|P is for Practical|
Re: Stay aware of securityby arhuman (Vicar)
|on Mar 15, 2001 at 19:44 UTC||Need Help??|
I totally agree with you when you say that we must be security aware.
However, I real life you just CAN'T always setup the adequate security level.
I mean security is almost always a tradeoff for ease of use...
Of course you can recompile your kernel adding various security patches, audit your sources, log everything on your box,
changes your password to a random one every week (and Remember it), disable all unused ports,
set up a tcpwrapper AND a firewall, use secure protocol (ssh, IMAP(?)) and forbid the insecure ones (telnet, ftp...),
you can spend 2 hours a day browsing for security holes on vulnerability lists and patching all your proggies to new versions...
But will it be necessary for single user box, with no sensitive data and connected few hours a day to the net ?
Even if some of you scream 'YES' the answer is 'no' (mainly beccause of the hours lost in the patching/upgrading work ;-)
Security must be adapted to the level of security you NEED.
Enhance the security where it's necessary (or at least where it's the most efficient).
Don't ge me wrong ! in a perfect world (where I would get paid to do it full time with skillfull user accepting the drawbacks)
the 'everything should be secure' policy would be fine.
Sadly, My boss think my job is to code as much as I can, and allow me almost no time to administer 5 servers and several workstations.
My users say SCP is too complex and that they WANT to use their (unsecure) AceFTP client.
So in this world I have to carefully use the few time I have to enhance the security with a maximum efficiency (with the little time/resource I have).
So IMHO, even If you must be always security aware, there are some things that you can't afford to do.
It remembers me the (Merlyn?) 10/10 rules about 'use strict' stating that any script with more than 10 lines
or running more than 10 times should be using use strict.
We should always use the strict pragmata, but we can't afford it for simple case...
Have you ever wonder why there are so few b1 compliant computers ?
It's only beccause REAL security make the use of a computer REALLY horrible.
So even if it's not so clear, here is my message :
Be security aware, especially beccause you CAN'T reach true security, and try to make things as secure AND easy AS YOU CAN.
"Trying to be a SMART lamer" (thanx to Merlyn ;-)