From owner-freebsd-security Wed Feb 3 07:09:37 1999
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id HAA20671
        for freebsd-security-outgoing; Wed, 3 Feb 1999 07:09:37 -0800 (PST)
        (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (FLEDGE.RES.CMU.EDU [128.2.93.229])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA20664
        for ; Wed, 3 Feb 1999 07:09:34 -0800 (PST)
        (envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
        by fledge.watson.org (8.8.8/8.8.8) with SMTP id KAA28015;
        Wed, 3 Feb 1999 10:09:00 -0500 (EST)
Date: Wed, 3 Feb 1999 10:09:00 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: proff@suburbia.net
cc: Peter Jeremy, jkh@zippy.cdrom.com, security@FreeBSD.ORG
Subject: Re: tcpdump
In-Reply-To: <19990203085051.1688.qmail@suburbia.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 3 Feb 1999 proff@suburbia.net wrote:

> Frankly I'm sick of seeing anal security idiots undermining useful
> functionality. I don't see why we should let this useless, winging
> segment of the network community, which spends all its time working
> out new ways to prevent people doing anything, shove their uncreative
> bankrupt, and wholly paranoid philosophy down everyone else's throats.

Come now, I resent that :). I consider myself an anal security.. er.. person :).

My feeling is that it is actually very important that system designers impose security features on an operating system: they are in the best position to do so while maintaining maximum flexibility and functionality. They have the best understanding of the system and what its limitations are. Patching security on afterwards is almost always a disaster.

However, you'll note that some of the argument here has been about whether limiting access to bpfilter actually improves security, or whether it just makes access to the packets more obscure. And it is quickly clear that with capabilities such as lkm/kld that it is merely obscurity in low securelevels. Similarly open/close limitations are not sufficient in securelevels because of other operating system features that require modification to understand these limits. A truly paranoid security philosophy requires seeing the whole picture, not just the parts; incorrect slapping on of limiting security patches that have no real effect on the actual security of the system are of no use.

As such I welcome a truly paranoid security idiot who wants to be involved in FreeBSD :-).

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/