Re: Viva le Same! Linux

Subject: Re: Viva le Same! Linux
From: Andrew Plato <gilliankitty -at- yahoo -dot- com>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Tue, 1 Oct 2002 17:11:41 -0700 (PDT)


--- David Neeley <dbneeley -at- yahoo -dot- com> wrote:

> There are *many* examples of Microsoft's present
> quandary--how to build a secure system when your
> architecture is so complex that many changes create
> unfortunate interactions with other parts of the
> system.

That is axiomatically accurate.

> Furthermore, their record of fixing security problems
> is execrable. For example, in the SSL vulnerability
> discovered several months ago, it was found that
> Apache and Windows both had the vulnerability. The
> Apache Foundation issued a bug fix in 24
> hours--typical of most open source bug fixes--while
> the *first* Windows patch took about five weeks, and
> patches for several still-supported versions of
> Windows were still not completed as of last
> week...nearly two months so far.

Apache has ONE product to deal with and it can leave compilation to end users. MS
has to deal with thousands of products and millions of platforms.

Hence your expectations that MS respond the same as a group that monitors a
SINGLE product is ludicrous.

> I am quite familiar with your Microsoft-centric view
> of the world, but it *would* help if you got your
> "facts" from somewhere other than Microsoft's PR
> program.

I am not "Microsoft-centric"; I am just not subject to the holy war mentality of
many open-source folks. I don't care about the OS, I just want it to work. And
this attitude is shared by many business people. They aren't interested in
emotional attachments to computers.

> It is *not* true that Windows boxes can be "easily"
> secured. For example, anyone who wants to see an
> architecturally-based vulnerability can simply go to
> Google and follow the links under the search terms
> "shatter attack Windows".

Here is my beef with this statement. NONE of the people here have actually had
the job of actually securing systems. Well, that IS my job. I get paid to secure
systems. UNIX, Mac, Windows, Linux, etc.

Most of the people who write articles that say "Windows can't be secured" have
also never actually sat down with a Windows box, read the relevant data, and done
the work.

So, to be perfectly honest, I am not very interested in speculative propaganda
about operating systems. And the truth is, a lot of business folks - people with
money who make decisions that affect companies - share my sentiment. They could
care less about speculation. They want fact. And the fact is, Windows systems can
be secured. They can be used in a secure manner. And they can provide a high
degree of protection. But they have to be implemented, installed, managed, and
used in a secure manner.

The example I like to give is that of a car. A car is a very useful tool. And it
can provide exceptional capability when used in a secure manner. But if you get
drunk and drive like a maniac - guess what - you will crash and burn. Computers
are the same. If you pop them out of the box and do nothing to secure them, they
will be subject to numerous attacks. And that is true of ALL operating systems.


> A primary reason that UNIX and Linux systems can be
> secured with a higher level of confidence than Windows
> systems is that they were designed from the ground up
> as multi-user and multi-tasking systems.

So is the Windows NT kernel. Next issue.

> Generally,
> these systems consist of many small pieces designed to
> do one thing very well. Thus, this modular approach
> allows much easier understanding of everything that
> interacts with each piece. When something is found to
> be insecure, a fix that does not compromise other
> parts of the system is much easier to develop and
> distribute.

Exactly like the Windows NT/2000/XP platform. Next issue.

> I have rarely seen Microsoft "service packs" issued
> that did not break new sections of code while
> attempting to address others.

Exactly like numerous code releases from a wide array of open-source providers
who failed to test the code adequately.

> There are also security holes in Windows by design.
> For example, the Windows 2000 Service Pack 3 is only
> accessible if a user agrees to a unilateral
> modification of his original license agreement,
> allowing Microsoft to enter the system without further
> notice to the user, ostensibly to check for unlicensed
> software. That they can do this implies strongly that
> Microsoft has a "back door" to the system--and *that*
> is a gaping security hole!

Whooooooooooooooooooooooooooooa there bud, you're going into a new area there.
Now you are addressing licensing issues. A license is NOT a technical security
hole. And moreover there is NOTHING in the MS license that says they can reach
down into your PC and report illegal software. Presumably if you install their
new automated patching system, it will contact MS and download the newest
patches. But sorry, dude, they cannot reach into your machine and look at
anything.

Moreover, I challenge you to point me to the EXACT wording that would prove your
point.

> I will leave to your fertile imagination the ethical
> implications of forcing a license change upon users if
> they wish to apply patches for original software bugs!

If you don't like the license, don't buy the product. Go download Linux and be
happy. Nobody is putting a gun to your head and saying "DOWNLOAD THIS DAMN
SERVICE PACK NOW OR I'LL BLOW YOUR HEAD OFF!"

> Andrew, I am glad you and thousands of others are able
> to stay profitably busy securing Windows systems.
> After all, it is their architecture that creates many
> of these opportunities. I am sorry, though, that you
> continue to apply specious logic to your comparisons
> of Windows to other systems.

I regret that people have become saturated with the paranoia and misinformation
of the open-source community. It's sad because many open-source products are very
good. But like a religious cult that makes great honey, you have to listen to the
incessant preaching of the supporters to get the damn honey.

The fact is, MS is big and we as a culture like to pick on big things. When IBM
was big, they were evil. When AOL got big, they were evil. Heck, there is even an
anti-RedHat community among open-source folks. Why - RedHat is too big. The
SE-Linux community got their asses kicked recently when the US government said
no-way to open-source:
http://www.worldtechtribune.com/worldtechtribune/asparticles/buzz/bza08162002.asp

Salient line:

"Now, only a year after the release of SE Linux, the NSA has dropped its support
for any future cyber security products based on the open source method. NSA
officials say their cyber security enhancements made for SE Linux have not only
benefited the NSA, but because of the terms of the GPL have also strengthened the
security architecture of computers used by malicious cyber terrorists around the
world.

"We didn't fully understand the consequences of releasing software under the
GPL," said Dick Schafer, deputy director of the NSA. "We received a lot of loud
complaints regarding our efforts with SE Linux." "

The feds realized that if the source code to their systems was freely available
on the Internet, it is freely available to Osama Bin Laden and the ilk. That
means the people they want to keep out have "the keys to the kingdom" so to
speak. That's dangerous.

Maybe to Joe Average who wants to answer email and play Quake - Linux is Kewl.
But when the big shit is online - you don't give away the keys. You hold it real
close to your chest.

Again, I think you want to cast me as the "anti-open source" guy. I am not at all
AGAINST open source. I just don't fall for anti-Microsoft rhetoric. I am not
going to just nod my head and say "yeah, openness is cool man." It isn't! It's a
frickin' nightmare sometimes. User communities are rife with the same
self-preservation dogma as any large company. And therefore they lash out with
equal ick and fervor when they feel cornered.

Honestly - most open source nuts are a lot like Bill Gates - obsessed.

Incidentally, I ran into Gates today. I was in downtown Bellevue, WA and he
pulled up next to me in a Porsche. Cooooool.

Andrew Plato
