[ Date Index ] [ Thread Index ] [ <= Previous by date / thread ] [ Next by date / thread => ]
On Wednesday 04 July 2007 23:01, Simon Waters wrote: > Tom Potts wrote: > > I'm afraid the above notes list to a large degree why computing has > > ground to a halt over the last few years. M$ has been selling the lie > > that computing can be made easy - it cant! You cant make something easy > > to use, useable and secure. > > I disagree strongly to this. Consider locks, there are various different > types of locks in common usage on peoples front doors, which vary widely > in security, and hardly at all in ease of use, I don't see how something > being on a computer suddenly changes this. > > You might be right in the practical question of much of modern computing > is built in a slapdash fashion (all cheap Yale locks), but I don't think > there is a fundamental reason why usability and security should clash. > > Those who think security is in opposition to ease of use, are I think > simply wrong. In most instances they are orthogonal, and in many > instances ease of use is necessary to ensure a system remains secure. In order to make a system secure it must be locked down from the very start. In order to make it easy to use it must be unlocked from the very start. In order to achieve true security and ease of use you need to discuss ownership of resources and distribution of rights. If you've ever tried to put in an erp system you will know that this is not a simple matter. > > > Default username/passwords are a must in this environment as otherwise > > there would be thousands of inaccessible boxes everywhere! > > I don't understand this at all > The only security you have is physical - I don't care what password you have on your Cisco box because if I can get to it I can replicate it and swap it out with one of my own. If I cant get to it I shouldn't be able to take control of it. OK if you need to reconfigure it on a regular basis then have a SECURE connection to it that can only be accessed. But this should not be network wide - you don't want to try and control a piece of equipment from a windows machine that might have a key logger on it. In other words it doesn't really matter what the password is - that should be the LAST thing you worry about security wise. > Some common ADSL routers do insist you set an admin password on > installation (as does Oracle these days), as does Debian and most other > distros. These boxes aren't suddenly inaccessible because of this. So do you write your password down (insecure) or do you memorise it and die? My ADSL router doesn't allow control from the WAN side (unless I tell it which restricted IP's can.) - so the only way to control it is from the internal network. If they've got access my password could take 400million years to crack and still be useless. > > Setting unique security credentials on installation is a sensible model, > that can be easier to use than a default username/password, since you( > don't even need to look in the manual to discover what the default is > when you first configure the device. Now where did I write that down..or is it an office wide generic so you have to change everthing every week? > > > Secure web browsing is a nice idea but at some time there will be a power > > cut and you will loose all your bookmarks and most people will grind to a > > halt then. > > I think the security folk would argue all you need is a channel from the > browser to a permanent storage for bookmarks. can you guarantee thats safe? Looks like a good target to hack to me - maybe I can set a bookmark from a piece of javascript if your securities a bit off so when you go to a certain page I've got control! Anyway as IT you've much better things to do with your time than micro-manage browsers... > The problem is our > computer models allow the browser to write all sorts of things to disk > in all sorts of places, rather than what the programmer expected. Which > is where models like SELinux come in, or "contract models", where that > which is allowed is made explicit in advance. Most linux allow you to create users that cannot 'seriously' affect the larger system. If they go bad you delete them. Or you can lock them up tighter. Has anyone heard of a linux system being compromised through the browser? > > I don't think losing bookmarks will cause most people to grind to a > halt, although they might do more random surfing and less work, I don't > see that as a problem. No but I bet your boss will - he'll have that at home and his dick will fall off if he doesn't have it in the office. And he's just computer savvy enough to be a complete menace and can get you overridden in meetings. > Now if it was Google that was missing... Most companies I've worked for restrict Google to a few 'managers' to prevent the real workers getting distracted. Once the word gets out about Google cache..... You can have faux security which will keep the managers happy or you can have a 'real' approach to security which will mean everything is shutdown for all users unless specifically allowed. This will inevitably be LDAP or similar (oh thats too complicated - ie it fits the bill perfectly - we cant be bothered with that) and can mean it can take several days for a user/worker to gain access to a resource as the owners are missing. But this also requires Organisation from Management and thats an oxymoron in most of the UK as far as I can tell. Tom te tom te tom -- The Mailing List for the Devon & Cornwall LUG http://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html