From: David Brown on
On 03/06/2010 23:01, Keith Keller wrote:
> On 2010-06-03, David Brown<david.brown(a)hesbynett.removethisbit.no> wrote:
>> Keith Keller wrote:
>>>
>>> ...such as keeping up with security updates.
>>
>> Somebody has been living too long with Windows, and even then with the
>> myths perpetuated by "security" software vendors.
>
> You are reading *way* too much into my post. I did not say "install
> every single update that the vendor distributes". I mean more or less
> what you do: keep an eye on the updates that are issued, and install the
> ones you deem to be important. But if your distro no longer distributes
> security patches, you have to choose whether to give up on them
> altogether, patch the relevant software yourself, or upgrade/switch to a
> current distribution. Many people will choose the third option.
>

Perhaps I did read too much into your post. I guess it accidentally
triggered one of my pet hates - the myth that to keep a system secure
you need the latest software with the latest patches and updates on
everything, along with anti-virus, software firewalls, anti-spyware
programs, etc. I have spent far more time helping people who have had
problems with windows add-on "security" programs than I have spent
chasing down or removing malware.

Note also that if the system in question is not in a vulnerable position
(such as being accessible only from a secure network), then there is no
need for /any/ security patches. When there is no risk of attack,
effort spent on defence is wasted. I've got a couple of Linux servers
on our network that are more than 5 years old, and an NT 4.0 server.
They don't get updated or patched at all, because they are not vulnerable.

From: Keith Keller on
On 2010-06-04, David Brown <david(a)westcontrol.removethisbit.com> wrote:
>
> Perhaps I did read too much into your post. I guess it accidentally
> triggered one of my pet hates - the myth that to keep a system secure
> you need the latest software with the latest patches and updates on
> everything, along with anti-virus, software firewalls, anti-spyware
> programs, etc. I have spent far more time helping people who have had
> problems with windows add-on "security" programs than I have spent
> chasing down or removing malware.

I always thought Norton, Symantec, McAfee, et al. were malware. ;-)

I have had minimal contact with Windows for such a long time, I must
have gotten rid of the implicit assumption that one ''must'' keep the
system up to date all the time. I promise I didn't mean to set you off!

> Note also that if the system in question is not in a vulnerable position
> (such as being accessible only from a secure network), then there is no
> need for /any/ security patches.

How would you obtain them anyway? :)

This is probably 99% true. But if, for example, you have untrusted
users with local login privileges (or on the LAN), you might wish to
install patches for applicable exploits. One possible situation: you
run a compute cluster, and while the nodes are only accessible from the
head node, a user could submit a job to a node that (accidentally or
intentionally) tickles a hole in some subsystem on the node. I think
how paranoid to be will vary wildly by scenario.

> When there is no risk of attack,
> effort spent on defence is wasted.

Don't forget unintentional attacks! A user could very easily
unintentionally write code with a bug that happens to hit a problem
(beyond the obvious unintentional DoS ''attacks'' like eating all the
machine's memory).

> I've got a couple of Linux servers
> on our network that are more than 5 years old, and an NT 4.0 server.
> They don't get updated or patched at all, because they are not vulnerable.

I'm a firm believer in never believing that a particular system is
*completely* invulnerable. Let's say that their vulnerability is
negligible--greater than zero, but so small it's not worth any effort to
patch.

--keith

--
kkeller-usenet(a)wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

From: David Brown on
Keith Keller wrote:
> On 2010-06-04, David Brown <david(a)westcontrol.removethisbit.com> wrote:
>> Perhaps I did read too much into your post. I guess it accidentally
>> triggered one of my pet hates - the myth that to keep a system secure
>> you need the latest software with the latest patches and updates on
>> everything, along with anti-virus, software firewalls, anti-spyware
>> programs, etc. I have spent far more time helping people who have had
>> problems with windows add-on "security" programs than I have spent
>> chasing down or removing malware.
>
> I always thought Norton, Symantec, McAfee, et al. were malware. ;-)
>
> I have had minimal contact with Windows for such a long time, I must
> have gotten rid of the implicit assumption that one ''must'' keep the
> system up to date all the time. I promise I didn't mean to set you off!
>
>> Note also that if the system in question is not in a vulnerable position
>> (such as being accessible only from a secure network), then there is no
>> need for /any/ security patches.
>
> How would you obtain them anyway? :)
>
> This is probably 99% true. But if, for example, you have untrusted
> users with local login privileges (or on the LAN), you might wish to
> install patches for applicable exploits. One possible situation: you
> run a compute cluster, and while the nodes are only accessible from the
> head node, a user could submit a job to a node that (accidentally or
> intentionally) tickles a hole in some subsystem on the node. I think
> how paranoid to be will vary wildly by scenario.
>

I think if you have users like this, then your system is in a vulnerable
position, and then needs the extra effort to prevent exploits. Then
your level of paranoia should match the competence of the users, and the
likelihood of them intentionally doing something naughty.

>> When there is no risk of attack,
>> effort spent on defence is wasted.
>
> Don't forget unintentional attacks! A user could very easily
> unintentionally write code with a bug that happens to hit a problem
> (beyond the obvious unintentional DoS ''attacks'' like eating all the
> machine's memory).
>

I think the most common unintentional "attack" is loss of data because
someone deletes or overwrites the wrong file, and most of such "attacks"
are actually suicidal. But you are correct that you have to protect
against such problems (balancing the risk of them occurring, the
consequences of them, and the cost of protection).

Outside of this and the DoS's you mentioned, I think the risk of
accidentally triggering exploits is very low these days. If you are
worried about that sort of thing, virtual machines are cheap and give
very good protection - there are plenty of options.

>> I've got a couple of Linux servers
>> on our network that are more than 5 years old, and an NT 4.0 server.
>> They don't get updated or patched at all, because they are not vulnerable.
>
> I'm a firm believer in never believing that a particular system is
> *completely* invulnerable. Let's say that their vulnerability is
> negligible--greater than zero, but so small it's not worth any effort to
> patch.
>

I agree entirely with that - I was using lazy terms. I like to think
that once your computer is so secure that the biggest risk is someone
breaking into the building and stealing it, then there is little point
in putting more time or effort into securing it more.

Security is a process, not an absolute state of the system, and so is
vulnerability.

From: William Poaster on
Nico Kadel-Garcia wrote:

> On Jun 4, 11:56 am, RayLopez99 <raylope...(a)gmail.com> wrote:

<snip>

>> Just an update: I don't badmouth things unless they are usually
>> really bad, unless I'm just trolling, in which case anybody with half
>> a brain can figure out when that is.

Which is ALL the damn time.

>
> That's a "curses" based interface. They used to be quite common for
> the open source and free software tools on which Linux is based: it's
> still popular for software in very small Linux releases, or for boot
> installation systems. While it harkens back to the days of 2400 baud
> modems, it's a very lightweight way to do interfaces and I highly
> recommend it for small tasks, tasks that would only be burdened by
> having too many buttons and keys. It's also ridiculously stable: I
> recently ported some 15 year old code from an old UNIX to a modern
> Linux, and the curses material worked just fine. (There was one weird
> old bug, actually a bug in ncurses, but it was addressed with the next
> release.)

--
FreeBSD 8.0 64-bit
Kubuntu 10.04 64-bit
Mandriva 2010 64-bit