"Workstation" Product defaults to wide-open firewall

Reindl Harald h.reindl at thelounge.net
Tue Dec 9 13:43:06 UTC 2014



On 09.12.2014 at 14:32, Bastien Nocera wrote:
>> On 09.12.2014 at 14:23, Bastien Nocera wrote:
>>> [1]: I haven't seen anything but arm-flailing on that issue. If somebody
>>> wants to go into details about what a server running inside the user's
>>> session would be able to do that a client wouldn't be able to, feel free.
>>
>> you realize the difference between an open port found by a network scan
>> in a public WLAN by any other client and an active outgoing connection to
>> specific machines?
>>
>> you realize that a security relevant bug in a service available over the
>> network may execute *any code* not intended by the running application
>> at all?
>
> So the solution isn't to close ports, but not run services in contexts where
> it isn't safe to do so. This is what we implemented

*boah*

* you do not know what is running on an end user's machine
* you do not know, when something is running, why it is
* you can not guarantee that just by a bug something won't run
* you can guarantee *nothing at all*

the only thing you can know is the default setup you ship

if you think your responsibility ends with what you ship as defaults then
you can't pretend you create an operating system at all

call it appliance and anything the user does with or without 
understanding the possible impact is unsupported
