Am 13.02.2017 um 15:13 schrieb Ludovic Courtès: > Now, back to the “only install the required software”, I wouldn’t go as > far as you do. I generally agree with the rule, but I’m skeptical as to > what this buys you from a security perspective: users can always install > whatever they want by hand anyway, and do you have an idea as to how > much code they install via their browser?
Looks like we are talking about different systems. I'm talking about hardened systems, esp. servers, where users are not allowed to install additional software – not even browser add-on. Yes, even on these systems a skilled person can install any software he/she wants. But it is much effort and requires more skills – depending on a lot of parameters – to bring an exploit to the system as if the exploit is already there since some software including the exploit is already installed. Is stress the example with the door of your flat again: For a skilled person opening a locked door is easy even if there is a pun tumbler lock [1]. But would you use just a ward key instead, which can be opened by nearly anybody – and even lay the skeleton key [2] beside the door? And this what hardening is about: reducing the attack surface and removing as many tools as a possible. Is a GNU/Linux distribution separates components sorrowly, its easier to harden the system, which makes the distribution more attractive compared to other distributions. [1] https://en.wikipedia.org/wiki/Pin_tumbler_lock [2] https://en.wikipedia.org/wiki/Skeleton_key -- Regards Hartmut Goebel | Hartmut Goebel | h.goe...@crazy-compilers.com | | www.crazy-compilers.com | compilers which you thought are impossible |
