Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.58.0401181056270.2431@shishi.roaringpenguin.com>
From: dfs at roaringpenguin.com (David F. Skoll)
Subject: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause

On Sun, 18 Jan 2004, Wes Noonan wrote:

> > (I know that someone recently released code to do a "user-space" exec,
> > so mounting /tmp noexec is not 100% foolproof, but it's pretty good
> > protection.)

> Well then, IMO you might want to invest in virus protection.

Why? Name one virus for Linux that AV software would have protected
against, that a noexec /tmp wouldn't have. (It's hard enough to name
a Linux virus; it's impossible to name a virus that meets the latter
conditions.)

> I'm curious, why is your solution which is not 100% foolproof "pretty good
> protection", but installing virus protection which is not 100% foolproof is
> a sham?

Because mounting /tmp noexec costs me nothing, whereas buying AV software
costs money.

> Really, it seems to me that a number of the "anti-virus scan" positions (and
> indeed most of the anti-microsoft, anti-personal firewall, etc positions)
> seem to have little substance beyond "I don't want to spend money".

That's a good enough reason for me. :-) I'm a tried-and-true capitalist,
and anything legal that decreases the cost of production is something
that will help my business, and something I'll embrace.

We're a 7-person shop with a budget of $0 for software. I'd love to see
a Microsoft shop with a similar software budget.

Why should I spend money, time and energy trying to secure a basically
un-securable system, when I can not spend money, spend a whole lot less
time and energy, and have a more secure system?

One of the reasons Microsoft has such a terrible security record is that
it's a monopoly. All the people who have posted "ah, yes, but it's
impractical to switch" are perpetuating insecure software.
Securing software costs a lot of money; if Microsoft knows it won't lose
market share even if it doesn't bother securing its software, what possible
motivation would it have to secure the software? (As a tried-and-true
capitalist, *I* certainly wouldn't spend money securing software in that
situation.)

So unless you investigate alternative systems seriously, you're just
ensuring a monopoly situation, which guarantees bad software. Complacency
and defeatism have no place in the fight to secure our computers.

--
David.