On 12/7/2011 1:44 PM, Linda Walsh wrote:
Cristian Rodríguez wrote:
On 07/12/11 10:49, Marcus Meissner wrote:
"principle of least privilege" is probably the better wording.
Which usually becomes the "principle of least possible usability" :-(
---- Bingo.
Principle of least privilege is great for systems designed to constrain and control users. You want to keep users under your thumb and allow them nothing unless they need it. That's how the US government is becoming...
The alternative is 'freedom' -- and educating users how to responsibly use that freedom. But in doing that -- you create users with more 'self power' -- not good if you are trying to center/gather power at the top.
The US was built in an attempt to create a shared and distributed, on the idea that it would grow best by giving local authorities carte blanche except in key areas needed to be controlled by the central authority.
Unix was created in the same spirit -- to enable people, not to control them (look to VMS/IBM for those OS's). Those controlling OS's are all but dead, and the innovation coming from those under those systems is likely VERY different from the level of innovation of someone developing on an open platform.
In short: a desire for a 'controlled/controlling' system to be the 'default' is a reflection of wanting to dominate and control users -- which will lead to lower productivity (which has happened in the US as more freedoms were taken by the government (and made illegal); the US's economy has suffered -- instead of finding fulfillment through work and acquiring new knowledge, people are encouraged to have fun in beer, football, and playing politics to see who can become the most powerful (at the expense of the rest of the players)).
Linux/Unix is designed to be open, as it was designed to be LEARNED from. We don't want to hide things by *default* ... (which says nothing about making it have the ability to be configured 'closed' -- flexibility and configurability are good things). But the default configuration going out to users should be 'open' and transparent. And importantly -- an open source allows end users to discover flaws and more quickly fix them and/or work around them, vs. closed source OS's like *R*X, that had 10's of thousands of bugs filed against it (many from internal people). But policy was to only fix those bugs when a paying customer found them.
The most secure system is one that is open and transparent -- where everyone can see the security code -- but even knowing the formulae, doesn't give them access, or benefit, as the algorithms create authentication tokens on the fly that are not decipherable/decryptable in any useful time period.
I.e. it's security through good design, vs. security through obscurity -- and yes, a closed up system is a form of security through obscurity.... you may not be hiding passwords in the code, but you are hiding algorithms in the code, that, in well designed ones, don't give you any advantage. Their advantage is in the algorithm, not whether or not the algorithm is known.
Please think about that Marcus. I'm 100% with you in having the *options* for strong hardening present, but don't think they should be the default... it's not the right mindset for the space, IMO....
-linda
This isn't about freedom. This is simple robust design vs cross-your-fingers-and-pray design. Yet another analogy that uses already accepted wisdom to make the point that should never have been up for debate in the first place: This is approximately the same thing as why "you just do not log in as root for day to day use". You log in as root only when you need to for some specific reason; the rest of the time you operate as a user with vastly reduced privileges. The reasons why are well explained many times over to every new unix admin, and Windows too for that matter, and the theory is beyond any doubt or debate.

This has nothing to do with freedom. Please do not try to warp the conversation with emotional misdirection. The ludicrous extreme examples like "turn the machine off and it's even safer" are likewise invalid attempts at misdirection. The electricity is actually a necessary function for most users by default. The fact that the machine is running and does anything at all is a necessary function for most users by default. No one has yet shown that debugfs is a necessary function for most users by default. Can you not view a web page, play an mp3, edit a document, send an email, without debugfs?

I'm not actually saying debugfs is necessarily so horrible, but so far the arguments presented here against the OP's questioning of it being enabled by default for everyone have been stupid and invalid and have missed the core point of robust design in general, let alone in the security context.

-- 
bkw