[brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ...
Dustin Puryear
dpuryear at usa.net
Tue Jul 3 16:17:24 CDT 2001
John Hebert wrote:
> Just because you don't see it as a Microsoft thing
> doesn't mean that it isn't.

What? Are you implying that I could be wrong? Never! ;-)

> It is a M$ thing because M$ is not as proactively
> secure as the Linux community of developers and users.

I thought we were talking about vendors and not the community at large.
I think Linux vendors, taken as a whole, have done a poor job in this
regard. Not that Microsoft has done better of course.

> Shall we start comparing the records of Linux vs M$
> security patches and time taken to announce them?

I have to wonder if the scale isn't tipped in large part because of
where the hacking community's attention is currently focused?

> Should we even consider the large disparity of the
> number of viruses created for each OS? And then let's

No argument here.

> compare how easy/difficult it would be for an average
> user to secure a RH box vs a M$ box. Anybody can make
> a tool that turns off services and closes ports on a
> Linux box due to its open nature. The same ain't as
> easy for a M$ box.

Actually, it is pretty darn simple to secure an NT box. In fact, it
works just like it does under UNIX: turn off unnecessary services, apply
patches, fix file permissions. As far as Windows 9x users, assuming they
don't run a trojan they are pretty safe out of the box. The problem here
is that, damnit, they keep running trojans.

> And RH ain't Linux. Sure, RH should be held
> responsible for stupid default configs by Gibson, but
> not all Linux or Unix vendors.

I didn't say they were. I was merely giving examples.

> The reason I'm taking Gibson's side (partially) is
> that M$ has a larger responsibility for the network
> security of its users since it has the majority of
> unknowledgeable home users. IMHO, M$ could be doing a

So you are agreeing that it is the vendor's responsibility to ship a
reasonably secure product to the user and not the end user's
responsibility to ensure the vendor did their job? Jerald?

> lot more to make its OSs secure, but it chooses not to
> do so in order to keep market share (ex: .vbs in
> Outlook). This is irresponsible, and this kind of
> thinking led to a temporary spate of DDOS attacks.

You are right--it is irresponsible. Microsoft software has huge
problems. No argument. But the original argument was that out-of-the-box
Windows is no more a target than UNIX and Linux systems. The difference
here is that there are a lot of Windows boxes out there, but does that
make Microsoft any more culpable for these attacks than Red Hat or
Caldera? Does the number of boxes sold make you more responsible than
vendors who ship equally insecure systems but have fewer sales?

Regards, Dustin

> But again, I say let M$ do as it pleases. I see it
> digging its own grave.
>
> John
>
> --- Dustin Puryear <dpuryear at usa.net> wrote:
>
>>> Well, I don't see this as a Microsoft-thing. Like I said earlier, raw
>>> sockets have been available for a long time just about everywhere. And
>>> there is little doubt that, ignoring trojans, a base RH 6.2 or even RH 7
>>> install is much more hackable than a base Windows NT or definitely a
>>> Windows 9x box. So can't it be said that UNIX and Linux vendors should
>>> be held just as responsible?
>>>
>>> Regards, Dustin
>>>
>>> John Hebert wrote:
>>>
>>>> Dustin,
>>>>
>>>> IMHO, this is exactly why Steve Gibson is in a huff.
>>>> He's basically saying that M$ irresponsibility
>>>> concerning security in XP is going to cause a huge
>>>> increase in DDOS attacks.
>>>>
>>>> This is going to be seen as another point of
>>>> competition between OSs, because your typical home
>>>> user will be pretty upset when they find out their
>>>> machine has been hacked. This is not an apocalyptic
>>>> scenario, it will instead cause some good changes, in
>>>> that lots of people will start to learn about security
>>>> for the first time. I'm looking forward to seeing the
>>>> M$ propaganda campaign to convince the user it is his
>>>> fault.
>>>>
>>>> I say let M$ innovate. When the Internet starts to
>>>> come to a crawl, we will either make hackers into
>>>> terrorists or blame Microsoft. Either one is
>>>> interesting with far reaching implications.
>>>>
>>>> John
>>>>
>>>> --- Dustin Puryear <dpuryear at usa.net> wrote:
>>>>
>>>>> john beamon wrote:
>>>>>
>>>>>> I don't look to make Linux any "easier" for new users. I look for new
>>>>>> users who will at least recognize problems and devote a few minutes a
>>>>>> week to staying on top of their updates.
>>>>>
>>>>> Well, here is a fundamental difference in opinion on what users should
>>>>> and should not need to do. I don't feel a computer should be like a car
>>>>> where users need extensive training to use them. Rather, a computer
>>>>> should be like a TV where it can be turned on and just work.
>>>>>
>>>>> Users will not "devote a few minutes a week" to installing updates.
>>>>> Hell, who has the time? Users should just do their jobs and use
>>>>> computers like they use any other work-related tool. Vendors and
>>>>> administrators have the responsibility of properly configuring and
>>>>> maintaining systems.
>>>>>
>>>>> As far as home users, vendors should properly configure their products
>>>>> with reasonable security. Home users may be required to do more
>>>>> maintenance work than a business user, but only a little more. It should
>>>>> not be a daily or weekly task to check a vendor's website, download
>>>>> patches, backup system, install patches, check patches, ad nauseam.
>>>>>
>>>>> Regards, Dustin
>>>>>
>>>>>> -j
>>>>>>
>>>>>> On Tue, 3 Jul 2001, Ricky Salmon wrote:
>>>>>>
>>>>>>> Date: Tue, 3 Jul 2001 09:31:33 -0500
>>>>>>> From: Ricky Salmon <ricky at delriotech.com>
>>>>>>> Reply-To: brluglist at brlug.net
>>>>>>> To: brluglist at brlug.net
>>>>>>> Subject: RE: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ...
>>>>>>>
>>>>>>> Well, to give M$ a little credit (duck), XP is supposed to have a fair
>>>>>>> amount of security by default.
>>>>>>>
>>>>>>> But, there's always that relationship between Security and Usability (is
>>>>>>> that a word?). I'm sure some developers/admins will love the fact that
>>>>>>> they finally get to use Raw Sockets, but that in turn decreases
>>>>>>> some amount of security. As people continue to add these new features, you
>>>>>>> can't always an "Idiot Proofing" mechanism that works well... It's a nice
>>>>>>> double edged sword...
>>>>>>>
>>>>>>> As for current windows machines, a million and one trojans already exist.
>>>>>>>
>>>>>>> So my question is, is it the responsibility of the Vendor to make sure the
>>>>>>> users know how to use a computer, or is it the responsibility of the user to
>>>>>>> know how to use a computer?
>>>>>>>
>>>>>>> As much as I love that certain vendor (sarcasm), their main focus is to put
>>>>>>> out more productive products with a fair amount of security. There aren't
>>>>>>> enough resources in the world to make sure that every Joe Blow isn't leaving
>>>>>>> themselves open...
>>>>>>>
>>>>>>> My 2 cents...
>>>>>>>
>>>>>>> Ricky
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: owner-brluglist at brlug.net [mailto:owner-brluglist at brlug.net]On
>>>>>>> Behalf Of John Hebert
>>>>>>> Sent: Tuesday, July 03, 2001 9:02 AM
>>>>>>> To: brluglist at brlug.net
>>>>>>> Subject: Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ...
>>>>>>>
>>>>>>> --- Dustin Puryear <dpuryear at usa.net> wrote:
>>>>>>>
>>>>>>>> Hmm. Is this about the raw socket deal with Windows
>
> === message truncated ===
--
Dustin Puryear <dpuryear at usa.net>
http://members.telocity.com/~dpuryear
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams
================================================
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
Send email to majordomo at brlug.net to change
your subscription information.
================================================
This archive was generated by hypermail 2.1.2: Thu Sep 06 2001 - 11:10:54 CDT