From: mailinglists at wjnconsulting.com (Wes Noonan)
Subject: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause

> On Sun, 18 Jan 2004, Wes Noonan wrote:
> Why?  Name one virus for Linux that AV software would have protected
> against, that a noexec /tmp wouldn't have.

Security isn't about protecting against old threats; it's about protecting
against new threats. If running virus protection has the potential to
protect against new threats, then it is worth running. If an IDS/IPS has the
potential to protect against new threats, then it is worth running. If a
personal firewall has the potential to protect against new threats, then it
is worth running. Security is about a total process, not a specific product
or application.
 
> We're a 7-person shop with a budget of $0 for software.  I'd love to
> see a Microsoft shop with a similar software budget.

I'd love you to show me a 700, 7000 or 70000 person shop that can say that.
Frankly, you just illustrated a point here, whether you intended to or not.
When you are a small shop that has the expertise, you can do anything you
want. When you are a large shop, you no longer have that ability. You have
to think big. You have to think about things like "what if David, who is the
only person who really knows our systems, leaves? Where does that leave us?"
This is especially true in cases where you have free software being offered
with no support. Microsoft, whether you want to admit it or not, learned
that long ago. They learned that the need was there for OSes and
applications that are tremendously portable between people. They learned
that not everyone in IT is a developer or has the skills or capabilities to
write and compile custom code to suit their every need, and frankly not
everyone needs to. They learned that companies want support and they don't
want to have to rely on "Joe the admin" who is the only one who can recode
and recompile the application if there is a problem. Some Linux companies
are learning these lessons as well. You can see that in the tremendous leaps
and bounds of usability and functionality that they have made.
 
> Why should I spend money, time and energy trying to secure a basically
> un-securable system, when I can not spend money, spend a whole lot
> less time and energy, and have a more secure system?

Microsoft is only un-securable for those who don't know how to secure it
(the same can be said of Linux of course). Clearly, you seem to know Linux.
Equally clearly, to me at least, you don't seem to know Microsoft very well.
You claim, repeatedly, that Linux is so much easier to secure. I believe
that this is directly related to your level of expertise on Linux. Similarly
you claim, repeatedly, that Microsoft is impossible to secure. I believe,
similarly, that this claim is directly related to your level of expertise on
Microsoft. While to you it may take less time and energy to harden a Linux
system compared to Microsoft, I would point out that there are a lot of
other folks who would probably be able to argue and prove the opposite -
that it is much easier and takes less time and energy to harden Microsoft
than Linux. Heck, I can guarantee you that I can harden a Microsoft system
infinitely better than I could a similar Linux system.

Someone else pointed out that no OS is bug free, which is a truism. The
ability to harden a system, if one knows what they are doing, is also a
truism.
 
> So unless you investigate alternative systems seriously, you're just
> ensuring a monopoly situation, which guarantees bad software.
> Complacency and defeatism have no place in the fight to secure our
> computers.

The more and more you post, the more things like this you write, the more
clear it becomes that your position has little more than a religious passion
for Linux and a religious dislike of Microsoft backing it with little other
real substance. Protestants, Catholics. Muslims, Jews. Penguinistas and
Microsofties. It isn't about securing our computers, it's about not using
Microsoft. It's an old, tired, pointless argument. :shrug:

Wes Noonan
mailinglists@...consulting.com
http://www.wjnconsulting.com 


