On Wed, Nov 01, 2000 at 10:25:17AM +0100, Peter Hugosson-Miller wrote: > > Whoa, Ethan! This part was clearly marked as of interest for newbies > only. Yes, all your points are valid, but the key question here is "Do teaching newbies how to run arbitrary code as root on there machine without having the slightest idea what it is going to do is a bad idea. the fact that this is targeted at newbies makes it WORSE. its just like MS who has tought there users `just double click the icon in your Outlook window' or `just click the message and that silly attachment will be opened for you!' if these methods MS has proven lead to disaster are carried over to GNU/Linux we will soon see the same kind of crap as ILUVYOU and such happening to GNU users. educate them *correctly* telling them tricks like that sh pipe and soon there will be evildoers telling them to run the same command to get something else c00l. it was safe for helix gnome should be safe for this too right? wrong! > you trust helixcode?" The above was copied directly from their Debian > installation instructions, which you can read for yourself here: what if someone hijacks the connection? i didn't see an https in that url. what if someone puts up a similar site offering some other nifty gadget and offers an equally `easy' way to get it. arguably someone could pull a similer stunt asking users to install a new apt line themselves creating a aptable trojan archive, but then again that is more work then writing a nice shell script to add something cute to /etc/inetd.conf. skript kiddies i would venture to say might be too dumb to create an aptable archive with real debianized trojans but i bet they know how to write a shell script to install a simple rootkit. > http://www.helixcode.com/desktop/instructions.php3?distribution=gognome > > What the script does is to add a line to /etc/apt/sources.list, and im sure the legitimate helix script is all well and good, thats not my point, my point is teaching newbies how to run arbitrary code from a web server as root is not a good idea. > > and that's it! I assume anyone actually running this script would > first look at it in a normal web browser at least! i haven't seen anyone say how to look at it, just how to pipe into /bin/sh and run god knows what as root! > One day, the Debian install will work so well, that raw newbies won't > have to resort to such desperate methods as go-gnome. Till then, it's > the only way to go that actually works. That black and white console > gets old pretty quickly, and if I wasn't so stubborn I would have > given up on Linux a long time ago. at what cost? what good is a better quality more secure OS if we dumb down the users (or allow them to remain dumb) to the point where they will suffer just as many security problems as they would under the redmond OS? there is a point where things are made TOO easy, the problems with MS Outlook demonstrate this quite nicely, its TOO easy to execute that cute attachment Mr. Kiddie sent you, and since MS has made their users SOO feebleminded and dumbed down they simply don't know any better for A LOT of no-duh practices to protect themselves. another example: root vs user. a ordinary user is really not very user friendly after all i can't touch a damn thing as a normal user! it would be SOO much *easier* to just run as root all the time, after all i trust myself don't i? i don't go and delete stuff and break things! until some dumb bug in netscape lets someone run arbitrary code. (s/netscape/whatever other network enabled software/) do we just tell users to just use the root account and be done with it? NO! do we chmod -R g+w / chgrp -R admin / and put the normal users accounts in group admin to make these silly permissions things go away? NO! (well apple/MS does but....) instead we teach users about the root account and how to use it responsibly. the same needs to be done for executing other's code with privilege. piping a random web page into /bin/sh as root is TOO easy, and too hidden. a few extra steps helps reduce the chances for social engineering to suceed. just like you have to 1) save your email attachments, and 2) run chmod +x on them and 3) actually execute them instead of `just click!' > Sarcasm noted. What you really mean is "Debian is not for newbies". > Well we all know that. I happen to have discovered that this might no > longer be the case... thats not what i am trying to say at all, i am trying to say that making things easier on newbies is a good goal but we should not make it TOO easy, it keeps them dumb and ready to be attacked sucessfully and it keeps them from learning this new system. MS has demonstrated that making the system TOO easy and the users too dumb leads to disaster, we should learn from their mistakes instead of making them again. "those who do not know history are doomed to repeat it" anyway </soapbox> -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpCfGHDNXuqo.pgp
Description: PGP signature