News from PANUG/BizNix - September 15, 2003 http://panug.org - http://biznix.org UNIVERSITY OF BUFFALO You might be interested in the petition that University of Buffalo faculty drafted and approved regarding support for Open Source/Free software. Although the document has the unfortunate date of April 1, 2003 it is not a joke. http://www.panug.org/38 FEEDBACK TO SECURITY ADVICE We asked if anyone wanted to respond to this comment that appeared in a SANS broadcast last week: (Schneier): I suspect part of the problem is the multiplicity of operating systems and setups. But providing or requiring purchase of a uniform version of one brand of antivirus software would seem to be a major step in the right direction. A number of people responded: Joseph Robertson: Well, we have all heard "old saying regarding advice" But in this case if it involves a Windows based system I would have to agree. Karel P Kerezman: It might seem to be, but "requiring purchase of a uniform version of one brand of antivirus software" would also require the use of operating systems that said AV software could run upon. And that neatly rules out a number of *NIX-like systems, as well as possibly Macs (depending on vendor, of course). More to the point, a virus that affects one OS tends not to affect another. It also bears mentioning that "a uniform version of one brand" will cost you a bundle every few years as the vendor ceases support for that version. In truth, AV software is almost always a "barn door" solution. The hot new virus hits the 'net, thousands of networks are infected, _then_ the AV vendors push out the fixes. AV software cannot protect from new viruses, and are imperfect protection against old(er) viruses. I'm not knocking AV software, mind you, but let's not pretend that it's the end-all-be-all of computer protection. I would call AV software standardization a _minor_ step in _a_ right direction. A _major_ step would be to convert those machines that don't _need_ to run insecure/unsecurable OSes over to systems that are more natively secure and resistant to virus attack. Dick Pilz: Monoculture, anyone? We have seen countless examples of how slowly and complacently "One OS to rule them all and, in the darkness, bind them" responds to vulnerabilities. /sarcasm on/ Hey, let's do it like Microsoft! And let's just have one football team in the NFL! And let's have just one basketball team in the NBA! That's a major step in the right direction! /sarcasm off/. I wear a Leatherman(tm) on my belt for quick and dirty repairs and odd jobs. I still have hundreds of dollars worth of non-Leatherman tools in my tool chest at home and I am always on the lookout for a better tool for a particular job. The same reasoning applies to other endeavors. No one approach is the best for all. We need the cultural and technical diversity to respond to the next strain of attack. Ed Sawicki: Schneider's advice is pretty awful. I'm surprised to find it in a SANS broadcast. His advice will simply encourage colleges to reduce diversity and make the problem worse. A college campus environment, which is massively peer-to-peer, is one of the most difficult to secure. Throw in the vulnerabilities of Windows and Windows applications, like Outlook, and there's simply no way for Windows users to avoid the security problems that have plagued them for years. AV software clearly isn't the answer. We've had AV software for over a decade and still there's frequent problems. Microsoft's initiative about two years ago (I forgot what they called it) to fix security problems obviously didn't work. If you think Microsoft will one day fix Windows security problems, please bring whatever you smoke to the next PANUG meeting and share. Students and faculty that don't want to be attacked have to run more secure systems. DISCLAIMER PANUG and BizNix welcome contributions from all members. Member contributions do not necessarily represent the official positions of PANUG or BizNix. If you don't contribute, the views of members that contribute frequently may appear to be the official position of the group(s).