On Sat, 2007-17-03 at 00:12 +0900, Arwyn Hainsworth wrote:
> On 16/03/07, Peter Whittaker <[EMAIL PROTECTED]> wrote:
> > UC3: Fritz is setting up a classroom or other contained environment,
> > UC4: Barbara is a security researcher setting up a honeypot.
>
> I fail to see why UC[34] would require unauthenticated access.

In Barbara's case, unauthenticated access is required because she *wants* the box to be vulnerable, at least via this vector: she is setting up a honeypot, and she wants attackers to get in (at least part way). Given she's a security researcher, she can probably hack the code to do what she wants, so UC4 may be off the table.

In Fritz's case, it is common in training groups to enable a classroom using crash-and-burn, all-access-allowed machines: you image the machines from disk, let the class have at 'em, then re-image them when the class is over. Yes, completely open access means the students can mess around, but there is little risk to this because a) the machines are being re-imaged after class, and b) whose time are they wasting by messing around? They have better things to do. (My experience in this area is mostly with corporate training: the students - professionals who have chosen to take the training or been voluntold - are too busy doing what they are there to do to play hacker.) Sure, there is some risk of a wannabe disrupting things, but it's low and would tend to be caught by the other students.

In general, I run my machines at a higher level of security than most people: I'm cynical, paranoid and a security consultant*. I'm also absolutely opposed to being told what to do and how to use my machine. So I'm ethically inclined to UC3, because it is somewhat paternalistic to be otherwise.

Somewhat...

...there is always the question of whether or not one wishes to give someone enough rope to hang themselves. Me, I believe in education: "This is a really bad idea, most of the time. Are you sure? Click Yes to disable authentication, click No to leave things as they are (recommended), click Here to learn more...."

That said, UC3 is a wishlist item, and the person doing the work has to be convinced of its value....

(*) As a consultant, my role is to tell people what the threats and risks are, and to let them make the decision - mitigate or accept. My role is never to hector, never to badger, and always to believe, fundamentally, that my clients are willing and able to make rational, informed decisions.

pww
--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss