Security Portal: Why do vendors ship us junk they wouldn't use? Part II

Jul 12, 2000, 19:17
"Wow, the previous article generated a lot of feedback, which is nice. This implies that this is something people are concerned about, and it should be addressed a bit more. Some people also brought up issues I didn't cover, and I will admit I didn't cover the solutions as thoroughly as I should have. Feedback ranged from "Excellent article" to "You're not being realistic, we can't get rid of X". In addition, I made one small error, saying that Mandrake defaults to installing Postfix - I checked mail.linux-mandrake.com, and it replies with Sendmail banners. In retrospect, I see that it claims to be an old version with known holes, so I suspect the banner is false and put there to confuse attackers...."

"There is also a lot of controversy over whether to enable things by default or not. There are basically two arguments:"

"Don't enable things by default; make users turn them on. This is a lot safer, and generally speaking users will notice much faster that things are turned off, than they will notice that they are turned on (if NFS is running, most home users will not notice it, nor will they use it)."

"Or, enable things by default and make life easier for users. This will generate fewer complaints ("NFS is broken!" - "No it's not, you just have to turn it on!"). This is generally what most vendors do (for example, Sun and IRIX, with their love of RPC-based services)."

