lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200401190326.i0J3QYmE012389@ms-smtp-01-eri0.texas.rr.com>
From: mailinglists at wjnconsulting.com (Wes Noonan)
Subject: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause

> I never said that.  I said if you're running on Windows, you are insecure.
> :-)
> If you are running something else, you may or may not be insecure.

This, while you are entitled to your opinion, has no basis in fact. You can
most certainly be secure running Windows. Security isn't a uniquely Linux
scenario.
 
> rp-pppoe is an old, stable product that hasn't changed in 2+ years and
> is shipped by all major Linux distributions.  People wanting support can
> obtain it from their Linux distro vendor.  (Unlike Microsoft:  When
> Microsoft end-of-lifes a product, you're out of luck.)

I always get a kick out of this. MS (and everyone else) EOL's stuff because
better and in many cases more secure solutions are out there. Rather than
moving to them though, people complain first about how wrong it is to expect
them to move then second about how insecure the product is (though the order
sometimes changes).
 
> Yeah, I know.  Funny who the sponsor of those studies is, really...

Sure, no real difference from the ones pushing Linux as lower cost though
now, is it?
 
> I can assure you that "Joe the admin" won't hack the Linux kernel. :-)
> I've
> met lots of sysadmins, and they have enough to do without modifying Linux.

And yet to effectively harden Linux in many cases that is exactly what Joe
the admin has to do (modify Linux). 
 
> The point is badly-taken, because administrators don't modify the source
> to production systems (any more than a Windows admin would patch the
> Windows
> kernel with binary patches of his own.)

Really? I know plenty of Linux admins that do that (recompile) to customize
the product. In fact, many of them point to this as a reason for choosing
Linux over Windows. 
 
> Microsoft is less complacent in about the last 6-9 months, because
> they are finally seeing a threat to their monopoly.  When governments
> can negotiate large discounts by threatening to use Linux, it means MS
> sees it as a serious threat.  It could be that the governments were
> bluffing (they probably were, in many cases), but MS evidently didn't
> want to take the chance.

Sorry, they have been less complacent about it for at least the past 4
years, not 6-9 months... unless of course you honestly believe that W2K3 was
developed in 6-9 months. This all started long before Linux was any kind of
real threat.
 
> > > Assumption 4: If Microsoft does *not* make Windows more secure, it
> > > will not lose revenue.  This assumption is based on personal
> > > experience, recent court decisions stating that Microsoft has a
> > > monopoly, plus postings on this list.
> 
> > This assumption can not be supported. Microsoft is making windows more
> > secure. This is a fact, not an opinion.
> 
> Read the assumption again:  If Microsoft does *not* make Windows more
> secure,
> would it lose market share?

That isn't the assumption. The assumption is " If Microsoft does *not* make
Windows more secure, it will not lose revenue". The answer is "yes, they
very well might".
 
> Let's suppose that Microsoft didn't make Windows any more secure.  Would
> you recommend to your clients to look at alternative systems?  Would you
> think seriously about switching yourself?  If yes: Congratulations!  If
> no: you're like most of the other respondents on this list, and (sadly)
> like
> most people I encounter.

Once again, you are looking at it solely from the security perspective.
While that is fine and dandy, there are other perspectives that factor into
the decision. That is probably why most of the other respondents on this
list and most people you encounter think that way. That is why everyone I
have run across does.
 
> Furthermore, the free software we give away is a terrific marketing
> tool for our commercial software.  Our software is installed on the
> e-mail gateways of huge multinationals; there's no way we could have
> penetrated those markets with traditional commercial software.
> However, once our free software is in, people start taking our
> commercial software (which is based on the free software) a lot more
> seriously.

Oddly, this sounds an awful lot like Microsoft's Internet Explorer policy
and Office policy before that. Of course, that couldn't be because Microsoft
is an evil monopoly ;-)

 
> > Um, this already happens. There are and have always been alternatives to
> > Microsoft. Microsoft wasn't born with 90+% market share, they took it.
> 
> The methods they used to take it are what raise such passion and ire in
> some quarters.  For example, do you think that Microsoft used legitimate
> business tactics to take the browser market from Netscape?

Yes, I happen to think they did. I'm sure at this point you will tell me how
wrong I am though.
 
> > Then I submit that you are looking at it entirely too cynical.
> 
> I'm very cynical, I admit.  But I believe history will show me to be
> right.  There will absolutely be huge, costly Windows virus outbreaks
> in 2004.  And 2005.  And 2006.  And 2007.  And 2008.

And likewise as/if Linux ever matures to more than a specialized operating
system, it will join Windows in that dubious distinction - having more and
more costly exploits and viruses. Like every other product ever made that
became used more and more by the masses.
 
> I contend that in today's climate, security is (or should be) the first
> priority of most businesses.

Really? I would wager that profit should be the first priority, but that's
just me... and most of the business community. The goal isn't to be secure.
The goal is to make money. Everything else is a secondary effect. Slowly,
technology professionals are starting to learn that business acumen though. 

Wes Noonan
mailinglists@...consulting.com
http://www.wjnconsulting.com 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ