Re: [Sheflug] GUI vs. text & sysadmin issues.
On Tue, 13 Jun 2000, Stephen J. Turnbull wrote:
> However, I'm mostly interested in sys admin issues here. From the
> point of view of a general user, configuring ppp is like fixing a car,
> and they don't wanna know. And they shouldn't have to. But for the
> sys admin, the proper analogy is _driving_ the car. This entails
> certain responsibilities, enforced on drivers by licensing
> requirements.
This is an extremely interesting aspect. In terms of GUIs & sysadmins, I
have to say I still believe that GUI sysadmin tools should be better than
their text-mode equivalents, but in the sysadmin area this is not
clear-cut at all, and I imagine a lot of sysadmins, if not most, would not
agree.
> intermittent dial-up. What happens when people who _don't_ install
> port sentries start getting cable and DSL?
This is a subject I find quite worrying. I personally want xDSL, and I
want it within two years. I don't want to keep having to use hosting
services, etc. I expect a lot of other people feel the same. I think once
people get a taste of always-on internet, they'll become almost addicted -
it is incredibly useful, even for home users.
Potentially more worrying than insecure Linux boxes will be the number of
Windows boxes out there. I think the solution for DSL users is that
they're going to have to be behind a (ISP provided) firewall; there's no
other way. I imagine this is done already.
I think the pertinent questions are: who is writing the software? and who
is the sysadmin? For a major server, running for a business or some other
large organisation for example, it *needs* a clued-in sysadmin, who knows
what they are doing, GUI utils or not. But for the home user, it's
slightly different: the author of the software is also, to a large extent,
the sysadmin.
I acknowledge your point about GUI writers; yes, usually GUI-driven
software is feature-driven, and often security is an afterthought.
Although, to an extent this is present in all cases. A recent example: I
was asked by a friend to evaluate a certain C library which provided a CGI
interface, so that cgibins could be written in C; you didn't need to
decode the input, read the environment, write out, handle headers, etc.
This (unnamed) library was at a stable version above 1. The number of
security fixes was grotesque. At (a version above 1) the author realised
that there was a serious buffer over-run hole in the software after it was
pointed out on BugTraq. In my book, anyone writing software for cgi, or
any other server-type task, should be aware of basic exploits such as
buffer breaking, and that this author obviously didn't worried me greatly.
This was also software that was being sold commercially.
I particularly like the example set by OpenBSD. I believe it's been three
years since a remote exploit in the default install? I don't see why
security can't be set up by the software as default (and here I begin to
deviate from the actual, I grant you). I don't like the way software comes
sans warranty, and I don't like the idea of hundreds, thousands, possibly
millions of connected computers with large security holes (Windows ;).
And, although you may not agree, the sysadmin is, to all extents and
purposes, the designers of the distro and the authors of the software. I
believe it's possible to write easy to use software (with a GUI perhaps?
;) that hides details from the user, yet is still secure to the degree
needed to fend off the majority of attacks. And I further think it has to
happen, because otherwise we're going to be in major trouble a few years
down the road...
Cheers,
Alex.
---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word
"unsubscribe" in the body of the message.
GNU the choice of a complete generation.