| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: dfs at roaringpenguin.com (David F. Skoll) Subject: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause On Sun, 18 Jan 2004, Wes Noonan wrote: [...] > Actually, A/V software protects against both. The most obvious example is > heuristics. I have a very powerful heuristic on my mail server: I discard anything with an .exe attachment. A/V software that does any less is simply dangerous. There is no need for signatures or complex heuristics, when *any* executable arriving by e-mail should be treated as dynamite and disposed of safely. > Another example is through the extensibility of the virus > signatures. While mounting /tmp noexec may protect against a wide class of > threats, if a new threat comes out that it doesn't address, but that A/V > software does, you are effectively screwed. Personally, I wouldn't bet my > enterprise on that. Personally, I would do both. As I've written before, there is no A/V software for Linux that protects against Linux viruses. I know dozens, and know of hundreds, of people who run Linux, and I don't know a single one who runs such A/V software. Of course, many of them do run A/V software, but it's to protect Windows machines that are attached to the Linux ones. > Actually, it does. New threats come out, new signatures come out. Dropping anything that could possibly be an executable takes care of that on the Windows side (plus not running software susceptible to macro viruses, though those are all but extinct.) [...] > > I agree. But a particular product or application *can* lead to > > insecurity. > Sure, but I think that your apparent belief that running A/V software leads > to insecurity is false. I never said that. What I mean is that running Windows is likely to lead to insecurity. The A/V industry is simply a lucrative business built to wrap band-aids around Windows' deficiencies. > > Obviously, right now, I can't. But there are plenty of large > > organizations > > using free software; HP claims to have made $2.5 billion in Linux-related > > sales. > Well then, it sounds like Linux isn't free anymore doesn't it? I suspect that most of that is from hardware. > No it won't, not necessarily at least. Not trying to get personal here, but > let's look at your company and some of its products. You release them free > with no support what so ever. That is untrue. I offer fanatical support for my products; just check the MIMEDefang mailing list archives to see what people think of our level of support. (http://lists.roaringpenguin.com/pipermail/mimedefang/) Not all of our products are free (I'm not a free software zealot), and we offer excellent commercial support for our commercial products. > Simply put, open source is not a simple lower cost solution. There are more > factors than just the price on the shrinkwrap. Absolutely. And those additional factors (better security, generally better support, and no worries about BSA enforcement) only add to Linux's cost advantage over Windows. [...] > Ah, but it is more than just being a Linux expert. It is being an expert in > what this company is doing with Linux. Someone can know Linux quite well, > but if they don't know how David modified it, what he did with it, what he > didn't do with it - to the code level in many cases, then they are SOL. I run bog-standard distros; I'm not a kernel hacker. Just because I could fool with the source code to Linux doesn't mean I want to. > > No. The fundamental problem with Windows is the problem that lead to > > the creation of the anti-virus industry: Encoding of metadata in > > filenames. > > The fact that ".exe" on Windows means the same thing as turning on the > > execute bit in UNIX has cost the world economy billions. And it's > > impossible > > to change this without fundamentally changing Windows. (Even this flaw > > isn't a Microsoft innovation; it was first revealed in 1987 in the > > infamous > > CHRISTMA EXEC worm at IBM on the VM/370 system.) > Well, I'm no developer so frankly I will leave this particular discussion to > others. No-one else wants to discuss it with me; they all seem to change the subject when I bring it up. :-) [...] > I would disagree. Send them an RPM on redhat and have them run it. With > increased user requests for functionality and usability (i.e. why can't I > run this attachment), Linux and the relevant email clients will continue to > be tugged in directions other than security. Unfortunately, you may be right. However, I think Linux developers are lucky in that the system hasn't become popular until recently, when the dangers of the Internet were readily apparent. I'm optimistic, therefore, that they won't repeat the same mistakes of Microsoft (which to be charitable, was operating in a very different environment when it made its design decisions.) [...] > No, I am claiming that all OS's can be hardened. That is a tautology that is unhelpful in deciding which OS to choose. > Each system requires > different hardening steps. I would also contend, and have contended, that > there is more to software than merely security. In today's environment, software *must* be secure first, with usability added on top of a secure base. Microsoft systems take the opposite approach, with dismal security consequences. > Can Microsoft secure Windows > faster than Linux can become usable. The jury is still out, though both are > making their respective strides. Unfortunately for Microsoft, it's cheaper and easier to make secure software usable than insecure software secure. [...] > OK, so this is just another "use Linux" or "Microsoft is an evil monopoly" > rant? Not at all. It's a simple statement that monopolies can afford to be complacent, because they are monopolies. The most effective way to get Microsoft to secure its software is to provide a credible threat that if it doesn't, it will lose its monopoly. This is simple economics, not childish name-calling. > > You fail to refute it, because you cannot. > Yes, in the same way that folks can neither prove or refute the existence of > God. Here's my argument in a nutshell: Assumption 1: Within the bounds of legality, corporations should maximize their profit. (I agree with this; I'm a capitalist.) Assumption 2: Within the bounds of legality, corporations should not take actions that decrease their profit. Assumption 3: It will cost Microsoft $X dollars to make Windows more secure. Assumption 4: If Microsoft does *not* make Windows more secure, it will not lose revenue. This assumption is based on personal experience, recent court decisions stating that Microsoft has a monopoly, plus postings on this list. Conclusion: It is irrational for Microsoft to make Windows more secure. Where's the hole? If you agree with my assumptions (which I believe are entirely reasonable), then the conclusion must follow. The only ways to break the cycle are: 1: Forcing software producers to secure their products through legislation, regulation or liability lawsuits. 2: Paying for Microsoft to secure its software so it doesn't cost Microsoft anything. 3: Making it clear that Microsoft will lose market share (and hence some of its profit) unless it secures its products. I don't know about you, but I certainly prefer (3) to (1) or (2). Bruce Schneier has floated (1), but I can't see it working with the state of software engineering today. > For me, neither Windows or Linux are "better". They both do good things and > bad things, and as long as they meet my requirements they both get used when > appropriate. This kind of relativism is OK in most cases, but not on a security mailing list. Regards, David.
Powered by blists - more mailing lists