Educause Security Discussion mailing list archives
Re: Spaf did not receive your email (was Re: Job Descriptions)
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Wed, 26 Feb 2003 19:49:21 -0500
At 17:57 -0500 2/26/03, Bruhn, Mark S. wrote:
> This is an age-old discussion and issue -- not whether security people should personally boycott MS products, which I suppose we could discuss as well, but whether we should (and in fact can, given alternatives) actively attempt to influence our communities to avoid MS products.
Let me be clear -- I am not advocating a boycott of MS products. However, I do think it is incumbent on us to help discourage dangerous behaviors. We know that some software and configurations are more dangerous than others. Our user population may not know that -- my own informal polling indicates most end-users believe all software is equivalent in risk.

Think of it as being similar to banning smoking in the workplace, or encouraging people who ride in your car to fasten the seatbelt. Or compare it to forcing users to use Kerberos or token cards instead of passwords. We know that they may resist at first, but it makes our systems more secure and decreases the risk. Why can't we do that with applications too?

Some behaviors are much more dangerous than others. Sending Word documents is more dangerous than sending PDF or plain ASCII (and it is also more wasteful of space). Using Apache is generally safer than running IIS. Using Eudora or Mac Mail or elm or.... is generally safer than using Outlook.
> I'm sure someone knows the statistics -- I would guess 65% of our community use Windows and MS products. We can certainly grouse about that and strongly encourage them to use something else (What? Someone could start by listing the suite of products that equate), but the reality is that they are not going to stop using that suite of applications, and we're going to have to spend time on helping them secure them.
Actually, users do switch. They can be influenced. The secret is to show them how to do what they want with an alternative. It needs to be functional. And if the time is spent up-front helping secure the systems when installed, it won't need to be spent applying hundreds of patches and recovering after worms, viruses, break-ins, etc.

FYI, I am, as I type this, in an NSF workshop with people from around the country who deal with information security issues and emergency response (including your boss, Mark). Half the laptops in the room are Macs. Of the rest, some non-zero percentage are *BSD or Linux. This community is doing quite well with other tools. Avoiding risk and getting work done are not incompatible!