[Full-Disclosure] Counseling not to use Windows (was Re: Anonymous surfing my ass\!)

From: David F. Skoll (full-disclosure@lists.netsys.com)
Date: 07/15/02


From: full-disclosure@lists.netsys.com (David F. Skoll)
Date: Mon, 15 Jul 2002 07:38:30 -0400 (EDT)

On Mon, 15 Jul 2002, hellNbak wrote:

> So many of my clients would fire you on the spot for reccomending that
> they just stop running MS products.

Fine; that's their choice.

> If you truly are a security
> professional -- you would know better.

I think this is a very bad attitude. Trying to secure Windows on the
desktop is fundamentally impossible because of design flaws.

Sure, UNIX boxes can be owned, no question about it. They can be
owned because of bugs such as buffer overflows, tempfile races, etc.
which are implementation problems.

Windows boxes are fundamentally insecure because of bad design, not only
because of programming errors. Encoding metadata such as "executableness"
in a filename, for example, is a fundamental design flaw, and one that's
impossible to correct without changing Windows' design.

So no, I don't refuse to deal with clients who use Outlook. But yes,
I recommend they switch anyway, because to do less is an abdication
of my responsibility.

--
David.