North American Network Operators Group


Re: The magic security CD disc Re: HTTP proxies

  • From: Scott Francis
  • Date: Mon Dec 09 13:22:07 2002

On Mon, Dec 09, 2002 at 05:53:28PM -0000, [email protected] said:
> 
> --On 09 December 2002 08:39 -0800 Scott Francis <[email protected]> wrote:
> 
> >*cough*OpenBSD*cough*
> 
> I've had lots of people off-list me to say how wonderfully secure X Y or Z
> OS distribution is. I am quite sure there is indeed a huge variation. MS
> fits somewhere into the scale too.
> 
> The sort of thing I meant though, for example, was how many Linux/BSD
> distributions, on a *desktop* install, when you select a caching
> nameserver, have it only bound to 127.0.0.1 rather than bound to
> INADDR_ANY? Yes, you can tweak the config file, but what % of menu-using
> users know they should do that, and, if so, do it? How many machines
> then got infected by a BIND worm that needn't have done?

My point was not that OpenBSD (or Foo OS distribution) is the solution to the
problem of insecure desktop machines. My point was, there IS a group out
there that has, for several years now, been successfully releasing software
that adheres to the philosophies of "less is more", "default deny" and
"secure by default" (not to mention software that fails gracefully - see
Schneier).

It _can_ be done, and is currently being done, contrary to the objections of
@major_commercial_vendors who proclaim loudly from time to time that that
level of security would render their software unusable.

My point in mentioning OpenBSD was merely to give an example of a group
that's proceeding along the lines you suggested. One would hope that other,
larger vendors would take notes.

> >Taking off my evangelism hat for a moment, I think commercial software
> >vendors in general will continue to ship whatever maximizes profit. When
> >it becomes unprofitable to ship insecure buggy bloatware (through legal
> >liability, for instance), companies will stop doing so.
> 
> This is exactly my point. If the US government (which appears to be taking
> an interest), took an interest in making life less comfortable (read
> profitable) to ship insecure OS's, vendors will start stopping. Until then,
> security is only something they need package in for those who think they
> need it - as opposed to 'for the common good'.

Since security is rarely a selling point for the average user in choosing
desktop software, it will rarely be a consideration by the vendors of such
software. Until it becomes commercially painful to ship insecure software,
vendors have no reason to do otherwise.

> From the point of view of traditional microeconomics, operating system
> security has 'externalities' - i.e. costs incurred by third parties. Much
> the same as pollution. In the general case, sufficient externalities are a
> good reason to examine some form of government intervention (taxation,
> regulation etc.). Even when the problems are international, there are
> historical precedents (drug regulation for instance) for international
> coordination.

I'm not sure we need more governmental intervention as much as we just need
the government to get out of it altogether. Currently vendors have a lot of
clout to pass laws that effectively render them immune to any kind of legal
liability. Remove that governmental protection, and let the lawyers take a
stab at it (much as it pains me to say that). Given the success of the
tobacco lawsuits, I suspect there are any number of legal firms out there
drooling at the thought of a class-action suit against, say, Microsoft ...
-- 
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui

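The loopback-versus-INADDR_ANY question raised in the quoted text can be checked on a running Linux host. The following is an added example, not part of the original thread: it parses a constructed sample in the /proc/net/tcp layout and reports whether each listener on port 53 is bound to 127.0.0.1 or to all interfaces. A little-endian host is assumed, and the function names are illustrative.

```python
import ipaddress
import struct

# Constructed sample in the Linux /proc/net/tcp layout (not data from the thread).
# local_address is hex IPv4 in host byte order (little-endian assumed) plus hex port.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 0A00000A:0035 0A000005:C001 01 00000000:00000000 00:00000000 00000000     0        0 44444 1
"""

TCP_LISTEN = 0x0A  # in /proc/net/udp an unconnected socket shows state 07 instead


def decode_local(field):
    """Turn '0100007F:0035' into (IPv4Address('127.0.0.1'), 53)."""
    hex_ip, hex_port = field.split(":")
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def classify_listeners(proc_text, port=53, state=TCP_LISTEN):
    """Return (ip, exposure) for every socket in `state` bound to `port`."""
    results = []
    for line in proc_text.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) < 4 or int(cols[3], 16) != state:
            continue  # malformed row, or not a listening socket
        ip, local_port = decode_local(cols[1])
        if local_port != port:
            continue
        if ip.is_loopback:
            exposure = "loopback-only"      # reachable from this host only
        elif ip.is_unspecified:
            exposure = "all-interfaces"     # INADDR_ANY: reachable from the network
        else:
            exposure = "single-interface"
        results.append((str(ip), exposure))
    return results


if __name__ == "__main__":
    for ip, exposure in classify_listeners(SAMPLE_PROC_NET_TCP):
        print(f"port 53 listener on {ip}: {exposure}")
```

On a live host, pass the contents of /proc/net/tcp (or /proc/net/udp with `state=0x07`) in place of the sample.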