Mailinglist Archive: opensuse-factory (564 mails)

Re: [opensuse-factory] Re: [opensuse-kernel] debugfs mounted by default - necessary?
On Tue, Dec 06, 2011 at 07:20:54PM -0300, Cristian Rodríguez wrote:
> On 06/12/11 16:10, Brian K. White wrote:
>
>> Having a lot of stuff exposed and believing that it's all ok is
>> fundamentally less secure than not exposing anything in the first place.
>
> isn't that essentially "security through obscurity" (aka, path to fail?)

What Brian suggested isn't security by obscurity. It's a simple and
passive approach.

To me he illustrated it well with running but not needed services. Each
non-listening port can't cause a risk, never can be exploited.

It's quite obvious that enabled/running services are subject to the
well known secure coding rules. This includes reviews as they are
performed for example by the SUSE security team.

From the rules how the security team values incidents - is a service
started by default, does it listen on external interfaces, is it run as
non-root user, inside of a chroot - Marcus' arguments sound quite well.

Lars
--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany