Re: risks of using net apps as a user in wheel or adm?

To: debian-user@lists.debian.org
Subject: Re: risks of using net apps as a user in wheel or adm?
From: "Douglas A. Tutty" <dtutty@porchlight.ca>
Date: Sat, 3 Nov 2007 08:19:42 -0400
Message-id: <[🔎] 20071103121942.GA6641@titan.hooton>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] fghj90$reo$1$8302bc10@news.demon.co.uk>
References: <[🔎] 20071102171958.GB7681@titan.hooton> <[🔎] fgg4sf$d82$1$8302bc10@news.demon.co.uk> <[🔎] 20071102231741.GN12370@localhost.localdomain> <[🔎] fghj90$reo$1$8302bc10@news.demon.co.uk>

On Sat, Nov 03, 2007 at 10:41:35AM +0000, Joe wrote:
> Andrew Sackville-West wrote:
> >On Fri, Nov 02, 2007 at 09:29:51PM +0000, Joe wrote:
> >>Microsoft Update and apt-get are probably as close as you get, and 
> >>I wouldn't bet a large amount of money that either is 100% safe. One day 
> >>MU will get hacked, and the whole world will collapse.
> >>
> >
> >wow, that's quite a comparison: Microsoft Update which will secretly
> >upgrade stuff on the system even when explicitly told not to versus
> >apt-get which must be explicitly told what to do and then asks "are
> >you sure?" And I won't even go into the parts where you get to look at
> >apt code...
> >
> >Frankly I hope MU does get hacked (if it hasn't already) because some
> >people need to learn some lessons, not the least of which is MS itself
> >for releasing such tragically flawed software to begin with. 
> >
> >Note though that I do not wish ill upon the poor users of this
> >product... merely that the PTB's over there would get a clue (and yes
> >I know many of them do have a clue, just not enough or the right ones).
> >
> 
> Ah, I wasn't comparing operational use, just the systems as being 
> reasonably tamper-proof methods of delivering software from the original 
> sources to the user. The vast majority of downloaded software comes from 
> unidentifiable sources via paths which are relatively easily hacked.
> 
> The MU issue is simply one of monoculture, not software quality. If 90% 
> of the world's PCs used apt-get daily, the repercussions of malware 
> smuggled into major packages would be just as serious as an MU hack today.
> 

Right, but what about on a stock Debian system (no windows), using
iceweasel with javascript and flashplayer while a member of wheel, ssh,
adm, staff, and having important info and documents in one's home
directory?

Would it be better to have a separate user not a member of any special
groups (perhaps rdtutty instead of dtutty) then put a /home/rdtutty/uldl
directory owned rdtutty.dtutty and symlinked to /home/dtutty/uldl.  This
would facilitate file transfer of downloads (such as OS .iso's, pdf's,
etc)?

Would that fully protect my stuff, or is the whole box's security at
some risk having any user on a box run iceweasel, javascript, and flash?

Doug.

Reply to:

References:
- risks of using net apps as a user in wheel or adm?
  - From: "Douglas A. Tutty" <dtutty@porchlight.ca>
- Re: risks of using net apps as a user in wheel or adm?
  - From: Joe <joe@jretrading.com>
- Re: risks of using net apps as a user in wheel or adm?
  - From: Andrew Sackville-West <andrew@farwestbilliards.com>
- Re: risks of using net apps as a user in wheel or adm?
  - From: Joe <joe@jretrading.com>

Prev by Date: Re: Other avenues to get help
Next by Date: Re: how to reinstall?
Previous by thread: Re: risks of using net apps as a user in wheel or adm?
Next by thread: Re: risks of using net apps as a user in wheel or adm?
Index(es):
- Date
- Thread