On 05 Jul 2001 08:37:55 -0500, Dustin Puryear wrote:
> John Hebert wrote:
>
> >>I have to wonder if the scale isn't tipped in large
> >>part because of
> >>where the hacking community's attention is currently
> >>focused?
>
> >
>
> > The scale is tipped because the hackers are attacking
> > easy targets. Open source gets patched too quickly for
> > script kiddies to gain interest.
>
>
> No. Open source software that has active, qualified developers gets
> patched quickly. That is not the same as "Open source gets patched
> quickly." Of course, I happily concede that in most situations it is
> easier to fix problems in open source code than closed source code.
>
>
> >>Actually, it is pretty darn simple to secure an NT
> >>box. In fact, it
> >>works just like it does under UNIX: turn off
> >>unnecessary services, apply
> >>patches, fix file permissions. As far as Windows 9x
> >>users, assuming they
> >>don't run a trojan they are pretty safe out of the
> >>box. The problem here
> >>is that, damnit, they keep running trojans.
> >>
> >
> > You might as well say that the most secure box is one
> > that doesn't get used.
>
>
> Ok, now we are moving to another issue entirely. The original topic was
> shipping secure products and being able to maintain those systems in a
> secure state.
>
>
> > I disagree that they are safe by default, for the
> > reasons John B. and others have pointed out. Win9x
> > users are root by default, and they do stupid stuff
> > (like click the box that says to share files with
> > others on a broadband connection). I posit it was
> > easier for M$ to design a more secure OS than to teach
> > users not to do stupid stuff. Hence, NT, then 2000,
> > then XP.
>
>
> I think this has occurred in large part because users are becoming more
> sophisticated. In other words, there is a market need for a product that
> is both secure locally and over the network. We need to keep in mind
> that Windows 95 and 98 are consumer products first and foremost. Yes, we
> are now seeing that even consumers need better host security, but again,
> why aren't we arguing about Apple OS? It is just as vulnerable as
> Windows 95 and 98 to these problems.

Apple and MS products are in the same boat, it's just that Apple is a lot
quieter topic.

>
>
> >>So you are agreeing that it is the vendor's
> >>responsibility to ship a
> >>reasonably secure product to the user and not the
> >>end-users'
> >>responsibility to ensure the vendor did their job?
> >>
> >
> > Of course I do, but the difference here is that a M$
> > user can only go so far to ensure the vendor did their
> > job, whereas free software users (RH) can get right
> > down anal retentive about it.
>
>
> Some free software users. Most end-users could care less--they just want
> to get their jobs done.

In this day and age, it's not safe to assume the vendor did anything to
protect the consumer. That's why we have sysadmins and other support
staff. Maybe in the future everyone will get it right, but as of now, MS
is more interested in adding features than making a product safe. 

>
>
> >>But the original argument was
> >>that out-of-the-box
> >>Windows is no more a target than UNIX and Linux
> >>systems.
> >>
> >
> > Wrong. Closed source is less secure than open. M$
> > Windows and closed source UNIX OSs are a bigger target
> > than free software.
>
>
> I agree that closed source software is potentially less secure than open
> source software. However, just being open source does not a secure
> product make. Peer review is important, but I would bet that the vast
> majority of open source software is not peer reviewed. This means those
> products have the potential to be more secure, but they do not ever
> actually realize that benefit of being open source.

The stuff that's included in a distribution like RedHat has been
reasonably well combed-through. I mean, just look at all the packages
that they patch on their own for some reason. Now, if you just go pull
something off of sourceforge, that's different. But if you had a count
of eyes who have looked at, say, the ftp server in IIS versus the one
packaged with debian or RH, I'd bet money that the open source one has a
higher number.

>
> >>The difference
> >>here is that there are a lot of Windows boxes out
> >>there, but does that
> >>make Microsoft any more culpable for these attacks
> >>that Red Hat or Caldera?
> >
> > It does if there is no peer review of source code.
>
>
> I disagree. A vendor is only liable if they ship an insecure product.
> This makes all parties equally responsible.
>

Under current EULA laws, the vendor isn't liable for anything. At least
the smaller companies have growing reputations to maintain. Microsoft as
a company can survive any amount of backlash to insecure products. MS
has willingly sacrificed security for usability and market control in
their products, and will continue to do so.

>
> >>Does the number of boxes sold make you more
> >>responsible than
> >>vendors who ship equally insecure systems but have
> >>less sales?
> >
> > Yep. When it's closed source vs open.
>
>
> So as long as I ship an open source product I can make it as insecure as
> I want? I have no liability, or at least not as much as a closed source
> shop?

You have a reputation. You have YOUR name and integrity on the code. You
may not care, and ship trash anyway, but that will be noted and
remembered in the community. Closed-source shops don't have that kind of
mentality. Your name might get listed in an easter egg or something, but
no one will know what you wrote. When a big closed-source shop writes
bad code, there's nobody to blame it on. Heck, they blame it on poor
integration between the programmers, or some other external factor.
Nobody else can see it anyway, so what do they care? 
>

Tim Fournet
Systems Administrator
Artisan Network, Inc.
[EMAIL PROTECTED]
================================================
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
Send email to [EMAIL PROTECTED] to change
your subscription information.
================================================
In reply to: Dustin Puryear: "Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ..."

This archive was generated by hypermail 2.1.2 : Thu Sep 06 2001 - 11:10:54 CDT
</body>
</html>
