
Re: hurd does NOT need /hurd



On Mon, May 20, 2002 at 12:13:41PM -0700, Thomas Bushnell, BSG wrote:
> "John H. Robinson, IV" <jhriv@ucsd.edu> writes:
> 
> > Debian (using a linux, bsd, or gnumach/l4 (micro)kernel) should be
> > ``Secure by default.'' if this means that no firewalling -> no debian
> > release, then so be it.
> 
> Except:
> 
> 1. Debian does not have firewalling by default, so if firewalling is
> necessary for security, then it is not secure by default.

Valid point; perhaps we should fix it. Probably a long undertaking.

> 2. Firewalling is not actually an asset in network security; the
> notion that it is is misguided and thoroughgoingly erroneous.

I hope you meant to say "automatically" rather than "actually", or, as
a professional network engineer, I'm going to have to hurt myself laughing
at you.

Firewalling is *not* automatically a benefit, any more than having locks on
your car is a benefit to prevent theft. You also need a key, and you need
to *use* the locks... but if you're really trying to claim that the use of
configured firewalling (even 'configured to defaults') is not useful to
network security, then you are making an assertion that runs counter to the
vast majority of both research and field experience on the topic.

Rule #1: attackers cannot attack what they cannot reach. Firewalls are not
perfect; they can be misconfigured, disabled, and in some cases (which do
apply to Debian), machine-based firewalls can have bugs in the firewalling
code which expose parts of the machine despite the firewall, or machines
behind the firewall. But I'll take a 99% reduction in attack vectors any
day of the week, thanks.

> 3. Picking some random kernel feature and saying "this must be there
> or it can't be Debian" is not appropriate.  That's just not how policy
> works.

I can't comment usefully on this, so I won't.
-- 
***************************************************************************
Joel Baker                           System Administrator - lightbearer.com
lucifer@lightbearer.com              http://users.lightbearer.com/lucifer/

