Message-ID: <Pine.LNX.4.58.0401182152070.3063@shishi.roaringpenguin.com>
From: dfs at roaringpenguin.com (David F. Skoll)
Subject: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause

On Sun, 18 Jan 2004, Wes Noonan wrote:

[...]
> It seems that you have shifted focus to email filtering only. There's
> nothing wrong with this of course, but I think it shifts the discussion
> some.

That was my original topic.

[...]
> So is running any operating system. If you don't believe that, then you are
> believing in the myth that solely by running something other than Windows
> you are secure.

I never said that.  I said if you're running on Windows, you are insecure. :-)
If you are running something else, you may or may not be insecure.

[...]
> Sorry. I read "rp-pppoe is free software; it comes without warranty or
> support. We regret that we cannot offer e-mail or telephone support for
> rp-pppoe." and it seemed to me to illustrate my point quite well.

rp-pppoe is an old, stable product that hasn't changed in 2+ years and
is shipped by all major Linux distributions.  People wanting support can
obtain it from their Linux distro vendor.  (Unlike Microsoft:  When
Microsoft end-of-lifes a product, you're out of luck.)

> > Absolutely.  And those additional factors (better security, generally
> > better support, and no worries about BSA enforcement) only add to
> > Linux's cost advantage over Windows.

> Well, there are plenty of TCO studies that don't quite come to that same
> conclusion.

Yeah, I know.  Funny who the sponsor of those studies is, really...

> > I run bog-standard distros; I'm not a kernel hacker.  Just because I could
> > fool with the source code to Linux doesn't mean I want to.

> Sure, you don't. But that doesn't mean that Joe the admin didn't.

I can assure you that "Joe the admin" won't hack the Linux kernel. :-)  I've
met lots of sysadmins, and they have enough to do without modifying Linux.

> And now you have to figure it out. I'm not trying to just argue
> specific examples though. I'm trying to illustrate the point with
> the examples.

The point is badly-taken, because administrators don't modify the source
to production systems (any more than a Windows admin would patch the Windows
kernel with binary patches of his own.)

> And I would challenge you to prove that Microsoft has been complacent. Not
> that they have made mistakes, but that they have been and continue to be
> complacent. I'm not seeing that.

Microsoft is less complacent in about the last 6-9 months, because
they are finally seeing a threat to their monopoly.  When governments
can negotiate large discounts by threatening to use Linux, it means MS
sees it as a serious threat.  It could be that the governments were
bluffing (they probably were, in many cases), but MS evidently didn't
want to take the chance.

> > Assumption 4: If Microsoft does *not* make Windows more secure, it
> > will not lose revenue.  This assumption is based on personal
> > experience, recent court decisions stating that Microsoft has a
> > monopoly, plus postings on this list.

> This assumption cannot be supported. Microsoft is making Windows more
> secure. This is a fact, not an opinion.

Read the assumption again:  If Microsoft does *not* make Windows more secure,
would it lose market share?

Let's suppose that Microsoft didn't make Windows any more secure.  Would
you recommend to your clients to look at alternative systems?  Would you
think seriously about switching yourself?  If yes: Congratulations!  If
no: you're like most of the other respondents on this list, and (sadly) like
most people I encounter.

> Producers will always pass the cost of development to the end users, or in
> the case of open source will pass the cost of support or maintenance. Heck,
> look at your own software. You sell software to support not only that
> development, but the development of software that you give away. Must have
> one hell of a margin to be successful doing that. ;-)

Yes, indeed.  Our commercial software is based largely on open-source software
(though not GPL'd software.)  By leveraging that base, we can undercut
our competitors.

Furthermore, the free software we give away is a terrific marketing
tool for our commercial software.  Our software is installed on the
e-mail gateways of huge multinationals; there's no way we could have
penetrated those markets with traditional commercial software.
However, once our free software is in, people start taking our
commercial software (which is based on the free software) a lot more
seriously.

> Um, this already happens. There are and have always been alternatives to
> Microsoft. Microsoft wasn't born with 90+% market share, they took it.

The methods they used to take it are what raise such passion and ire in
some quarters.  For example, do you think that Microsoft used legitimate
business tactics to take the browser market from Netscape?

> Then I submit that you are looking at it entirely too cynically.

I'm very cynical, I admit.  But I believe history will show me to be
right.  There will absolutely be huge, costly Windows virus outbreaks
in 2004.  And 2005.  And 2006.  And 2007.  And 2008.

> Far too many security "professionals" seem to miss that point. It's
> not all about the security. It's all about the business and security
> is just another component sometimes more and sometimes less
> important than the other components.

I contend that in today's climate, security is (or should be) the first
priority of most businesses.

Regards,

David.

