
first choice, but it's not the number one insecure set up you can run. And,
you're basically comparing this in the hands of an amateur. I even agreed
that an unskilled person is better off using something that has a more
secured default install. However, that doesn't mean anything or that it's
an insecure choice because people that have no business running it, are
doing a poor job of it.
> On the third point, you are certainly free to think whatever you like.
Oh, thanks for giving me permission... I'll do that.
> However, the statistics are contrary to your statement.
No, they aren't. And you've provided no statistics to illustrate that Linux
is the least secure set up to run. What dist? What kernel? Who is running
it? I bet I can break any FreeBSD or OpenBSD or Windows system and make it
real insecure.
> It is vitally
> important in order for the security community to move forward, that
> everyone learn to deal with just the facts and leave personal OS bias or
> preferences out of the discussion.
I agree, and you should stop it.
> This is not a Windows vs. Linux
> thing.
Who said it was? I saw some examples of it, I responded and mentioned them
in that context or gave examples myself.
> Indeed IBM, HP, BSD and Mac (minus OS X) came out as the best in
> the past year.
Huh? IBM, etc. are OS'es/kernels now?
> With that, I have no intention of engaging in a continuing back and
> forth on it.
I'm 50 feet tall, I don't need to backup what I say. I see no reason to
debate about what I claim...
> My suggestion to the original poster still stands. Identify what tools
> are really needed and can be properly managed with available resources,
> implement IDS and anti-virus, and ban everything else.
How about, instead, deducing what out of those is needed, the impact it will
have, the benefits, costs (if any), time (if any) and if it's really needed,
in what capacity, etc. After all, why waste time and resource on something
they don't even need. Throwing silly things like Anti-virus at a problem
doesn't make it go away. Explain exactly why these people need an
anti-virus or an IDS. What are they running? In what capacity? Do you
know? None of us know, this is all hypothetical anyway and yet you are
content to throw software on software to provide a solution. Provided they
don't run an insecure set up or email client, email viruses are not an issue
and anyone that would open an executable and run it without knowing what it
is, gets what they deserve and there's no hope for them anyway (they are
bound to fall down a well). IDS, why? What do you assume they are running
to need this? Is this just for the heck of it? No mention of firewalls,
NAT's, wrappers, jailing services, etc.? At least those would make more
sense.
> If an employee
> insists they need something not on the list, examine if their job
> function is being limited by not having it, learn it, manage it and then
> implement it or suggest an alternative.
Yes, this is obvious.
> As far as a sign on the IT door, simply stating, "Only IT authorized and
> approved software may be used on company computers", seems more than
> enough.
Maybe, physical access, unless you limit what they can do, will always be a
problem--though a skilled, determined employee could still cause problems
(though, unless they have ill intent, shouldn't actually pose a problem,
usually).
> If there is a legitimate reason to deny something, take the time
> to briefly explain. It makes the IT professional's job a lot easier when
> employees are an ally to the policy as opposed to someone always trying
> to subvert the policy. Remember IT does not really stand for
> Insufferable Tyrant. The employees are the customers of the IT people.
> Provide them with solutions and answers to perform their jobs, not just
> roadblocks. That's what I do, makes life nice.
Part of making your life as a sys admin, network admin, etc. easier, is to
make good choices about the set ups, software and configurations you will
run. This will lessen or remove the need for support, dealing with bugs and
security issues--which is what this topic was about (at some point).
--
Regards,
Tim Greer [EMAIL PROTECTED]
Server administration, security, programming, consulting.
-----Original Message-----
From: Tim Greer [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 03, 2003 20:25
To: Dan Bartley; [EMAIL PROTECTED]
Subject: Re: Ten least secure programs
----- Original Message -----
From: "Dan Bartley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 03, 2003 12:39 PM
Subject: RE: Ten least secure programs
> You might want to study the statistics for the past year before making
> "my favorite OS" statements.
When exactly did I claim Linux was my favorite (kernel)? I was making
one example, comparing the ability to have control with Linux vs.
Windows. That is all.
> Linux actually came out on top of the pile for number of security
> holes, number left unfixed, number of actual compromises and slowness
> in dissemination of information and fixes.
And what is to stop you from fixing things if the vendor or community is
slow to?
> FreeBSD came out among the best, or near, I believe. Windows was in
> the middle.
I really do not think so, Windows has never compared as being more
secure, unless you are comparing unskilled system admins that go with
the default installs. Then, yes, Windows would likely be more secure.
You don't let a 3 year old drive a BMW on a racing course either, just to
say that a Yugo is a better car for racing.
--
Regards,
Tim Greer [EMAIL PROTECTED]
Server administration, security, programming, consulting.
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------