Re: controversial paper

From: kurt wismer (kurtw_at_sympatico.ca)
Date: 09/27/03


Date: Sat, 27 Sep 2003 10:56:17 -0400

Tom St Denis wrote:

> "kurt wismer" <kurtw@sympatico.ca> wrote in message
[snip]
>>the big issue seemed to be the "monoculture", where everyone has
>>exactly the same set of vulnerabilities installed as everyone else,
>>thereby making the potential collapse of our technological
>>infrastructure much more feasible...
>
>
> Perhaps. I stopped reading it a few pages in because of how ludicrous it
> is. Essentially smells of /.

so does this thread...

[snip]
>>i think you're missing the larger picture - vulnerabilities will always
>>be with us, individual platforms will always face these problems and
>>the people who use those platforms will always make mistakes... it's
>>far better, however, if the infrastructure as a whole has redundancies
>>that are diverse in their technological nature so that a single
>>vulnerability can't bring down everything...
>
>
> At what cost though? I mean by this logic an office of immigration workers
> should have to deal with what, 8 different OSes on 16 different types of
> computers just in case one gets a virus?

?? one office does not an infrastructure make... i'm talking about
infrastructure of the class that society at large would be concerned
with...

> Also if the paper was just about
> the deployment of Windows and not its quality why would the dude have been
> fired?

did you see how many references it had to microsoft's "near monopoly"?
@stake has a business relationship to maintain with microsoft - that's
not easy to do when their CTO is so obviously in opposition to
microsoft's business goals...

> The thing is [what the paper misses] is not all windows installations are the
> same.

and? they may not all be the same but they are all derived from
essentially the same codebase... microsoft, quite correctly from a
software development point of view, re-uses code... thus even though
the different flavours of windows are different, many of them share a
common pool of vulnerabilities...

the thing is (what you missed) is that the issue of security has *many*
facets and the paper only dealt with a handful... if they tried to deal
with all of them it would have been a book instead (and would have been
read by far fewer people in the process)...

> I installed my windows behind a firewall and did all of the updates
> before installing anything else. Many others I know don't even get as far
> as SP1 before browsing the web...So just because some poorly set up
> government shop gets rooted doesn't mean that's windows vast deployments
> fault.

that some particular office falls prey to a vulnerability from time to
time is probably unavoidable (minimizable, mind you, but not to a
probability of 0)... that particular shops have problems is still not
the big picture, though... it's the possibility of all (or most) having
problems at essentially the same time that's the worry...

> Though I agree that diversity is good I don't think the solution is jumping
> on windows. Quite a few problems can be fixed just by properly setting up
> computers before deploying them.

the *solution* depends entirely on the problem statement, security is a
multi-faceted problem... i think you've made it quite clear that you
didn't read the paper very carefully or take it very seriously
(personal bias?) so consider the possibility you didn't 'get' the
problem that the paper was addressing...

you seem to have your own ideas about what the problem is but i think
the reality is there is no such thing as *the* problem, rather there
are many interconnected ones and other people aren't always going to be
talking about the ones that you want to talk about or think are
important...

regardless of that, you don't seem to take the issues raised in the
paper very seriously - so be it... i don't imagine it's all that
important that *everybody* takes it seriously, as long as enough people
do it will have its intended effect...

--
"hungry people don't stay hungry for long
  they get hope from fire and smoke as the weak grow strong
  hungry people don't stay hungry for long
  they get hope from fire and smoke as they reach for the dawn"

