Date:      Tue, 23 Apr 2002 11:07:21 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Robert Watson <rwatson@FreeBSD.org>
Cc:        Greg 'groggy' Lehey <grog@FreeBSD.org>, Jordan Hubbard <jkh@winston.freebsd.org>, Oscar Bonilla <obonilla@galileo.edu>, Anthony Schneider <aschneid@mail.slc.edu>, Mike Meyer <mwm-dated-1019955884.8b118e@mired.org>, hackers@FreeBSD.org
Subject:   Re: Security through obscurity? (was: ssh + compiled-in SKEY support  considered harmful?)
Message-ID:  <3CC5A2D9.D9FB84A3@mindspring.com>
References:  <Pine.NEB.3.96L.1020423110123.64976j-100000@fledge.watson.org>

Robert Watson wrote:
> A more conservative default configuration results in a material
> improvement in system security.

I really don't think there's any way to fully protect a
security-unconscious user, as if they had spent the time to
learn what was necessary, and chosen the right settings for
their site.  Nothing can replace a system administrator who
knows which end is up.

I think that trying to do this is doomed to failure, in that
it will engender a false sense of security which is, in many
cases, unwarranted and dangerous.  This is particularly true
for FreeBSD, where the first thing anyone ever does with the
system is install packages/ports which may themselves have
undocumented security vulnerabilities (or even documented ones
for which the documentation is ignored).

This is particularly true when the system is running X11, as
the system *never* *only* runs X11, but instead has all sorts
of clients installed, as well, and generally a significant set
of unaudited software, such as KDE, which you can attack via
CORBA much more easily than you could ever hope to directly attack
an X11 server, whose defaults already do not permit remote
connections through intrinsic access controls in the server
("xhost", et al.).

-- Terry
