On Mon, 2006-03-06 at 17:59, Michael H. Warfield wrote:

> In the security business, we have an expression for people like you.
> Those people who use the "install everything" button just because they
> "might" want something in the future (and then forget they installed it,
> if they even realize they installed it to begin with).
>
> We dub thee "owned".

As I said back a few messages, this is not what you want on a production server. However, if you don't try the new stuff somewhere, how are you ever going to know if it will improve your production or not?

> The funny thing is that (and I've seen this in this thread) most of the
> time people will use the argument that the newbie user is the one who
> needs the "install everything" option, because they don't know what they
> want, so they'll be sure to get it. They are EXACTLY the LAST people
> who need or should use that damn thing. They are the MOST likely to get
> burned by it (and I've spent too much time helping newbies fix broken
> systems that would not have been broken into if they had only installed
> what they needed).

The people who need it are the ones deciding what needs to run in production next month. A lot of people are doing a lot of work writing this stuff. Do you want only your competitors to be using it?

> Fine, now we are much more careful that
> "installed" services are not "enabled" services until you take some
> action. And the firewall defaults definitely help. But what about
> Apache add-ons (like PHP et al).

What about them? Name *one* service that hasn't had security issues. They get found and fixed only after people start using them. Speeding up that process helps us all.

> I've preached for years that one of the worst security vulnerabilities in
> many Linux distributions was the "install everything" button. That
> remains true to this day. Ignorance WILL bite you.

If a distribution contains security flaws they need to be fixed, not ignored.

-- 
Les Mikesell
lesmikesell@xxxxxxxxx
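The practical check behind the "installed is not enabled" point above is to look at what the box actually listens on, rather than at what packages are present. The following is an added example, not code from either participant in the thread: a POSIX sh audit that reads ss(8)-style listener output (the column layout produced by `ss -Hltnup` is assumed), drops loopback-only sockets, and reports anything bound to a network-reachable address whose process name is not on an allowlist. The sample input is constructed for the example; on a real host you would pipe `ss -Hltnup` into it instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the input is in the
# column layout of `ss -Hltnup`:
#   proto state recvq sendq local_addr:port peer_addr:port users:(("name",pid=N,fd=M))

# exposed_services: read ss-style lines on stdin, print "proto local_addr:port name"
# for every socket that is NOT bound only to loopback (127.0.0.0/8 or [::1]).
exposed_services() {
    awk '
        {
            bound = $5
            addr = bound
            sub(/:[0-9]+$/, "", addr)              # strip the port, keep the address
            if (addr ~ /^127\./ || addr == "[::1]") next
            name = "?"
            # users:(("sshd",pid=612,fd=3)) -> sshd ; prefix users:((" is 9 chars
            if (match($0, /users:\(\("[^"]+"/))
                name = substr($0, RSTART + 9, RLENGTH - 10)
            print $1, bound, name
        }'
}

# unexpected_listeners ALLOWLIST: like exposed_services, but only print listeners
# whose process name is not in the space-separated ALLOWLIST (e.g. "sshd httpd").
unexpected_listeners() {
    allow=" $1 "
    exposed_services | while read -r proto bound name; do
        case "$allow" in
            *" $name "*) ;;                        # expected on this host, skip
            *) printf '%s %s %s\n' "$proto" "$bound" "$name" ;;
        esac
    done
}

# Constructed sample of ss output for a box with an "install everything" flavour:
# postfix on loopback only, sshd and httpd exposed, chronyd on loopback, mysqld on all v6.
SAMPLE='tcp   LISTEN 0 128 127.0.0.1:25   0.0.0.0:* users:(("master",pid=700,fd=13))
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0 511 *:80           *:*       users:(("httpd",pid=900,fd=4))
udp   UNCONN 0 0   [::1]:323      [::]:*    users:(("chronyd",pid=500,fd=6))
tcp   LISTEN 0 80  [::]:3306      [::]:*    users:(("mysqld",pid=1100,fd=20))'

# Usage (run stand-alone): everything reachable, then everything not on the allowlist.
printf '%s\n' "$SAMPLE" | exposed_services
printf '%s\n' "$SAMPLE" | unexpected_listeners "sshd httpd"
```

On the constructed sample the first call lists sshd, httpd and mysqld; the second call leaves only `tcp [::]:3306 mysqld`, the database that came along with the install and was never meant to face the network. Two caveats: an empty result only says nothing extra is listening right now, not that nothing extra is installed or enabled for next boot; and add-ons that run inside another daemon, such as the PHP module mentioned above, never appear as a separate listener, so they have to be audited at the web-server configuration level rather than with this check.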