[fw-wiz] Re: firewall-wizards digest, Vol 1 #1095 - 2 msgs

From: Mike Hoskins (mike_at_adept.org)
Date: 09/29/03

  • Next message: Shivdasani, Meenoo: "RE: [fw-wiz] PIX 6.3.3 and UDP connections"
    To: firewall-wizards@honor.icsalabs.com
    Date: Sun, 28 Sep 2003 15:16:41 -0700 (PDT)

    > Subject: RE: [fw-wiz] @Stake CTO fired for Microsoft comments
    > From: "Claussen, Ken" <Ken@kccweb.com>
    > Mr. Ferris Wrote:
    > "we can blame ourselves and our great "capitalist nation" that
    > ultimately discouraged entrepreneurship and innovation

    i won't comment in detail, since i didn't read the original post (only
    what you quoted, i'll have to skim back through my archives and find the
    original), but there is some truth to his words. i can't agree
    completely, but capitalism as it's currently instantiated certainly
    benefits the rich more than the poor. as such, large companies with
    billion dollar budgets have certain advantages in the market place
    less-funded efforts aren't always entitled to. i thought that'd be
    obvious though, in marketing terms alone. (M$' (in)famous "5 9's"
    campaign comes to mind. "haha.")

    > FUD. I agree with Paul's comments, security is more about diversity and
    > defense in depth than big words with little true meaning (referring to
    > above statements).

    if you agree with Paul, you disagree with M$. trust me, M$ isn't going to
    take steps to increase diversity -- unless they buy RH and start marketing

    > Snort can run on Windows as well as Linux
    <much snipped about opensource on Windoze>

    the question you should be asking is how much more software would be
    available on win32 if the obfuscated FUD (to use your terms ;) introduced
    by TPAM$ (The Powers At M$) was removed. have you ported opensource
    projects to M$? actually, i should say... "have you tried..." i'm
    working on one right now. it's not as easy as you may think. it could be
    easier, mostly if M$ simply followed well-published standards (like just
    about everyone else).

    > Operating system? And the cracks on Windows security have little to do
    > with the Operating system itself (there have been numerous Root level
    > compromises of other operating system) and more to do with the skill of
    > the administrator.

    that's very true. administrator training/knowledge goes a long way. i've
    had the honor of working with "M$ guys that know their shit" and also the
    extreme annoyance of working with "M$ guys that are shit". night and day
    -- and the same goes for any admins.

    that said, care to pick a year and plot advisories released for some
    opensource OS vs. M$? i've done it in the past, the results were always
    as expected. (of course you only really know about issues advisories are
    released for unless you have time for real auditing, and any camp could
    probably hide things.)

    > How many Windows Servers have you worked with in a
    > security context?

    speaking for myself here... not many, probably only 1-200 in my career.
    currently we have no more than 20-40 Win2k machines. (servers; desktops
    are another issue.) the point is -- enough to see truth in the report you
    haven't read. (maybe you should? FWIW, i don't see the things said in
    the "new" report any more inflammatory (at least to M$ fans) than what's
    in rfc2870... and that was last updated sometime around mid-2000.)

    > the rhetoric and get back to discussing security. I have seen people
    > fired for much less than outright bashing of the operating system your
    > company is contracted to audit.

    you've likely seen people fired for using company resources (time,
    machines, etc.) for such projects or for stating opinions that were
    misconstrued as being "from the company". none of that was true, from
    what i've heard, in this case. i think both sides are too quick to judge
    without having all the facts.

    go post a rant (or write an informed paper, along with 4-5 other highly
    esteemed members of our community) about everything you see wrong with
    BSD, Linux, etc. be sure to clearly state everything you write is your
    opinion alone, and do it at home and on your personal time... the
    difference is, you probably won't be fired. that's because there aren't
    opensource projects paying your employer hundreds of thousands of dollars
    every year. it's really about money, and i think we know who has the

    > I prefer the Pix for firewalling due to
    > the OS being integrated into the security code.

    PIXOS has had many issues. ideally you'd pick at least one other vendor
    and make the traditional "firewall sandwich" -- diversity is always good.
    of course most of these "paranoid" approaches only hold water in a
    budgetary light if your site is high-profile enough to attract the
    infamous "determined attacker".

    > built operating system. Instead of writing a report (which I have not
    > read) criticizing Windows, would it not have been more productive to
    > write a report describing methods which can be used to properly secure
    > the OS in a language the average home computer user could understand?

    the latter's been done. (see numerous SANS checklists, as one example.)
    the prior does a bit more than "criticise windows". it's interpreted as
    such by loyal M$ fans because it's really just saying what we all know
    (don't we?) -- M$ is installed on the majority of systems out there, and
    that's a bad thing given the current state of M$' products. no more, no
    less. you can try to argue, but the bandwidth charges associated with
    backhauling Blaster, Welchia, and SOBIG.x alone will usually cause your
    arguments to fall on deaf ears (let's not even talk about CR).

    > Let's face it most of the backlash from these worms is caused by home
    > users who are not the technology zealots that frequent lists such as
    > this. A Security Guide for Dummies would make more sense than senseless
    > criticality and outright slander. Isn't it ironic that so many Open
    > Source proponents are so close minded? I actually use a combination of
    > Open Source and commercial software every day.

    precisely. home users... which brings up an excellent point. even on
    the desktop, viable (non-M$) options are coming to light. (more every
    day.) the point is, even the home users could be using something better.
    realizing that everyone, desktop and server users alike, should have
    better options... well, if that's really "close minded" -- i'm proud to
    be just that.

    the truth is, any software has problems. it's made by people, and people
    have problems. the sooner we realize that, the better. paying homage to
    M$ who seems to miss glaring RPC holes just after much touted security
    audits is not "realizing that". it's sticking your head in the sand and
    believing they can actually make better software because their marketing
    people say so. they can't. at least on the opensource side we admit we
    have flaws -- that's why the OS is free. i have this sneaking suspicion
    that if M$ started giving their OS away, they'd get (just a little) less
    flack over future incidents. so everyone makes mistakes, but only one
    company gets rich off of doing it.


