Subject: Re: [suse-security] Suggestion to the SuSE security people
From: bololupa.de
Date: Thu Oct 05 2000 - 04:40:16 CDT


Hi,

On 05-Oct-00 Thomas Michael Wanka wrote:
> Hi,
>
> to Kurt: security and endusers do not fit well together. To keep a
> system somewhat secure you need to know your system, making
> updates as described by you will lead to more unsecure systems in
> the end as endusers will no longer call a technician but do it
> themselves without knowing whether or not their systems are secure
> anyway.
> In general there are different security needs, and always updating a
> complete set of all known vulnerabilities is definitely a waste of
> bandwidth. Why update sendmail when using qmail, or wuftpd when
> using proftpd, ....

Totally agreed. Mass updates in Microsoft style where one has to download some
100 MBs of service packs is nonsense. From a security admin's view it is
nonsense, too, to upgrade packages just because there's a new version out; if
you don't need the new features or if there are no serious bugfixes or plugged
security holes, updating is just a (possibly dangerous) waste of time.

> What I wanted to see (I know that will be absolutely irrelevant for
> most) was an "I" or "X" flag to announcements, preferred in the
> subject, indicating a vulnerability to attacks from internal or external
> source. (I do not care about vulnerabilities from internal users, either
> for the lack of them or their lack of knowledge)

I am not convinced that such flags would be a good idea. It may lead people to
think that their systems without shell accounts (but with smtp, pop3 and/or
ssh) are perfectly safe if they keep their "external" packages up to date. If
their freshly updated wuftpd turns out to be buggy, black hats may gain access
and happily root the machine by exploiting "internal" packages and their
occasional vulnerabilities which have never been fixed properly.

Personally I do not trust anyone interacting with my hosts, even less if it is
an internal user. According to my experiences there's a percentage of 10 to 20%
of security breaches committed by internal or "trusted" users; "the enemy lies
within"! ;-)

Boris
