From: dfs at roaringpenguin.com (David F. Skoll)
Subject: Religion... was RE: Re: January 15 is Personal
 Firewall Day, help the cause

On Sun, 18 Jan 2004, Wes Noonan wrote:

> > (I know that someone recently released code to do a "user-space" exec,
> > so mounting /tmp noexec is not 100% foolproof, but it's pretty good
> > protection.)

> Well then, IMO you might want to invest in virus protection.

Why?  Name one virus for Linux that AV software would have protected
against, that a noexec /tmp wouldn't have.

(It's hard enough to name a Linux virus; it's impossible to name a virus
that meets the latter conditions.)

> I'm curious, why is your solution which is not 100% foolproof "pretty good
> protection", but installing virus protection which is not 100% foolproof is
> a sham?

Because mounting /tmp noexec costs me nothing, whereas buying AV software
costs money.

> Really, it seems to me that a number of the "anti-virus scan" positions (and
> indeed most of the anti-microsoft, anti-personal firewall, etc positions)
> seem to have little substance beyond "I don't want to spend money".

That's a good enough reason for me. :-) I'm a tried-and-true
capitalist, and anything legal that decreases the cost of production
is something that will help my business, and something I'll embrace.
We're a 7-person shop with a budget of $0 for software.  I'd love to
see a Microsoft shop with a similar software budget.

Why should I spend money, time and energy trying to secure a basically
un-securable system, when I can not spend money, spend a whole lot
less time and energy, and have a more secure system?

One of the reasons Microsoft has such a terrible security record is
that it's a monopoly.  All the people who have posted "ah, yes, but
it's impractical to switch" are perpetuating insecure software.
Securing software costs a lot of money; if Microsoft knows it won't
lose market share even if it doesn't bother securing its software,
what possible motivation would it have to secure the software?  (As a
tried-and-true capitalist, *I* certainly wouldn't spend money securing
software in that situation.)

So unless you investigate alternative systems seriously, you're just
ensuring a monopoly situation, which guarantees bad software.
Complacency and defeatism have no place in the fight to secure our
computers.

--
David.

