On Wed, 25 Apr 2001, Paul Lussier said:
pll> From: Paul Lussier <[EMAIL PROTECTED]>
pll> To: David Roberts <[EMAIL PROTECTED]>
pll> Cc: Greg Kettmann <[EMAIL PROTECTED]>, GNHLUG <[EMAIL PROTECTED]>
pll> Date: Wed, 25 Apr 2001 16:19:46 -0400
pll> Subject: Re: My Firewall Breach. A concern.
pll>
pll>
pll> In a message dated: Wed, 25 Apr 2001 14:56:10 EDT
pll> David Roberts said:
pll>
pll> >Paul - I agree, but not totally.
pll> >
pll> >Everyone keeps saying it is the user's responsibility to harden their
pll> >system and I agree, up to a point. We (the Linux community in general)
pll> >have also been a little too enthusiastic about moving people to use Linux
pll> >and too little enthusiastic about mentioning security and other issues
pll> >(although you did mention studying and an exam).
pll>
pll> Well, let me ask this. Does a Corvette or Ferrari owner's group warn
pll> you about going 180 on the highway?
No. But do the owner's manuals tell the differences of driving a rear-wheel
drive vs a front-wheel drive? You know the driving basics, but you get
into a little ice or snow and the differences will kill you. Does the
driver know to ask about the handling differences? Some do, some don't.
It depends on what they may have learned from previous sources.
pll>
pll> There's a certain amount of self-education that should be performed
pll> under "due diligence" here. If you purchase a chainsaw and
pll> accidentally cut off your leg because the saw bucked when the end
pll> of the bar hit the wood, is that the manufacturer's fault for making
pll> too powerful a saw, or your fault because you didn't read the manual?
pll>
No, but most user's manuals, as I think you stated elsewhere but I deleted,
are written with language that most 3rd graders could understand (commonly
used words, simple examples, and HUGE warning signs about what NOT to do -
I used to be a small engine mechanic so I've seen 'em). If the RedHat (or
whoever) manual stated "DO NOT CONNECT TO ANY NETWORK BEFORE PROPERLY
CONFIGURING SECURITY" and gave examples it would be different. The
chainsaw manual tells you about gas/oil mixtures, proper startup
procedures, cutting stances, hardhats, glasses, gloves, chain sharpening,
raker filing, etc... BUT the Install Manual for Linux (to my recollection)
says very little about hardening a system, but does give enough to get you
connected to the network before you should be online though (this may be
way off though as my images were mostly "bootleg" CDs lately...).

While I agree with the idea that experienced users and users subscribed to
the list should know enough to at least be aware of the dangers, there are
the corner cases though, and that is what I was talking about:

  - new person who has heard all the Linux compliments, who goes to C-USA
    and grabs a copy of Red Hat, reads/understands enough to install
        or
    goes to an install fest and has Linux installed for them (not my idea
    of learning, but that's the way it goes sometimes)
  - a person somewhat familiar with Unix, but has not dealt with networking
    issues on their own yet

Each may NOT have a grasp yet of the terminology, much less the practices,
it takes to stay safe. And a user (M$, VMS, ...) who is used to being led
by the hand, will NOT find a lot of the man pages and FAQs particularly
helpful as they often make a lot of assumptions about a person's knowledge.

The very fact we do see repeated problems within the list points to (IMHO)
one of:

  - old user, LAZY/STUPID
  - new or moderately experienced user who is new (to some degree) to
    networking, and while trying to grasp the concepts, didn't catch on
    before they were cracked

In the first category I have little sympathy, but in the second category
my contempt is a bit tempered. The user may not have even known enough to
ask the right questions. Ignorance may be bliss, but it is also highly
deceiving. The user could have been on the right track (just shouldn't
have connected to the 'net yet).

I've rambled enough - damn allergy medicines. Good thing all I have is an
ISO audit tomorrow...
[... snip...]
pll>
pll> You do mean 19:00 *TONIGHT*, right?
pll>
Great - I knew I shouldn't have taken those allergy meds...! This commute
back up RT-3 is going to be a real trip! ;)
dlr
--
"The day Microsoft makes a product that doesn't suck is the day they start
making vacuum cleaners." -- As seen on the 'net