From owner-freebsd-hackers Tue Apr 23 3:48:20 2002 Delivered-To: freebsd-hackers@freebsd.org Received: from HAL9000.wox.org (12-232-222-90.client.attbi.com [12.232.222.90]) by hub.freebsd.org (Postfix) with ESMTP id 33D6E37B404; Tue, 23 Apr 2002 03:48:16 -0700 (PDT) Received: (from das@localhost) by HAL9000.wox.org (8.11.6/8.11.6) id g3NALkp00811; Tue, 23 Apr 2002 03:21:46 -0700 (PDT) (envelope-from das) Date: Tue, 23 Apr 2002 03:21:46 -0700 From: David Schultz To: "Greg 'groggy' Lehey" Cc: Jochem Kossen , hackers@FreeBSD.ORG Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?) Message-ID: <20020423032146.A490@HAL9000.wox.org> Mail-Followup-To: Greg 'groggy' Lehey , Jochem Kossen , hackers@FreeBSD.ORG References: <11670.1019530386@winston.freebsd.org> <20020423131646.I6425@wantadilla.lemis.com> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020423183452.M6425@wantadilla.lemis.com>; from grog@FreeBSD.ORG on Tue, Apr 23, 2002 at 06:34:52PM +0930 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Thus spake Greg 'groggy' Lehey : > work done. And you can bet your bottom dollar that somebody coming > from another UNIX variant and trying out FreeBSD won't do so. They'll > just say that it's broken and wander off again. I agree with this point, in general. FreeBSD shouldn't be like OpenBSD, where everything is so secure by default that you can't get anything done. For example, most people who use X don't know---and don't want to know---how it works. If the defaults are too restrictive, they will be frustrated, and maybe they'll figure out how to make things unrestrictive without understanding what's going on. On the other hand, if the defaults are not cautious enough, the same people will need to apply patches when the next remotely exploitable hole in X is found, and many of them won't bother. I'm a bit more wary of third-party applications, particularly big ones like X, so disabling TCP connections by default seems like a reasonable thing to do. But it should have been documented in a place where people actually look when they upgrade. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message