RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, he lp the cause

From: Tobias Weisserth (tobias_at_weisserth.de)
Date: 01/16/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 16 Jan 2004 20:17:06 +0100
    
    

    Hi Wes,

    On Fri, 16.01.2004 at 18:32, Wes Noonan wrote:
    > Did you really just propose that a viable solution is to remove network
    > access?

    For some systems: plain and simple yes. If the supplier of a software
    fails to deliver it in a "secure by default" state and even cuts the
    supply of patches (Windows NT4/95/98) these systems should go offline
    immediately. There is no compromise.

    This "Personal Firewall Day", aimed at the end consumer, may actually
    plant the idea in people's heads that their unpatched and non-supported
    Windows 98 might be safe for the future as soon as they install a
    personal firewall. Well, this is just plain BS.

    > Basically turn off everything that allows corporate users to share
    > information and collaborate and you have security panacea. Granted, you
    > can't do a damned thing, but let's not forget that technology doesn't exist
    > to facilitate companies in making a profit and sharing of information, it
    > exists for some other geek reason.

    Security is always a trade-off. ;-)

    > This is in addition to "well, if you don't run popular software you aren't
    > as susceptible to threats".

    This is how people with exactly those "popular" systems perceive the
    message that they should switch to a more _secure_ system.

    > Yeah, back in 94 if you ran NT you weren't as
    > susceptible to all the Novell threats... then NT became the big player and
    > now you have folks saying "yeah, well run Linux and you won't be susceptible
    > to all those Windows threats".

    This is not the same. Novell has been a proprietary system and Windows NT
    has been a proprietary system. They both suffered from the closed
    development and security assessment process. This is how Linux and other
    open OS differ.

    Linux isn't safer than Windows because it is less popular. It is safer
    because it doesn't have all doors open by default and vendors can define
    the level of security they want for their distribution. Linux doesn't
    come with obvious flaws in system design. It doesn't come with an open
    RPC port and most important: There is no Linux heterogamy. There are so
    many different Linux systems, with different kernels, different
    modifications, different file locations, different file systems and so
    on that it is very hard to produce a widely usable exploit in the way
    you can do with Windows.

    Linux is far from being perfect. Being near perfect I'd raise my vote
    for OpenBSD yet something even slips past them. But MS Windows is just
    the plain opposite of OpenBSD yet Microsoft has the potential to do
    better!

    The designers of the latest worm attack waves damn well relied on the
    simple fact that almost every Windows system in the hand of home users
    had an open RPC port. How convenient, isn't it?

    The sin is that Microsoft's solution to this problem isn't closing
    unnecessary services BY DEFAULT but promoting additional third party
    software to put in between Windows and the Internet which the end user
    has to pay for, deploy and operate. This is pathetic.

    > And if Linux ever goes mainstream and if
    > Linux ever surpasses Windows in market share, then 5-10 years down the road
    > people will be saying "yeah, but if you run ziggledorf, then you won't be
    > susceptible to all those Linux threats".

    There already is a high level of Linux threats. But the efforts into
    securing Linux are much less tedious than securing a Windows machine.
    That's the difference. There are no secrets with Linux security.

    > This security through obscurity mantra is laughable.

    Changing topics... not so fast! What happened to the old one ;-)

    Linux is following (or should be) a strict open source philosophy. How
    is that to be "security by obscurity"?

    Don't you rather mean companies like Microsoft? Take the sender of this
    nice ad mail, alerting us to this "oh glorious" Personal Firewall Day.

    Thor Larholm
    Senior Security Researcher
    PivX Solutions

    That's the same guy who offered a neat list of unpatched security holes
    on his company's website. Full-Disclosure.

    What happened?

    He took the list off his site. He went into cooperation with Microsoft.
    (Is there a coincidence yet?!).

    And now he posts ad mails for companies like Zone Labs and Microsoft.
    (Now this is a coincidence!).

    Sorry, Ladies and Gentlemen. This is NOT Full-Disclosure. THIS is
    "security by obscurity". And a very bad thing to build trust upon.

    > The top dogs always get the most exploits.

    No. The most lousy systems get the most exploits. Face it.

    Take the market for webservers.

    Apache virtually owns the market with more than 60%. How come
    Microsoft IIS gets the most exploits? When I look into my Snort logs I
    don't get any Code Reds from Apache installations trying to sneak into
    my net. Funny, isn't it? Why isn't there a Code Red with the level of
    spreading for Apache as there is for IIS yet Apache is deployed on more
    than 60% of webservers?

    It's the same with water. It flows using the path with lowest
    resistance. Crackers do the same. Predators always look for the weakest
    animal in the flock.

    > Accept the reality. When everyone
    > else starts using Firebird, Thunderbird or whatever other obscure program
    > you want to mention as your own personal bestest solution, then it will get
    > hacked and exploited beyond belief. History proves this.

    In fact, "history" or better reality has proven you wrong. Or is the
    Apache case just an exception?! I don't think so. It only differs from
    the Linux-Windows comparison as Apache _already has_ an advantage in
    market share.

    > Disconnecting from the network or disabling all those services that provide
    > network access is an unrealistic expectation.

    Why is delivering a system with all doors shut an unrealistic
    expectation? Why is delivering Windows XP Home with a closed RPC port an
    unrealistic expectation?

    > Next thing you know, you will
    > be proposing only using carbon paper to share documents (though surely
    > someone on this list will then point out the inherent security flaws in what
    > to do with the used carbons).

    Did you see that Bruce Willis movie? Mercury puzzle or something like
    that...

    > And people wonder why users don't understand, but certainly fear, a good
    > chunk of computer security...

    Because they are told they have bought a secure operating system and
    some time later they are told to buy a virus scanner, a personal
    firewall, keep track of updating the OS, the virus scanner, the personal
    firewall, ...

    > Wes Noonan
    > mailinglists@wjnconsulting.com
    > http://www.wjnconsulting.com

    Now, of course this is from someone who is listing Microsoft operating systems and applications in second place for vendors...

    cheers,
    Tobias W.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
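An added example, not from the post or the list: a small audit over `netstat -an` output (constructed sample lines in Windows format, not captured from any real host) that flags the kind of network-exposed default services the post complains about, with the RPC endpoint mapper on 135 as the obvious case. The deny list and allowlist are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `netstat -an` output (Windows format); not from the post.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      192.168.1.22:51234     ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Assumed deny list: services a home system has no reason to expose to the
# network; 135 is the RPC endpoint mapper the post's worm discussion refers to.
DEFAULT_DENY = {135: "MSRPC endpoint mapper", 137: "NetBIOS name service",
                139: "NetBIOS session", 445: "SMB"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int

def parse_listeners(text):
    """Return sockets that accept unsolicited traffic (TCP LISTENING, any UDP bind)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines, anything not a socket row
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing TCP connections are not open doors
        out.append(Listener(proto, addr, int(port)))
    return out

def is_exposed(l):
    """True when bound to a non-loopback address, i.e. reachable from the network."""
    return not (l.addr.startswith("127.") or l.addr in ("::1", "[::1]"))

def audit(text, allowlist=frozenset()):
    """Flag exposed listeners on deny-listed ports that were not explicitly allowed."""
    findings = []
    for l in parse_listeners(text):
        if is_exposed(l) and l.port in DEFAULT_DENY and l.port not in allowlist:
            findings.append((l.proto, l.port, DEFAULT_DENY[l.port], l.addr))
    return sorted(findings)

if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print("EXPOSED %s/%d (%s) bound to %s" % f)
```

Feeding it real output (`netstat -an` on Windows, or the equivalent on any other OS that prints the same columns) turns the post's "all doors shut" argument into a check a user can actually run before trusting a personal firewall to paper over open services.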

