funsec mailing list archives

Re: whitehouse cyber strategy review


From: Dan Kaminsky <dan () doxpara com>
Date: Sun, 15 Nov 2009 11:23:40 -0800

On Sun, Nov 15, 2009 at 4:36 AM, Rich Kulawiec <rsk () gsp org> wrote:
On Sat, Nov 14, 2009 at 07:51:25PM -0500, Larry Seltzer wrote:
Don't run Windows, morons.

Most of us have wondered for years what it would take for the malware
community to pay attention to non-Windows platforms. This would do it.

Oh, no doubt.  But they will find it considerably more difficult to
go up against people like Cox and de Raadt, who actually fix problems
in a timely manner, rather than denying them in press releases and
quietly releasing broken patches weeks or months or years later.

Of course, this is only a first step, but it would in one sweeping blow
eliminate the obviously-weakest component.  Lather, rinse, repeat...
because the way to secure massive operations is not by trying to
protect inferior components, it's by eliminating them.

And equally of course, this will never happen, because it would require
actual thinking and innovation rather than mere reapplication of the
same time-worn techniques that have already failed so predictably.

Your problem is that you think Cox and de Raadt are particularly
relevant on the attack surface.

They're not.  They expose TCP, SSH, and maybe HTTP.  Big whoop.  Throw
Wordpress onto either of their platforms and they're rather thoroughly
hosed.

And let's not even talk about client side code.  Firefox isn't any more
secure on Linux/OpenBSD, and it's had a pretty rough year.

Stuff on Windows is attacked because it's popular.  That's really all.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

