[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: red worm amusement



On Sat, Jul 21, 2001 at 05:29:35PM -0800, Ethan Benson wrote:
> 
> oh? and why not?  don't believe OpenBSD's hype about being the apex of
> computer and code security just because they have done auditing, they
> still miss A LOT.  thier audited ftpd had a remote root hole
> recently.  thier KERNEL also had a local root hole in it that was just
> fixed.  
>
Still not the point.  I'm talking about services being enabled, either 
by default, or by apt-get.  This is not a discussion of which OS claims
to be, or is more secure.  I'm trying to discuss policy, not advocacy.
I only mentioned OpenBSD because that is their policy.  With all things,
there are priorities.  OpenBSD's priorities when auditing code start
with services that are enabled by default.  ftpd is not enabled by 
default.  There are many ways to locally compromise any Unix-like OS,
therefore it has a rather low priority.  And anyway, I was talking
about remote services.
 
> > I think a lot of people are just curious, and they install things
> > they don't need, or really have any idea of what it does.  The only
> > reason they are able to get it to run is because it's easy.  They may
> > not have any idea that /etc/rc?.d exists.  They very well may not expect
> > it to be running the next time they reboot. 
> 
> well people need to learn.  you can't treat computers like toasters
> anymore.  deal with it.
>
And whose going to teach them?  Certainly not an OS that makes it as
easy as 'apt-get install apache' !!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Maybe you don't get it.  A system that is compromised poses a danger
to EVERYONE ON THE INTERNET.  Crackers do not launch attacks from
their own machines, and an increasing number of script-kiddies, who
have easy targets now that it's so darn easy to set up services, only
makes the detection of truly harmful crackers more difficult.

<jakemsr@clipper.net>



Reply to: