Re: From release notes for FC5T3 (web)

On Wed, 2006-03-08 at 00:41 -0600, Les Mikesell wrote:
> On Tue, 2006-03-07 at 23:48, Michael H. Warfield wrote:
> 
> > 	You want to ignore fundamental security principles at your convenience
> > and use other security vectors and principles as your defense.  You've
> > got a "patch it" mentality.  Patch it and you can ignore other basic
> > security principles. 

> More to the point, you can actually use the service when you
> need it.

> >  But modern security takes "defense in depth" as
> > axiomatic.  This you choose to ignore.  Ignore it at your peril.

> What you are ignoring is that if nobody runs services they
> won't be fixed when you do have a need for them.

	And what you are doing is a logical fallacy of extrapolating from "you
don't" to "nobody does".  If NObody needs it or wants it or runs it,
what's it there for in the first place?  The ones who do intentionally
install it and run it are the ones that find the problems and get them
fixed.  They're not a subject of this discussion.  This is not the noobs
who install it and then don't run it or don't configure it.  The only
time THEY then enter into the bugfix equation is when they get bit by
something they weren't using which directly implies that they wouldn't
have been bit if they hadn't installed it.  I would rather see the bug
fixes from the people actively installing, configuring, and using the
software rather than the unintended honeypots deployed as a result of
"install everything" (A honeypot is any resource whose value is being
attacked - if you have something on your system that you are not using and
it contributes to bug fixes by being attacked, you are acting as a
honeypot, whether you know it or like it or not).

> > 	Patching helps, but defend against the unknown holes as well.
> > Firewalls help, but so does tcpwrappers.  They do the same things but
> > differently.  So use them both.  When one thing fails, the next defends
> > you.  They can't break in through something you didn't install.  If they
> > break in, they can't exploit some stupid asinine local exploit to gain
> > root and install a root kit on your ass.  It happens.  It has happened
> > and it will happen.
> 
> And it will keep happening until the code is fixed.  Then it stops
> happening.  The code won't be fixed if no one runs it.

	Again...  Logical fallacy.  Taking away "install everything" does not
imply "no one runs it".  It only implies that it isn't installed without
intent as part of a catch-all installation.  There will still be plenty
of people who do want it and install it and configure it and run it and
THEY are the ones who will contribute to the bug fixing.  Your argument
is predicated on "if no one runs it" which is a red herring.  Since
that's false, the conclusion is false.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw@xxxxxxxxxxxx
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
