F21 System Wide Change: Workstation: Disable firewall

Stephen John Smoogen smooge at gmail.com
Tue Apr 22 17:14:13 UTC 2014


On 22 April 2014 05:40, Stephen Gallagher <sgallagh at redhat.com> wrote:

> Since you missed the link: https://www.youtube.com/watch?v=jYGgVUYjXQ8
>
> I too recommend that everyone gives it a look. It is very insightful
> and helpful in understanding what people really do once this gets out
> the door.
>
> Major points:
> 1) People turn off security features that they can't easily figure out
> how to tune.
> 2) "Hackers" are a significantly smaller security threat than managers
> ("I need it to work now, we can secure it later!")
> 3) Recovery and auditing are more important than prevention.
>
> Those are some of the basics, but it *really* is worth taking the 40
> minutes to watch the whole thing.
>


Uhm that is basic short-term outlook versus long-term outlook and seems to
miss the cost it takes to deal with security before, during and after the
effect. While the customer can take the point of view that they will turn
off stuff because it gets in their way, we as the development side do not
have that luxury. The cost of trying to get security into software or an OS
is much much higher if we have to deal with it after the fact. This was a
lesson that every OS company had to learn the hard way in the 1990's and
early 2000's. The Unix companies had to deal with this in the 1990's when
it became clear that the security threat landscape was different on a
network than it was on a phone line. Just getting firewalls into the OS was
a giant challenge and cost the companies a lot in support issues because it
wasn't designed or tested with what they had. Microsoft went through
multiple quarters of lost revenue and stock drops because they had to get a
working firewall and other security measures that weren't really tested in
the first place. Apple got away with it by buying an OS (NEXT) which had
already gone through the 1990's firewall security and other challenges.
They had stuff which was already designed in.

To use an example he uses in the lecture... we are building the OS immune
system. We can eat dirt during development and make it stronger or we can
deal with it later when there is a threat we didn't know about and the OS
immune system is screwed later. Saying "oh they can turn it on" misses the
fact that we never thought of how it would affect application Y which we
made crucial.


-- 
Stephen J Smoogen.