On Wed, Aug 08, 2001 at 08:44:16PM -0400, Scott Ehrlich wrote:
> I believe WinME was designed for the low-end, home user, where NT/2000 is
> more for the business, higher-end market.

Yes, that's the model MS uses...

> Thus, home users will likely not need as much security and will not
> tax the OS as much.

But this I don't agree with at all, either part of it.

I DO think that the average home user fails to regard their data as requiring security or being vulnerable. In the past I've pointed out numerous reasons why a home user's data should be considered sensitive or vulnerable, but at the very least I think everyone has a responsibility to the rest of the Internet community to keep their systems secure so that they will not be used by malicious netizens as a base of attack, as is currently going on with both Code Red and Sircam.

Today I have been forced to submit to a reduction in the Internet service I am afforded, precisely because people don't regard their systems as needing to be secured. AT&T now filters all requests to port 80 across their entire network. So despite the fact that I have made every effort to keep *MY* system secure, and don't even use the software or OS affected by the plague of the day, I suffer a loss of service at the hands of people who chose to run services without regard to their responsibility to keep them secure.

If you use AT&T, your ISP obviously disagrees with the above theory, as evidenced by their decision to filter port 80. By this somewhat heavy-handed approach, they're doing what little they can to keep users' systems secure, since they won't.

As for taxing the OS, one of the most taxing applications is games, which is one of the top applications home computers are used for.

Now I know that some people will be quick to respond to my little rant above by pointing out that MediaOne, and subsequently AT&T, have always had a no server clause in their ToS. Which is fine and dandy, except that it has always been tolerated provided you do not pose a threat or abuse your bandwidth, and I used the service knowing that. Now that's changed, only because some home users will insist upon running services but won't own up to their responsibility to secure their systems. So, like everything else, they've spoiled it for those of us that are well-behaved.

In addition to the "no server" clause, AT&T also says that it is your responsibility to secure your system. Since these are the people that actually are the problem, I'd much rather see AT&T go after people who violate this clause, than to filter those of us who very quietly make use of our service to provide a web server, which (if done responsibly) hurts no one. They will, of course, not do that because it is much easier to filter port 80, and they'll lose more business by doing it my way.

They even give you a bunch of ways to help you secure your machine here:

http://help.broadband.att.com/legal/security.jsp

Despite some misuse of terminology, this really isn't that bad a document for beginners, which is its target audience. But what I don't think they do well enough is talk about WHY you need to do this. In fact, they seem to downplay it, saying that securing your system is easy and almost effortless. But at least they're telling you to do it, which is better than a year ago, when ISPs pretty much ignored the issue of (user side) security entirely.

I shouldn't end this without thanking Microsoft. If it were not for their shoddy software, none of this would be possible. They have repeatedly ignored security issues in order to satisfy requests for features from their "customers" (which I'm now convinced really means their business partners that want to sell you stuff, and pay MS for the privilege to get in your face). And, for a company that touts themselves as hiring only the best and the brightest, they seem to be remarkably unable to hire programmers that understand the concept of bounds checking.

And no, I have not forgotten that Linux software (and Unix for that matter) can be vulnerable too. But I also know that the Linux community is generally MUCH, MUCH better about responding quickly and responsibly to security issues than are MS and their users, and much more likely to design security into their programs than MS.

<frustrated sigh>

-- 
---------------------------------------------------
Derek Martin          | Unix/Linux geek
ddm at pizzashack.org | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu