Open Source and information security mailing list archives
 
Message-ID: <20020715133245.GA19805@unixzone.com>
From: cmason at unixzone.com (Chris L. Mason)
Subject: Counseling not to use Windows (was Re: Ano

On Mon, Jul 15, 2002 at 10:19:30AM +1200, Nick FitzGerald wrote:
...
> 
> I agree with all of the above.
> 
> My point was, on lists like this, if someone is using Windows or some
> especially distasteful Windows network client software they are most
> likely doing so either because, as in my case, they have chosen to
> after weighing the various pros and cons of that decision or because
> "they have to" (being under one of those aforementioned "stupid"
> policy restrictions that requires all desktops to conform to a
> limited sense of "corporate normality").  Telling such people to drop
> their carefully chosen or enforced environment means you are more 
> likely to be ignored as being "out of touch" or some such.
...
> 
> My comment about unprofessionalism was limited to a specific setting. 
> Suggesting a "spot fix" that a nanosecond's consideration shows is 
> likely to be policy violating in many corporate IT environments will 
> have one branded "unthinking" at best and quite likely 
> "unprofessional".  Making the same suggestion when asked for 
> professional advice is not unprofessional (at least, so long as the 
> rest of the "structural changes" such as altering local security
> policies to accommodate the suggested changes, etc. are also covered in
> that advice).
> 

Well, that's what I get for making such a short comment.  :)

Anyway, let me try to be more clear.  The many holes in clients such as
Internet Explorer and Outlook have been made clear over and over again for
many years now.  The insecurity of these products is not news.

Companies who were dependent on these programs, or who had policies
referring to them, have had years now to plan a migration away from them
to other tools, and to write new policies.  There should never have been
any need for a "spot fix."

However, there's no point in saying "I told you so" either.  So, while
it's unfortunate that these products are still so widely used, it's not too
late.  Companies can still make the necessary decisions and move forward
to ensure a more secure and productive environment.

My post was intended as a simple reminder that even if you've been banging
your head against the wall for years, it's never too late to stop.  :)


Chris

