
Re: Counseling not to use Windows (was Re: Ano
"David F. Skoll" <dfs@roaringpenguin.com> wrote:

> > throwing out a blanket "don't use Windows" or "don't use
> > <pet peeve network client software>" is not a constructive response.
>
> I disagree. I consider myself a security professional, and I tell all
> of my clients not to use Microsoft Outlook. I would consider it a
> dereliction of duty _not_ to tell them that. I also tell them they
> should switch away from Windows to Linux or some other free UNIX, and
> again, I think it's my duty to tell them that.
>
> They are free to take my advice or not, but they understand that if
> they do not take my advice with regards to Outlook, I am absolved of
> responsibility for any e-mail borne malware.
>
> I think it's important for security professionals to tell people not
> to use Windows, if only to open their eyes to the risk they put
> themselves at, and also to the fact that there are alternatives out
> there.

I agree with all of the above.

My point was, on lists like this, if someone is using Windows or some
especially distasteful Windows network client software they are most
likely doing so either because, as in my case, they have chosen to
after weighing the various pros and cons of that decision or because
"they have to" (being under one of those aforementioned "stupid"
policy restrictions that requires all desktops to conform to a
limited sense of "corporate normality"). Telling such people to drop
their carefully chosen or enforced environment means you are more
likely to be ignored as being "out of touch" or some such.

That does not mean it is necessarily a waste of breath to advise a
paying customer, but doing it among a group of security aware
professional peers is likely to make one look bigoted and thus more
likely to get you ignored.

My comment about unprofessionalism was limited to a specific setting.
Suggesting a "spot fix" that a nanosecond's consideration shows is
likely to be policy violating in many corporate IT environments will
have one branded "unthinking" at best and quite likely
"unprofessional". Making the same suggestion when asked for
professional advice is not unprofessional (at least, so long as the
rest of the "structural changes" such as altering local security
policies to accommodate the suggested changes, etc. are also covered in
that advice).


Regards,

Nick FitzGerald
Re: Counseling not to use Windows (was Re: Ano
On Mon, 15 Jul 2002, Nick FitzGerald wrote:

[SNIP]

> Telling such people to drop
> their carefully chosen or enforced environment means you are more
> likely to be ignored as being "out of touch" or some such.
>
> That does not mean it is necessarily a waste of breath to advise a
> paying customer, but doing it among a group of security aware
> professional peers is likely to make one look bigoted and thus more
> likely to get you ignored.
>

[SNIP]

Hmmmm, does it not make those that do not wish to listen the fewls, being
there have been warnings and issues with the tools on their desktops and
at their fingertips since some of these lists began and prior. Issues
that are "fixed and patched" again and again, and the same warnings have
been issued about ActiveX and Java within those tools for how long now?

Again, if folks have to play in insecure settings on the corp backbone,
then perhaps they need to find alternative ways to play in some of these
lists. I can't count the times that windows users on the vuln-dev list
have been infected with exploit code published there, and then whined
about it! <chuckle> Even after warnings by BB that it was what the list
was for. People need to take some of the responsibility for their own
security upon themselves, IRL and online...

Thanks,


Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
Re: Counseling not to use Windows (was Re: Ano
On Mon, Jul 15, 2002 at 10:19:30AM +1200, Nick FitzGerald wrote:
...
>
> I agree with all of the above.
>
> My point was, on lists like this, if someone is using Windows or some
> especially distasteful Windows network client software they are most
> likely doing so either because, as in my case, they have chosen to
> after weighing the various pros and cons of that decision or because
> "they have to" (being under one of those aforementioned "stupid"
> policy restrictions that requires all desktops to conform to a
> limited sense of "corporate normality"). Telling such people to drop
> their carefully chosen or enforced environment means you are more
> likely to be ignored as being "out of touch" or some such.
...
>
> My comment about unprofessionalism was limited to a specific setting.
> Suggesting a "spot fix" that a nanosecond's consideration shows is
> likely to be policy violating in many corporate IT environments will
> have one branded "unthinking" at best and quite likely
> "unprofessional". Making the same suggestion when asked for
> professional advice is not unprofessional (at least, so long as the
> rest of the "structural changes" such as altering local security
> policies to accommodate the suggested changes, etc. are also covered in
> that advice).
>

Well, that's what I get for making such a short comment. :)

Anyway, let me try to be more clear. The many holes in clients such as
Internet Explorer and Outlook have been made clear over and over again for
many years now. The insecurity of these products is not news.

Companies who were dependent on these programs, or who had policies
referring to them, have had years now to plan a migration away from them
to other tools, and to write new policies. There should never have been
any need for a "spot fix."

However, there's no point in saying "I told you so" either. So, while
it's unfortunate that these products are still so widely used, it's not too
late. Companies can still make the necessary decisions and move forward
to ensure a more secure and productive environment.

My post was intended as a simple reminder that even if you've been banging
your head against the wall for years, it's never too late to stop. :)


Chris
Re: Counseling not to use Windows (was Re: Ano
On Mon, 15 Jul 2002, Chris L. Mason wrote:

> However, there's no point in saying "I told you so" either. So, while
> it's unfortunate that these products are still so widely used, it's not too
> late. Companies can still make the necessary decisions and move forward
> to ensure a more secure and productive environment.

Amen.

> My post was intended as a simple reminder that even if you've been banging
> your head against the wall for years, it's never too late to stop. :)

Right. And that is why I think security professionals *must* advise clients
to make long-term plans to wean themselves from proven-insecure products.
While security is a process, not a product, the flip side is that
insecurity can indeed result from a specific product. The use of insecure
products can upset even the most careful security process.

So, security professionals who don't mind getting dirty should, by all
means, help their clients patch up their Windows networks. (I happen
to mind getting dirty, so I decline that work.) But all security
professionals should help their clients maintain perspective, and
realize that fighting with Windows is not a long-term viable solution.

(And those same professionals, by the way, should be critical of
developments in the Linux world like GNOME's installer:
"lynx -source url | sh". This is just as bad as the worst Windows design.)

--
David.
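The "lynx -source url | sh" installer David objects to above hands whatever the server returns straight to a shell, with no opportunity to inspect the script or check it against anything the vendor published. The following is an added illustration, not code from this thread or from GNOME, of the safer fetch-to-file, verify-checksum, then-run shape in POSIX sh. The installer file, its "published" digest and the function names (verify_and_run, sha256_of, demo) are constructed for the example, and the "download" is a local file so the script runs offline.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against its published
# SHA-256 digest before executing it, instead of piping the download to sh.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
# Uses sha256sum (coreutils) or shasum (BSD/macOS), whichever exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo "no sha256 tool available" >&2
        return 1
    fi
}

# verify_and_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest equals EXPECTED_SHA256 (obtained
# out of band, e.g. from the vendor's signed release notes). Returns 1 and
# executes nothing on any mismatch or hashing failure.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s: refusing to execute\n' "$file" >&2
        return 1
    fi
    sh "$file"
}

# demo: constructed local "installer" standing in for the network download.
# Returns 0 when the intact file runs and a modified copy is refused.
demo() {
    dir=$(mktemp -d) || return 1
    installer="$dir/install.sh"
    printf '#!/bin/sh\necho "installer ran"\n' > "$installer"
    # Digest the vendor would publish alongside the download (computed
    # locally here because the file is constructed).
    published=$(sha256_of "$installer") || { rm -rf "$dir"; return 1; }

    # 1. Intact file: digest matches, the script executes.
    verify_and_run "$installer" "$published" >/dev/null || { rm -rf "$dir"; return 1; }

    # 2. File changed after the digest was published: digest differs,
    #    nothing executes. Even one appended line is enough to be refused.
    echo 'echo "content not covered by the published digest"' >> "$installer"
    if verify_and_run "$installer" "$published" 2>/dev/null; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
    return 0
}

demo && echo "verify-before-run demo OK"
```

The point is the ordering: the bytes land in a file, the file is compared with a digest obtained through a separate channel, and only then does a shell see it. A checksum on the same web page as the download only protects against corruption; for a published-value check to mean anything against a modified download, the expected digest has to come from a source the attacker of the download cannot also edit (a signed release announcement, a distribution's package metadata), which is what package managers do for you.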