long Re: [TriLUG] Re: Re: Accountability and possible solutions
Mike Mueller
linux-support at earthlink.net
Sat Sep 13 09:10:57 EDT 2003
On Friday 12 September 2003 16:27, James Manning wrote:
> > The email does not contain FUD.
I'll refine this: The author did not intend to spread FUD against MS.
> Yeah, there's a lot of that problem, and as many (most?) good admins
> would agree (I hope, at least), good admins make for secure machines,
> not good OS's - sure, you hope for more "secure by default" operating
> systems like OpenBSD, but you have to balance that with utility, of
> course.
>
> Yes, Linux has to be kept up to date just like a Windows box. That's
> a very important point. Yes, Jim Bruce's email did come off a tad on
> the perspective of "only happens to Windows", but that's likely just a
> measure of his frustration with having to deal with it specifically
> twice in such a short time frame.
Good point. Security happens because of effort - MS or OSS. Security
depends on accountability. The OS community demonstrates that it is more
accountable. The evidence is in the public record and that OSS systems are
not bothered as often or as severely by security problems.
>
> So, yes, Mike, I see your point. I think the slant (which I'd agree
> is there, albeit subtly IMHO) of the email can be construed as FUD,
> but I'd likely give him the benefit of the doubt and consider it just
> the result of frustration and emotions rather than cold, calculating
> word/thought manipulation (I try to reserve the term "FUD" for things
> I consider to be more in this category, such as a lot of SCO
> rhetoric).
I don't think Jim Bruce wrote his email as anti-MS FUD. The first lines send
a subtle yet powerful message which can be _used_ as FUD. A message like
this can be used in a FUD campaign to demand accountability from software
vendors. You can't be any more accountable than open source, can you?
FUD is PR and PR is bad Rx (see http://www.prwatch.org/; it's got a political
edge, but look past the politics to see how the PR industry works). If the
OSS doesn't fight back, they'll eventually face accusations that open source
is undermining the security of the country or some other such nonsense. OSS
is the target of a huge PR effort right now. SCO might be a sacrificial lamb
in a brilliant PR effort by...gee, I wonder who could be paying for this?
>
> That's a subjective and opinionated view of the matter, though, and
> it's definitely possible that Jim is trying to short MSFT in his
> portfolio, so I can't say for sure.
I find that people with subjective and opinionated views are often associated
with OSS.
>
> In summary, I see what you're saying now, Mike. Yes, anyone that
> paints Windows as the sole problem OS on this front (although he
> didn't do so explicitly IMHO, but I could see your interpretation of
> it as valid) is fooling both themselves and anyone else who chooses to
> believe them.
Let me be clear on my position. GNU/Linux/xBSD/Apache/other OSS are
naturally better choices for building secure computing environments. Both
reason and experience bear this out. MS is not a secure choice because they
are not accountable and we all have experience that bears this out. If
tomorrow the world changed to OSS completely there would be security problems
but they would be fewer and less severe. There's also a good chance that the
victims would be publicly ridiculed and would not be able to collect
insurance awards if they did something stupid.
Bruce Schneier has a new book out entitled "Beyond Fear" about improving
security in a post 9/11 world. Bruce was interviewed by Investor's Business
Daily on 9/10/2003. In that interview IBD asks, "Are computer viruses
becoming a bigger problem?" Schneier responded with,
<quote>
No, but it's not becoming smaller, either. It will get worse before it gets
better. One main reason is that the companies responsible aren't liable.
Microsoft produces lousy software. It wants us all to think that viruses
just happen, like the weather.
Microsoft and other software companies have no business incentive to fix
this situation. What if Gates said the company is going to take two years to
really improve security, but in the meantime earnings will fall 50%. The
board would fire him.
I have faith in the American capitalistic system. Provide the correct
business incentives, and we're creative and smart enough to fix the problem.
</quote>
Bruce Schneier is saying what David Matusiak and Bentley Midkiff are saying
(see original post). The business incentive is to stop buying and using
poorly made and poorly supported products. OSS is a clear alternative.
>
> And, FWIW, I ran windows update to update 2 different Win2K machines
> at my house last night, along with up2date'ing and apt-get'ing others
> as well :)
>
> I guess it'd be ideal for neither camp (Windows and Unix-or-whatever)
> to really point at the other and laugh when holes arise, but take the
> opportunity to help educate the public that all computer
> administrators, whether home PC's or professionals or whatever, need
> to keep their machines updated with security patches and configured to
> be as secured as possible (and still get their work done, of course :)
That would be the high road.
>
> Good point, Mike. I hope my above interpretation of your thoughts was
> correct, and if so, I definitely agree.
Good exchange of ideas all around. It's complicated my thoughts on whether
or not _all_ software should be open source.
--
Mike Mueller
324881 (08/20/2003)
Make clockwise circles on the floor with your right foot; now, without
looking at your foot, use the index finger on your right hand to draw the
number "6" in the air