Andrew Plato wrote:

> Crispin Cowan wrote:
>
>> Begging to differ, but yes they are the great Satan :) Microsoft has
>> been systematically holding back the trailing edge of technology for
>> 20 years. Apart from their systems being generally dreadful, and their
>> marketing practices outright illegal on many grounds, their security
>> is especially bad.
>>
> I think Rob's point, one that I find very compelling, is that MS
> products were not designed or marketed to hardcore geeks. They were
> designed for mass-market consumption.
>
If that is the claim, then it is reprehensible. Mass-market consumers are
those users who are least able to defend themselves. Deliberately handing
them something that is shiny, but vulnerable as a result of being shiny,
is the kind of despicable marketing-based engineering decision that first
incited Ralph Nader.

> Yes, out of the box, a default installation, Windows security sucks. But
> honestly, there are a lot of ways to slice and dice Windows machines.
> With a modest amount of hardening, you can turn an NT/2000 box into a
> very secure machine. I've written a paper on this. It's not impossible,
> but it isn't something many people know how to do.
>
Ok, it is possible. But it is definitely much more difficult to do than on
sensible systems. Windows is marketed as being easier to use, but using it
securely is actually harder.

> Thus the problem...many IT departments do not have the staff, education,
> experience, or resources to do this properly. The race to get a computer
>
That is the security problem. It is separate from the "Does Microsoft
really suck that much?" question.

>> The mail client (Outlook) trusts scripts attached to incoming mail.
>> This is the most dangerous way in which viruses propagate. The #1
>> biggest thing you can do to secure your company is to mandate that no
>> one can use Outlook as a mail client. Choose any other mail client, it
>> doesn't matter which one: they are all more secure than Outlook.
>>
> That is easy for hardcore nerds like us who can handle new software with
> ease. But for the average joe who does not understand computers very
> well, asking them to use an unfamiliar program is a massive problem. It
> would cause immediate and painful productivity problems for companies.
>
> I like to think of this as the "Mom" problem. My mom is a very
> intelligent, well-educated person. But she is not a computer person. She
> knows Outlook, IE, Word, a few basic programs and they allow her to be
> very productive and surf the web, buy stuff on E-Bay, send out letters,
> etc.
>
> If I sat my mom in front of a UNIX box she would scream in horror. It
>
I think you are misconstruing what I was saying. I know that UNIX is waaay
too difficult for your mom/receptionist/CEO to use. But there are other
mail clients that run on Windows that are every bit as easy to use as
Outlook (Netscape Communicator and Eudora being the leaders). Using
Windows is an unfortunate necessity in many circumstances. Using Outlook
is reckless, and should be regarded as malpractice in the IT business.

> would take her months to re-learn everything. Well, most organizations
> have a lot of "moms" working in them and therefore they simply cannot
> just "throw away" their existing infrastructure because it has a few (or
> even a lot) of security holes. They must adapt that infrastructure to
> fit the needs of their users. That means patching holes as best they can
> and implementing systems to detect and catch attempts to exploit those
> holes.
>
Outlook's vulnerability is not a "hole": it is a designed-in feature. It is
a door guaranteed NOT to lock.

>> I'm not sure what Robert Graham has been smoking; he's not normally
>> this silly. He's essentially advising you to systematically do exactly
>> the wrong thing everywhere.
>>
> No, he is taking a middle ground between practicality and security. As a
> person who has the inglorious job of actually making security systems
> work in corporate environments, Rob's comments are very true. Many
> organizations simply are not prepared to become a Fort Knox of computing
> security. They simply do not have the resources to devote to security.
>
That would be nice if it was true, but it is not. Graham is talking
absolute crap. He is advocating horribly insecure practices that don't
even approach the middle ground. He makes apologetic and disingenuous
excuses for some of Microsoft's most egregious design abuses, and
characterises that as reasonable practice. Nothing could be further from
the truth.

>> Yes, it's true that security is at odds with convenience: it must be,
>> because it is the business of saying "no" sometimes, so it is
>> necessarily less convenient. Good security design (the Principle of
>> Psychological Acceptability) accounts for this, and works hard to make
>> sure that legitimate users see the "no" answer as rarely as possible.
>> What Graham is suggesting is to throw up your hands and just disable
>> security because it is too annoying. If you follow that advice, you
>> will deserve what you get.
>>
> I don't see that as what Graham said at all. In fact I challenge you to
> point out where you feel Graham is saying that.
>
How about his opening quote:

    "Security is mostly a superstition. It does not exist in nature, nor
    do the children of men as a whole experience it. Avoidance of danger
    is no safer in the long run than outright exposure. Life is either a
    daring adventure, or nothing." - Helen Keller

So what the hell; go ahead and use a mail client that executes content
mailed to you from anyone, as root, on your workstation. Because life is
too short to give a damn about security :)

This theme continues throughout Graham's article, where time and again he
defends a bad security decision on the basis that it made operations more
convenient. While that is often true, in most cases a *different* decision
could have made operations equally convenient without exposing the user to
anywhere *near* as much risk as Microsoft did.

> What Graham does say, and I whole-heartedly support as a greedy
> capitalist pig, is that the market must decide what is appropriate. And
> I would say the market has already decided: people want Microsoft
> products.
>
Me and Judge Jackson question whether the market was ever given a choice
to select anything else.

> Furthermore, I can speak from direct experience that security is a
> complex problem that is best handled with practical solutions that
> carefully weigh cost and risk reduction. Sometimes, the cost of reducing
> risk is simply prohibitively too high for some organizations. I have
> numerous customers that simply cannot afford the price of expensive
> commercial products or the time to learn and implement open-source
> products. Therefore, they have to settle for some practical,
> "in-between" type solutions.
>
That's all true, but beside the point. Barry Shulak asked whether
Microsoft products were as bad as the jeers at the CRIME meeting
suggested, and why. I have argued that they are every bit as bad, and
worse. It is true that security is complex, and that most organizations
cannot afford the operational costs of high security. What is hidden is
that most organizations are paying through the nose for either the added
expense of trying to secure Microsoft's broken systems, or for the added
expense of just being vulnerable. There are alternatives if one takes off
the "Microsoft only" blinders. You can buy and use many non-Microsoft
products (based on Linux and *BSD) that are a vast improvement over
Microsoft for price, performance, security, and occasionally even ease of
use, and definitely ease of use *securely*.

> The simple fact is, the markets are deciding what is important. And that
> has some security people upset. But in my experience, the free-market is
> much better at deciding the fate of than centrally controlled
> organizations.
>
Where did anyone suggest a centralized authority replace the free market?
This is all just information to help our tiny little segment of the
market make a better informed decision :)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc.      http://wirex.com
Security Hardened Linux Distribution:            http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:39:50 PDT