[DC LoCo] nopat

Mackenzie Morgan macoafi at gmail.com
Mon Oct 11 18:22:15 BST 2010


On Mon, Oct 11, 2010 at 1:02 PM, Kenneth Stailey <kstailey at yahoo.com> wrote:
> --- On Mon, 10/11/10, Mackenzie Morgan <macoafi at gmail.com> wrote:
>
>> that security-through-obscurity thing that is slowly being
>> eroded as we gain more users.
>
> I don't believe in security-through-obscurity.  It's all about trust anyway.
> I beat it into the heads of my supported users that they need to stick to installing
> via signed repositories.  Even a PPA at least leaves some breadcrumbs behind in
> the event of malware which is something you don't get when downloading from a
> random web site or other source.

GOOD, though I recommend a policy to only use PPAs that are run by the
upstream developers or Ubuntu developers.  For me, I also include the
people who are on their way to MOTU whom I trust, though in practice
I've only mentored one person.

> That and NoScript.  If you don't browse with NoScript you are oh-so-vulnerable.
> I'm not sure about NotScript for Chrome but it's a step in the right direction.

The trouble with NoScript is that the user has no idea what domains to
allow. It could be a perfectly trustworthy domain but happen to have
been cracked, and you don't know that.  Not all bad JS comes from bad
domains.  On top of that, it doesn't show you the code before you
allow it.  So, for its intended white-listing purpose, it's
practically useless.  That's not to say it lacks value.  It is useful
for two of its features that most people don't even talk about
existing:
- click-jacking detection
- cross-site-scripting detection

-- 
Mackenzie Morgan
http://ubuntulinuxtipstricks.blogspot.com
apt-get moo
