Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.44.0207151833410.12972-100000@shishi.roaringpenguin.com>
From: dfs at roaringpenguin.com (David F. Skoll)
Subject: Counseling not to use Windows (was Re: Anonymous surfing my ass!)

On Mon, 15 Jul 2002, Schmehl, Paul L wrote:

> > Well, that's very good.  How about .exe?
> If they're attachments, they bounce at the mail gateway.

Me, too.  But that's a band-aid fix.  Miserable design decisions on
Microsoft's part have made e-mail responsible for spreading malicious
executable content.  In 1980, e-mail was plain text and totally safe.
There is simply *no excuse* for having to scan e-mail at gateways -- it
should *never* have been a problem in the first place.

> > Yes, it is.  How much work is it to set all this up?
> Very easy.  A few points and clicks in the admin's interface deploys the
> policy to the whole domain.

OK.  Didn't know that.

[snip]
> I think you're taking anecdotal evidence to condemn Windows
> unnecessarily.

Please see http://www.roaringpenguin.com/graphs.php3

Cracked Windows boxes are so much of a problem that they've become
background noise on the Internet.

> Just because Code Red ran around the world in short
> order doesn't *necessarily* mean the OS is flawed.  It could mean the
> *philosophy* is flawed or the training is flawed or the admins are
> flawed.  Remember, Unix admins have 30 years of experience under their
> belts telling them what is good security practice and what is not.
> Windows admins have 10? Maybe?

That's not really an excuse.  UNIX was never really designed with
security in mind, and in fact until recently, UNIX boxes were
pretty insecure.  (And many commercial UNIXes still are.)

The difference is that most UNIX faults were implementation errors
which could be fixed without radically altering the OS (at least
from the user's perspective.)  Many Windows problems can't be fixed
without changing the fundamental nature of the system.

[snip]

> You have to remember that, for a business to switch from MS to *nix
> takes not only a huge shift in thinking on the part of management and
> users but also *wholesale* changes in the IT staff.

Or wholesale retraining.  It's not easy.  That's why it's a long-term
strategic goal and not a short-term answer to security problems.

--
David.
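An added illustration of the gateway rule the two correspondents refer to above (bouncing .exe attachments at the mail gateway). This is example code written for this page, not code from the thread, from either correspondent or from any product they mention. It parses a raw RFC 5322 message and flags attachments on two grounds: the filename extension (the check Paul describes) and the content itself (the "MZ" header every Windows PE executable starts with), so an executable renamed to .txt is still caught. The extension blocklist and the test messages are assumptions constructed here for the demo.

```python
"""Toy mail-gateway attachment filter (added example, not code from the
thread).  Flags attachments by Windows-executable extension and by PE
content; the messages it is fed below are constructed inline for the demo."""
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows runs on double-click (assumed policy list, not exhaustive).
BLOCKED_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # DOS/PE header at offset 0 of every Windows executable


def classify_attachment(part):
    """Return a reason string if this MIME part should bounce, else None."""
    name = (part.get_filename() or "").lower()
    ext = os.path.splitext(name)[1]  # "invoice.pdf.exe" -> ".exe"
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext!r} on {name!r}"
    # Extension check alone is the "band-aid": also look at the bytes.
    payload = part.get_payload(decode=True) or b""
    if payload.startswith(PE_MAGIC):
        return f"executable content (MZ header) in {name!r}"
    return None


def find_blocked_attachments(raw):
    """Parse a raw message and list every attachment the gateway would bounce."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    for part in msg.iter_attachments():  # skips the text body part
        reason = classify_attachment(part)
        if reason:
            reasons.append(reason)
    return reasons


def build_message(filename, data, maintype="application", subtype="octet-stream"):
    """Construct a one-attachment test message (sample input, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"  # assumed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "test attachment"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "obvious": build_message("setup.exe", b"MZ\x90\x00" + b"\x00" * 16),
        "renamed": build_message("notes.txt", b"MZ\x90\x00" + b"\x00" * 16),
        "double-ext": build_message("invoice.pdf.exe", b"not really a PE"),
        "benign": build_message("notes.txt", b"plain text, nothing to see"),
    }
    for label, raw in samples.items():
        print(label, "->", find_blocked_attachments(raw) or "accepted")
```

The extension rule is what a gateway policy typically enforces; the content rule is what catches the cases the extension rule misses, which is the sense in which extension filtering alone is a stopgap.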

