North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: The magic security CD disc Re: HTTP proxies

  • From: Alex Bligh
  • Date: Mon Dec 09 12:55:11 2002




--On 09 December 2002 08:39 -0800 Scott Francis <[email protected]> wrote:

*cough*OpenBSD*cough*
I've had lots of people off-list me to say how wonderfully secure X Y or Z
OS distribution is. I am quite sure there is indeed a huge variation. MS
fits somewhere into the scale too.

The sort of thing I meant though, for example, was how many Linux/BSD
distributions, on a *desktop* install, when you select a caching
nameserver, have it only bound to 127.0.0.1 rather than bound to
INADDR_ANY? Yes, you can tweak the config file, but what % of menu-using
users know they should do that, and, if so, do it? How many machines
then got infected by a BIND worm that needn't have done?

Taking off my evangelism hat for a moment, I think commercial software
vendors in general will continue to ship whatever maximizes profit. When
it becomes unprofitable to ship insecure buggy bloatware (through legal
liability, for instance), companies will stop doing so.
This is exactly my point. If the US government (which appears to be taking
an interest), took an interest in making life less comfortable (read
profitable) to ship insecure OS's, vendors will start stopping. Until then,
security is only something they need package in for those who think they
need it - as opposed to 'for the common good'.

From the point of view of traditional microecomics, operating system
security has 'externalities' - i.e. costs incurred by third parties. Much
the same as pollution. In the general case, sufficient externalities are a
good reason to examine some form of government intervention (taxation,
regulation etc.). Even when the problems are international, there are
historical precedents (drug regulation for instance) for international
coordination.

Alex Bligh