On Sep 15, 2005, at 1:11 PM, Gabriel Sechan wrote:

Yes, I'm a programmer. But did you RTA? That section wasn't about ports and network traffic, but about virus checkers, spyware preventers, etc. The point was that nothing should *run* on the computer unless it was pre-authorized. Then we wouldn't need the above. Sure, it's one hell of a lot more secure, but it has a huge negative impact on productivity. I'd say (and think most would agree) that the negative impact on productivity outweighs the positive on security. On the other hand, for external requests through the firewall I can understand your point (but wait, here comes SOAP and tunneling everything over port 80 to screw it all up anyway).


All the world is as I see it.  All decisions are black and white.

You don't honestly believe that if we all had systems which allowed the "default deny" policy on code execution, that sysadmins would insist that everything be pre-authorized on *developer* systems, do you? :)

I mean, really, let's give some credit to us sysadmins who know that people need to get work done. Simply agree that certain systems require exemptions of the "anything can run on this system" or "anything contained in this sandbox can run" variety.

Nothing in life is one-size-fits-all. Especially things like system/network security policies. It just doesn't work.

Gregory

--
Gregory K. Ruiz-Ade <[EMAIL PROTECTED]>
OpenPGP Key ID: EAF4844B  keyserver: pgpkeys.mit.edu


