Open Source and information security mailing list archives
 
Message-ID: <Pine.LNX.4.44.0207150735370.1152-100000@shishi.roaringpenguin.com>
From: dfs at roaringpenguin.com (David F. Skoll)
Subject: Counseling not to use Windows (was Re: Anonymous surfing my ass!)

On Mon, 15 Jul 2002, hellNbak wrote:

> So many of my clients would fire you on the spot for recommending that
> they just stop running MS products.

Fine; that's their choice.

> If you truly are a security
> professional -- you would know better.

I think this is a very bad attitude.  Trying to secure Windows on the
desktop is fundamentally impossible because of design flaws.

Sure, UNIX boxes can be owned, no question about it.  They can be
owned because of bugs such as buffer overflows, tempfile races, etc.
which are implementation problems.

Windows boxes are fundamentally insecure because of bad design, not only
because of programming errors.  Encoding metadata such as "executableness"
in a filename, for example, is a fundamental design flaw, and one that's
impossible to correct without changing Windows' design.

So no, I don't refuse to deal with clients who use Outlook.  But yes,
I recommend they switch anyway, because to do less is an abdication
of my responsibility.

--
David.

