On Mon, Oct 27, 2008 at 4:01 PM, seth vidal <skvidal@xxxxxxxxxxxxxxxxx> wrote:
> On Mon, 2008-10-27 at 15:29 -0600, Stephen John Smoogen wrote:
>> >> I don't know what kind of desktops you're referring to but desktops are
>> >> the soft-squishy inside that gets large corporate networks in deep
>> >> trouble when there is a border fw breach. This is why it is important
>> >> to have a multi-layered security policy/infrastructure.
>> >> 1. border fw
>> >> 2. host-based fw - including desktops
>> >> 3. deny-all policies at the system level
>> >> 4. well-audited apps that are runnable
>> >> 5. restrictive policies on what can be run at all.
>> >>
>> >> If you want to argue that enhancing the firewall technology that we are
>> >> currently using to allow a more nuanced user-interaction other than 'on'
>> >> or 'off' that's fine by me - but relying on selinux to solve all
>> >> network-border issues seems like the wrong tool for the job.
>> >
>> > You're missing the point. It makes no sense to split items 2-5. If a
>> > user wants to run an application then he will sit down and reconfigure
>> > all the firewalls he has control over until things work for him. (If he is not
>> > capable of that then he will file a bug and cry). And hence, having
>> > those four levels of defense is just pointless. A user will circumvent
>> > that anyway if he wants to run his app. The firewall hence simply
>> > works as an annoying extra step. It's like a message box asking you:
>> >
>> > "Hey, you just started application 'foo'. Are you really sure you
>> > want to do that? I mean *really*?"
>> >
>> > And if the user says "yes", then it will show another box:
>> >
>> > "I don't believe you, but I will allow you to do it if you solve
>> > the following difficult math problem!"
>> >
>> > Having desktop firewalls is security theatre. Having 20 levels of
>> > false and inappropriate security is worse than having a single level
>> > of security that is appropriate for the task.
>>
>> My guess is that having priv-sep, passwords, etc. are all security
>> theatre for the desktop user in this case. I mean if application X
>> can't work without me being root then why not be root? If having a
>> password slows me down from getting stuff done, why not remove it. For
>> this level.. why are we doing anything beyond Windows 98 which seems
>> to be the perfect desktop platform.
>>
>
> Stephen,
> Here's the problem. Yours and my experience of users is most likely
> very different from David's or Lennart's. Our experience is of users who
> need to do a finite set of tasks for work and/or education. Everything
> else is either disallowed by policy and/or not supported/ignored.
>
> My experience of users is that if you give them a box and a set of rules
> that the overwhelming majority of them will live in that box quite fine.
> A handful of the folks who think of themselves as "power users" will
> bitch and moan and find a way to circumvent the rules. They'll complain
> to your boss to get you to change the rules just for them, they'll
> disable whatever they can. That feels a lot more like the user that
> Lennart and David are describing and it is NOT the users that you and I
> (and most of the sysadmins all over the world) actually experience. Or
> when we do experience them it is our penance of telling them no and then
> telling them no, again.
>
> The mistake I've made is thinking that
> desktop==sysadmin-maintained-desktop.
>
> What it seems like Lennart and David are describing is home and/or
> personal laptop/desktop. It's not for users like you and I think of.
> It's for people who have chosen to use linux, at home or on a machine
> they are exclusively in control of. A fairly narrow market from what I
> can see.

Ah ok. I guess I have spent so much time working on making sure that
people aren't sharing stuff on company owned systems... I forget that
there would be a reason beyond a torrent during testing for wanting to
do it otherwise.
--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

--
Fedora-desktop-list mailing list
Fedora-desktop-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-desktop-list