Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Microsoft Security, baby steps ?
From: Ron DuFresne <dufresne () winternet com>
Date: Wed, 17 Mar 2004 09:43:43 -0600 (CST)


This is not meant as an attempt to diminish BSD strenght.
I also have an OpenBSD box on the internet, and it is awesome.
The choice of shipping LESS software by default is a very wise one (and
many linux distros in this regard are copying windows too much, enabling
everything by default to facilitate the user - and the cracker).
With 'smaller market penetration' I don't want to say that that code is
less  looked at (most likely it is indeed better code), but mainly that
the crackers go usually after QUANTITY: they search to compromise AS MANY
boxes as possible.... so they go after the most used OSes. IMHO, of
course.This has been shown in the increase of linux compromises, anyway....
Why should they bother having a hard time trying to compromise a
super-hardened BSD box which belongs to a savvy admin (who's most likely
going to spot them soon if they succeed), rather then just trying to shoot
their exploits against everything, and hope to get as many as possible ?

That's an admin/installer issue, tooo many folks on too many OS'es tend to
install the kitchen sink on systems that don't need all the toys trinkets
and tools that a desktop developer might need in specific circumstances.

While redhat has become the linux version of M$ in all the neato desktop
trinkets it has available, the admin doing the install needs to have
enough whits about them to know how to trim the fat and lock the box for
the purpose it is being  comisioned for.  Too many web servers exposed to
the public have too many desktop trinkets and X window managers that are
not required for the purpose at hand.


Ron DuFresne
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]