On Thu, Mar 03, 2011 at 11:02:47AM +0100, Klaus Ethgen wrote:
> Hi,
>
> On Thu, 3 Mar 2011 at 3:35, Chow Loong Jin wrote:
> > > A system must not listen for any unused and unneeded services, ever.
> > > A firewall is to control services you _need_.
> > >
> > > All that zeroconf stuff is absolutely not needed and wanted. (By
> > > most users, I suppose.)
> [...]
> > Actually I absolutely love the <machine>.local resolution
> > functionality on a network (it works much better than the NetBIOS
> > crap that can never find another machine on a network when you want
> > it). That, and Pidgin's Bonjour support interfaces with iChat over
> > zeroconf, allowing you to chat with users (and exchange files,
> > perhaps?) across a network without needing to set up a centralized
> > chatting system.
>
> The thought of that makes me shiver!

Me too, but not in all cases.

There are two generic types of computing environments. For lack of a
better name, I'll call them the environment of the home user, and that
of the corporate user, though it's not entirely accurate.
Unfortunately, their requirements conflict somewhat.

For a corporate user, security is more important than convenience. When
an intruder breaks in to a corporate network, the repercussions could be
disastrous; in the worst case, corporate spies might bring down the
company. Since corporate environments are supposed to have system
administrators who can administer whatever services would be required,
so as to avoid security issues that might result from convenience
services, it makes sense to disable those services there and have
manually-configured services instead.

For a generic home user -- someone who isn't very familiar with
computers -- convenience is more important than security. That's not to
say such people should have completely insecure systems, but the
trade-offs between security and convenience are slightly different. For
instance, I wouldn't expect my parents to understand what a DNS server
is, let alone how to administer it; but even if that is so, they still
expect to be able to reach each other's laptops by using names, rather
than IP addresses (if they would even know what an IP address is, which
I doubt). A break-in on a home network is bad, but beyond privacy
issues, the repercussions would be minimal, and therefore the security
measures can be less stringent if it helps increase convenience.

Of course the two overlap somewhat -- small companies' networks might
look more like home networks, and geeks' home networks might look more
like corporate networks -- but in general, I believe the above is true.

> Trusting untrustable sources on a network for configuring local stuff
> is the worst ever. Either you have a trustable network, then it gets
> configured in a clean way and by intent. Or you have an untrusted
> network you do not want to use ever, or only so far as you can
> oversee it.

I agree with that, but only in the 'corporate' environment as described
above.

> > I think those two functionalities are pretty useful to the end-user.
>
> Well, they might be for a Mac or Windows user that does not care about
> security at all. But it is horror for a Debian user who cares at least
> a bit about security.

Let's just say 'end users who are not very aware of computing
technology' rather than 'Mac or Windows user', shall we? There are
several Debian users who fall in that category, too.

And while I agree that disabling zeroconf should be easily possible, I
think a default of 'convenience for a home user' is not a bad thing for
a distribution that is used for both corporate and home environments.
Such a default would include 'enabling zeroconf'.

[...]

> And even worse, Debian is often used on server platforms where you
> never ever want to have any such magically configured services.

Since avahi isn't a dependency of anything you'd want to install on a
server -- I personally have never installed gnome on a server, for
instance -- it usually isn't.

[...]

-- 
The biometric identification system at the gates of the CIA headquarters
works because there's a guard with a large gun making sure no one is
trying to fool the system.
        http://www.schneier.com/blog/archives/2009/01/biometrics.html

Archive: http://lists.debian.org/20110304093130.gc29...@celtic.nixsys.be
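The practical question the thread leaves open for the server case is whether zeroconf is actually in play on a given host, and "disabling" it needs two independent steps: the avahi daemon answering multicast DNS on UDP 5353, and the nss-mdns module on the hosts: line of /etc/nsswitch.conf that makes the resolver accept those (unauthenticated) multicast answers for any <name>.local. The following POSIX shell audit is an added example written for this page; it is not code from the thread, from Debian or from the avahi project. The nsswitch.conf contents and the `ss -lunp` listings it checks are constructed samples, and the function names (nss_mdns_enabled, mdns_listeners, zeroconf_verdict, write_samples) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian host for zeroconf
# (mDNS / avahi) exposure. Two independent checks, each reading a file so
# the same functions run against captured data or the live system:
#   1. nss_mdns_enabled FILE - does the "hosts:" line in an nsswitch.conf
#      route lookups through an nss-mdns module (mdns4_minimal, mdns4, ...)?
#   2. mdns_listeners FILE   - which processes are bound to UDP 5353,
#      parsed from `ss -lunp` output?
# Stopping avahi-daemon alone leaves the resolver configured to trust
# multicast answers; dropping the NSS entry alone leaves the daemon
# answering queries on the wire. Both must be clean.

# Print "yes" if the hosts: line uses any mdns module, else "no".
nss_mdns_enabled() {
    if grep -Eq '^[[:space:]]*hosts:.*[[:space:]]mdns' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Print the process name of every UDP socket bound to port 5353, one per
# line, from `ss -lunp`-style output; prints nothing if there is none.
mdns_listeners() {
    sed -n 's/.*:5353[[:space:]].*users:(("\([^"]*\)".*/\1/p' "$1"
}

# Overall verdict: "exposed" if either check finds mDNS in use, else "clean".
zeroconf_verdict() {
    if [ "$(nss_mdns_enabled "$1")" = yes ] || [ -n "$(mdns_listeners "$2")" ]; then
        echo exposed
    else
        echo clean
    fi
}

# Constructed sample data (not captured from a real host): a desktop-style
# default and a hardened server, for both nsswitch.conf and `ss -lunp`.
write_samples() {
    cat >"$1/nsswitch.default" <<'EOF'
passwd:         files
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
EOF
    cat >"$1/nsswitch.hardened" <<'EOF'
passwd:         files
hosts:          files dns
networks:       files
EOF
    cat >"$1/ss.default" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*         users:(("avahi-daemon",pid=612,fd=12))
UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=500,fd=6))
EOF
    cat >"$1/ss.hardened" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:68        0.0.0.0:*         users:(("dhclient",pid=500,fd=6))
EOF
}

# Demo on the samples. On a real host (as root, so ss can show process
# names): ss -lunp >/tmp/ss.out; zeroconf_verdict /etc/nsswitch.conf /tmp/ss.out
# To remediate on Debian: apt-get purge avahi-daemon libnss-mdns (the
# libnss-mdns maintainer scripts edit the hosts: line), then re-run the audit.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "default:  $(zeroconf_verdict "$d/nsswitch.default" "$d/ss.default")"
    echo "hardened: $(zeroconf_verdict "$d/nsswitch.hardened" "$d/ss.hardened")"
    rm -rf "$d"
}
demo
```

The verdict deliberately does not short-circuit on the daemon check: a host where avahi-daemon has been stopped but `mdns4_minimal` is still on the hosts: line is reported as exposed, because re-enabling the daemon (or any later package pulling it in) silently restores .local resolution from whatever answers on the link.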