[geeks] root equivalent user

Greg A. Woods woods at weird.com
Fri Oct 25 12:00:24 CDT 2002


[ On Friday, October 25, 2002 at 09:32:31 (-0400), Kurt Huhn wrote: ]
> Subject: Re: [geeks] root equivalent user
>
> See, that's what you should have done the first time - instead of telling
> someone that what they use is stupid, or the procedure wrong, or the policy
> flawed.  Contribute to the discussion, man.  Until you offer *constructive*
> criticism and helpful suggestions, you'll simply be labeled as a self
> righteous and arrogant bastard.

Telling people not to use what are obviously bad tools and techniques
_is_ constructive -- it could _prevent_ serious damage.  If people want
to know the reasons why they shouldn't use bad tools and techniques as
security solutions then they can easily enough ask or do their own
research.  It is enough for me to initially warn of the problems and I
only did that because I know damn well that these issues are generally
so poorly misunderstood that most average people will follow the pied
piper right over the brink.  I'm not participating in this discussion
just to hold everyone's hand and babysit.  If y'all want to have a
meaningful discussion about something like this then that's fine, and if
I find it interesting and if I have the time to spare then I'll
participate.  However when all that's happening is bad answers to
questions popping out of the blue, then I'm only going to jump in with
quick corrections out of the blue.

I.e. if the questions have obviously had as much time and effort and
thought put into them as I put into my previous reply then I will find
the discussion a whole lot more engaging and I'm likely to give more
detailed and interesting replies.  Now I don't want to put too much of a
personal attack against the originator of this thread because _everyone_
does the same thing all too regularly, but in this case I suspect if
even a small amount of extra effort in background research had been used
before posting the question then the right answer might have been
obvious.  Of course in this case there are a couple of key and
fundamental concepts that are a lot harder to learn, such as the unix
security model and the concept of the superuser and how that all fits
together.  There's lots of information about all this stuff readily
available on the WWW and in many books and magazines, but of course as
with every subject, especially on the WWW, not all of this info is good
and correct.

> Also, keep in mind that your method is not the appropriate one for all
> situations.  Keep an open mind.  For instance, for a company of less than a
> certain size, the method you describe above is extremely time consuming for
> little benefit.  In cases such as this, "good enough" is usually good enough.

If "good enough" is good enough then there would not have been a
question in the first place because the answer would have been glaringly
obvious to even a non-techie.  However there was a question and people
started answering with what I've called "stupid", and perhaps damaging,
and definitely totally inappropriate advice:  technical approaches to a
relationship problem, and technical approaches that create more problems
than they could ever solve.

Perhaps you don't understand just how critical good systems security is
in _all_ cases where _any_ level of security is necessary.  I would
recommend that anyone wondering what I'm talking about read and _re-read_
Bruce Schneier's "Secrets & Lies", cover-to-cover, twice at least.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods at ieee.org>;           <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>