
Re: Do we really need to worry about viruses (was Re: Anyone else notice that Swen is slowing down?)



on Thu, Oct 02, 2003 at 09:25:50PM -0400, Bijan Soleymani (bijan@psq.com) wrote:
> On Fri, Oct 03, 2003 at 01:42:28AM +0100, Karsten M. Self wrote:
> > E.g.:  there are _good_, _solid_ reasons Debian doesn't allow Mozilla to
> > run as root, why X11 TCP connections are disabled by default, and why
> > SSH is strongly recommended.  Yes, it's possible to override or ignore
> > these settings, but that's not information I share, particularly not
> > with newbies, on the simple principle that learning how to shoot
> > yourself in the foot _might_ just provide you with some clue as to why
> > this is a bad idea.
> 
> I agree that security is generally a good thing, but some people turn it
> into some sort of cult. 

Security is a process.  It involves application of principles.
Consistently.  With understanding.

> Once upon a time I tried running FreeBSD (or was it NetBSD) and some
> script I had died, because I didn't have permission to write to
> /dev/null. That really made me laugh.

*That* is a configuration issue.  /dev/null should be world writeable.
The fact that it wasn't indicates an improperly configured system.

> One thing I really like to do is disable passwords for local logins.
> But I'm sure there are people who will tell me that the CIA is going
> to come to my house, tie me up, log into my computer and steal all my
> mp3s or something :) I really like doing this because it saves me from
> typing my password 300 times a day, and it doesn't make my computer
> any easier to hack over the network. 

And why the hell are you typing your password 300 times a day?  In my
experience, this almost always indicates a misunderstanding of available
tools.

  - For your local system, your login need be typed only when logging
    in, or when clearing your screensaver password.

  - For access to remote systems, you want to use ssh-agent, ssh, rsakey
    authentication, and a passphrase-protected SSH key.  If you need
    help setting this up, or don't understand any of these terms, post
    to list.

  - Those two situations should cover the vast majority of your password
    use situations.  Me?  I end up typing my password probably a dozen
    times or so a day, generally when going root (via sudo), or when
    clearing my screensaver.

Given that I live alone with a cat, I still lock my desktop when I walk
away for any length of time, set xscreensaver to cut in (and lock)
anyway, and require a password for 'sudo' on my personal account.


> So I think there should be a proper balance between convenience and
> security. For instance the current version of Outlook Express (aka
> outhouse excess, etc.) defaults to preventing users from opening any
> attachments: "Sorry this attachment could be a virus.". It does this
> even with "plain/text" attachments. I've had to fix this on any number
> of people. Even worse is the fact that Outlook's GPG/Mime handling is
> broken and it actually doesn't show the message but shows it as an
> attachment, which if the user clicks on it, gives them a warning
> saying that it may be a virus. I mean this prevents legitimate
> attachments like jpegs, etc. So users simply disable it, and you're
> back to square one.

First, this is debian-users, not wmswindows-users.  Second, Microsoft
Outlook is a security hole that happens to be an email client.  Third:
go away for a while and read:

    http://www.ccianet.org/papers/cyberinsecurity.pdf


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
    Scandinavian Designs:  Cool furniture, affordable prices, great service,
    satisfied customer.                  http://www.scandinaviandesigns.com/
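The ssh-agent workflow Karsten recommends above (one passphrase per login session instead of one per connection) and a check that the keys involved are in fact passphrase-protected, as an added example that is not part of the original mail. It assumes the OpenSSH client tools (ssh-keygen, ssh-agent, ssh-add); the function names, the SSH_AGENT_ENV variable and the ~/.ssh/agent.env cache file are my own choices, not anything from the thread. The key check works for any key type, not only the RSA keys the mail mentions.

```shell
#!/bin/sh
# Added example (not from the original mail): helpers for the ssh-agent
# workflow plus an audit that the private keys in ~/.ssh carry a passphrase.
# Assumes OpenSSH client tools for the agent parts; the key check itself
# needs only grep, except for new-format OpenSSH keys (see below).

# key_is_encrypted FILE
#   Exit 0 if FILE is a passphrase-protected private key, 1 if it is a
#   private key with no passphrase, 2 if it does not look like a private key.
#   Legacy PEM keys mark encryption with a "Proc-Type: 4,ENCRYPTED" header.
#   New-format OpenSSH keys carry no such header, so for those we ask
#   ssh-keygen to derive the public key with an empty passphrase: success
#   means the key is unprotected.
key_is_encrypted() {
  f="$1"
  [ -r "$f" ] || return 2
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
    return 0
  fi
  if grep -q -e '-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
    command -v ssh-keygen >/dev/null 2>&1 || return 2
    if ssh-keygen -y -P '' -f "$f" >/dev/null 2>&1; then
      return 1
    fi
    return 0
  fi
  if grep -q -e '-----BEGIN .* PRIVATE KEY-----' "$f"; then
    return 1    # PEM key without the encryption header
  fi
  return 2
}

# audit_ssh_keys [DIR]
#   Lists every private key under DIR (default ~/.ssh) and flags the ones
#   with no passphrase. Exit 0 when all keys are protected, 1 otherwise.
audit_ssh_keys() {
  dir="${1:-$HOME/.ssh}"
  bad=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.pub|*/known_hosts*|*/config|*/authorized_keys) continue ;; esac
    rc=0; key_is_encrypted "$f" || rc=$?
    case $rc in
      0) echo "ok:          $f" ;;
      1) echo "UNPROTECTED: $f"; bad=1 ;;
      *) ;;    # not a key: ignore
    esac
  done
  return $bad
}

# use_agent
#   Starts ssh-agent once and reuses it from every later shell by caching its
#   environment in ~/.ssh/agent.env (assumed path), so the passphrase is typed
#   once at ssh-add rather than on every ssh, scp or git invocation.
#   ssh-add -l exits 0 with keys loaded, 1 with an empty agent, 2 with no agent.
use_agent() {
  envfile="${SSH_AGENT_ENV:-$HOME/.ssh/agent.env}"
  [ -r "$envfile" ] && . "$envfile" >/dev/null
  ssh-add -l >/dev/null 2>&1; status=$?
  if [ "$status" -eq 2 ]; then
    (umask 077; ssh-agent -s > "$envfile")   # cache readable by the owner only
    . "$envfile" >/dev/null
    status=1
  fi
  [ "$status" -eq 0 ] || ssh-add              # the one passphrase prompt per session
}

# When run as a script (not sourced), audit the default key directory.
case "$0" in */sh|sh|*/bash|bash|*/dash|dash) ;; *) audit_ssh_keys "$@" ;; esac
```

Source the file from your shell startup and call `use_agent`; the first shell after login prompts for the passphrase, every later shell finds the cached agent and stays silent. Run `audit_ssh_keys` after generating keys: a key that ssh-keygen was given with an empty passphrase is exactly the "shoot yourself in the foot" configuration, since anyone who copies the file can use it without further effort.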


