RE: Religion... was RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

From: David F. Skoll (dfs_at_roaringpenguin.com)
Date: 01/19/04

    To: Wes Noonan <mailinglists@wjnconsulting.com>
    Date: Sun, 18 Jan 2004 19:12:03 -0500 (EST)
    
    

    On Sun, 18 Jan 2004, Wes Noonan wrote:

    > > On Sun, 18 Jan 2004, Wes Noonan wrote:
    > > Why? Name one virus for Linux that AV software would have protected
    > > against, that a noexec /tmp wouldn't have.

    > Security isn't about protecting against old threats; it's about protecting
    > against new threats.

    Exactly. A/V software can only protect against *old* threats, because a
    virus has to be in the signature database. Mounting /tmp noexec can
    protect against a wide class of threats (those threats that rely on writing
    a file to the file system and then executing it.)

    > If running virus protection has the potential to
    > protect against new threats,

    But it doesn't.

    > then it is worth running.

    Therefore it isn't.

    > If an IDS/IPS has the
    > potential to protect against new threats, then it is worth running.

    IDS itself cannot protect against anything; it can only detect unusual
    activity. (That doesn't make it worthless, of course.) IPS systems
    may be worthwhile depending on how many false-positives they issue.

    > Security is about a total process, not a specific product
    > or application.

    I agree. But a particular product or application *can* lead to insecurity.

    > > We're a 7-person shop with a budget of $0 for software. I'd love to
    > > see a Microsoft shop with a similar software budget.

    > I'd love you to show me a 700, 7000 or 70000 person shop that can say that.

    Wait a few years and get back to Roaring Penguin. :-)

    Obviously, right now, I can't. But there are plenty of large organizations
    using free software; HP claims to have made $2.5 billion in Linux-related
    sales.

    It will happen. The economics dictate it. Companies that save money
    because of lower licensing costs, lower license enforcement costs,
    and (especially) lower costs to maintain secure networks, will succeed
    where companies that have higher costs fail.

    > You have to think about things like "what if David, who is the
    > only person who really knows our systems, leaves. Where does that leave us"?

    That might have been true a couple of years ago, but there are plenty of
    Linux experts now, as you noted.

    > Microsoft is only un-securable for those who don't know how to secure it

    No. The fundamental problem with Windows is the problem that led to
    the creation of the anti-virus industry: Encoding of metadata in filenames.
    The fact that ".exe" on Windows means the same thing as turning on the
    execute bit in UNIX has cost the world economy billions. And it's impossible
    to change this without fundamentally changing Windows. (Even this flaw
    isn't a Microsoft innovation; it was first revealed in 1987 in the infamous
    CHRISTMA EXEC worm at IBM on the VM/370 system.)

    This flaw, the readiness of a Windows system to enable execute permission
    depending on the filename, makes every single Windows box a ticking
    time bomb. Someone just has to be clever enough to deposit an .exe on
    a system and trick someone into running it.

    The social engineering required to do the same on Linux is an insurmountable
    hurdle; not only do you have to deposit the file, but you have to convince
    someone to turn on the execute bit, which no Linux mail clients currently
    do, and which the average office worker is unlikely to even know how
    to do. (That's why I have a warm feeling when our sales people use Linux;
    they don't know enough to be dangerous. :-))

    > You claim, repeatedly, that Linux is so much easier to secure. I believe
    > that this is directly related to your level of expertise on Linux. Similarly
    > you claim, repeatedly, that Microsoft is impossible to secure. I believe,
    > similarly, that this claim is directly related to your level of expertise on
    > Microsoft.

    No; it is related to the fundamental design flaw I mentioned above.

    [...]

    > Someone else pointed out that no OS is bug free, which is a truism. The
    > ability to harden a system, if one knows what they are doing, is also a
    > truism.

    Are you claiming that all OS's have the same inherent security, and
    that all can be hardened to the same extent? If yes, then you're out
    of touch with reality. If no, then some OS's must be better than
    others, and I claim that Linux, out of the box, is more secure than
    Windows, out of the box, and furthermore, I claim that Linux is
    possible to secure to a greater extent than Windows (especially with
    the NSA work now merged into Kernel 2.6.)

    > The more and more you post, the more things like this you write, the more
    > clear it becomes that your position has little more than a religious passion
    > for Linux and a religious dislike of Microsoft backing it with little other
    > real substance.

    It's easy to glibly dismiss my argument, but you don't address the facts.
    Unless Microsoft has an economic incentive to improve security, it won't.
    And the only economic incentive it could have is the potential loss of
    market share. And that can't happen without competition. And competition,
    in the consumer OS market place, cannot happen unless people are willing
    to look at alternatives to Windows.

    > Protestants, Catholics. Muslims, Jews. Penguinistas and
    > Microsofties. It isn't about securing our computers, it's about not using
    > Microsoft. It's an old, tired, pointless argument. :shrug:

    You fail to refute it, because you cannot.

    Regards,

    David.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
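
The noexec /tmp control argued for in this message can be checked against the mount table. The script below is an added example, not part of the original post; the function name `audit_noexec` and the sample mount table are constructed for illustration. It resolves which mount actually governs each directory, since a /tmp that is not its own mount inherits the options of its parent.

```shell
#!/bin/sh
# Added example: report whether scratch directories sit on a noexec mount.
# Input uses the /proc/mounts layout: device mountpoint fstype options dump pass

# audit_noexec MOUNTS_FILE DIR...
# Prints "DIR GOVERNING_MOUNT noexec|exec" per directory.
# Returns 1 if any directory is on a mount that still allows execution.
audit_noexec() {
    mounts_file=$1
    shift
    rc=0
    for dir in "$@"; do
        line=$(awk -v d="$dir" '
            {
                mp = $2
                # A mount governs d if it is d itself, the root, or a parent of d.
                if (mp == d || mp == "/" || index(d, mp "/") == 1) {
                    # Longest mountpoint wins; on a tie the later mount wins.
                    if (length(mp) >= best_len) {
                        best_len = length(mp); best = mp; opts = $4
                    }
                }
            }
            END {
                state = "exec"
                n = split(opts, o, ",")
                for (i = 1; i <= n; i++) if (o[i] == "noexec") state = "noexec"
                print d, best, state
            }' "$mounts_file")
        echo "$line"
        case $line in *" exec") rc=1 ;; esac
    done
    return $rc
}

# Constructed sample mount table (not taken from any real host).
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF

audit_noexec "$SAMPLE_MOUNTS" /tmp /var/tmp /dev/shm \
    || echo "at least one scratch directory still permits execution"
```

On a live system, pass /proc/mounts as the first argument. noexec stops direct execution of files on that mount; a script handed to an interpreter as an argument is still read and run, so this is one layer among several.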

