Date: Tue, 23 Apr 2002 11:38:26 +0200
From: Neil Blakey-Milner <nbm@mithrandr.moria.org>
To: Joerg Micheel
Cc: Greg 'groggy' Lehey, Jochem Kossen, hackers@freebsd.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID: <20020423093826.GA58411@mithrandr.moria.org>
References: <11670.1019530386@winston.freebsd.org> <20020423131646.I6425@wantadilla.lemis.com> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <20020423211359.D48271@cs.waikato.ac.nz>
In-Reply-To: <20020423211359.D48271@cs.waikato.ac.nz>
Organization: iTouch Labs
X-Operating-System: FreeBSD 4.3-RELEASE i386
X-URL: http://mithrandr.moria.org/nbm/

On Tue 2002-04-23 (21:13), Joerg Micheel wrote:
> On Tue, Apr 23, 2002 at 06:34:52PM +0930, Greg 'groggy' Lehey wrote:
> > Well, yes. But I've been using X for 11 years. Why should I have to
> > read the man page to find changes? How do I know which man page to
> > read? If I did that for everything that happened, I wouldn't get any
> > work done. And you can bet your bottom dollar that somebody coming
> > from another UNIX variant and trying out FreeBSD won't do so. They'll
> > just say that it's broken and wander off again.
>
> FWIW, I would be extremely pissed about this myself, I just happen
> not to have installed 4.5 myself yet, for other reasons. I thought there
> was a policy of the least surprise, it might have been to kernel code,
> but should be applied here as well.
>
> The system has to work right away, when installed out of the box. Period.
> No when's and if's. And don't tell me that X11 is an add-on and luxury.
> We are living in the 21st century.

There are people who will tell people that still use X11 tcp sockets to
start living in the 21st century.

ssh X11 forwarding still works, it's only the (often much lower security)
tcp sockets that are disabled by default. (And if the "none" cipher is
available, the overhead would be minimal for even the most underpowered
machine.)

At least Debian takes this stance, and so many believe it's a sane default.

If it were reverted, I'm sure there'll be lots of people re-adding the
change to their security regimen. And lots more people scurrying to patch
when the next DoS or exploit comes out.

Neil
--
Neil Blakey-Milner
nbm@mithrandr.moria.org
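A way to verify on a host which of the two cases Neil distinguishes is actually in effect (X server bound to a TCP display port versus only ssh's loopback-bound forwarded display). This is an added example, not code from the thread; it assumes `sockstat -4l`-style input (USER COMMAND PID FD PROTO LOCAL FOREIGN columns) and IPv4 addresses only, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit a listening-socket listing for X11 display ports
# (6000-6063). With the X server started "-nolisten tcp", nothing should be
# bound there on a non-loopback address; ssh -X forwarding binds its proxy
# display on 127.0.0.1 only, which is fine and is not reported.
# Assumed input format: `sockstat -4l` (FreeBSD), one socket per line.

# Reads the listing on stdin; prints each exposed socket.
# Returns 0 when no X11 display port is reachable over TCP, 1 otherwise.
x11_tcp_exposed() {
    awk '
        NR == 1 && $1 == "USER" { next }          # skip the column header
        {
            n = split($6, a, ":")                 # LOCAL ADDRESS is addr:port
            port = a[n] + 0
            if (port < 6000 || port > 6063) next  # not an X display port
            addr = substr($6, 1, length($6) - length(a[n]) - 1)
            if (addr == "127.0.0.1") next         # loopback only: ssh forwarding
            print "exposed: " $0
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Constructed sample listing (not real output): an X server listening on the
# wildcard address, plus an sshd forwarded display on loopback.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     XFree86    512   1  tcp4   *:6000                *:*
nbm      sshd       812   5  tcp4   127.0.0.1:6010        *:*'

printf '%s\n' "$SAMPLE_SOCKSTAT" | x11_tcp_exposed \
    || echo "X11 display port reachable over TCP; start X with -nolisten tcp"
```

On a live system replace the sample with `sockstat -4l | x11_tcp_exposed`.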