From owner-freebsd-questions Wed Jan 2 6:31:31 2002
Date: Wed, 2 Jan 2002 21:04:14 +0530
From: Devdas Bhagat
To: freebsd-questions@freebsd.org
Subject: Securing systems (was Re: Teaching parents UNIX)
Message-ID: <20020102210414.D569@rivendell.worldgatein.net>
In-Reply-To: <20011229220904.A493@starpower.net>; from rjhalljr@starpower.net on Sat, Dec 29, 2001 at 10:09:05PM -0500

On 29/12/01 22:09 -0500, Bob Hall wrote:
> As the level of knowledge necessary to operate a computer decreases,
> people who were previously unable or unwilling to use computers
> start using them, and the average level of competence of computer
> users decreases. Any specific system is only as secure as the
> person using it makes it. For most users, improvements in MS

This is perfectly correct. However, I will blame MS for one thing. They
always value convenience over security. Convenience is a good thing, but
sometimes lack of convenience forces the user to assume responsibility.
Having everything enabled by default is a bad thing. Not making it easy
to turn off is even worse. Breaking stuff from working because of secure
systems is even worse.

> software aren't going to make their computers any safer because the
> users are still going to leave the machines wide open to infection.
> And now that DSL and cable are becoming popular, people leave their
> computers on and connected to the internet 24/7. Virii that scan for
> hosts to infect are going to start hitting client machines.

Right. Simple minimal solutions:
Disable Javascript in the system by default.
Disable automatic file sharing by default (ADMIN$ and C$).
Disable automatic parsing of HTML email, and scripting in email. Email
doesn't need scripting.

> MS contributes by selling their software at the beta stage, but
> that contribution is small compared to the other factors. Even
> if MS bundled anti-virus with their software, they can't force
> users to use it or update the virus signatures.

The solution is not an antivirus. The solution is software that doesn't
default to insecurity. I think that OpenBSD is on the right route (though
they have sendmail enabled by default). I believe Immunix also has the
same philosophy. To enable anything, the user has to take specific action,
and thus assume responsibility for it.
Securing NT is hard precisely because you have to make it secure from
insecure defaults, and there is no choice of that in the install process.

Devdas Bhagat