[plug] Debian 2.2 security

Christian christian at amnet.net.au
Thu Aug 31 09:53:54 WST 2000


On Thu, Aug 31, 2000 at 09:43:35AM +0800, Matt Kemner wrote:
 
> He does have some good points, but I think his claim that "Debian is the
> least secure by default" is plain FUD.
> (esp after Mike O'Reilly held a talk for PLUG on what steps one needs to
>  go through to secure a default-install Red Hat system)

The only system I've seen that even approaches "secure by default" is
OpenBSD.  Debian isn't great (and, like you say, some of his points are
definitely worth fixing although they're hardly new information) but I
don't think it's any worse than any other distribution and, in many
ways, it's much better.

> It reads to me like a self-proclaimed security expert, who normally
> exclusively uses Red Hat, had a quick look at Debian and searched for
> differences and published them without looking real closely.

Self-proclaimed is pretty much spot on.  I've seen very few
*interesting* or *new* thoughts from him at all.  The closest he seems
to come are the occasional attempts at sensationalism like his "Is SSL
dead?" debacle.  His article on SRP was laughable since he plainly did
not understand the technology at all.

> He says:
> "I'm not a long time Debian user, so I am somewhat unfamiliar with it."
> So what makes him think he can authoritatively state Debian is unsecure by
> default, if he's not even taken the time to learn about the system, and
> validate his claims?

When you've got a spot writing for a reasonably prominent web site you
can say what you like.  And, if you get it wrong and there's a big
commotion, that's even better; if you don't have anything new to say
then say something controversial to boost the hits and sell more banner
ads.  Compare the recent "Linux Sucks" articles from Fred Moody.

Regards,

Christian.


