Crispin Cowen wrote:

> Begging to differ, but yes they are the great Satan :)
> Microsoft has been systematically holding back the
> trailing edge of technology for 20 years. Apart from
> their systems being generally dreadful, and their
> marketing practices outright illegal on many grounds,
> their security is especially bad.

I think Rob's point, one that I find very compelling, is that MS products were not designed or marketed to hardcore geeks. They were designed for mass-market consumption.

Yes, out of the box, a default installation, Windows security sucks. But honestly, there are a lot of ways to slice and dice Windows machines. With a modest amount of hardening, you can turn an NT/2000 box into a very secure machine. I've written a paper on this. It's not impossible, but it isn't something many people know how to do.

Thus the problem...many IT departments do not have the staff, education, experience, or resources to do this properly. The race to get a computer on everybody's desk has taken a back seat to securing those systems.

I've been inside a lot of firms right here in Portland. And as much as they care about security, the fact is there is only so much one or two IT guys can do in a day. Many IT folks are working 90 hour weeks as is. Asking them to suddenly become experts in security and transform their entire environment into super-hardened UNIX boxes is simply not going to happen.

> The mail client (Outlook) trusts scripts
> attached to incoming mail. This is the most
> dangerous way in which viruses propagate.
> The #1 biggest thing you can do to secure your
> company is to mandate that no one can use
> Outlook as a mail client. Choose any other
> mail client, it doesn't matter which one:
> they are all more secure than Outlook.

That is easy for hardcore nerds like us who can handle new software with ease. But for the average joe who does not understand computers very well, asking them to use an unfamiliar program is a massive problem. It would cause immediate and painful productivity problems for companies.

I like to think of this as the "Mom" problem. My mom is a very intelligent, well-educated person. But she is not a computer person. She knows Outlook, IE, Word, a few basic programs and they allow her to be very productive and surf the web, buy stuff on E-Bay, send out letters, etc. If I sat my mom in front of a UNIX box she would scream in horror. It would take her months to re-learn everything.

Well, most organizations have a lot of "moms" working in them and therefore they simply cannot just "throw away" their existing infrastructure because it has a few (or even a lot) of security holes. They must adapt that infrastructure to fit the needs of their users. That means patching holes as best they can and implementing systems to detect and catch attempts to exploit those holes.

> I'm not sure what Robert Graham has been
> smoking; he's not normally this silly.
> He's essentially advising you to
> systematically do exactly the wrong
> thing everywhere.

No, he is taking a middle ground between practicality and security. As a person who has the inglorious job of actually making security systems work in corporate environments, Rob's comments are very true. Many organizations simply are not prepared to become a Fort Knox of computing security. They simply do not have the resources to devote to security.

I think it is encouraging that many companies are beginning to take security seriously. But the road to security is long, complex, and sometimes expensive. It will not happen overnight regardless of how many brilliant theories and methodologies the security community devises.

> Yes it's true that security is at odds with
> convenience: it must be, because it is the
> business of saying "no" sometimes, so it
> is necessarily less convenient. Good
> security design (the Principle of
> Psychological Acceptability) accounts
> for this, and works hard to make sure
> that legitimate users see the "no" answer
> as rarely as possible. What Graham is
> suggesting is to throw up your hands and
> just disable security because it is too
> annoying. If you follow that advice,
> you will deserve what you get.

I don't see that as what Graham said at all. In fact I challenge you to point out where you feel Graham is saying that.

What Graham does say, and I whole-heartedly support as a greedy capitalist pig, is that the market must decide what is appropriate. And I would say the market has already decided: people want Microsoft products.

Furthermore, I can speak from direct experience that security is a complex problem that is best handled with practical solutions that carefully weigh cost and risk reduction. Sometimes, the cost of reducing risk is simply prohibitively too high for some organizations. I have numerous customers that simply cannot afford the price of expensive commercial products or the time to learn and implement open-source products. Therefore, they have to settle for some practical, "in-between" type solutions.

The simple fact is, the markets are deciding what is important. And that has some security people upset. But in my experience, the free-market is much better at deciding the fate of than centrally controlled organizations.

------------------------------------
Andrew Plato
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
Yahoo Messenger: Anitian
------------------------------------
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:49 PDT