lists.openwall.net
Open Source and information security mailing list archives
 
From: tobias at weisserth.de (Tobias Weisserth)
Subject: Anti-MS drivel

Hi Mary,

On Tue, 20.01.2004 at 20:13, Mary Landesman wrote:
> > not lose your keys on purpose
> 
> Does anyone lose their keys on purpose? :-)

If you've got a stupid insurance company... :-) I don't know?

> As I stated originally, you can reduce the risk but you can never alleviate
> it entirely. Windows can be broken, locks can be picked, heck, use a
> chainsaw and you can slice right through pretty much any part of it. Of
> course, it requires physical presence which raises the risk of being caught,
> hence it's not very likely. Conversely, using the Internet to anonymously
> launch exploits is pretty much risk-free - some might argue it's ideally
> suited to the cowardly criminal. Sometimes smarts plays a part, but never
> guts.

We all agree that the people behind these attacks are the bad guys. But
we can't change them, we can't eradicate them. We have to live with
them. The one thing we can change though is accepting or not accepting
the way vendors ship software.

Opportunities make thieves. If you leave your door open you mustn't be
surprised if that Van Gogh is gone when you're done with shopping. No
insurance would cover the loss of that picture if you didn't lock the
door. So in fact, although someone else has committed the crime, the
loss of the Van Gogh is YOUR fault. YOU didn't lock the door. YOU
created the opportunity.

What I'm criticising here is the amount of senseless opportunities MS
has created over the past years. Nothing else.

> Now, MS has made bad decisions but they are not unique in this regard.

That's not what I said. But they have a unique impact.

Up to now they rule the consumer OS market with more than 90% market
share. Any error they make regarding default settings in their OS
affects 90% of all end consumers. It is impossible to require that many
customers to adapt. Rather the vendor has to adapt. This is only
logical.

> They certainly have more at stake, given the numbers of users, thus their bad
> decisions tend to be very high profile.

Well seen.

> I suspect that when and if they achieve their Trusted Computing goals,
> many of the same anti-MS folks will shift their focus to complaining
> about the privacy and censorship issues it brings to the table.

You still haven't understood. Trusted Computing won't bring us security
as long as basic philosophies like "secure by default" and "opt-out of
security" haven't been accepted by MS.

Having an open RPC port in a consumer OS that can be exploited ISN'T
solved by putting a personal firewall in front of it. The flaw is still
there, may it be hidden by an additional layer of software (which itself
can contain flaws).

Trusted Computing will worsen matters actually. Not only from the
privacy point of view, also from the security point of view.

No matter what technical feature they will use to implement Trusted
Computing it will be broken the minute it is on the market. Add the lack
of basic security philosophies and you're stuck in the same bad
situation with the added "bonus" of a lack of privacy and some more
technical abstraction layers many more end users won't be able to
understand.

Take a look at the X-Box. The X-Box actually implements what MS had in
mind as a predecessor for Trusted Computing. Has it been 6 months until
people were able to run ANY code they wanted to with minor modifications
to the X-Box?

> Ironically, the very people who seek to publicly decry
> and exploit every MS flaw are the ones who are helping to force TC into
> reality.

No, that's actually not the case. Technical innovations and new features
are subject to market laws. If consumers ultimately decide to reject
such technologies then it will fail. As soon as there is an opportunity
for alternative vendors to promote hardware and software WITHOUT these
unwanted features, competition will kick in and level market shares
again. I'm pretty confident free markets will take care of "Trusted
Computing". Look at the trouble the music industry has to establish
"Trusted Computing" in audio goods.

>  For more on the implications, see
> http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

This seems interesting though not new. I'll give it a "visit" ;-)

cheers,
Tobias W.

