From owner-freebsd-hackers Tue Apr 23 11:57:37 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from snipe.prod.itd.earthlink.net (snipe.mail.pas.earthlink.net [207.217.120.62]) by hub.freebsd.org (Postfix) with ESMTP id 0BC5837B404; Tue, 23 Apr 2002 11:57:21 -0700 (PDT)
Received: from pool0547.cvx22-bradley.dialup.earthlink.net ([209.179.200.37] helo=mindspring.com) by snipe.prod.itd.earthlink.net with esmtp (Exim 3.33 #2) id 1705TX-0000hV-00; Tue, 23 Apr 2002 11:57:16 -0700
Message-ID: <3CC5AE6E.9622AF93@mindspring.com>
Date: Tue, 23 Apr 2002 11:56:46 -0700
From: Terry Lambert
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Robert Watson
Cc: Greg 'groggy' Lehey, Jordan Hubbard, Oscar Bonilla, Anthony Schneider, Mike Meyer, hackers@FreeBSD.org
Subject: Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Robert Watson wrote:
> "System programming is hard, let's go shopping".

This is exactly the phrase that comes to mind every time someone yanks the plug on a service they are afraid might one day have an exploit found for it.

> Someone who's unaware or unwilling to address security issues will *still*
> be safer if we provide a safer system. If they are going maliciously out
> of their way, sure, there will be problems, but if they don't need telnet,
> and we disable telnet by default, we have actually produced a safer system
> for them. And if they do need telnet, it's easy to turn on.

"Securing telnet is hard; let's turn it off and go shopping". 8-).

> I think you've correctly identified an area where a lot of future security
> work is needed. However, that doesn't negate the need for security work
> in the base system, because without a secure base system, you're building
> everything else on sand. If you have the time and resources to spend
> helping to kick KDE and its related dependencies into shape, I welcome
> your doing that. It's something I haven't had time to work with yet, but
> have definite future plans to do.

No one has *that* much time. Auditing that code base would be on the order of the difficulty of auditing Windows, and we have the source code to KDE.

I agree that the base system needs to be secure, but I think you either trust your security model, or you don't: X11 *does* have a security model, even if it doesn't encrypt all the traffic over all its connections by default. If the security model is flawed, then it needs to be fixed, not turned off.

I think it's a lot worse to leave a vulnerable telnetd turned off by default but available to be turned on, than to have one that's non-vulnerable turned on by default. The fear that someone is going to find a vulnerability should be balanced by the idea that someone is going to fix it, not balanced by the idea that you can hide the vulnerability by not running the vulnerable code, "mostly".

I guess this is a basic philosophical difference: IMO, exposure equals the probability of a fix.

Turning things off belongs in the firewall code.

FWIW: I wouldn't object to a firewall rule that disallowed remote TCP connections to the X server by default, if the firewall is enabled. I think we already have this...

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
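The closing point of the message, that confining the X server's TCP listener is a firewall job rather than a reason to switch the service off, can be made concrete. The script below is an added example, not from the thread or from FreeBSD itself: it reads a constructed sample in the layout of FreeBSD's `sockstat -4 -l` output (the sample is invented, not captured from any host), lists the services bound to every address instead of loopback, checks whether the X server is among them, and emits ipfw rules that leave X display ports 6000-6063 reachable only from the host itself. The interface name `em0` and the rule numbers are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of "sockstat -4 -l" style output (FreeBSD). It is made up
# for this example and does not describe a real machine.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     Xorg       812   3  tcp4   *:6000                *:*
root     inetd      540   5  tcp4   *:23                  *:*
root     sshd       611   4  tcp4   *:22                  *:*
root     sendmail   700   3  tcp4   127.0.0.1:25          *:*'

# Print "COMMAND PORT" for every listener whose local address is a wildcard
# ("*:port"), i.e. reachable from remote hosts, skipping the header line.
# Loopback-only listeners such as the sendmail line are not reported.
wildcard_listeners() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && $6 ~ /^\*:/ { split($6, a, ":"); print $2, a[2] }'
}

# Succeed (exit 0) when the X server in the sample listens on TCP 6000 for
# every address; fail (exit 1) otherwise.
x11_exposed() {
    wildcard_listeners "$1" |
        awk '$1 == "Xorg" && $2 == "6000" { found = 1 } END { exit !found }'
}

# Emit ipfw rules that keep X display ports 6000-6063 (displays :0 to :63)
# reachable only from the host itself on the given external interface.
# Rule numbers 1000/1010 are arbitrary; adjust them to the local ruleset.
x11_ipfw_rules() {
    ext_if=$1
    printf 'ipfw add 1000 allow tcp from 127.0.0.1 to 127.0.0.1 6000-6063\n'
    printf 'ipfw add 1010 deny tcp from any to me 6000-6063 in via %s\n' "$ext_if"
}

# Stand-alone run: report the exposed listeners and print the rules.
wildcard_listeners "$SAMPLE_SOCKSTAT"
if x11_exposed "$SAMPLE_SOCKSTAT"; then
    echo "X server accepts remote TCP connections; suggested rules:"
    x11_ipfw_rules em0
fi
```

The rules deny only inbound X traffic on the external interface, so local clients over the loopback address and the UNIX-domain socket are unaffected; the telnet listener on port 23 in the same sample is left to the same treatment if the service really is wanted.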