I came back later and realized some of my comments may have been grossly
misread. We ("we" <waving around>) know better than to log in as root all
day, over telnet, with the password as a command line option, etc. etc.
A Unix user should not be able; a Unix admin should know better. Every
Linux install I've done -- several distros since the RH 5 era -- has asked
me for a root pw and then insisted that I provide a normal user/pw for
daily work. Especially for new users, that unprivileged user lets you
poke around without irreparably damaging the box. *Especially* for new
users... I noticed one day that my Win95 box had all these loose files in
C:\, when everything else was in folders. I deleted them, of course. Two
hours later, I had the box reinstalled, and I never did that again. That
mistake is only possible in Unix when you don't appreciate "user".

As an example, I've put in StarOffice, and it told me to install somewhere
public if I wanted other users to have access. I don't mean to be
critical or point fingers unfairly, but *my* box warned me twice not to
install stuff under /root and work all the time as "root". I will readily
admit that the true, original concept of "users" is foreign to Win98
emigrants, and it is one of the tricky details to managing any variant of
Unix. You "su" to root to do the install, put it somewhere everyone can
access it, then get out of root to do real work. That's totally foreign
to most Windows users, and I'd context any finger-pointing I would ever do
with that concept in mind. My apologies if I wasn't clear earlier.

My Windows maintenance involves clicking on "Windows Update", in my Start
Menu, every few weeks and doing "Critical Updates". That's as routine as
changing my car's oil or the batteries in my Palm. It's also easy, brief,
and possible to do in the background while I continue working. The new
Red Carpet in my Ximian install updated my desktop, apps, AND underlying
Red Hat core without a single hiccup. All I had to do was start the thing
and click Next. That's how Linux updates "should be", but at least
apt-get and rpm -Fvh have automated updates to a manageable degree for
users without Ximian.

There are appliances that do nothing but email and web. A box without MS
Office or its ingredients is a heckuva lot more secure by default, and all
it would need is that monthly Windows Update. I feel that a stereotypical
"mom-n-pop" user should at LEAST be informed by a salesman or a glossy or
booklet to use Windows Update on about a monthly basis. I've actually
seen Windows provide a popup reminder on a scheduled basis. I hate
popups, but this is a good idea for OEM "appliances".

A box with Word and Outlook and PWS and a VBS environment running all the
time and file sharing turned on and a cable modem plugged in is just a
death trap. Somebody has to assume responsibility for putting all that
together. I'm inclined to say that, if Gateway didn't come out and
install the thing in your house that way, the responsibility falls on the
person who put that particular death trap together. Maybe @HOME should be
more informative about this, as they *do* come to your house and plug it
in.

I'm sorry, but I wouldn't install a security system in my house and
leave it turned off all the time. I wouldn't let the batteries die in my
smoke detectors. I wouldn't plug a computer into the internet without
taking a few basic precautions. I've read of new Linux boxen being
invaded less than 15 minutes after the install finished, because they were
plugged into the internet before they were secured. Windows is just as
easy.

-j
On Tue, 3 Jul 2001, John Hebert wrote:

> Date: Tue, 3 Jul 2001 10:31:06 -0700 (PDT)
> From: John Hebert <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM
> ...
>
> Dustin,
>
> IMHO, this is exactly why Steve Gibson is in a huff.
> He's basically saying that M$ irresponsibility
> concerning security in XP is going to cause a huge
> increase in DDOS attacks.
>
> This is going to be seen as another point of
> competition between OSs, because your typical home
> user will be pretty upset when they find out their
> machine has been hacked. This is not an apocalyptic
> scenario, it will instead cause some good changes, in
> that lots of people will start to learn about security
> for the first time. I'm looking forward to seeing the
> M$ propaganda campaign to convince the user it is his
> fault.
>
> I say let M$ innovate. When the Internet starts to
> come to a crawl, we will either make hackers into
> terrorists or blame Microsoft. Either one is
> interesting with far reaching implications.
>
> John
>
> --- Dustin Puryear <[EMAIL PROTECTED]> wrote:
> > john beamon wrote:
> >
> > > I don't look to make Linux any "easier" for new users. I look for new
> > > users who will at least recognize problems and devote a few minutes a
> > > week to staying on top of their updates.
> >
> > Well, here is a fundamental difference in opinion on what users should
> > and should not need to do. I don't feel a computer should be like a car
> > where users need extensive training to use them. Rather, a computer
> > should be like a TV where it can be turned on and just work.
> >
> > Users will not "devote a few minutes a week" to installing updates.
> > Hell, who has the time? Users should just do their jobs and use
> > computers like they use any other work-related tool. Vendors and
> > administrators have the responsibility of properly configuring and
> > maintaining systems.
> >
> > As far as home users, vendors should properly configure their products
> > with reasonable security. Home users may be required to do more
> > maintenance work than a business user, but only a little more. It should
> > not be a daily or weekly task to check a vendor's website, download
> > patches, backup system, install patches, check patches, ad nauseam.
> >
> > Regards, Dustin
> >
> > >
> > > -j
> > >
> > > On Tue, 3 Jul 2001, Ricky Salmon wrote:
> > >
> > >>Date: Tue, 3 Jul 2001 09:31:33 -0500
> > >>From: Ricky Salmon <[EMAIL PROTECTED]>
> > >>Reply-To: [EMAIL PROTECTED]
> > >>To: [EMAIL PROTECTED]
> > >>Subject: RE: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM
> > >> ...
> > >>
> > >>Well, to give M$ a little credit (duck), XP is supposed to have a fair
> > >>amount of security by default.
> > >>
> > >>But, there's always that relationship between Security and Usability (is
> > >>that a word?). I'm sure some
> > >>developers/admins will love the fact that they finally get to use Raw
> > >>Sockets, but that in turn decreases
> > >>some amount of security. As people continue to add these new features, you
> > >>can't always an "Idiot Proofing" mechanism that works well... It's a nice
> > >>double edged sword...
> > >>
> > >>As for current windows machines, a million and one trojans already exist.
> > >>So my question is, is it the responsibility of the Vendor to make sure the
> > >>users know how to use a computer, or is it the responsibility of the user to
> > >>know how to use a computer?
> > >>
> > >>As much as I love that certain vendor (sarcasm), their main focus is to put
> > >>out more productive products with a fair amount of security. There aren't
> > >>enough resources in the world to make sure that every Joe Blow isn't leaving
> > >>themselves open...
> > >>
> > >>My 2 cents...
> > >>
> > >>Ricky
> > >>
> > >>-----Original Message-----
> > >>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > >>Behalf Of John Hebert
> > >>Sent: Tuesday, July 03, 2001 9:02 AM
> > >>To: [EMAIL PROTECTED]
> > >>Subject: Re: [brluglist] Fw: Steve Gibson's July/2001 News from GRC.COM
> > >>...
> > >>
> > >>--- Dustin Puryear <[EMAIL PROTECTED]> wrote:
> > >>
> > >>>Hmm. Is this about the raw socket deal with Windows XP? Raw sockets have
> > >>>been available in the UNIX world for a while, so I guess that means UNIX
> > >>>vendors are no better?
> > >>>
> > >>From my understanding of Gibson's writings, he says
> > >>that raw sockets are a problem in Windows XP because
> > >>most people use M$ Windows operating systems
> > >>(well, duh) AND M$ doesn't seem to have its act
> > >>together when it comes to network security (hmmm,
> > >>he's got a point). So, distributing M$ Windows XP
> > >>with raw sockets for home users who don't properly
> > >>secure their machines will only give DDOS script
> > >>kiddies more platforms to attack from.
> > >>
> > >>:P
> > >>
> > >>John
> > >>
> > >>__________________________________________________
> > >>Do You Yahoo!?
> > >>Get personalized email addresses from Yahoo! Mail
> > >>http://personal.mail.yahoo.com/
> > >>================================================
> > >>BRLUG - The Baton Rouge Linux User Group
> > >>Visit http://www.brlug.net for more information.
> > >>Send email to [EMAIL PROTECTED] to change
> > >>your subscription information.
> > >>================================================
> > >>
> > --
> > Dustin Puryear <[EMAIL PROTECTED]>
> > http://members.telocity.com/~dpuryear
> > In the beginning the Universe was created.
> > This has been widely regarded as a bad move. - Douglas Adams
> >
<small>
<em>
This archive was generated by hypermail 2.1.2
: <em>Thu Sep 06 2001 - 11:10:54 CDT</em>
</em>
</small>
</body>
</html>