[4365] in WWW Security List Archive
Re: UNIX less secure than Win95? (was Re: Sceptic about (Funds ...)
daemon@ATHENA.MIT.EDU (Jay Heiser)
Tue Feb 11 19:10:44 1997
Date: Tue, 11 Feb 1997 15:24:13 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Matt Mosley wrote:
> On February 10, Jay Heiser wrote:
>
> > Whoah! I hope I'm not quoting you out of context. Security issues
> > rarely have
> > a higher priority than business issues.
>
> For vendors, yes. It's very unfortunate.
I sometimes wonder if the security business wouldn't be a lot more
profitable
if we hadn't scared the hell out of the potential customers.
> Actually, many of these apps (not all, but many) have already been
> ported to UNIX systems of some kind (and where they haven't, other
> ones are generally available.)
Maybe we should take this offline, but can't seriously expect that large
numbers of personal productivity workstations will migrate to UNIX. I
like UNIX, but I left the UNIX biz years ago when I realized it was
becoming less significant. Normal people do not run UNIX on their
desks.
> > with UNIX than with NT. But even though its easier to use, NT still
> > requires an understanding
> > of computing that Win95 does not.
>
> How is this so? In a secure UNIX environment, it's very difficult for
> an inexperienced user to cause damage. It's also much easier to make
> UNIX secure than it is to make NT/95 secure; source code is generally
> available for most any UNIX application.
You're supporting my argument. Only a very small % of administrators
are
prepared to deal with source code. The roll-your-own concept has sort
of a frontier pioneer appeal, but if large numbers of people want to do
something, then vendors will have the opportunity to sell easier
solutions.
For most people, the words 'much easier' and 'source code is available'
do not appear in the same sentence. You've just argued that a very
experienced administrator can make UNIX really tight, and I'm not
arguing
against that.
>
> > I could easily run UNIX at home, but its a lousy personal productivity
> > environment.
>
> I disagree. I run it at home, and it's an excellent productivity
> environment. In fact, I find it to be much more useful than anything
> Microsoft has ever written.
>
> > I couldn't easily run Quicken, MS-Word, my scanner, and my tax prep
> > software. It
>
> Maybe not those particular packages, no. But there are others
> available.
But those apps are my requirements. in UNIX I can spend $2K to buy a
scanner app,
I can buy Frame for $1k, but I still can't buy Quicken and I've spent
10 times what I would for Windows. Once when I was working for SCO, a
question floated around the company in e-mail asking the best way to do
a mail merge with the either Troff (actually Eroff) or the
character-based
word processor we sold (WYSIWYP). One person piped up with the
marvelous
suggestion that you didn't need an application at all, but you could
create
a great mail merge script with awk, sed & m4. I imagined clerical
workers
all over the world boning up on m4 so they'd be able to do mail merges.
(I can't explain why this is funny. Its like the Washington Post. If
you don't get it, then you don't get it.)
You're obviously productive, so 'personal productivity' was apparently
not
a politically correct term. Think up a new word to describe 'what most
people do with PCs. There will be no mass exodus to UNIX.
>
> In one sentence, you say "let's avoid religious wars" and in the next
> one "for most people, Win95 is still the best choice". Sounds like
> you just don't feel able to respond to any intelligent argument, so
I didn't mean to give that impression, but you can't convince me that
the
majority of Windows 95 users would be better off moving to UNIX. They
are designed for completely different purposes.
>
> > BTW, which operating system is sucessfully attacked more often over the
> > net,
> > UNIX, NT or Win95? So far, its been UNIX, hasn't it? Couldn't we
> > make a case
> > that UNIX is less secure than Win95? Is there a 4th choice to consider?
>
> No, we couldn't. It's a simple case of UNIX being around much longer,
> and having much more public availability and scrutiny. NT is so new
> that not enough people have analyzed it yet to find the holes (plus,
> there's no source available for it so it's more difficult) and 95
> isn't really even an operating system (and even if it was, it has no
> default ability to accept incoming connections; if you turn off inetd
> and all incoming connections on a Unix box, you'd achieve the same
> thing as Win95).
Thanks -- that's what I was trying to say. So you agree that an
inexperienced
user installing Win95 will end up with a less vulnerable box than an
inexperienced user installing UNIX (who doesn't know to turn off all the
services that aren't necessarily needed).
If your requirements don't call for an operating system, then why
install
one? All that extra stuff just leads to trouble.
>
> -Matt
>
> P.S. I don't speak for my employer on the above, just personal
> opinion.
>
> Matt Mosley DIGEX (Digital Express Group, Inc.)
> mattm@digex.net 6800 Virginia Manor Road
> Network Security Administrator Beltsville, MD 20705-4212 USA
--
Jay Heiser, 703-610-6846, jay@homecom.com
Homecom Internet Security Services
http://www.homecom.com/services/hiss
For company & industry news...subscribe to newsletter@homecom.com
