From owner-freebsd-security Thu Sep 21 18:25:30 2000
Date: Fri, 22 Sep 2000 12:24:59 +1100 (EST)
From: Stanley Hopcroft
To: security@FreeBSD.ORG
Subject: Re: sysinstall DOESN'T ASK, dangerous defaults! (Was: Re: whats so special about freeBSD?)
In-Reply-To: <4.3.2.7.2.20000921182152.046d6ee0@localhost>

Dear Ladies and Gentlemen,

I am writing to suggest that the criterion for deciding about these things is to consider who will benefit from changing the default settings, or what market one aims for.

If one's customers are naive users, then sure, take the MS Windows approach and do it (whatever it is) all for them and hope they eventually realise what you have done for/to them and appreciate it.

If there's a benefit by adopting the firewall principle of disabling whatever's unnecessary, or equivalently, a reducible or unacceptable cost in not doing so, then disabling stuff seems sensible.

As Mr Glass says, optimising these settings to harden many of the boxen I deal with (routers, terminal servers, DNS servers etc) is time consuming.

It would be nice to only enable what I want rather than bear the risk of *not* disabling stuff.

That said, one of the lovely things about Unix is that it *is* configurable.

The only thing I might add is that setting up a workstation on memory-strapped hardware (e.g. a P133/32 MB when I'd like to run kde, netscape etc) is unfortunately fairly painful and shows up the different trade-offs in the MS and Unix environment.

Since this has no bearing on security and is probably caused by applications or the different kernel approaches (not to mention the disgusting lack of MS integrity that surely must infect their code), it's hardly worth mentioning in this context.

However, it would be a lovely advertisement to be able to highlight the robustness and grunt of FreeBSD by showing it run good looking applications with the same apparent carelessness as MS Windows on the same gutless hardware.

As for me, my workstation's happy thrashing FreeBSD.

Thank you,

Yours sincerely.

S Hopcroft
Network Specialist
IP Australia
+61 2 6283 3189
+61 2 6281 1353 FAX