on Thu, Oct 02, 2003 at 01:36:06PM -0500, Michael D Schleif (mds@helices.org) wrote:
> Ron Johnson <ron.l.johnson@cox.net> [2003:10:02:04:44:28-0500] scribed:
> > On Wed, 2003-10-01 at 23:17, ScruLoose wrote:
> > > On Wed, Oct 01, 2003 at 07:56:07PM -0500, Michael D Schleif wrote:
> > > > "Karsten M. Self" <kmself@ix.netcom.com> [2003:10:02:00:37:35+0100] scribed:
> > [snip]
> > > > That kind of executable -- one that entices a user to click on it -- is
> > > > just as real a threat to non-Microsoft userland, that I insist that your
> > > > point is not all inclusive of the threats at hand. Simply because there
> > > > is not yet a major, far reaching virus/worm propagating primarily from
> > > > Linux boxen, does not rule out the existence of a threat . . .
> > >
> > > Most non-MS users are not likely to be logged in as root when they
> > > check the mail, so whether some virus auto-executes or entices them to
> > > click on it, the damage is generally going to be pretty well contained.
> > >
> > > It's going to take a _hell_ of a lot of social engineering to convince
> > > me to su, provide my root password, install and run some program that
> > > showed up in my inbox. No matter how pretty a message it's packaged
> > > in. Even assuming that the user getting the infected mail _has_ the
> > > root password.
> <snip />
>
> > Given the security model of Unix, we truly do *not* have to worry
> > about email viruses (or viruses coming through click-thru social-
> > engineering vectors).
> <snip />
>
> Wrong!
>
> In fact, just this week, I am engaged with a prominent software
> development company, and every one of the developers develops on
> various Linux boxen, and every one of them insists on running as root.
Hrm...
Your resume indicates current experience with Platinum Systems
http://www.helices.org/resume/mds_resume.txt
> I also help support several neighborhood *nix users, and most of them
> are equally recalcitrant root account users.
LART 'em. Repeatedly.
Such attitudes are growing more common. People _don't_ see the risk
they are putting themselves at. Or others. It's rooted boxes which
serve as launchpads for other systems. I see this far too frequently on
#debian where "~tell luser about root" (triggering a bot factoid on the
topic) is _way_ too wired into my fingers.
So: people who abuse their privs should be curtailed. Software which
allows itself to be trivially abused (e.g.: TMDA), should be configured
against this, disabled, or removed from general circulation.
> Yes, this is the debian-users mailing list; but, we are 31337 Linux
> users, and we support standards and best practices. We do not qualify,
> for the most part, as Joe-Average users -- and, we probably never will.
This is why it's critical to do several things:
- "Out" organizations with bad security practices.
- "Out" software with bad security defaults.
E.g.: there are _good_, _solid_ reasons Debian doesn't allow Mozilla to
run as root, why X11 TCP connections are disabled by default, and why
SSH is strongly recommended. Yes, it's possible to override or ignore
these settings, but that's not information I share, particularly not
with newbies, on the simple principle that learning how to shoot
yourself in the foot _might_ just provide you with some clue as to why
this is a bad idea.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Reading is a right, not a feature
-- Kathryn Myronuk http://www.freesklyarov.org
Attachment:
signature.asc
Description: Digital signature