In a message dated: Thu, 22 Jun 2000 12:39:10 EDT
"Kevin D. Clark" said:

>Please stop with these vague assertions.  Please tell me in concrete
>terms what kind of security problems I'm going to run into if:
>
>     o  I have root access to my machine.
>     o  I'm getting work done and making money for the company.
>     o  My machine is on the regular network, not in some lab.
>     o  I'm behind a firewall that is supposedly impregnable,
>        since, after all, it is run by sysadmins like yourself.
>     o  I am very careful with my root access.  I always use SSH, I
>        have no trust relationships with any other system (no .rhosts
>        files, etc.), I don't give out my root password to people I
>        don't completely trust, I always verify sources before I
>        install third-party software. 
>     o  I always lock my machine when I leave, even for 20 seconds.
>     o  Most of the interesting intellectual property that I deal with
>        doesn't even reside on my box, but instead resides upon
>        servers that are run by IT (source code, design documents, etc).
>     
>Please stop being so vague.  Please specifically mention why I
>shouldn't have root access, and how, given my situation
>(above), somebody could make some special exploit based on the fact
>that I have root access to my own box.

I've already mentioned most of them but the concerns are with you, trustworthy 
Kevin. The problem is how do we know you're trustworthy?  And if we give the 
access to you, how can we not give it to others?  And I wouldn't consider 
screen locking secure.  If you have a root session logged in behind that 
screen saver, and I have either sniffed your password off the network or 
cracked the NIS password file to obtain it, the screen lock may as well not be 
there.  The point isn't whether or not the data is actually local to your 
machine, but that your machine is compromised and can be then used with root 
privileges to attack other more secure machines.
                 

>I know what I can do as root and I take the responsibility seriously.

You're one person, how many work there?  Are they all as good as you?  And how 
are we supposed to know that?
-- 
Seeya,
Paul
----
        "I always explain our company via interpretive dance.
             I meet lots of interesting people that way."
                                          Niall Kavanagh, 10 April, 2000

         If you're not having fun, you're not doing it right!


