[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Secure Installation

On Thursday 16 August 2007 15:09, R. W. Rodolico wrote:
> Unfortunately, I have to point to some of the
> user oriented firewalls you get for windoze (which, to my knowledge, Linux
> does not have). When they are installed, the shut down basically
> everything incoming, and all but a few standard outgoing ports (http,
> smtp, pop and imap). When an application tries to go out of another port,
> a pop-up informs the user and they can choose to accept, accept or reject,
> with a "forever" modifier on both, and the firewall changes its rules
> appropriately.

The problem with these lies on 2 levels. The first is that all network traffic 
would have to somehow be routed through this application, which in windows is 
no big deal as all that is already in place. But we haven't installed that 
infrastructure, so it would be tougher to get that running in the first 
place. This is not a primary concern regarding the firewall, but it is an 
issue if we do eventually decide to integrate a firewall like that.

The second problem is what I pointed out earlier about 
Microsoft's "firewall" -- users are pacified by it. If it's there, they get 
the message, they have "ok", and "cancel", what does the average user do? The 
average user assumes the firewall will protect them no matter what they do, 
so they click the "ok" button and get on with what they are doing.

The greatest security hole in any system is the user. You can plug every other 
hole there is, and still have break-ins because users haven't been trained 
properly. There is no way to secure a system used by uninformed users. A 
firewall is only one more thing the user can foul up.

Linux (and debian especially) is inherently more secure than windows in one 
regard, firewall or not: we can all contribute to it. The only people 
contributing anything to windows are either microsoft, contributing bugs; or 
proprietary software companies, contributing proprietary software. This made 
a sink-hole where the user really doesn't know what's going on in the 
background, can't find out, and can't fix it even if they could find out. 
What more could the programmer of a trojan horse (IMO a bigger threat than 
anything a firewall will protect us from) ask for, than a user who completely 
trusts binary-only distributions?

We're sitting here discussing specific ways debian operates and how we can fix 
it. Who can do that in windows? That in itself makes debian more secure.


My GPG Public Key can be found at:
https://www.theanythingbox.com/pgp.htm (top link is current)
I appreciate signatures, but if you only know me online,
please use the --lsign-key, not the --sign-key.
I appreciate trust -- but too much makes it less valuable.

Attachment: pgp5pebufTNw4.pgp
Description: PGP signature

Reply to: