[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause

To: full-disclosure@lists.netsys.com
Subject: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause
From: "James Patterson Wicks" <pwicks@oxygen.com>
Date: Thu, 15 Jan 2004 18:27:37 -0500

And we all know that there are no flaws in Linux security, right?

--------------------------------------------------------------------------------
Security group warns of hole in Linux kernel - 
http://www.infoworld.com/article/04/01/05/HNlinuxhole_1.html

Flaws raise red flag on Linux security - 
http://www.computerworld.co.nz/news.nsf/UNID/ECE4790310BB04F7CC256E1900083AC2?OpenDocument

Hackers Attack Debian Linux - 
http://enterprise-linux-it.newsfactor.com/story.xhtml?story_title=Hackers_Attack_Debian_Linux&story_id=22748&category=distributions

I could go on, but you all get the picture . . . .
--------------------------------------------------------------------------------

Is Linux by nature more secure than Windows?  Of course.
Are any operating systems totally secure and without flaws?  Of course not.
Can an average user set up and operate a Linux desktop easier than a Windows 
desktop?  Of course not.  The functionality that Windows desktops users are 
accustomed to is not easily duplicated in Linux desktops, especially when it 
comes to video editing software and games.

Many people jumping on their soapboxes calling Windows everything but a child 
of God have something in common - they are very good at using Linux and have 
found a way to function in the home and/or work environment without it.  It 
does not take a rocket scientist to use a Linux system, but it takes a lot 
longer to learn to use Linux effectively than it does Windows.  That is time 
that businesses and home users are not willing to commit to.  And yes, that 
unwillingness comes at a cost - security.

Bill Gates created an imperfect product, rushed it to market and dominated the 
market.  He continues to make a product that focuses on ease-of-use rather than 
security.  Does he suck for having suck a awful business focus?  Yes, but then 
again he's a billionaire and I'm begging the boss to pay for a better hotel at 
the Networker conference.

The reason Windows is so popular is that the average Joe can go to Walmart, buy 
a complete Windows XP PC for about $500 and send out an e-mail in about an 
hour.  Is his system fully secure out of the box?  Heck no, no system is.  You 
have to work to secure any operating system, you just need more skill/training 
to secure a Linux system.

What does Joe have to do to make his Windows XP system somewhat secure?
        - Install a personal firewall (with basic IDS features)
        - Install an anti-virus program
        - Apply all of the critical updates
        - Install an anti-spyware application like Spybot or Ad-Aware 
        - Make sure that his computer, firewall, anti-spyware and anti-virus 
applications stay updated.

Now, does the average Windows user do this?  Of course not.
Since the average user fails to perform basic maintenance and software updates 
on a Windows-based system, just how in the heck do you expect him to learn 
Linux command-line syntax and how to compile an Linux operating system when new 
kernel flaws are found?  Can he use the web and an x-windows interface to 
secure his system?  Possibly, but to suggest that you can properly secure a 
Linux system without using the command-line interface is being coy and 
deceptive.

This whole "Linux is the answer for the average home user" is a fantasy.  If 
Grandma Bessie in the mountains of West Virginia has to take a couple if Linux 
classes at the local community college just to email her grandkids, then I 
think that she might just opt to just call them on Sundays. 

While I feel this whole "Personal Firewall Day" is just some marketing gimmick, 
I do feel there is still a need to educate Windows OS users on what basic home 
computer security is about.

And how to download the Mozilla browser . . . . 
;)

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of David F.
Skoll
Sent: Thursday, January 15, 2004 3:37 PM
To: Exibar
Cc: tlarholm@pivx.com; full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day,
help the cause

On Thu, 15 Jan 2004, Exibar wrote:

>  But not 100% safe though...  there are Linux viruses,

Such as ... ?

> what about all those e-mails that
> try to steal my SS# and CC#'s?

Never had one of those, because our anti-spam system blocks them.

> Education is the key, not the OS that you run or don't run.

That's not entirely true; the OS makes a huge difference.

> > A default install of a modern Linux distro includes firewalling rules
> > by default, and is fairly safe.

> there aren't any holes in that Linux distro?

There are, but none are exploitable remotely on our systems.

> there sure are, pleanty of them.  Oh, so the Personal Firewall is
> protecting the user... interesting, aren't there Personal Firewalls
> for Windows OS's?  Tons of them....

Linux has them built-in, and on modern distributions, turned on by default.

> > Because it is impossible to use Windows safely; the very design of the
> > operating system is flawed.  This is not just my opinion; it's also that
> > of Bruce Schneier and many other people, some of whom lost their jobs

>   it IS possible to use Windows safely, with Education of the user.

It's probably also possible to weld safely while standing knee-deep in
gasoline.  You just have to be really careful.

Or you can start with a secure foundation and then add user-education.

> I don't buy that you block them ONLY to save disk space and stop
> annoying messages...  don't buy it at all....

I don't care what you buy or don't buy, but it's the truth.  We don't
run Windows, so we aren't susceptible to the viruses in the wild.

> > We have since 1999, and haven't had any problem.  If you don't use
> Windows, > you don't need anti-virus software.

>  Ignorance is bliss they say...  If you honestly and truely believe
> what you say, more power to you.  I honestly hope that nothing bad
> happens to your systems due to a virus outbreak that A/V software
> would have taken care of....

There is no A/V virus designed to protect Linux systems.  There is
A/V software that runs on Linux, but it's designed to catch Windows
viruses.

I've been in the computer security business for a while now; I think
I know what I'm doing.

Regards,

David.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

This e-mail is the property of Oxygen Media, LLC.  It is intended only for the 
person or entity to which it is addressed and may contain information that is 
privileged, confidential, or otherwise protected from disclosure. Distribution 
or copying of this e-mail or the information contained herein by anyone other 
than the intended recipient is prohibited. If you have received this e-mail in 
error, please immediately notify us by sending an e-mail to 
postmaster@oxygen.com and destroy all electronic and paper copies of this 
e-mail.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause
Next by Date: Re: [Full-Disclosure] UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause]
Previous by thread: Re: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause
Next by thread: RE: [Full-Disclosure] Re: January 15 is Personal Firewall Day, help the cause
Index(es):
- Date
- Thread