NetSec Letter #30, 15 October 2003
The Microsoft Factor, Part 2

Fred Avolio, Avolio Consulting, Inc., http://www.avolio.com/

In response to NetSec Letter #29 ( http://www.avolio.com/columns/29-TheMicrosoftFactor.html), David Strom wrote, "You raise some good points, but I don't think you take it far enough. What should corporations with significant investments in MSFT software do?" In this letter I'll give some suggestions. But first, an account of a recent experience I had trying out a Linux desktop. (The full recount is in my weblog at A Linux Desktop.)

A Linux Desktop

I needed a second system and decided on a computer from Wal-Mart. Why? It was $200. It came with Lycoris -- a Linux system. I wondered, "Could Mom&Pop use this as their only computer system?" The set-up was very easy--as easy as a Windows system. Internet access and e-mail with Mozilla was fairly straightforward. I couldn't get my Epson printer working (and Mom&Pop would probably not know where to search the Internet for drivers). And when it seemed able to work with our network-connected HP printer, I found it wanted to print PostScript. Our HP cannot. What would Mom&Pop do? Maybe they would buy a printer with the computer and have a better chance of it working.

I sent a pointer to my weblog to Jon "maddog" Hall, my friend and the Executive Director of Linux International (http://www.li.org). This is what he wrote:

It sounds like Lycoris is getting close, and maybe for the "home sophisticated" Lycoris will work fine, but for my "Mom&Pop" it still will not work ... their "support mechanism" is not in place yet.

We have support mechanisms like the 'friendly' systems administrator... When we have questions, we ask the person in the next cubicle. If the systems admin does not know, he or she calls the vendor's help line. But Mom&Pop do not use that type of support. They do not have a contract with a vendor, nor do they have a systems administrator in residence. Mom&Pop get their support from their church friends, their club friends, or (in the last possible case) their children.

Fred, you 'played around' with the system until you got certain things to work. Mom&Pop don't. They have a notebook where they write down step by step what to do. 'You type this, and it does that'. This is what the 'Dummies' books are all about. But if they 'do this' and the system does not 'do that,' then Mom&Pop just sit there, dumb-founded.

When a lot of people are using Linux at work, then the "church support" will be there, and then Mom&Pop can think about using Linux at home. And this is not just true of Linux, but of Microsoft too.

Of course, Jon's right. And thinking back, many of us can remember small businesses that popped into existence to meet the need for "PC consulting." But, what can we do now?

Diversification

Let me make some suggestions; all are obvious.

Techie desktops. You'll save no money here in insisting people who are used to and comfortable with Windows move to something else. But do encourage the techies who already want UNIX-based desktops to have and use them. If part of their jobs requires using MS Office products, then by all means give them the ability to buy products that can write and read Office-rendered files. Don't dictate an operating system to support word processing.

Other desktops. They are primarily Microsoft-based, of course. Don't change those. You cannot. It would disrupt your business too much. Make sure that you defend them from targeted attacks. You do this by first putting them behind a firewall. If they are portable computers, this translates to a personal firewall (or a SoHo firewall for a small office). Next, they all must run up-to-date antivirus software. After that, run AV software in your internal e-mail servers. Finally, have your firewall or e-mail gateways strip out attachments containing PC executables. (See a brief discussion of this in my blog entry "Buried in Swen," at http://blog.avolio.com/2003/09/buried-in-swen.html.)

UNIX servers. Move to using UNIX-based servers (including Solaris and Linux). Yes, there are attacks targeted against Linux computers. You will still have to keep your "*ix" systems up-to-date with patches. There is practically no reason for network servers to have to use one vendor's operating system. This diversity might save you from what the "Geer et al." paper called "cascading failure."

I use a Windows desktop and notebook. I am contemplating changing my notebook PC over to Linux. Maybe I will dual-boot for a while. I'd do it in a heart-beat if I found someone to pay for a write-up on the attempt. Maybe during the Christmas slow-down... Maybe not. But, I do not use a Windows network server. For diversity? Sure. Reliability? Of course. Expense? Definitely.

Promotions, Self and Otherwise

Some "made for non-techies" Linux systems:

Next month I will be teaching at three conferences.

Check out Marcus Ranum's The Myth of Homeland Security, John Wiley & Sons; (October 2003), ISBN: 0471458791.

“Mom&Pop” is a trademark of Jon “maddog” Hall. ;-)