RE: Ten least secure programs

From: Dan Bartley (bartleyd_at_corp.netcarrier.com)
Date: 07/04/03

    Date: Thu, 3 Jul 2003 21:25:38 -0400
    To: <security-basics@securityfocus.com>
    
    

    Your comments appeared to have a clear slant to them. They also were
    contrary to the statistics.

    Before you can fix something, do you not need to know what the problem
    is first? I hope you are not claiming that you have identified and
    corrected virtually all current and yet to be discovered security issues
    with Linux. If that is your claim, why have you not released your
    perfected OS to the masses?

    Any OS requires proper configuration and management when used. Whether
    it is recompiling a kernel to include the latest fixes or a service pack
    to do the same thing. Whether it is disabling unneeded services or
    creating accounts and user schema with strong security models or
    properly monitoring the installed platforms. If an available system (or
    OS) makes it complicated and time consuming to perform these common
    sense steps, then it seems to lose its efficiency and can lead to missed
    issues. While it might be an interesting study, it is not really of any
    value in a fast paced and under resourced production environment. I
    would assume this is why, and indeed that has been the observation of
    statistics gatherers, that Linux was number one on the list for
    compromises and security flaws.

    On the third point, you are certainly free to think whatever you like.
    However, the statistics are contrary to your statement. It is vitally
    important in order for the security community to move forward, that
    everyone learn to deal with just the facts and leave personal OS bias or
    preferences out of the discussion. This is not a Windows vs. Linux
    thing. Indeed IBM, HP, BSD and Mac (minus OS X) came out as the best in
    the past year.

    With that, I have no intention of engaging in a continuing back and
    forth on it.

    My suggestion to the original poster still stands. Identify what tools
    are really needed and can be properly managed with available resources,
    implement IDS and anti-virus, and ban everything else. If an employee
    insists they need something not on the list, examine if their job
    function is being limited by not having it, learn it, manage it and then
    implement it or suggest an alternative.

    As far as a sign on the IT door, simply stating, "Only IT authorized and
    approved software may be used on company computers", seems more than
    enough. If there is a legitimate reason to deny something, take the time
    to briefly explain. It makes the IT professional's job a lot easier when
    employees are an ally to the policy as opposed to someone always trying
    to subvert the policy. Remember IT does not really stand for
    Insufferable Tyrant. The employees are the customers of the IT people.
    Provide them with solutions and answers to perform their jobs, not just
    roadblocks. That's what I do, makes life nice.

    Best Regards,

    Dan Bartley

    -----Original Message-----
    From: Tim Greer [mailto:chatmaster@charter.net]
    Sent: Thursday, July 03, 2003 20:25
    To: Dan Bartley; security-basics@securityfocus.com
    Subject: Re: Ten least secure programs

    ----- Original Message -----
    From: "Dan Bartley" <bartleyd@corp.netcarrier.com>
    To: <security-basics@securityfocus.com>
    Sent: Thursday, July 03, 2003 12:39 PM
    Subject: RE: Ten least secure programs

    > You might want to study the statistics for the past year before making
    > "my favorite OS" statements.

    When exactly did I claim Linux was my favorite (kernel)? I was making
    one example, comparing the ability to have control with Linux vs.
    Windows. That is all.

    > Linux actually came out on top of the pile for number of security
    > holes, number left unfixed, number of actual compromises and slowness
    > in dissemination of information and fixes.

    And what is to stop you from fixing things if the vendor or community is
    slow to?

    > FreeBSD came out among the best, or near, I believe. Windows was in
    > the middle.

    I really do not think so, Windows has never compared as being more
    secure, unless you are comparing unskilled system admins that go with
    the default installs. Then, yes, Windows would likely be more secure.
    You don't let a 3 year old drive a BMW on a racing source either, just
    to say that a Yugo is a better car for racing.

    --
    Regards,
    Tim Greer  chatmaster@charter.net
    Server administration, security, programming, consulting.