
Re: red worm amusement



On Sat, Jul 21, 2001 at 04:32:32PM -0800, Ethan Benson wrote:
> 
> if you install a service it's expected you want to run it, so if you
> don't need it don't install it.
> 
Not really what I was getting at.  I was saying this is TOO EASY.
I'm saying that Debian doesn't do a good enough job of warning
people about doing these things.  I'm thinking about first time
users who are not behind a firewall.  I'm thinking about myself two 
years ago, running apache, mysql, exim, telnetd, portmap, and
who knows what else, all while directly connected to the internet.
Sure, I had some idea that running servers could be dangerous, but
as Debian touts itself as "secure", I figured it would tell me if
I were doing something "dangerous".

> last i used OpenBSD (2.6) it started portmap and identd by default at
> the very least, maybe fingerd too i don't remember for sure.
>
The difference is, those were not exploitable. 

Also, when 'pkg_add'ing something like mysql, starting it, and adding
it to the init scripts is completely up to the user.  

I think a lot of people are just curious, and they install things
they don't need, or really have any idea of what it does.  The only
reason they are able to get it to run is because it's easy.  They may
not have any idea that /etc/rc?.d exists.  They very well may not expect
it to be running the next time they reboot. 

<jakemsr@clipper.net>


