Today, Kevin D. Clark gleaned this insight:
>
> Derek Martin writes:
>
> > Yeah, anyone responsible for developing products, and not responsible for
> > the security of the network will chime in here. It's not your job to
> > worry about security, so you don't.
>
> <sarcasm>
> Gosh, I'm so glad you know what's going on in my head.
> </sarcasm>
Yeah, I'm generalizing there.
> > We do.
> There's the second sweeping generalization in your email.
No, I'm not generalizing here... In this case I was specifically referring
to me, Paul, and Kenny.

I'm not going to address too much of the rest of this message, because
I've already admitted I was too tired and irritated when I wrote the
message this one was a response to. I don't want to get into a
name-shouting battle with anyone here. That's not the point of this
mailing list.

Most of the questions you raise are addressed in other messages in this
thread. However, you do bring up one that I specifically want to address,
because I hear it all the time:
> What do you mean by "connected to the outside world" anyways? I'm
> behind a firewall that is run by the sysadmins. My access to the
> outside world is severely limited by what the sysadmins here do.
Firewalls can be broken. Everyone seems to think that a firewall is a
security panacea. It ain't. When I say connected to the outside world,
I mean your network isn't in a closed room with no external connections.
If you're connected, you're vulnerable. Period.

And one more:
> : Engineers almost never really need the root
> : password to do their jobs.
>
> ...and I said that I used my root access several times per week. Most
The root password and root access ARE NOT THE SAME. You don't need the
root password, unless you routinely need to fix a broken system in single
user mode.
And finally:
> Please stop being so vague. Please specifically mention why I
> shouldn't have root access, and how, given my situation
> (above), somebody could make some special exploit based on the fact
> that I have root access to my own box.
Go read the books I mentioned. I can't possibly address that here. If
you still have no idea why you having the root password is a security
problem, then you really have a lot to learn about network security. I
can't possibly give that the treatment it requires in this forum.
I highly recommend you read the books I mentioned in a previous e-mail.
> Look, let's not get into an insult battle here.
I don't mean to insult you or anyone else. I have high regards for you
and everyone on this list. Everyone here has demonstrated that they are
very skilled at what they do. But not everyone knows a lot about
security. When I first started to read up on it, I was aghast. If you
haven't done security work, it's a whole different world from the one you
live in.
--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
[EMAIL PROTECTED] | [EMAIL PROTECTED]
------------------------------------------------------