[brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ...
dpuryear at usa.net
Thu Jul 5 08:37:55 CDT 2001
John Hebert wrote:
<em>>>I have to wonder if the scale isn't tipped in large
<em>>>part because of
<em>>>where the hacking community's attention is currently
<em>> The scale is tipped because the hackers are attacking
<em>> easy targets. Open source gets patched too quickly for
<em>> script kiddies to gain interest.
<p>No. Open source software that has active, qualified developers gets
patched quickly. That is not the same as "Open source gets patched
quickly." Of course, I happily concede that in most situations it is
easier to fix problems in open source code than closed source code.
<p><em>>>Actually, it is pretty darn simple to secure an NT
<em>>>box. In fact, it
<em>>>works just like it does under UNIX: turn off
<em>>>unnecessary services, apply
<em>>>patches, fix file permissions. As far as Windows 9x
<em>>>users, assuming they
<em>>>don't run a trojan they are pretty safe out of the
<em>>>box. The problem here
<em>>>is that, damnit, they keep running trojans.
<em>> You might as well say that the most secure box is one
<em>> that doesn't get used.
<p>Ok, now we are moving to another issue entirely. The original topic was
shipping secure products and being able to maintain those systems in a
<p><em>> I disagree that they are safe by default, for the
<em>> reasons John B. and others have pointed out. Win9x
<em>> users are root by default, and they do stupid stuff
<em>> (like click the box that says to share files with
<em>> others on a broadband connection). I posit it was
<em>> easier for M$ to design a more secure OS than to teach
<em>> users not to do stupid stuff. Hence, NT, then 2000,
<em>> then XP.
<p>I think this has occurred in large part because users are becoming more
sophisticated. In other words, there is a market need for a product that
is both secure locally and over the network. We need to keep in mind
that Windows 95 and 98 are consumer products first and foremost. Yes, we
are now seeing that even consumers need better host security, but again,
why aren't we arguing about Apple OS? It is just as vulnerable as
Windows 95 and 98 to these problems.
<p><em>>>So you are agreeing that it is the vendors
<em>>>responsibility to ship a
<em>>>reasonably secure product to the user and not the
<em>>>responsibility to ensure the vendor did their job?
<em>> Of course I do, but the difference here is that a M$
<em>> user can only go so far to ensure the vendor did their
<em>> job, whereas free software users (RH) can get right
<em>> down anal retentive about it.
<p>Some free software users. Most end-users could care less--they just want
to get their jobs done.
<p><em>>>But the original argument was
<em>>>Windows is no more a target than UNIX and Linux
<em>> Wrong. Closed source is less secure than open. M$
<em>> Windows and closed source UNIX OSs are a bigger target
<em>> than free software.
<p>I agree that closed source software is potentially less secure than open
source software. However, just being open source does not a secure
product make. Peer review is important, but I would bet that the vast
majority of open source software is not peer reviewed. This means those
products have the potential to be more secure, but they do not ever
actually realize that benefit of being open source.
<em>> >The difference
<em>>>here is that there are a lot of Windows boxes out
<em>>>there, but does that
<em>>>make Microsoft any more culpable for these attacks
<em>>>that Red Hat or Caldera?
<em>> It does if there is no peer review of source code.
<p>I disagree. A vendor is only liable if they ship an insecure product.
This makes all parties equally responsible.
<p><em>>>Does the number of boxes sold make you more
<em>>>vendors who ship equally insecure systems but have
<em>> Yep. When it's closed source vs open.
<p>So as long as I ship an open source product I can make it as insecure as
I want? I have no liability, or at least not as much as a closed source
Dustin Puryear <dpuryear at usa.net>
In the beginning the Universe was created.
This has been widely regarded as a bad move. - Douglas Adams
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
Send email to majordomo at brlug.net to change
your subscription information.
<!-- body="end" -->
<li><strong>Next message:</strong> Dustin Puryear: "Re: [brluglist] Book"
<li><strong>Previous message:</strong> Dustin Puryear: "Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ..."
<li><strong>In reply to:</strong> John Hebert: "Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ..."
<li><strong>Next in thread:</strong> Tim Fournet: "Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ..."
<li><strong>Reply:</strong> Tim Fournet: "Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM ..."
<li><strong>Messages sorted by:</strong>
[ date ]
[ thread ]
[ subject ]
[ author ]
[ attachment ]
This archive was generated by hypermail 2.1.2
: <em>Thu Sep 06 2001 - 11:10:54 CDT</em>
More information about the General