RE: Religion... was RE: Re: January 15 is Personal Firewall Day, help the cause

["Wes Noonan" <mailinglists () wjnconsulting com>]

> > Security isn't about protecting against old threats; it's about
> protecting
> > against new threats.
>
> Exactly.  A/V software can only protect against *old* threats, because a
> virus has to be in the signature database.  Mounting /tmp noexec can
> protect against a wide class of threats (those threats that rely on
> writing
> a file to the file system and then executing it.)

Actually, A/V software protects against both. The most obvious example is
heuristics. Another example is through the extensibility of the virus
signatures. While mounting /tmp noexec may protect against a wide class of
threats, if a new threat comes out that it doesn't address, but that A/V
software does, you are effectively screwed. Personally, I wouldn't bet my
enterprise on that. Personally, I would do both.
 
> > If running virus protection has the potential to
> > protect against new threats,
>
> But it doesn't.

Actually, it does. New threats come out, new signatures come out. Now if you
want to take the position of "yeah, but at that point they are old" fine,
I'll give you that. I've addressed it in more detail above however.
 
> > than it is worth running.
>
> Therefore it isn't.

Again, I disagree. Especially on Windows systems. 
 
> > If an IDS/IPS has the
> > potential to protect against new threats, than it is worth running.
>
> IDS itself cannot protect against anything; it can only detect unusual
> activity.  (That doesn't make it worthless, of course.)  IPS systems
> may be worthwhile depending on how many false-positives they issue.

Anything that tells me what is going on with my network is protecting
against things, even if it is simply notifying me so that I can take action.
 
> I agree.  But a particular product or application *can* lead to
> insecurity.

Sure, but I think that your apparent belief that running A/V software leads
to insecurity is false.

> Obviously, right now, I can't.  But there are plenty of large
> organizations
> using free software; HP claims to have made $2.5 billion in Linux-related
> sales.

Well then, it sounds like Linux isn't free anymore doesn't it?
 
> It will happen.  The economics dictate it.  Companies that save money
> because of lower licensing costs, lower license enforcement costs,
> and (especially) lower costs to maintain secure networks, will succeed
> where companies that have higher costs fail.

No it won't, not necessarily at least. Not trying to get personal here, but
let's look at your company and some of its products. You release them free
with no support what so ever. So does that mean that a company saves money
by using them? Not necessarily. That lack of support means that the company
must be able to support the software themselves. This is generally going to
result in a cost in manpower and/or expertise to support the product. This
could also result in downtime costs while the "experts" try to figure out
what is going on while they attempt to check various open source communities
hoping to find relevant information. An alternative of course is to go to
your company and pay for support, something that many open source models use
as a revenue model.

Simply put, open source is not a simple lower cost solution. There are more
factors than just the price on the shrinkwrap.
 
> > You have to think about things like "what if David, who is the
> > only person who really knows our systems, leaves. Where does that leave
> us"?
>
> That might have been true a couple of years ago, but there are plenty of
> Linux experts now, as you noted.

Ah, but it is more than just being a Linux expert. It is being an expert in
what this company is doing with Linux. Someone can know Linux quite well,
but if they don't know how David modified it, what he did with it, what he
didn't do with it - to the code level in many cases, then they are SOL. 
 
> > Microsoft is only un-securable for those who don't know how to secure it
>
> No.  The fundamental problem with Windows is the problem that lead to
> the creation of the anti-virus industry: Encoding of metadata in
> filenames.
> The fact that ".exe" on Windows means the same thing as turning on the
> execute bit in UNIX has cost the world economy billions.  And it's
> impossible
> to change this without fundamentally changing Windows.  (Even this flaw
> isn't a Microsoft innovation; it was first revealed in 1987 in the
> infamous
> CHRISTMA EXEC worm at IBM on the VM/370 system.)

Well, I'm no developer so frankly I will leave this particular discussion to
others. I do know that Microsoft products can be easily and effectively
secured (easily IMO of course), even with this "design flaw".
 
> This flaw, the readiness of a Windows system to enable execute permission
> depending on the filename, makes every single Windows box a ticking
> time bomb.  Someone just has to be clever enough to deposit an .exe on
> a system and trick someone into running it.

But this can be prevented. You have group policy as one option. You have
third party solutions as other options.

Also, this "flaw" is largely a function of usability requests IMO.
 
> The social engineering required to do the same on Linux is an
> insurmountable
> hurdle; not only do you have to deposit the file, but you have to convince
> someone to turn on the execute bit, which no Linux mail clients currently
> do, and which the average office worker is unlikely to even know how
> to do.  (That's why I have a warm feeling when our sales people use Linux;
> they don't know enough to be dangerous. :-))

I would disagree. Send them an RPM on redhat and have them run it. With
increased user requests for functionality and usability (i.e. why can't I
run this attachment), Linux and the relevant email clients will continue to
be tugged in directions other than security.

Besides, for email clients as others have pointed out, Outlook 2003 has
completely removed this functionality by default to my experience and
understanding.
 
> No; it is related to the fundamental design flaw I mentioned above.

Again, Windows can most assuredly be hardened.

> > Someone else pointed out that no OS is bug free, which is a truism. The
> > ability to harden a system, if one knows what they are doing, is also a
> > truism.
>
> Are you claiming that all OS's have the same inherent security, and
> that all can be hardened to the same extent?  If yes, then you're out
> of touch with reality.  If no, then some OS's must be better than
> others, and I claim that Linux, out of the box, is more secure than
> Windows, out of the box, and furthermore, I claim that Linux is
> possible to secure to a greater extent than Windows (especially with
> the NSA work now merged into Kernel 2.6.)

No, I am claiming that all OS's can be hardened. Each system requires
different hardening steps. I would also contend, and have contended, that
there is more to software than merely security. It has to be usable. That is
really the race in OS software right now. Can Microsoft secure Windows
faster than Linux can become usable. The jury is still out, though both are
making their respective strides.
 
> It's easy to glibly dismiss my argument, but you don't address the facts.
> Unless Microsoft has an economic incentive to improve security, it won't.

And yet, they are? I'm not glibly dismissing your argument. I'm dismissing
it because it seems to me to have little substance beyond the old "<james
hetfield> Microsoft bad, linux good</james hetfield>" arguments.

> And the only economic incentive it could have is the potential loss of
> market share.  And that can't happen without competition.  And
> competition,
> in the consumer OS market place, cannot happen unless people are willing
> to look at alternatives to Windows.

OK, so this is just another "use Linux" or "Microsoft is an evil monopoly"
rant? I'll go back to my statement that a lot of the argument seems to be
nothing more than "don't use Microsoft cause it is sucky". 
 
> > Protestants, Catholics. Muslims, Jews. Penguinistas and
> > Microsofties. It isn't about securing our computers, it's about not
> using
> > Microsoft. It's an old, tired, pointless argument. :shrug:
>
> You fail to refute it, because you cannot.

Yes, in the same way that folks can neither prove or refute the existence of
God. Because it is a religious belief that has more to do with faith than
fact. Hell, I'll submit your mistaken statements regarding the ability to
harden windows as evidence of that, and honestly I don't have much of a
desire to be involved in just another religious pissing contest. :-)

For me, neither Windows or Linux are "better". They both do good things and
bad things, and as long as they meet my requirements they both get used when
appropriate.

Wes Noonan
mailinglists () wjnconsulting com
http://www.wjnconsulting.com 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html