Totally agreed. Mass updates in Microsoft style where one has to download some 100 MBs of service packs is nonsense. From a security admin's view it is nonsense, too, to upgrade packages just because there's a new version out; if you don't need the new features or if there are no serious bugfixes or plugged security holes, updating is just a (possibly dangerous) waste of time.
[snipsnip]
I am not convinced that such flags would be a good idea. It may lead people to think that their systems without shell accounts (but with smtp, pop3 and/or ssh) are perfectly safe if they keep their "external" packages up to date. If their freshly updated wuftpd turns out to be buggy, black hats may gain access and happily root the machine by exploiting "internal" packages and their occasional vulnerabilities which have never been fixed properly.
Personally I do not trust anyone interacting with my hosts, even less if it is an internal user. According to my experiences there's a percentage of 10 to 20% of security breaches committed by internal or "trusted" users; "the enemy lies within"! ;-)
Also there are many problems (like in POP, ftp for example) where a user account is required to exploit it, making it an "internal" threat. There is a huge difference between an anonymous ftp exploit, and one requiring a user account.
You will find that as your perimeter security gets better (firewalls, anti virus, intrusion detection, etc.) the percentage of attacks originating from within will grow =). I'm just gonna quote an article I'm writing cause I'm lazy:
Security is a holistic practice, you can't just plug one hole and expect all your problems to be solved. No matter how perfect a technological solution you use (encryption, firewalls, etc.) as long as there are humans involved mistakes can be made, and people you thought you could trust turn out to be hostile in intent.
Boris
-Kurt