[geeks] root equivalent user

Mike Hebel nimitz at speakeasy.net
Fri Oct 25 13:20:42 CDT 2002


Greg A. Woods wrote:
> [ On Friday, October 25, 2002 at 09:32:31 (-0400), Kurt Huhn wrote: ]
> Telling people not to use what are obviously bad tools and techniques
> _is_ constructive -- it could _prevent_ serious damage.  If people want
> to know the reasons why they shouldn't use bad tools and techniques as
> security solutions then they can easily enough ask or do their own
> research.  It is enough for me to initially warn of the problems and I
> only did that because I know damn well that these issues are generally
> so poorly misunderstood that most average people will follow the pied
> piper right over the brink.  

Then as Kurt so kindly stated - point them in the right direction.  I 
personally _know_ I don't know enough which is why I ask for help on 
things occasionally.  People who don't know need not be told they are 
wrong - they already know that probability.  It is far better to tell 
someone "Do this instead for these reasons." and _then_ explain why what 
they want to do won't work than just telling them "You're wrong.  Don't 
do it that way!"

> I'm not participating in this discussion
> just to hold everyone's hand and babysit.  If y'all want to have a
> meaningful discussion about something like this then that's fine, and if
> I find it interesting and if I have the time to spare then I'll
> participate.  However when all that's happening is bad answers to
> questions popping out of the blue, then I'm only going to jump in with
> quick corrections out of the blue.

I'm personally not questioning your information; I'm questioning the way 
it is presented.  Even quick corrections - _especially_ quick 
corrections - need explanation.  Not doing so gives the impression of 
supreme knowledge and emotionless response.  I.E. that arrogance that 
Kurt mentioned.  People do not respond well to that.

> I.e. if the questions have obviously had as much time and effort and
> thought put into them as I put into my previous reply then I will find
> the discussion a whole lot more engaging and I'm likely to give more
> detailed and interesting replies.  Now I don't want to put too much of a
> personal attack against the originator of this thread because _everyone_
> does the same thing all too regularly, but in this case I suspect if
> even a small amount of extra effort in background research had been used
> before posting the question then the right answer might have been
> obvious.  Of course in this case there are a couple of key and
> fundamental concepts that are a lot harder to learn, such as the unix
> security model and the concept of the superuser and how that all fits
> together.  There's lots of information about all this stuff readily
> available on the WWW and in many books and magazines, but of course as
> with every subject, especially on the WWW, not all of this info is good
> and correct.

So because we do not have supreme knowledge and because we do not have 
extreme experience then our answers are garbage.  As for the "research" 
issue - how would one know _what_ to research without asking the question?

> If "good enough" is good enough then there would not have been a
> question in the first place because the answer would have been glaringly
> obvious to even a non-techie.  However there was a question and people
> started answering with what I've called "stupid", and perhaps damaging,
> and definitely totally inappropriate advice:  technical approaches to a
> relationship problem, and technical approaches that create more problems
> than they could ever solve.

I feel you're being a little extreme here Greg.  Not all situations 
require the same policies that you employ.  And, from a personal 
standpoint, calling someone's answer "stupid" is particularly 
inflammatory.  Besides - even if the advice is "bad" and even if the 
person takes and implements the advice, the person will at least be 
learning how to handle the situation.  As far as I'm concerned it's more 
than normal to occasionally break things or mis-configure things in the 
process of learning and growing.  I don't think there's a person on the 
list who will not admit to breaking _something_ in the process of 
learning to understand it.

> Perhaps you don't understand just how critical good systems security is
> in _all_ cases where _any_ level of security is necessary.  I would
> recommend that anyone wondering what I'm talking about read and _re-read_
> Bruce Schneier's "Secrets & Lies", cover-to-cover, twice at least.

Security scales with the size/complexity of the network Greg.  In most 
cases a four-machine network does not need Kerberos, heavy encrypted 
passwords, 80 day password changes, or biometric identification 
technology.  _Each_ _security_ _solution_ _is_ _custom_ _for_ _the_ 
_network_ _in_ _question_.  You have to balance security with ease of 
use.  If you do not and max-out the security you will have more service 
calls to user desktops than you can handle.  The users will be more 
frustrated and break more things - many of them not related to your 
security.  Happy users, and a happy admin, make a happy network.
(Yes I know I've blown my possible alt.sysadmin.recovery standing by 
stating the unthinkable but it's more true than you ever will believe.)

Mike Hebel


