Date: Mon, 6 Sep 1999 20:20:19 +0200 From: Brad Knowles <blk@skynet.be> To: Tom <tom@uniserve.com> Cc: Dag-Erling Smorgrav <des@flood.ping.uio.no>, Pascal Hofstee <daeron@Wit401305.student.utwente.nl>, freebsd-questions@FreeBSD.ORG, freebsd-stable@FreeBSD.ORG Subject: Re: softupdates in latest build? Message-ID: <v04205532b3f9b4bcedb9@[195.238.1.121]> In-Reply-To: <Pine.BSF.4.02A.9909061043160.13016-100000@shell.uniserve.ca> References: <Pine.BSF.4.02A.9909061043160.13016-100000@shell.uniserve.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
At 10:48 AM -0700 1999/9/6, Tom wrote: > Uhh... this isn't true at all. It is far from trivial to get root. > Show me a rootkit that works on 3.2-stable. I don't need to. We're violating rule #1 of Cheswick & Bellovin -- if you don't need something, don't run it. This fact alone should be enough to cause this feature to be disabled by default. > This doesn't make any sense. Basically you are saying that it is real > easy to break in, so "password sniffing ability" should not be available > because it will be easy to tell if crackers try to turn it on. First of > all, it isn't easy to break into an up to date system. How many systems do you honestly expect to be "up-to-date" as opposed to "out-of-the-box"? Many years of experience have taught me that this percentage will be *very* low. Therefore, there's no reason not to make whatever *reasonable* changes you can in order to make the default out-of-the-box installation reasonable secure. You don't have to go all super-anal-OpenBSD, but if there are things that can be set by default to be either secure or insecure and it doesn't make all that much difference, why not choose security? > And second if you > have so many clear text passwords floating on your network, you've got a > much bigger security problem. Again, look at the services that get installed by default. Plenty of places will probably never hear about ssh. Although we don't necessarily have to have machines that automatically come up as an ipfw "closed" system and ssh has to be part of the base install (and the only supported method of remotely accessing the system), I think it would behoove us to choose to be a bit more careful in those areas where we can. > Besides, most ethernets are switched these days, making password > sniffing for anything but connections to or from the machine the sniffer > is running on completely useless. I have reason to believe that it is possible to sniff through switches, at least certain types of switches. I'll say it again. If the choices are "security" or "no security", and otherwise it doesn't make a whole lot of difference to how it operates out-of-the-box, then why not choose security? -- These are my opinions -- not to be taken as official Skynet policy ____________________________________________________________________ |o| Brad Knowles, <blk@skynet.be> Belgacom Skynet NV/SA |o| |o| Systems Architect, News & FTP Admin Rue Col. Bourg, 124 |o| |o| Phone/Fax: +32-2-706.11.11/12.49 B-1140 Brussels |o| |o| http://www.skynet.be Belgium |o| \/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/ Unix is like a wigwam -- no Gates, no Windows, and an Apache inside. Unix is very user-friendly. It's just picky who its friends are. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?v04205532b3f9b4bcedb9>