
Re: secure installation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pat wrote:
>  Well, considering there are those of us who want to see linux become
> an operating system for the average person, and I do believe this is
> the ultimate goal of many linux communities.

Agreed. But since debian is arguably more secure without a firewall than
a certain other OS provided for cash (unless the (inexperienced) user
dashes out some more cash to buy a security/virus suite), I cannot see
any reason why debian should limit the freedom of its users by applying
some automated pseudo-responsibility.

After all cigarette lighters aren't more secure in the US with their
security stickers attached than in Europe (without those ugly stickers):
A little child cannot read them anyway, and anyone with the mental
capacity to read and understand should be intelligent enough to
understand that those are dangerous and how to use them.

>  Whose responsibility is it, in the US if you manufacture a defective
> product legally it is your responsibility if someone is harmed. 

I should really file a suit for all the damages I incurred over the
years, being trapped (by my employer) into their way of forcing the user
to work in an inefficient manner, and wasting my time bothering about
the (in)-security of the OS they provide.

Debian is behaving way more responsibly in any respect than commercial
vendors, so your 'complaint' is wholly beside the point.

> Also,
> if you fail to provide warning labels to protect persons who do not
> know any better it is again your responsibility. I will leave my
> personal beliefs out of the discussion.
>  There are many things in the world you would be clueless about that
> great lengths are gone to to protect You from. hazardous chemicals,
> collapsed bridges to name a few.

Debian protects you better from the perils of the internet than the big
commercial OS. Period.

> "installing a Firewall that defaults 'on' provides you no real extra
> protection if you don't know what in the hell you're doing with it.
> (You are coming to a sad realization, cancel or allow?)."
> Every little bit helps.

No. Protection only works, if the user knows how to use it. It's no use
to force cyclists to carry a helmet, if they don't know that they have
to wear it on their head.

> "Let's not dumb down Debian for the rest of the world because a
> clueless user _might_ compromise their own credit card numbers."
> I said absolutely nothing about dumbing down Debian, I said the
> operating system should install a little more securely by default.

Debian is secure. Debian provides the means to tailor the security to
your own needs. Your mileage may vary. It is your responsibility to opt
for additional security, if you need it. More security is useless, if
you don't know how to use/configure it. If you want to have a 'super
secure' system, it takes your understanding and your time to implement it.

My .02

Johannes

PS: Before M$ added a built in firewall to their O$, it was already much
more insecure than debian is today. Furthermore, theirs is _not_ a
firewall. It is a program with some features of a firewall that is
called a firewall. On my XP box it is not possible to block outgoing
connections, so it's lacking one important feature of a true firewall.
Of course any decent linux firewall is much more powerful as well as
better configurable than what you seem to consider as desirable.

On Window$ vista it is sold as a security feature that you agree in the
EULA, that M$ reserves the right to remove any software from your
computer that _they_ _think_ might be a security issue. We don't want
this kind of thinking ever to trickle into debian. We don't want debian
to remote control our computers the way M$ remote controls theirs.

PS 2: While we are at it: debian by default also does not install or
enable an automated system to install security updates. It is the
responsibility of the user to decide whether and when security updates
are installed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGxVXxC1NzPRl9qEURAovqAJ4u4JwJSJLwJ7AkuhJGHH8b/f5nAwCcCSCW
ozaU4RNa1XF0/RjoxfKZwlU=
=1rOk
-----END PGP SIGNATURE-----


