Today, Paul Lussier gleaned this insight:
> > There's *always* a way; the goal is really to make it too
> > hard to be reasonable, right?
>
>
> Absolutely. The only completely secure computer is the one that's not
> plugged in and has absolutely no physical access to it in any way
> shape or form by anyone. But talk about hindering productivity :)
>
> The goal is to make it more inconvenient than it's worth. Anyone
> dedicated to getting access to something which they're not meant to
> have access to will eventually find a way, it's inevitable. We're not
> trying to say that we can totally and ultimately secure every scrap
> bit on our network. We are trying to say that there are a lot of
> different mechanisms for securing a network and the data on it and
> that they are all dependent upon each other. Remove one link, and
> you've weakened the entire chain, but maybe not enough quick enough
> for our other mechanisms to kick into place and warn us.
>
> No one should rely on just one thing to base their security on, and we
> never stated that we did. But we do want to point out that any
> weakening in the overall plan is just making the risk greater than it
> needs to be.

Exactly! Remember, all this started because I made an off-hand (and
admittedly poorly qualified) comment that engineers never need the root
password. In the vast majority of cases, that's true. Obvious exceptions
to development of the OS that you're using, and even then sometimes they
still don't need it.

Root password control and root access are NOT the be-all end-all of
network security. It is merely one EXTREMELY important aspect of it. So
you limit it where it makes sense to, and allow it only where it's
absolutely necessary.
--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
[EMAIL PROTECTED] | [EMAIL PROTECTED]
------------------------------------------------------