I attended an executive briefing yesterday that was very interesting. Dr. Eugene H. Spafford, a professor at Purdue University who sits on the President's Information Technology Advisory Council, had many interesting and valid points, one of the biggest ones being his "observation" on the default installation of unneeded services (Windows being the main culprit mentioned). These services are a big security risk, especially for those that are what we know as "newbies." These types of end users have no idea what these services are and most likely will never have a use for them.
One of his other "observations" was from a developer's standpoint. He pointed out that unfortunately most systems are designed with the virtuoso in mind (this includes operating systems, applications, even hardware interfaces such as web-based firewall interfaces). Most end users are at a low level when it comes to computing. This means that developers should always be thinking of end users as low level, not as virtuosos. He also pointed out how most developers think about security after release, not during development. He stated that security should not be viewed as patch management, but should be taken care of from the very beginning stages of coding.

He made some other points about being needlessly bound to legacy systems, users' lack of understanding statistics (look at tobacco use, airline travel vs. driving, etc.), and gave an example of using the wrong requirements to make software decisions: The US Navy completed a study of MS products and found them to be insecure. A year later they announced they would be using Windows 2000 on one of their ships due to the lower cost, not security. It makes you wonder. Lowering the total cost of ownership for a product, device, or application is not always the most important thing, especially if one of these things has a security problem that can lead to costly damages. Also, releasing a product before it is secure simply because you wish to meet a deadline or make a profit is a bad practice (once again, Windows). (I should mention that Dr. Spafford has a working relationship with Microsoft and visits them quarterly, yet he still points out their flaws.)

Every one of the speakers on hand agreed that the best practice is to disable all services on install and only allow those that will be used. I am not sure if this is the answer or not. I personally like the convenience of having some things ready to go, but I know what to look for; others may not. I think ultimately the Mepis team must do what is best for Mepis.
It is impossible to please everyone, but it is possible for the team to create the best distribution that they can create, which includes creating a happy medium between security and ease of use, includes timely updates when needed, and includes good user support. I think that Mepis as a whole has met these requirements.

Here is a link to Dr. Spafford's site: http://www.cs.purdue.edu/faculty/spaf.html

Joe
