From owner-freebsd-hackers Tue Apr 23 14:29:32 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 06A6C37B41A for ; Tue, 23 Apr 2002 14:29:18 -0700 (PDT)
Received: from hades.hell.gr (patr530-a197.otenet.gr [212.205.215.197]) by mailsrv.otenet.gr (8.12.2/8.12.2) with ESMTP id g3NLT7Su026284; Wed, 24 Apr 2002 00:29:08 +0300 (EEST)
Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.2/8.12.2) with ESMTP id g3NLT88i016948; Wed, 24 Apr 2002 00:29:09 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Received: (from charon@localhost) by hades.hell.gr (8.12.2/8.12.2/Submit) id g3NLLSKN016804; Wed, 24 Apr 2002 00:21:28 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr)
Date: Wed, 24 Apr 2002 00:21:26 +0300
From: Giorgos Keramidas
To: "M. Warner Losh"
Cc: frank@exit.com, hackers@FreeBSD.ORG
Subject: Re: Security through obscurity?
Message-ID: <20020423212124.GB14808@hades.hell.gr>
References: <200204231523.g3NFNQnq029649@realtime.exit.com> <20020423.094953.13280392.imp@village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020423.094953.13280392.imp@village.org>
User-Agent: Mutt/1.3.28i
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On 2002-04-23 09:49, M. Warner Losh wrote:
> The decision to go for a more secure system by default was made years
> ago. I for one think the Security Officers have done a good job at
> doing this, but even as far as they have come, I suspect that
> additional things will be locked down over time. That's the nature of
> the threats to systems on the internet today. What was acceptable
> years ago now no longer is acceptable. The attackers are getting more
> and more sophisticated. The countermeasures for these attacks are
> necessarily becoming more intrusive as the same sorts of bugs raise
> their ugly head again and again.

Very well said.

Cutting functionality for the sake of security is the growing trend in today's unsafe, untrusted environment that we like calling the Internet. Things that were the default years ago are now considered silly at best, dangerous for the entire network at worst. As attacks get more sophisticated, the expected functionality of a ``default'' installation is trimmed down to avoid starting dangerous or exploitable services.

This is not the first time that the need to lose part of the flexibility of a Unix system is necessary to avoid problems. Note that years ago, Sendmail would relay mail from anyone in its default installation. That was a useful feature of Unix servers around the world. Today, being an open relay is considered dangerous, and we blacklist those that run open relays.

Sometimes, it's necessary to lose flexibility and functionality in the default installation, for the sake of security. Bearing in mind that TCP connection support is not removed from the X11 servers, but merely disabled, is this so very important?

- Giorgos

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
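The message above points out that the X server's TCP listener is disabled by default rather than removed, so an administrator who re-enables it (or inherits a host where it was re-enabled) has silently undone that default. The following script, added here as an illustration and not part of the original message, audits a `sockstat -4l`-style listing for X display sockets bound to non-loopback addresses. The sample listing is constructed, and the assumed column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) follows FreeBSD's sockstat; the helper names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post): flag X servers
# whose TCP listener has been re-enabled, i.e. the default the post
# describes (TCP support present but disabled) no longer holds.

# Constructed sample in the layout of `sockstat -4l` (assumption:
# columns USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     Xorg       733   3  tcp4   *:6000                *:*
root     Xorg       733   5  tcp4   127.0.0.1:6001        *:*
root     sendmail   388   4  tcp4   127.0.0.1:25          *:*'

# x11_tcp_listeners: read sockstat-format text on stdin and print one line
# per X display socket reachable from the network. X displays :0 to :63
# use TCP ports 6000-6063; a socket bound only to 127.0.0.1 is not
# reachable from other hosts and is therefore skipped.
x11_tcp_listeners() {
    awk 'NR > 1 && $5 ~ /^tcp/ {
        n = split($6, a, ":")
        addr = a[1]; port = a[n] + 0
        if (port >= 6000 && port <= 6063 && addr != "127.0.0.1")
            printf "%s pid=%s listening on %s (display :%d)\n",
                   $2, $3, $6, port - 6000
    }'
}

# count_x11_tcp_listeners: number of exposed X sockets in the sample.
# 0 means the disabled-by-default state is still in effect.
count_x11_tcp_listeners() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | x11_tcp_listeners | wc -l | tr -d ' '
}

# On a live FreeBSD host the sample would be replaced by:
#   sockstat -4l | x11_tcp_listeners
printf '%s\n' "$SAMPLE_SOCKSTAT" | x11_tcp_listeners
```

In the constructed sample only the wildcard-bound socket on port 6000 is reported; the loopback-bound display :1 is left alone, which is the distinction an auditor wants when deciding whether a host has drifted from the default the post describes.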