Re: Debian default desktop environment
John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> writes:
> On 04/07/2014 07:39 PM, Russ Allbery wrote:

>> Ah, BMC.  Now every computer comes with an extra full-fledged computer!
>> The main computer is for your use, and the other computer is for the
>> use of the attacker.

> That's why we block the kvms in our firewall so they cannot be reached
> from outside. I'm sorry, but when you have hundreds of servers in your
> server room, there is no other way than using automatic deployment and
> kvm over network.

Oh, sure, I'm not disagreeing with that part.

Those built-in controller "subcomputers" have an absolutely awful security
profile, though.  Be careful even of attackers on your same network.  It's
a great way to get a toehold on your server in a way that won't show up
through any host-based intrusion detection system and lets the attacker
bypass all host and kernel security.

Basically, you want to disable them whenever possible and, failing that,
limit access to them as tightly as you possibly can.  They have about as
much security as the maintenance port on your car.

And, of course, non-free software from top to bottom.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>