-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 19 Jan 2002, Rodd Ahrenstorff wrote:
> On Saturday 19 January 2002 10:47 pm, you wrote:
> > Actually I would rather hope AOL would alter the Red Hat build into
> > something that isn't so exploit friendly.
>
> What makes the Red Hat build so exploit friendly anyway (compared to other
> distros)..the newbie asks?

The problem isn't unique to Red Hat. To hear the honeynet folks, the
average lifespan of an un-patched Ret Hat 6.2 machine is 72 hours. Other
similar packages are also short lived. The problem is security unconscious
configuration and no particular emphasis on auditing. Red Hat may have a
vested interest in keeping their build in it's current configuration since
it is friendlier to the hobbyist. AOL has more of an interest in locking
down the system so that j-random cracker can't break their subscriber's
machine. AOL's fixes would probably include: automated patching of the
AOL-OS (this already happens to the AOL client), less system privileges to
the user, less non-home user stuff installed.

This just means that the cd probably wouldn't include any network
accessible daemons like apache, sshd, or ftpd. The current configurations
where scads of software are just shoved onto the hard drive is almost an
invitation for something to go wrong. When I said 'exploit of the week',
it's important to note that these aren't all in the same packages. If the
installer has already included all sorts of extra stuff then there is a
greater chance that the next vunerability will be impactful. This is
aggravated by some installer's prediliction for using webmin and other
network accessible administration tools. Heck, I recall LinuxConf had it's
own network stuff going on too. That's just excessive and doesn't belong
on in AOL-OS.

I would propose that AOL could do the home users a *service* by selling
them their online subscription and creating a whole client UI. That UI
should handle all the AOL client work in addition to some office apps and
the configuration panels. In essense, if AOL made AOL-OS it would be
*dirt*easy* to work with. It might be a tinkertoy of an OS but it would be
easy.

> >As long as the various Linux/GNU system exploits keep coming it makes the
> > environment undesirable for non-hobbiest/corporate settings.
>
> My point exactly.  Linux, with all it's security measures, still seems to
> have it's share of problems.  I often see the term on this list; " security
> is a process not a product".  But the average public seems to think Linux
> "the product" is more secure than Windows "the product".  Am I wrong here?
> The idea of a process completely eludes most new Linux users.  Considering
> the complexity of security measures, can the average desktop (home) user
> really be expected to provide the level of expertise necessary to secure
> his/her own PC?  People at home rely on security products, and companies
> continue to serve them.  The idea that security is a process and not a
> product is not at the forefront of a home users concerns.  They will look to
> products like Norton or Zone Alarm for protection.  Even though they may
> mistake the level of protection offered.  In the end, I really don't think
> most new users of Linux will embrace the idea of "security as a process".
> They expect the OS to be secure.  And that expectation should be fulfilled as
> much as possible.  Please not that I do believe security is an ongoing
> process and not a product solution...but thats my two cents.
>
> Heck, half the people on AOL seem to think IT is the Internet!

I think that it is possible to build a reasonably secure client OS
(AOL-OS) by implementing automatic patching, installing less stuff and
configuring it tighter. If you make a Playskool UI then you don't have to
worry about all the other things that RH (and others) install. Just remove
it and it's headaches.

Josh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (OpenBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE8SorDfexLsowstzcRAuhZAJoDrmJu/gmeTSeYEc8DNHYKbaD2UQCdHhjk
ftyf9c4DUpMNqN9V9y8ysmk=
=acmQ
-----END PGP SIGNATURE-----