Date: Thu, 12 Jun 2008 22:24:13 +0200
From: David Naylor <naylor.b.david@gmail.com>
To: Jeffrey Goldberg <jeffrey@goldmark.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: FreeBSD and User Security
Message-ID: <200806122224.19147.naylor.b.david@gmail.com>
In-Reply-To: <62860DF8-423D-48B3-9757-CC3D24732CF0@goldmark.org>
References: <200806112225.36221.naylor.b.david@gmail.com> <200806121519.12820.naylor.b.david@gmail.com> <62860DF8-423D-48B3-9757-CC3D24732CF0@goldmark.org>

On Thursday 12 June 2008 18:43:40 you wrote:
> On Jun 12, 2008, at 8:19 AM, David Naylor wrote:
> > I think this argument is rather moot, just because there are no
> > programs exploiting security vulnerabilities does not mean there
> > are not vulnerabilities,
>
> But it is far from moot if you are interested in the actual threat
> against your system.  In a sense, using a less popular OS is a form of
> "security by obscurity" which is not to be heavily relied on, but
> still it does make a real, practical, difference in the case that you
> described.

Very true, however having a large scale usage of FreeBSD (for example, if a
government were to adopt it) would bring pressure to bear.  For anything but
such a large scale adoption in the medium to long term then it is a
valuable 'asset'.

> > and a determined cracker would create his own program.
>
> You have not articulated what you are trying to defend against.  Do
> you anticipate determined crackers going after your particular system
> and what resources will such attackers have?  We can't talk about a
> system being "secure" in general, but the question needs to be framed
> in terms of "secure against what".

This is a general enquiry.  What had sparked my interest in this subject is
the above mentioned article.  In this case it is a workstation used to access
and manage account and cash flows.  The threat would be anyone gaining access
to 'divert' funds to incorrect accounts, for obvious personal gains.

Specifically, the two threats would be remote attack (such as spyware being
deployed, or gaining remote access) or physical access (in which case keeping
the username and password safe will be the only option?  Assuming there is no
compromise on the human side)

> > That said I hope there are, actually, no vulnerabilities.
>
> That is demanding too much.  What you need to hope for is a
> combination of "no known unpatched vulnerabilities at the moment" and
> more importantly "procedures and practices to keep things that way".
> As Bruce Schneier likes to say, "Security is not a product but a
> process".  The vast majority of actual system compromises involve
> failure of system administrators to keep systems patched and follow
> good security practices.

Good point!  Thank goodness for automatic signed incremental updates (that
actually work)

Lesson: always keep your system up-to-date!  (With security patches)

> One reason that I switched from Linux to FreeBSD is that I find it
> much easier to maintain FreeBSD, particularly in terms of security
> updates.  I have been responsible for Linux machines that did get
> rooted because I was having problems keeping them up-to-date for a
> variety of reasons.
>
> > [Security through obscurity is just an illusion]
>
> In your post you mentioned concern about spyware.  It is not an
> illusion that FreeBSD has not been targeted by spyware writers while
> Windows has.  Even if some of that is the consequence of security by
> obscurity, it is no illusion.  Of course we need to understand that
> those security benefits from obscurity are fragile, but we shouldn't
> dismiss it entirely.

Point taken.

> Again, what sorts of benefits such things may add (or subtract)
> depends on the nature of the attacker.

Thank you for your feedback

David