
Re: secure installation




Pat wrote:

> Whose responsibility is it, in the US if you manufacture a defective
> product legally it is your responsibility if someone is harmed.

There's a bit of a difference between a defective product and one
incorrectly used. When a driver knocks down a pedestrian, should
the car manufacturer be the party that gets prosecuted?

Johannes Wiedersich wrote:

> Debian is behaving way more responsible in any respect than commercial
> vendors, so your 'complaint' is wholly besides the point.

> Debian protects you better from the perils of the internet than the big
> commercial OS. Period.

That's not exactly saying a lot, is it? 'Better than Windows'.
It needs to be a *lot* better than Windows.


A few points I think should be mentioned that have not yet been:

Egress filtering in Windows personal firewalls, and finally built
into Vista, is there in response to spyware. This is not yet a
Linux problem, and is never likely to be as severe, but it will
happen when children start using Linux in significant numbers.
These firewalls also tend to monitor the originating executable,
and warn the user when its signature changes, something we would
normally associate with an IDS rather than a firewall. But on the
whole, a process with the privilege to install would also have
the privilege to disable the firewall, so it is doubtful whether
a personal firewall is of much use to a root user. It is far more
important to discourage root use, which most 'consumer' Linux
distributions do fairly well. Again, Vista finally does this, and
unlike XP is usable by a computer owner who runs unprivileged.
There's a lot in XP that can't be done outside a root logon.

Secondly, most consumer Internet users today use broadband, and
the vast majority of recent equipment has an SPI firewall. This
pretty much protects the user's computer against the kind of direct
attack that a personal firewall would be expected to repel.

The point has been made that networking is now normal outside
universities, but what was not mentioned was that practical
networking *requires* services to listen to the network which
are practically indefensible. Whether Samba or NFS, nobody would
consider sharing files over the Net, yet this is the primary
purpose of a private network. Such a network *must* have a bastion
firewall, but whether individual firewalls with the required
serious holes in them provide additional security is questionable.


