On Mon, Nov 15, 2004 at 10:51:11PM +1100, Dmitri Nikulin wrote:
> Simon Hitzemann wrote:
> 
> >Most people unfortunately think that no answer means that there is
> >nothing here. That's wrong. If there is no answer on a SYN request or
> >UDP packet, it means there is some packetfilter dropping packets. If
> >that port was nonexistent as in there is no machine, then the router
> >before that machine would have to answer.
> >
> > 
> >
> Oh... crud. Well so much for my theories. This is what you get for 
> listening to Steve Gibson (grc.com)
> 
> >Other ideas like randomizing things are ok but not really urgent.
> >I am also a bit indifferent about TTY snooping, privacy vs security is
> >always a hard decision if you want to keep your users productive.
> > 
> >
> If they object to it, turn it off. I don't see why implementing a 
> potentially life-saving feature that can be used to invade privacy (what 
> work would users have to hide anyway?) is really such a problem. It can 

Oh well, you can ps(1), find out the PID of a user, and attach yourself via
gdb/ktrace . I don't see a point in a privacy discussion. This is a unix system
with one god (0:0) and some users. 

> >Maybe it would be more interesting to implement ACLs for UFS2 as those
> >would have a larger impact on security in my opinion.
> > 
> >
> ACLs are useful if you know what you're doing, of course, but I wouldn't 
> call them a boost in security on their own. They open up paths to big 
> mistakes.
> 

yeah, but ACLs still have a point. Real-Life situations don't bind "groups" so
strict that you can always work with "u"ser, "g"roup and "o"thers.
Of course you can f up things.. you are /root, you are allowed to. :)
After some years of discussion we'll surely point out that a stupid admin on
OpenBSD makes the system more open then a good admin on DOS ( insert $your_OS
here).


SR