On Tuesday 19 September 2006 22:28, Omer Zak wrote:
> On Tue, 2006-09-19 at 18:28 +0300, Nadav Har'El wrote:
> > a
> > general Debian or Fedora system (with automatic updates, firewall, and
> > other things required to keep that secure) is a more sensible choice than
> > a home-grown everything-must-be-chrooted system.
>
> This is an argument in favor of monocultural system configuration.
> To be secure Hamakor's server should have sufficiently unorthodox
> configurations that if someone breaks into the system, it will be
> difficult for him to find his way in the system.
>

Omer, we had this discussion before on iglu-web:

http://www.mail-archive.com/iglu-web%40iglu.org.il/msg01367.html

Right now I'd like to note that there are two types of "security by 
obstacles":

1. Security by Hurdles - you create obstacles that are not impossible to 
overcome, just as a hurdle can be jumped over.

2. Security by Walls - you create obstacles that are impossible to overcome, 
just as it is impossible to jump over a whole.

As I noted, the problem with creating an unorthodox configuration is that 
people who are used to orthodox configurations will need to maintain it. And 
we may need to train newer administrators with this configuration. And being 
used to "orthodox" configurations, these people will make mistakes with the 
unorthodox configuration. And these mistakes can be destructive.

> If this means chrooting, then I am in favor of chrooting.
> If Debian or Fedora do not support this style of working, then it may be
> a good idea for the person maintaining the system to develop
> improvements to the packaging systems and offer them as patches.
>

Do you volunteer to maintain these patches? 

> I too want to differentiate my stock Debian Sarge installation and make
> it difficult for viruses, worms and Trojan horses to find their way around
> my system.
>                                    --- Omer

Regards,

        Shlomi Fish

---------------------------------------------------------------------
Shlomi Fish      [EMAIL PROTECTED]
Homepage:        http://www.shlomifish.org/

Chuck Norris wrote a complete Perl 6 implementation in a day but then
destroyed all evidence with his bare hands, so no one will know his secrets.
