[sf-lug] update from computer newbie

Sat Jul 8 01:44:24 PDT 2006

Quoting jim stockford (jim at well.com):

>     Yes, I forwarded them all to "bob" aka "jeff" and
> am begging/harassing him to join our email list

I got the impression that Jeff had sent offlist mail to Bob, which Bob
then forwarded onwards to the mailing list.  Thus the two levels of
quotation in the original posting from Bob (of Jeff's mail).

>      I think John and Asheesh and Rick have got
> it right, but here are my reasons for my contrary
> choices: it's a laptop, likely to be going here and
> there, even if not, likely to be off a lot. I like to play
> with the stuff. I install absolutely everything and
> then die a cruel death working with it all, but hey,
> I'm into cruel death. I must be or I wouldn't keep
> doing it.
>     The idea that maybe mail is needed but needn't
> be run in daemon mode is particularly right.
>     For you, Bob/Jeff, I'd follow the advice the others
> gave--if you don't know you have a need for a
> server, don't run it.

Honestly, it's really all about risk assessment, threat models, and
security policy.  (You have a _default_ security policy even if you've
near heard of the concept.)  What you want to do is guesstimate what's 
at risks and what threats are significant in your usage model.  You 
then tailor your local policy to cope with whatever risks you were able
to identify and assess.

For instance, consider hard drive failure (a risk).  Hard drives fail or
autocorrupt all the time -- and yet, what percentage of computer users 
do you think bother to make even infrequent backups of their data, let
alone test those backups, let alone store copies in locations where the
same harm (theft, fire, flood) that affects the computer doesn't destroy
the safety copy.

A long time ago, when I was the IT Department for a medium-sized
software firm, I sent offsite one set of the weekly backup tapes to a
data storage firm -- and stored a duplicate copy under my car's seat
(out of the sun), and always parked the car far enough from the building
that an earthquake couldn't make the building fall on top of my car.

Security policy means knowing what can plausibly go wrong, having a plan
for noticing, and having a plan for coping with the results.  As I said
in "Attacking Linux", a _comprehensive_ plan would require thinking at
least minimally about prevention, detection, damage reduction, defence
in depth, hardening, identification of the attackers, and recovery from
security incidents.

> Next-to-last notion: whatever you do, however you might get hacked,
> you'll almost certainly reinstall a bunch of times, so relax and enjoy
> it, as Confucius might have said.

Sadly, a lot of novices don't notice for months and months and months
that their systems have been compromised.