Linked by Christian Paratschek on Thu 23rd Sep 2004 05:59 UTC
Editorial After reading Adam Scheinberg's original article "The Paradox of Choice" and Kevin Russo's response, I want to add my personal comments to this discussion. I will quote Adam and Russo several times and pick up their arguments.
Re: ralph (IP: ---.dip.t-dialin.net)
by drsmithy on Thu 23rd Sep 2004 13:29 UTC

Call author names, call him an idiot, tell him that he is wrong, because all you have to do to avoid the problem is turn on the firewall.

Does that in anyway contradict what the author said? No?
So was there a point in saying it? No.


Trouble is, his 'point' - that running an unpatched XP machine straight on the internet without any sort of protection - is asinine. It applies equally well to any OS, Windows is hardly specific. All he's doing is saying "Windows sucks", but trying to dress it up as a legitimate complaint by implying it's advice that only applies to Windows.

As an aside, you certainly can successfully run Windows without a firewall or AV - I've been doing it at home for years - all you really need is some sort of NAT device, regular patching and keeping IE use to a minimum (or just stay away from questionable websites). This is far from an *ideal* configuration for the typical end user, but it will - practically speaking - reduce exposure to pretty much the same level as a firewalled machine directly on the internet with an AV.

And your comment about the precise security hole is equally impressive.

Actually I'd be just as happy if he could even come up with a theory as to how disabling the DNS Client service is going to meaningfully improve security. I mean, it's like saying removing all the virtual consoles from /etc/inittab will meaningfully improve security.

I know this will come as a surprise to you, so hold on to your seat, but every service that doesn't run is a service that can't be exploited if a vulnerability is found. That's why all the world but drsmithy and MS agrees that it is good security policy to run only the necessary services.

No doubt. Trouble is taking that theory through to its logical conclusion leaves us flipping switches on the front of an Altair or sliding beads back and forth on an abacus. There are very, very few things that are truly "necessary".

See, the theory of minimising service use is fine, but the particular poster I was replying to doesn't *really* understand that, he's just parroting a line he heard somewhere - probably the same "expert" on the Register a week or two back who implied a DHCP client was a gaping security hole - who thinks having the DNS Service turned on by default has a meaningful negative impact on security. Had the poster picked some service that really does fall into the "shouldn't be on by default" basket I wouldn't have commented, but by picking something so insignificant and harmless, they demonstrate that they haven't actually *thought* about either the principle or the specific example.

The DNS Client doesn't really do much. It doesn't listen on any network ports, it just makes DNS queries and caches them to reduce network bandwidth usage, reduce name resolution latency and, in general, improve the end user experience.

By all means, services that really don't do anything to help the end user and/or perform actions that significantly increase system vulnerability - like listening on network ports - should be minimised. But harmless stuff like DNS caching, DHCP clients and, say, mousewheel daemons or USB daemons fall well and truly into the category of 'acceptable risk'.
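The distinction the comment above draws, services that accept inbound traffic versus services that only make outbound requests, is something an administrator can check rather than argue about. The Python script below is an added example, not part of the comment or the thread: it parses the output of `netstat -ano` and `tasklist /svc` (both real Windows commands; the output text here is constructed, not a capture from any machine) and reports, per service, whether the process hosting it has a TCP socket in LISTENING state or any bound UDP socket, and whether those sockets are on all interfaces or loopback only. Two caveats a practitioner needs are built in: several services can share one `svchost.exe`, so port-to-service attribution is only as fine as the process, and some listening ports belong to the kernel (PID 4, `System`) rather than to any listed service. The service names used in the sample (`Dnscache`, `RpcSs`, `SSDPSRV`, `upnphost`, `ALG`) are real Windows service names, but the PIDs and ports assigned to them are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1500
  TCP    192.0.2.10:1044        198.51.100.5:80        ESTABLISHED     2208
  UDP    0.0.0.0:1900           *:*                                    1400
"""

# Constructed sample of `tasklist /svc` output (PIDs and groupings assumed).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    788 Dnscache
svchost.exe                   1012 RpcSs
svchost.exe                   1400 SSDPSRV, upnphost
alg.exe                       1500 ALG
iexplore.exe                  2208 N/A
"""

# TCP rows carry a state column; UDP rows do not, so the state group is optional
# and restricted to letters so it can never swallow the PID.
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_TASKLIST_ROW = re.compile(r"^(\S+)\s+(\d+)\s+(.+?)\s*$")


def parse_netstat(text):
    """Map PID -> [(proto, local address)] for sockets that accept inbound traffic:
    TCP sockets in LISTENING state and every bound UDP socket.  Outbound or
    established TCP connections are dropped; they are not listening attack surface."""
    sockets = defaultdict(list)
    for line in text.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue  # headers and blank lines
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        sockets[int(pid)].append((proto, local))
    return sockets


def parse_tasklist(text):
    """Map PID -> [service names] from `tasklist /svc`; 'N/A' means the process
    hosts no service (or, for PID 4, is the kernel)."""
    hosts = {}
    for line in text.splitlines():
        m = _TASKLIST_ROW.match(line)
        if not m:
            continue  # the 'Image Name' header and the '====' rule never match
        _image, pid, services = m.groups()
        hosts[int(pid)] = [] if services == "N/A" else [s.strip() for s in services.split(",")]
    return hosts


def bind_scope(local_addr):
    """Classify a local address as loopback only, all interfaces, or a single interface."""
    host = local_addr.rsplit(":", 1)[0]
    if host in ("127.0.0.1", "[::1]"):
        return "loopback only"
    return "all interfaces" if host in ("0.0.0.0", "[::]") else "one interface"


def exposure_report(netstat_text, tasklist_text):
    """Per service: the inbound sockets of its host process, whether that process is a
    shared host (attribution is per process, not per service), and a verdict.
    Sockets owned by processes with no listed service go under '_unattributed'."""
    sockets = parse_netstat(netstat_text)
    hosts = parse_tasklist(tasklist_text)
    report = {"_unattributed": []}
    for pid, services in hosts.items():
        bound = sockets.get(pid, [])
        if not services:
            report["_unattributed"].extend((pid, proto, addr) for proto, addr in bound)
            continue
        if not bound:
            verdict = "no listening socket"
        elif all(bind_scope(addr) == "loopback only" for _, addr in bound):
            verdict = "loopback only"
        else:
            verdict = "listens on network interfaces"
        for svc in services:
            report[svc] = {"pid": pid, "listening": bound,
                           "shared_host": len(services) > 1, "verdict": verdict}
    return report


if __name__ == "__main__":
    for name, info in exposure_report(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        if name == "_unattributed":
            print("kernel/unattributed listeners:", info)
            continue
        note = " [shared svchost: per-process attribution]" if info["shared_host"] else ""
        print(f"{name:10} pid {info['pid']:>5}  {info['verdict']}{note}  {info['listening']}")
```

Run against real output (`netstat -ano > ns.txt`, `tasklist /svc > tl.txt`, then feed the file contents to `exposure_report`), the report separates services like the DNS Client, which show no inbound socket at all, from services whose host process is bound on all interfaces, and it makes the shared-`svchost.exe` ambiguity explicit instead of silently blaming one service for a port another one opened.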