
Re: [POSSIBLE GRAVE SECURITY HOLD]



>>"Nils" == Nils Jeppe <nils@jeppe.de> writes:

 Nils> On 2 Feb 2000, John Goerzen wrote:
 >> And as numerous people, including myself, have pointed out, it already
 >> exists and explains the situation in a sufficient manner.

 Nils> Maybe; but two points

 Nils> 1) who the heck thinks of checking the MBR documentation? I'd never even
 Nils> suspect it behaves any different than os/2 mbr, win mbr, whatnot mbr.

        Ok.

 Nils> 2) Even if the majority agrees to keep mbr as a default installation, 
 Nils> Where the hell is it gonna hurt anybody if you get a popup upon setting up
 Nils> mbr that says something to the effect of, "MBR makes it possible to boot
 Nils> from floppy; please check /usr/share/doc/mbr/whatever.txt for more
 Nils> information." ?!?

        Cause we already have too many things popping up in a new
 install. And the fact that this is not critical information for 99%
 of the installations. And because the other 1% should really read the
 Securing Debian documentation.

 Nils> This argument is getting really, really stupid. We should try
 Nils> to make a debian which is as secure as possible.

        Rubbish. We should make Debian the most useful for the most
 people. And that means not going overboard with anything -- and that
 includes security.

 Nils> Too much security won't ever hurt you; too little will come
 Nils> back to haunt you one day.

        You really have never worked in the security industry, have
 you? That little myth is the first one exploded: security always has
 its costs. And one should never pooh-pooh the costs of security, or
 they shall come back and bite you.

 Nils> And no, most people do not have time to read all 4000+ Debian
 Nils> packages' readmes to the last line. They expect reasonably
 Nils> secure defaults; defaults that will not screw up everything or
 Nils> at least give them a choice. Or a fair warning.

        The key word is reasonable. And reasonable security means that
 you have physical security to the machine.

 Nils> Yes the mbr problem doesn't affect most debian users, I
 Nils> presume. But what frightens me MUCH more is the attitude some
 Nils> are displaying here.

        You know, I am getting tired of amateurs trying to play
 security experts. Go ask a professional. Or grow up.

        manoj
-- 
 Experience is a good teacher, but she sends in terrific bills. Minna
 Antrim, "Naked Truth and Veiled Allusions"
Manoj Srivastava   <srivasta@debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C

