Re: Secure Installation
From: Jack T Mudge III <jakykong(at)theanythingbox.com>
Date: Fri Aug 17 2007 - 18:04:42 EDT
The problem with these lies on 2 levels. The first is that all network traffic would have to somehow be routed through this application, which in Windows is no big deal as all that is already in place. But we haven't installed that infrastructure, so it would be tougher to get that running in the first place. This is not a primary concern regarding the firewall, but it is an issue if we do eventually decide to integrate a firewall like that.

The second problem is what I pointed out earlier about Microsoft's "firewall" -- users are pacified by it. If it's there, they get the message, they have "ok", and "cancel", what does the average user do? The average user assumes the firewall will protect them no matter what they do, so they click the "ok" button and get on with what they are doing.

The greatest security hole in any system is the user. You can plug every other hole there is, and still have break-ins because users haven't been trained properly. There is no way to secure a system used by uninformed users. A firewall is only one more thing the user can foul up.

Linux (and Debian especially) is inherently more secure than Windows in one regard, firewall or not: we can all contribute to it. The only people contributing anything to Windows are either Microsoft, contributing bugs; or proprietary software companies, contributing proprietary software. This made a sink-hole where the user really doesn't know what's going on in the background, can't find out, and can't fix it even if they could find out. What more could the programmer of a trojan horse (IMO a bigger threat than anything a firewall will protect us from) ask for, than a user who completely trusts binary-only distributions?

We're sitting here discussing specific ways Debian operates and how we can fix it. Who can do that in Windows? That in itself makes Debian more secure.
--
Sincerely, Jack
jakykong@theanythingbox.com

My GPG Public Key can be found at: https://www.theanythingbox.com/pgp.htm (top link is current)

I appreciate signatures, but if you only know me online, please use the --lsign-key, not the --sign-key. I appreciate trust -- but too much makes it less valuable.
This archive was generated by hypermail 2.1.8 : Sun Oct 07 2007 - 07:52:48 EDT