Date:      Tue, 23 Apr 2002 11:38:26 +0200
From:      Neil Blakey-Milner <nbm@mithrandr.moria.org>
To:        Joerg Micheel <joerg@cs.waikato.ac.nz>
Cc:        Greg 'groggy' Lehey <grog@freebsd.org>, Jochem Kossen <j.kossen@home.nl>, hackers@freebsd.org
Subject:   Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)
Message-ID:  <20020423093826.GA58411@mithrandr.moria.org>
In-Reply-To: <20020423211359.D48271@cs.waikato.ac.nz>
References:  <rwatson@FreeBSD.ORG> <11670.1019530386@winston.freebsd.org> <20020423131646.I6425@wantadilla.lemis.com> <200204231009.51297.j.kossen@home.nl> <20020423183452.M6425@wantadilla.lemis.com> <20020423211359.D48271@cs.waikato.ac.nz>

On Tue 2002-04-23 (21:13), Joerg Micheel wrote:
> On Tue, Apr 23, 2002 at 06:34:52PM +0930, Greg 'groggy' Lehey wrote:
> > Well, yes.  But I've been using X for 11 years.  Why should I have to
> > read the man page to find changes?  How do I know which man page to
> > read?  If I did that for everything that happened, I wouldn't get any
> > work done.  And you can bet your bottom dollar that somebody coming
> > from another UNIX variant and trying out FreeBSD won't do so.  They'll
> > just say that it's broken and wander off again.
> 
> FWIW, I would be extremely pissed about this myself, I just happen
> not to have installed 4.5 myself yet, for other reasons. I thought there
> was a policy of the least surprise, it might have been to kernel code,
> but should be applied here as well.
> 
> The system has to work right away, when installed out of the box. Period.
> No when's and if's. And don't tell me that X11 is an add-on and luxury.
> We are living in the 21st century.

There are people who will tell people that still use X11 tcp sockets to
start living in the 21st century.  ssh X11 forwarding still works, it's
only the (often much lower security) tcp sockets that are disabled by
default.  (And if the "none" cipher is available, the overhead would be
minimal for even the most underpowered machine.)

At least Debian takes this stance, and so many believe it's a sane
default.  If it were reverted, I'm sure there'll be lots of people
re-adding the change to their security regimen.  And lots more people
scurrying to patch when the next DoS or exploit comes out.

Neil
-- 
Neil Blakey-Milner
nbm@mithrandr.moria.org
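A defender-side check for the default Neil describes, added here and not part of the thread: it scans socket-listing output (constructed samples below, in netstat/ss layout) for an X server accepting TCP connections on the display ports, while leaving loopback-only listeners such as the ones sshd opens for forwarded displays alone.

```shell
#!/bin/sh
# Added example, not from the thread: flag an X server that accepts TCP connections
# (display N listens on TCP port 6000+N) instead of only its local UNIX socket,
# which is what a "-nolisten tcp" default leaves you with.
# Loopback-only listeners are ignored: that is what sshd's X11 forwarding binds to
# (display :10 and up by default), and it is the part that keeps working.

# Constructed samples in `netstat -ltn` layout (local address is field 4, as in `ss -ltn`).
SAMPLE_EXPOSED='tcp  0  0  0.0.0.0:6000  0.0.0.0:*  LISTEN
tcp  0  0  127.0.0.1:22  0.0.0.0:*  LISTEN
tcp6 0  0  [::]:6001     [::]:*     LISTEN'
SAMPLE_SAFE='tcp  0  0  127.0.0.1:22    0.0.0.0:*  LISTEN
tcp  0  0  127.0.0.1:6010  0.0.0.0:*  LISTEN'

# x11_tcp_listeners LISTING
# Prints one "display N on ADDR" line per non-loopback TCP listener in the X11
# port range 6000-6063. Exit status 0 if any were found, 1 if the host is clean.
x11_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        /LISTEN/ && match($4, /:[0-9]+$/) {
            addr = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1) + 0
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)     # strip IPv6 brackets
            if (port < 6000 || port > 6063) next
            if (addr == "::1" || addr ~ /^127\./) next      # loopback: ssh-forwarded displays
            printf "display %d on %s\n", port - 6000, addr
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Demonstration on the constructed samples; on a live host feed it real output:
#   x11_tcp_listeners "$(netstat -ltn 2>/dev/null || ss -ltn)"
x11_tcp_listeners "$SAMPLE_EXPOSED" || echo "no X11 TCP listeners"
x11_tcp_listeners "$SAMPLE_SAFE"    || echo "no X11 TCP listeners"
```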
