Date: Wed, 24 Apr 2002 00:21:26 +0300
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: "M. Warner Losh" <imp@village.org>
Cc: frank@exit.com, hackers@FreeBSD.ORG
Subject: Re: Security through obscurity?
Message-ID: <20020423212124.GB14808@hades.hell.gr>
In-Reply-To: <20020423.094953.13280392.imp@village.org>
References: <Pine.NEB.3.96L.1020423110123.64976j-100000@fledge.watson.org>
    <200204231523.g3NFNQnq029649@realtime.exit.com>
    <20020423.094953.13280392.imp@village.org>

On 2002-04-23 09:49, M. Warner Losh wrote:
> The decision to go for a more secure system by default was made years
> ago.  I for one think the Security Officers have done a good job at
> doing this, but even as far as they have come, I suspect that
> additional things will be locked down over time.  That's the nature of
> the threats to systems on the internet today.  What was acceptable
> years ago now no longer is acceptable.  The attackers are getting more
> and more sophisticated.  The countermeasures for these attacks are
> necessarily becoming more intrusive as the same sorts of bugs raise
> their ugly head again and again.

Very well said.

Cutting functionality for the sake of security is the growing trend in
today's unsafe, untrusted environment that we like calling the Internet.
Things that were the default years ago are now considered silly at best,
dangerous for the entire network at worst.  As attacks get more
sophisticated, the expected functionality of a ``default'' installation
is trimmed down to avoid starting dangerous or exploitable services.

This is not the first time that the need to lose part of the flexibility
of a Unix system is necessary to avoid problems.  Note that years ago,
Sendmail would relay mail from anyone in its default installation.  That
was a useful feature of Unix servers around the world.  Today, being an
open relay is considered dangerous, and we blacklist those that run open
relays.

Sometimes, it's necessary to lose flexibility and functionality in the
default installation, for the sake of security.  Bearing in mind that
TCP connection support is not removed from the X11 servers, but merely
disabled, is this so very important?

- Giorgos

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message