Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Counseling not to use Windows (was Re:Anonymoussurfing my ass\!)
From: full-disclosure () lists netsys com (David F. Skoll)
Date: Mon, 15 Jul 2002 18:39:27 -0400 (EDT)

On Mon, 15 Jul 2002, Schmehl, Paul L wrote:

Well, that's very good.  How about .exe?
If they're attachments, they bounce at the mail gateway.

Me, too.  But that's a band-aid fix.  Miserable design decisions on
Microsoft's part have made e-mail responsible for spreading malicious
executable content.  In 1980, e-mail was plain text and totally safe.
There is simply *no excuse* for having to scan e-mail at gateways -- it
should *never* have been a problem in the first place.

Yes, it is.  How much work is it to set all this up?
Very easy.  A few points and clicks in the admin's interface deploys the
policy to the whole domain.

OK.  Didn't know that.

[snip]
I think you're taking anecdotal evidence to condemn Windows
unnecessarily.

Please see http://www.roaringpenguin.com/graphs.php3

Cracked Windows boxes are so much of a problem that they've become
background noise on the Internet.

Just because Code Red ran around the world in short
order doesn't *necessarily* mean the OS is flawed.  It could mean the
*philosophy* is flawed or the training is flawed or the admins are
flawed.  Remember, Unix admins have 30 years of experience under their
belts telling them what is good security practice and what is not.
Windows admins have 10? Maybe?

That's not really an excuse.  UNIX was never really designed with
security in mind, and in fact until recently, UNIX boxes were
pretty insecure.  (And many commercial UNIXes still are.)

The difference is that most UNIX faults were implementation errors
which could be fixed without radically altering the OS (at least
from the user's perspective.)  Many Windows problems can't be fixed
without changing the fundamental nature of the system.

[snip]

You have to remember that, for a business to switch from MS to *nix
takes not only a huge shift in thinking on the part of management and
users but also *wholesale* changes in the IT staff.

Or wholesale retraining.  It's not easy.  That's why it's a long-term
strategic goal and not a short-term answer to security problems.

--
David.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]