Open Source and information security mailing list archives
 
Message-ID: <20030927060914.GA13562@netpublishing.com>
From: ggilliss at netpublishing.com (Gregory A. Gilliss)
Subject: CyberInsecurity: The cost of Monopoly

I suspect we are starting a game of telephone ...

It appears to me (and I'm going to be nice and *not* include the
entire thread in the message ;-) that this started out with the
citation of the CCIA paper regarding Dan Geer getting shown the door.
The response (which was posted by Jon on behalf of Fabio) ends with
the statement "These guys have done a GREAT WORK!" which appears to
refer to the paper (Geer et al). Unfortunately that post was preceded
by some rant and ramble that did not clearly support the final thought
(namely "huzzah for Geer et al"). 

Taken individually, Fabio's points include:

- Removing Microsoft's monopoly somehow also will remove AV companies
- Microsoft doesn't give a rat's a** about security
- Vulnerabilities can only be fixed before they become a business
- Open source software has not been targeted by viruses
- Open source rulez
- Geer et al wrote a great report

FWIW, my replies to the assertions (as I have enumerated them above):

- false assertion
- true assertion
- ?
- true (exploits, OTOH...)
- agree
- strongly agree

With apologies to Fabio, I suspect that this may be an example of a
non-native English speaker's post being misinterpreted. I truly doubt
that the intent was to incite a discussion of Microsoft and/or virus
writing. That was actually (and if Fabio reads this and disagrees I hope 
that he will correct me) just fodder for the final show of support for
the report by Geer et al.

For the record, I am withholding comment on Geer's separation and @Stake's
position until and unless more facts come to light. I suspect several of
the @Stake guys can read this and that they are free to participate in the
discussion (...or maybe not). I stand by my prior post - the report
stands on its own merits.

G

On or about 2003.09.26 23:07:14 +0000, Rick Kingslan (rkingsla@....net) said:

> Wow.  Is this just troll bait (and I succumbed) or have you been watching
> too many re-runs of the "X-Files"?
> 
> I'll not argue that the Windows operating systems are the target of the
> majority of viruses, but that's typically what happens when a system is used
> by a known large group of people that might not be qualified to run a
> computer, much less secure it.
> 
> And, regardless of what MS does - I doubt that they can force Mom and Dad to
> not screw up the security settings (though, the default out of the box sucks
> anyway).
> 
> Do you think that virus writers will stop IF Windows ceases to be a target?
> Or, what seems to be your argument - if the Anti-Virus companies are
> eliminated, the virus writers are going to just go away, too?  "Well,
> they're not trying to stop us anymore - I guess we should quit trying to
> wreak havoc and go back to being productive citizens again.  Virus writing
> isn't fun anymore."
> 
> Yeah - that's going to happen.
> 
> As a response to open source, bravo.  My hat is off to what has been
> accomplished.  But, I'd like to see the same level of success as a secure
> platform (which, in the hands of someone with no clue how to run it - Linux
> is insecure, regardless of the out of the box config) when it commands a
> majority of the desktops.  And, I don't care what the platform or OS -
> nothing is completely secure.  Humans write code, humans make mistakes, ergo
> code has mistakes.  Same goes for configuration settings.
> 
> The 'bad guys' and 'bored kids' are going to target the largest base - and
> there will always be holes to compromise and exploit.  Viruses have never
> been a threat to Open Source because the target is not yet juicy enough.
> 
> And, just because I'm really curious, can you provide documentation and
> detail on the cited 'Microsoft Virus Support(TM)'?  I've not heard of this -
> well, except through your posts.  But, I'm open to be educated.

-- 
Gregory A. Gilliss, CISSP                             Telephone: 1 650 872 2420
Computer Engineering                                   E-mail: greg@...liss.com
Computer Security                                                ICQ: 123710561
Software Development                          WWW: http://www.gilliss.com/greg/
PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3

