On Wed, Apr 20, 2005 at 11:50:27AM -0700, Rachel Garrett wrote:
> On 4/20/05, Stewart Stremler <[EMAIL PROTECTED]> wrote:
> >
> > It's that the target market for Linspire
> > (aka Lindows) are those of unwashed masses who are going to use the machine
> > in a single-user frame of mind. And whats-his-face's assertion that there
> > is no security problem in that case is distressingly hard to refute.
>
> I am confused. If these single-user systems get attacked and
> compromised while they're running as root, the attacker can do a lot
> more to the system than if the person was running as something other
> than root. E.g., the attacker can hide the fact that the system has
> been compromised, which is much more difficult to do without root
> access. This has been pointed out here more than once. Why is this
> *not* a refutation of the idea that there's no security problem
> running as root in a single-user system?
>
> --Rachel

I think some of the people who argue these things lose sight of the practical. For example, I know that the FBI or a competent locksmith could pick the lock on my front door, but I lock it anyway and consider that sufficient security for my needs. This is because my imperfect lock offers sufficient discouragement for 99.999% of the people who I believe might try to enter my house for bad purposes. I also believe that 99.999% of them would leave evidence of a break-in when circumventing my present locks.

Likewise, I understand that there are people skillful enough to penetrate my firewall and own my Linux systems in my house w/o console access (I can root any Linux box from the console, and so can you). I'm not sure how, but I've been told it's true by people who should know what they're doing. I also realize that it would be beyond my skill level and price range to prevent this. So I take what I think are reasonable precautions to force the thieves to go elsewhere. I try not to be low-hanging fruit.

My concern about Lindows (or whatever the kids are calling it now) is that it hangs the fruit way low and doesn't attempt to even educate the new buyers that there could be problems. When I read the comments of what's-his-name, the former MP3 and present Lindows guy, I come away convinced that he is personally clueless. Not the end of the world for a business type, but in this case, both clueless and unwilling to listen to others. Bad combination.

So IMO Lindows will end up adding to the already overpopulated pool of machines that will be rooted by spammers etc. And even though Stewart and jhriv and Tracy and probably a few others we could name could crack our boxes, you and I will not be rooted because we do a few simple things, like having a basic firewall, not using passwords in the clear over untrusted lines, and not running as root except when we have a rooty thing to do.

Like install an update to ssh ;-)

--
Lan Barnes [EMAIL PROTECTED]
Linux Guy, SCM Specialist 858-354-0616
