RE: [fw-wiz] You'll never get fired for recommending IBM - sorry - Microsoft

Date: 12/16/03

    Date: Tue, 16 Dec 2003 10:56:12 -0500


    an unpatched MS machine with a firewall that had been purposely configured
    to open 135 for legitimate reasons would have been infected by MSblast.

    Therefore, your firewall is NOT "under the hood". Since Microsoft keeps huge
    sections of their code to themselves, no firewall or any other product is
    able to protect against all these vulnerabilities unless you shut down every
    port. Yes, such products exist that shut down all ports but you are
    effectively removing the fuel injection from the car along with the powered
    windows and the air conditioning all because you know thieves can break into
    cars when those features are in use. So, in the same way, a computer with
    all its ports shut down is a useless computer. A computer with some ports
    shut is a hobbled computer.

    If it were not for firewalls Microsoft would be out of business! (And quite
    a few others too!)

    Now, that's OK that Microsoft doesn't release their code. I have no problem
    with that. But when that fact is combined with the enormous head count of
    Microsoft OS running computers, now the concept of monoculture has some

    It really has nothing to do with Microsoft. It has more to do with the
    circumstances we now face in this particular situation.

    i) explosive high speed Internet access growth
    ii) little to no foreseeable regulation of Internet use
    iii) extraordinarily large homogeneous OS use
    iv) huge amount of unpublished code in that single OS
    v) increasingly sophisticated worm and virus authors
    vi) worm and virus authors increasingly incented by monetary rewards

    All these factors and more make OS diversification a serious consideration
    in the security stance of any organization or individual.

    Mike H

    -----Original Message-----
    From: Breno Jacinto []
    Sent: Tuesday, December 16, 2003 11:35 AM
    To: Hawkins, Michael
    Subject: Re: [fw-wiz] You'll never get fired for recommending IBM -
    sorry - Microsoft

    * MHawkins@TULLIB.COM (MHawkins@TULLIB.COM) wrote:
    > Hi Marcus,
    > Regarding monoculture, let me use a common analogy. My car is no more or
    > less secure than any other car because it's a car among several
    > manufacturers, with hundreds of car alarm manufacturers and products,
    > services. Imagine a world for car thieves where 99% of the cars are made by
    > one manufacturer and car alarm manufacturers are only allowed to stick
    > alarms in the passenger compartment. No security device is allowed under
    > the hood. There'd be more stolen cars per day than the public would be willing
    > to accept. Things would change. The monopoly would be broken up.

       I used to think like this. But notice the sentence: 'No security device
       is allowed under the hood.' If we go to computers, this is false. You can
       run the firewall of your choice, as well as AV, and implement the security
       policy you want. And that's the point where monoculture doesn't matter.

       Yes, M$ is lousy when it comes to security. They spent more money on
       cosmetics than on security. But imagine that Apple had the monopoly,
       and MacOS X was run by 99% of the world, wouldn't it be the same
       thing? If people don't care about security, ANY system will be
       insecure, even the paranoid OpenBSD.

       The point for Blaster being such a success wasn't for Windows
       Monoculture. It was because people weren't running any firewall to
       simply block 135 or worse, weren't even *AWARE* port 135 was open on
       their computer. This is what has to be changed! Security is not tied to
       a specific OS, it's tied to a decent policy and user education and
       proper use of security technologies.

    > Should we accept the same in the computer industry?
    > Can anyone think of a monopoly of a manufacturer good like Microsoft has
    > today?

      No, this is no good. But it is exaggeration to say that because of this
      the Internet is insecure. It's bad 'coz M$ manipulates people, forcing
      an endless (free software is changing it) dependency game. But this is
      too off-topic :).

    > Mike H


    // Breno Jacinto
    // Key fingerprint = A5C3 3B22 140D C973 6AC6 2D62 2318 B8FA 15F9 D3FC
    // Never be afraid to try something new. Remember, amateurs built the
    // ark; professionals built the Titanic. -- Anonymous
    firewall-wizards mailing list
