Anybody use Linux? For old hardware, which distro?
in [Setup]
|
From: David Brown on 4 Jun 2010 03:14 On 03/06/2010 23:01, Keith Keller wrote: > On 2010-06-03, David Brown<david.brown(a)hesbynett.removethisbit.no> wrote: >> Keith Keller wrote: >>> >>> ...such as keeping up with security updates. >> >> Somebody has been living too long with Windows, and even then with the >> myths perpetuated by "security" software vendors. > > You are reading *way* too much into my post. I did not say "install > every single update that the vendor distributes". I mean more or less > what you do: keep an eye on the updates that are issued, and install the > ones you deem to be important. But if your distro no longer distributes > security patches, you have to choose whether to give up on them > altogether, patch the relevant software yourself, or upgrade/switch to a > current distribution. Many people will choose the third option. > Perhaps I did read too much into your post. I guess it accidentally triggered one of my pet hates - the myth that to keep a system secure you need the latest software with the latest patches and updates on everything, along with anti-virus, software firewalls, anti-spyware programs, etc. I have spent far more time helping people who have had problems with windows add-on "security" programs than I have spent chasing down or removing malware. Note also that if the system in question is not in a vulnerable position (such as being accessible only from a secure network), then there are no need for /any/ security patches. When there is no risk of attack, effort spent on defence is wasted. I've got a couple of Linux servers on our network that are more than 5 years old, and an NT 4.0 server. They don't get updated or patched at all, because they are not vulnerable.
From: Keith Keller on 4 Jun 2010 12:56 On 2010-06-04, David Brown <david(a)westcontrol.removethisbit.com> wrote: > > Perhaps I did read too much into your post. I guess it accidentally > triggered one of my pet hates - the myth that to keep a system secure > you need the latest software with the latest patches and updates on > everything, along with anti-virus, software firewalls, anti-spyware > programs, etc. I have spent far more time helping people who have had > problems with windows add-on "security" programs than I have spent > chasing down or removing malware. I always thought Norton, Symantec, McAfee, et. al. were malware. ;-) I have had minimal contact with Windows for such a long time, I must have gotten rid of the implicit assumption that one ''must'' keep the system up to date all the time. I promise I didn't mean to set you off! > Note also that if the system in question is not in a vulnerable position > (such as being accessible only from a secure network), then there are no > need for /any/ security patches. How would you obtain them anyway? :) This is probably 99% true. But if, for example, you have untrusted users with local login privileges (or on the LAN), you might wish to install patches for applicable exploits. One possible situation: you run a compute cluster, and while the nodes are only accessible from the head node, a user could submit a job to a node that (accidentally or intentionally) tickles a hole in some subsystem on the node. I think how paranoid to be will vary wildly by scenario. > When there is no risk of attack, > effort spent on defence is wasted. Don't forget unintentional attacks! A user could very easily unintentionally write code with a bug that happens to hit a problem (beyond the obvious unintentional DoS ''attacks'' like eating all the machine's memory). > I've got a couple of Linux servers > on our network that are more than 5 years old, and an NT 4.0 server. > They don't get updated or patched at all, because they are not vulnerable. I'm a firm believer in never believing that a particular system is *completely* invulnerable. Let's say that their vulnerability is negligible--greater than zero, but so small it's not worth any effort to patch. --keith -- kkeller-usenet(a)wombat.san-francisco.ca.us (try just my userid to email me) AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt see X- headers for PGP signature information
From: David Brown on 5 Jun 2010 10:48 Keith Keller wrote: > On 2010-06-04, David Brown <david(a)westcontrol.removethisbit.com> wrote: >> Perhaps I did read too much into your post. I guess it accidentally >> triggered one of my pet hates - the myth that to keep a system secure >> you need the latest software with the latest patches and updates on >> everything, along with anti-virus, software firewalls, anti-spyware >> programs, etc. I have spent far more time helping people who have had >> problems with windows add-on "security" programs than I have spent >> chasing down or removing malware. > > I always thought Norton, Symantec, McAfee, et. al. were malware. ;-) > > I have had minimal contact with Windows for such a long time, I must > have gotten rid of the implicit assumption that one ''must'' keep the > system up to date all the time. I promise I didn't mean to set you off! > >> Note also that if the system in question is not in a vulnerable position >> (such as being accessible only from a secure network), then there are no >> need for /any/ security patches. > > How would you obtain them anyway? :) > > This is probably 99% true. But if, for example, you have untrusted > users with local login privileges (or on the LAN), you might wish to > install patches for applicable exploits. One possible situation: you > run a compute cluster, and while the nodes are only accessible from the > head node, a user could submit a job to a node that (accidentally or > intentionally) tickles a hole in some subsystem on the node. I think > how paranoid to be will vary wildly by scenario. > I think if you have users like this, then your system is in a vulnerable position, and then needs the extra effort to prevent exploits. Then your level of paranoia should match the competence of the users, and the likelihood of them intentionally doing something naughty. >> When there is no risk of attack, >> effort spent on defence is wasted. > > Don't forget unintentional attacks! A user could very easily > unintentionally write code with a bug that happens to hit a problem > (beyond the obvious unintentional DoS ''attacks'' like eating all the > machine's memory). > I think the most common unintentional "attack" is loss of data because someone deletes or overwrites the wrong file, and most of such "attacks" are actually suicidal. But you are correct that you have to protect against such problems (balancing the risk of them occurring, the consequences of them, and the cost of protection). Outside of this and the DoS's you mentioned, I think the risk of accidentally triggering exploits is very low these days. If you are worried about that sort of thing, virtual machines are cheap and give very good protection - there are plenty of options. >> I've got a couple of Linux servers >> on our network that are more than 5 years old, and an NT 4.0 server. >> They don't get updated or patched at all, because they are not vulnerable. > > I'm a firm believer in never believing that a particular system is > *completely* invulnerable. Let's say that their vulnerability is > negligible--greater than zero, but so small it's not worth any effort to > patch. > I agree entirely with that - I was using lazy terms. I like to think that once your computer is so secure that the biggest risk is someone breaking into the building and stealing it, then there is little point in putting more time or effort into securing it more. Security is a process, not an absolute state of the system, and so is vulnerability.
From: William Poaster on 6 Jun 2010 10:08
Nico Kadel-Garcia wrote: > On Jun 4, 11:56�am, RayLopez99 <raylope...(a)gmail.com> wrote: <snip> >> Just an update: �I don't badmouth things unless they are usually >> really bad, unless I'm just trolling, in which case anybody with half >> a brain can figure out when that is. Which is ALL the damn time. > > That's a "curses" based interface. They used to be quite common for > the open source and free software tools on which Linux is based: it's > still popular for software in very small Linux releases, or for boot > installation systems. While it harkens back to the days of 2400 baud > modems, it's a very lightweight way to do interfaces and I highly > recommend it for small tasks, tasks that would only be burdened by > having too many buttons and keys. It's also ridiculously stable: I > recently ported some 15 year old code from an old UNIX to a modern > Linux, and the curses material worked just fine. (There was one weird > old bug, actually a bug in ncurses, but it was addressed with the next > release.) -- FreeBSD 8.0 64-bit Kubuntu 10.04 64-bit Mandriva 2010 64-bit |