Hi, On 05-Oct-00 Thomas Michael Wanka wrote:
Hi,
to Kurt: security and end users do not fit well together. To keep a system somewhat secure you need to know your system; making updates as described by you will lead to more insecure systems in the end, as end users will no longer call a technician but do it themselves without knowing whether or not their systems are secure anyway. In general there are different security needs, and always updating a complete set of all known vulnerabilities is definitely a waste of bandwidth. Why update sendmail when using qmail, or wuftpd when using proftpd, ...?
Totally agreed. Mass updates in Microsoft style, where one has to download some 100 MBs of service packs, are nonsense. From a security admin's view it is nonsense, too, to upgrade packages just because there's a new version out; if you don't need the new features or if there are no serious bugfixes or plugged security holes, updating is just a (possibly dangerous) waste of time.
What I wanted to see (I know that will be absolutely irrelevant for most) was an "I" or "X" flag on announcements, preferably in the subject, indicating a vulnerability to attacks from an internal or external source. (I do not care about vulnerabilities from internal users, either for the lack of them or their lack of knowledge.)
I am not convinced that such flags would be a good idea. It may lead people to think that their systems without shell accounts (but with smtp, pop3 and/or ssh) are perfectly safe if they keep their "external" packages up to date. If their freshly updated wuftpd turns out to be buggy, black hats may gain access and happily root the machine by exploiting "internal" packages and their occasional vulnerabilities which have never been fixed properly. Personally I do not trust anyone interacting with my hosts, even less if it is an internal user. According to my experience, 10 to 20% of security breaches are committed by internal or "trusted" users; "the enemy lies within"! ;-)

Boris
---