Message-ID: <0GZ9002ZKFCKBP@smtp1.clear.net.nz>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Counseling not to use Windows (was Re: Ano

"David F. Skoll" <dfs@...ringpenguin.com> wrote:

> > throwing out a blanket "don't use Windows" or "don't use
> > <pet peeve network client software>" is not a constructive response.
> 
> I disagree.  I consider myself a security professional, and I tell all
> of my clients not to use Microsoft Outlook.  I would consider it a
> dereliction of duty _not_ to tell them that.  I also tell them they
> should switch away from Windows to Linux or some other free UNIX, and
> again, I think it's my duty to tell them that.
> 
> They are free to take my advice or not, but they understand that if
> they do not take my advice with regards to Outlook, I am absolved of
> responsibility for any e-mail borne malware.
> 
> I think it's important for security professionals to tell people not
> to use Windows, if only to open their eyes to the risk they put
> themselves at, and also to the fact that there are alternatives out
> there.

I agree with all of the above.

My point was, on lists like this, if someone is using Windows or some
especially distasteful Windows network client software they are most
likely doing so either because, as in my case, they have chosen to
after weighing the various pros and cons of that decision or because
"they have to" (being under one of those aforementioned "stupid"
policy restrictions that requires all desktops to conform to a
limited sense of "corporate normality").  Telling such people to drop
their carefully chosen or enforced environment means you are more 
likely to be ignored as being "out of touch" or some such.

That does not mean it is necessarily a waste of breath to advise a 
paying customer, but doing it among a group of security aware 
professional peers is likely to make one look bigoted and thus more 
likely to get you ignored.

My comment about unprofessionalism was limited to a specific setting. 
Suggesting a "spot fix" that a nanosecond's consideration shows is 
likely to be policy violating in many corporate IT environments will 
have one branded "unthinking" at best and quite likely 
"unprofessional".  Making the same suggestion when asked for 
professional advice is not unprofessional (at least, so long as the 
rest of the "structural changes" such as altering local security 
policies to accommodate the suggested changes, etc. are also covered in 
that advice).


Regards,

Nick FitzGerald
