From owner-freebsd-security Sat Sep 30 15:37:11 2000 Delivered-To: freebsd-security@freebsd.org Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id 1FBA137B66C for ; Sat, 30 Sep 2000 15:37:06 -0700 (PDT) Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.12 #5) id 13fVFY-0007qR-00; Sun, 01 Oct 2000 00:36:56 +0200 Date: Sun, 1 Oct 2000 00:36:56 +0200 (IST) From: Roman Shterenzon To: cjclark@alum.mit.edu Cc: security@FreeBSD.ORG Subject: Re: cvs commit: ports/mail/pine4 Makefile (fwd) In-Reply-To: <20000930152917.E25121@149.211.6.64.reflexcom.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 30 Sep 2000, Crist J . Clark wrote: > On Sat, Sep 30, 2000 at 11:43:20PM +0200, Roman Shterenzon wrote: > > Still, I think the default should be "insecure" install, since most > > machines are firewalled. > > This brings up a funny problem. > > The people putting up boxes behind firewalls are typically the ones > who know what they are doing, your pro and semi-pro sysadmin. They > don't need the 'dumb defaults' on the system to turn stuff on for > them. They could and often are going to customize that stuff anyway. > > The people putting up boxes naked on the net are many time your home > coax cable, DSL, etc. users. They are less likely to know what they > are doing. They are the ones the dumb defaults are aimed at. > > So, we have an interesting situation. The very person the dumb > defaults are aimed at, the UNIX newbie, is the same person who is most > likely to be running the machine naked on the net and have the least > understanding of the security implications of his actions. > > Worrying about how the default install affects the experienced user is > not too much of a concern since the experienced user knows how to turn > stuff on and off (but personally, I'd rather have it all off). > > I guess I am one of the few that thinks we should default off for the > good of the newbie user, rather than save the newbie 5 minutes of RTFM > to turn on telnet and ftp. Just everyone hope no exploit like the > recent SGI telnetd bug is ever found hiding in FreeBSD's telnetd. I think that you're quite right on this one. I think that the solution which has "secure install" and "insecure" one with a cursor on the "insecure" is good enough for most of the people. Like one said, if you want to shoot yourself in the foot, just do it. Which reminds me - OpenBSD has "afterboot" manpage which describes many aspects of the system, perhaps we need something similar. --Roman Shterenzon, UNIX System Administrator and Consultant [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message