Open Source and information security mailing list archives
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Re: January 15 is Personal Firewall Day, help the cause

Hi Wes,

On Fri, 16.01.2004 at 18:32, Wes Noonan wrote:
> Did you really just propose that a viable solution is to remove network
> access?

For some systems: plain and simple, yes. If the supplier of a piece of
software fails to deliver it in a "secure by default" state and even
cuts off the supply of patches (Windows NT4/95/98), these systems should
go offline immediately. There is no compromise.

This "Personal Firewall Day", aimed at the end consumer, may actually
plant the idea in people's heads that their unpatched and unsupported
Windows 98 might be safe for the future as soon as they install a
personal firewall. Well, this is just plain BS.

> Basically turn off everything that allows corporate uses to share
> information and collaborate and you have security panacea. Granted, you
> can't do a damned thing, but let's not forget that technology doesn't exist
> to facilitate companies in making a profit and sharing of information, it
> exists for some other geek reason.

Security is always a trade-off. ;-)

> This is in addition to "well, if you don't run popular software you aren't
> as susceptible to threats".

This is how people with exactly those "popular" systems perceive the
message that they should switch to a more _secure_ system.

> Yeah, back in 94 if you ran NT you weren't as
> susceptible to all the Novell threats... then NT became the big player and
> now you have folks saying "yeah, well run Linux and you won't be susceptible
> to all those Windows threats".

This is not the same. Novell has been a proprietary system and Windows
NT has been a proprietary system. They both suffered from the closed
development and security assessment process. This is how Linux and other
open OSes differ.

Linux isn't safer than Windows because it is less popular. It is safer
because it doesn't have all doors open by default and vendors can define
the level of security they want for their distribution. Linux doesn't
come with obvious flaws in system design. It doesn't come with an open
RPC port and, most importantly: there is no Linux homogeneity. There are
so many different Linux systems, with different kernels, different
modifications, different file locations, different file systems and so
on that it is very hard to produce a widely usable exploit in the way
you can with Windows.
Linux is far from being perfect. For near-perfect I'd cast my vote for
OpenBSD, yet even they let something slip past. But MS Windows is just
the plain opposite of OpenBSD, yet Microsoft has the potential to do
better!

The designers of the latest worm attack waves damn well relied on the
simple fact that almost every Windows system in the hands of home users
had an open RPC port. How convenient, isn't it?

The sin is that Microsoft's solution to this problem isn't closing
unnecessary services BY DEFAULT but promoting additional third party
software to put in between Windows and the Internet, which the end user
has to pay for, deploy and operate. This is pathetic.

> And if Linux ever goes mainstream and if
> Linux ever surpasses Windows in market share, then 5-10 years down the road
> people will be saying "yeah, but if you run ziggledorf, then you won't be
> susceptible to all those Linux threats".

There already is a high level of Linux threats. But the efforts into
securing Linux are much less tedious than securing a Windows machine.
That's the difference. There are no secrets with Linux security.

> This security through obscurity mantra is laughable.

Changing topics... not so fast! What happened to the old one ;-)

Linux is following (or should be) a strict open source philosophy. How
is that "security by obscurity"?

Don't you rather mean companies like Microsoft? Take the sender of this
nice ad mail, alerting us to this "oh glorious" Personal Firewall Day.

Thor Larholm
Senior Security Researcher
PivX Solutions

That's the same guy who offered a neat list of unpatched security holes
on his company's website. Full-Disclosure.

What happened?

He took the list off his site. He went into cooperation with Microsoft.
(Is there a coincidence yet?!).

And now he posts ad mails for companies like Zone Labs and Microsoft.
(Now this is a coincidence!).

Sorry, Ladies and Gentlemen. This is NOT Full-Disclosure. THIS is
"security by obscurity". And a very bad thing to build trust upon.

> The top dogs always get the most exploits.

No. The most lousy systems get the most exploits. Face it.

Take the market for webservers.

Apache virtually owns the market with more than 60%. How come Microsoft
IIS gets the most exploits? When I look into my Snort logs I don't get
any Code Reds from Apache installations trying to sneak into my net.
Funny, isn't it? Why isn't there a Code Red with the level of spreading
for Apache as there is for IIS, yet Apache is deployed on more than 60%
of webservers?

It's the same with water. It flows using the path with lowest
resistance. Crackers do the same. Predators always look for the weakest
animal in the flock.

> Accept the reality. When everyone
> else starts using Firebird, Thunderbird or whatever other obscure program
> you want to mention as your own personal bestest solution, then it will get
> hacked and exploited beyond belief. History proves this.

In fact, "history", or rather reality, has proven you wrong. Or is the
Apache case just an exception?! I don't think so. It only differs from
the Linux-Windows comparison in that Apache _already has_ an advantage
in market share.

> Disconnecting from the network or disabling all those services that provide
> network access is an unrealistic expectation.

Why is delivering a system with all doors shut an unrealistic
expectation? Why is delivering Windows XP Home with a closed RPC port an
unrealistic expectation?

> Next thing you know, you will
> be proposing only using carbon paper to share documents (though surely
> someone on this list will then point out the inherent security flaws in what
> to do with the used carbons).

Did you see that Bruce Willis movie? Mercury puzzle or something like
that... 

> And people wonder why users don't understand, but certainly fear, a good
> chunk of computer security...

Because they are told they have bought a secure operating system and
some time later they are told to buy a virus scanner, a personal
firewall, keep track of updating the OS, the virus scanner, the personal
firewall, ...

> Wes Noonan
> mailinglists@...consulting.com
> http://www.wjnconsulting.com

Now, of course this is from someone who is listing Microsoft operating
systems and applications in second place for vendors...

cheers,
Tobias W.
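The Snort-logs remark in the message above (Code Red probes showing up against Apache hosts that are not vulnerable to them) as an added example, not code from Tobias's post or from any product it names: a small Python scanner that walks Common Log Format access-log lines and tallies Code Red style requests per source host. The worm's request shape (an oversized GET for /default.ida with a long run of N or X characters followed by %u-encoded bytes) is the well-known public signature; the run-length threshold of 20 and the log lines themselves are constructed for this example, using documentation IP ranges.

```python
"""Spot Code Red style probes in an HTTP access log.

Added example; this is not code from the mailing-list post above. Code Red
propagated by sending IIS an oversized GET for /default.ida whose query
string is a long run of 'N' (second variant: 'X') followed by %u-encoded
shellcode. Any web server the worm scans logs that request, which is why
Apache logs fill with them even though Apache is not affected. The log
lines below are constructed for the example and use documentation IP ranges.
"""
import re
from collections import Counter

# Common Log Format: host ident authuser [date] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Worm probe: GET /default.ida?<run of N or X>... The run-length threshold
# of 20 is an assumption chosen to separate worm traffic from someone
# requesting /default.ida by hand or with a short query string.
CODE_RED_RE = re.compile(r'^GET /default\.ida\?(?:N{20,}|X{20,})')

# Constructed sample log (documentation IP ranges, payload shape modelled on
# the worm's request). Apache answers 404, so the probes are harmless noise.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Jan/2004:18:32:01 +0100] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [16/Jan/2004:18:32:05 +0100] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
203.0.113.42 - - [16/Jan/2004:18:33:11 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
192.0.2.10 - - [16/Jan/2004:18:34:00 +0100] "GET /default.ida HTTP/1.1" 404 287
198.51.100.7 - - [16/Jan/2004:18:35:09 +0100] "GET /default.ida?NNNNNNNNNN%u9090 HTTP/1.0" 404 287
198.51.100.7 - - [16/Jan/2004:18:36:40 +0100] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801=a HTTP/1.0" 404 287
"""


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_code_red(request):
    """True if the request line looks like a Code Red propagation attempt."""
    return CODE_RED_RE.match(request) is not None


def scan(log_text):
    """Walk a log; return the worm hits and a per-source-host tally.

    Unparseable lines are counted rather than silently dropped, so a log
    format change (or a deliberately malformed line) shows up in the report
    instead of producing a quietly incomplete one.
    """
    hits, by_host, unparsed, total = [], Counter(), 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        total += 1
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if is_code_red(rec["request"]):
            hits.append((rec["host"], rec["date"], rec["status"]))
            by_host[rec["host"]] += 1
    return {"total_lines": total, "unparsed": unparsed,
            "hits": hits, "by_host": by_host}


if __name__ == "__main__":
    report = scan(SAMPLE_LOG)
    print(f"{report['total_lines']} lines, {report['unparsed']} unparsed, "
          f"{len(report['hits'])} Code Red probes")
    for host, n in report["by_host"].most_common():
        print(f"  {host}: {n}")
```

Run against a real Apache access log by feeding the file contents to `scan()`; the status column of each hit is kept deliberately, since a 404 from a non-IIS host confirms the probe landed on a server the worm cannot infect, which is exactly the noise the message describes seeing.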
