From: Robert Huff
Date: Fri, 11 Dec 2009 08:18:58 -0500
To: Paul Schmehl
Cc: freebsd-questions@freebsd.org
Subject: Re: Root exploit for FreeBSD

Paul Schmehl writes:

> >> And from what I understand it's going to get worse.
> >> Apparently the IT services are drawing up
> >> plans to completely forbid use of "non-authorized"
> >> OS. I imagine fbsd will not be authorized.
> >> So I'm anticipating another battle already.
> >
> > Does this extend to computers used for academic research, student
> > owned computers being used on campus, etc?
> >
> > Perhaps it's because we're conditioned to think this way but a lot of
> > us at universities in the US see a lot of this as being commonplace
> > and to *not* do them is generally considered bad security practice.
> >
>
> This last part is surprising to me. Not only are we not
> Windows-centric, the very idea of not allowing a diversity of
> OSes is foreign to our operation. We are a heavy Solaris shop
> (as are many universities), have a good amount of Suse and RHEL
> and far less Windows servers exposed to the Internet. At the
> desktop users may install whatever they want, so long as it's
> maintained properly (which we audit routinely) and used in an
> acceptable manner (which you agree to when you get an account.)
> We have just about every OS you can imagine, including some you
> wouldn't believe still exist.

I haven't worked directly with academic IT in decades ... but I
live in Boston, which has the highest concentration of colleges on
the planet, and talk to people who do.

If any of the major local colleges tried to ban non-Windows OSs
as either or desktop, the only question would be who got to IT
first - the students with the stakes and holy water, or the
professors with the tar and feathers.

On the other hand a well considered security policy specifying
ends and not means, and accompanied by end-user
detection/correction mechanisms, would be adopted quite happily.

Robert Huff