Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)

2002-04-23 Thread Garance A Drosihn

At 2:37 PM -0400 4/23/02, Robert Watson wrote:
Here I'll disagree with you: we make a concerted effort to
produce a system that is safe to use.  This involves a number
of things, and it doesn't just mean security fixes.  I would
argue that we have a moral obligation to do so.

I agree that there is this obligation.  I also observe that
the internet is unquestionably getting to be a more hostile
place, and we have to adapt the system to stand up to that
hostility.

Let me claim that it is fact that we will have to make changes
to the default system configuration, and that we will also have
to make changes to the preferred system configurations when
someone is just upgrading.  I recognize that some people
disagree with that (particularly the second half), but let me
claim that for the moment.

I think an important component of any such change is making
sure the right people find out what changed, and that they
get this information when they *need* it, and not as part of
some 20,000 line README file which we know no one will read
because it's too damn big.

In the case of the sshd change, the change was simply wrong
and should be fixed.  Just MO...   :-)

In the case of the 'startx -listen_tcp' option, is there
something we could set up so a person who *wanted* the former
behavior is given quick notification of exactly why things
suddenly stopped working?  Note that the person who runs
into the problem is not necessarily the same person who did
the system upgrade.  I think it's doable, if we just took the
attitude that it needed to be done.

Some of these changes catch me off guard too, and most of the
time it is not the change itself which bothers me, it's the
six hours I spent trying to find out why something stopped
working.  (a six-hour period which may not start until a week
or two after the system upgrade...)  I think that's the part
we need to improve on.

-- 
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-hackers in the body of the message

Re: Security through obscurity? (was: ssh + compiled-in SKEY support considered harmful?)

2002-04-23 Thread Garance A Drosihn

At 8:44 AM +0930 4/24/02, Greg 'groggy' Lehey wrote:
On Tuesday, 23 April 2002 at 12:06:01 +0200, Jochem Kossen wrote:
   *shrug* I was the one who sent in the patch. It was added
   some time around 2001/10/26 to the XFree86-4 megaport. When
   the metaport was created, the patch was incorporated too.
  
   A simple 'man startx' should have cleared your mind:

   Well, yes.  But I've been using X for 11 years.  Why should I
   have to read the man page to find changes?

I think the first thing we need to do, before we get too worked
up, is stop talking to Jochem about it.  All he did was send in
a PR with a suggestion.  He's not responsible for the change
being committed into the system.


   How do I know which man page to read?

   You start X with startx, seems obvious to me. The disabling
   of tcp connections only applies to startx

I don't stay with startx.  Next I go to xinit, then to Xwrapper,
then to X.  All of these work fine.  When I try to start an xterm,
nothing happens.

This is where we (the freebsd project) need to take a bit more
time when we are making a change like this.  I think it makes
little difference whether we document the change in UPGRADING,
or man pages, or heads up on the mailing lists, or errata.html
pages on the web site.  There will always be some people who are
not going to see documentation like that, because it's too far
out of the way of what they are doing.

What we need, in this case, is something which gives the user
the information when they do that *xterm* -- i.e., at the time
of failure, to the person who is seeing the failure.

For the case of 'startx -listen_tcp', this might suggest that
if a person uses startx without -listen_tcp, then startx should
(one way or another) start some process which *does* listen for
an incoming connection, and does nothing but tell the user
(one way or another...) when that connection comes in.

Yes, that's a bit of work.  However, it is also a bit of work
when someone (like Greg) wastes six hours of a day trying to
understand why something broke.  That's a very frustrating
six hours of work, and it's also very useless.  His six hours
of work won't help anyone else when they have to track down
the same issue.

A simpler solution might be to at least have startx print out
a message (somewhere) which mentions the change when it is
started up.  Maybe print it out only once per userid.

I realize that I am being a little vague with these suggestions,
but I don't use X all that much, so I'm not sure what the best
idea would be.  But I do think it is reasonable for FreeBSD to
make changes like this, and I do think that *if* we make changes
like this then we need to think about how we can best get info
about the change to all the people who really *are* affected by
the change, and get the info to them when they need it.

-- 
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]
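The "print a message once per userid" idea from the message above, as an added example sketch (not code from the thread or from the FreeBSD startx script). It assumes a hypothetical wrapper placed in front of the real startx, a per-user stamp file under $STARTX_NOTICE_DIR (defaulting to $HOME), and the real startx path in $REAL_STARTX.

```shell
#!/bin/sh
# Added example: a startx front-end that warns, once per user, that the X server
# no longer accepts TCP connections unless -listen_tcp is given.
# STARTX_NOTICE_DIR, REAL_STARTX and the stamp file name are assumptions for this example.

# Return 0 if -listen_tcp appears anywhere in the argument list, else 1.
has_listen_tcp() {
    for arg in "$@"; do
        [ "$arg" = "-listen_tcp" ] && return 0
    done
    return 1
}

# Print the notice the first time this user runs without -listen_tcp, then
# record that in a stamp file so later runs stay quiet.
# Returns 0 when the notice was printed, 1 when the user had already seen it.
notify_once() {
    stamp="${STARTX_NOTICE_DIR:-$HOME}/.startx-listen-tcp.notified"
    if [ -e "$stamp" ]; then
        return 1
    fi
    cat >&2 <<'EOF'
NOTE: startx no longer lets the X server accept TCP connections by default.
Clients on other hosts (for example a remote xterm) will fail to connect
until you run 'startx -listen_tcp'.  See startx(1) for details.
EOF
    : > "$stamp"
    return 0
}

# Wrapper entry point: warn once when -listen_tcp is absent, then hand off
# to the real startx with the original arguments untouched.
startx_wrapper() {
    if ! has_listen_tcp "$@"; then
        notify_once || true
    fi
    exec "${REAL_STARTX:-/usr/X11R6/bin/startx}" "$@"
}
```

The stamp file is the only state; removing it re-arms the notice for that user, which is the same "once per userid" behaviour the message asks for.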
