And another Ubuntu convert!
markir at paradise.net.nz
Sat Jan 24 20:45:22 UTC 2009
Derek Broughton wrote:
> Mark Kirkwood wrote:
>> Derek Broughton wrote:
>>>> - use a firewall
>>> Mostly not necessary either - if you don't have servers, you don't need a
>>> firewall. Which is why Ubuntu Desktop versions don't install one.
>> If you are using a DSL router, then most have one anyway. It is wise to
>> leave it on - another layer of security to protect you (especially if
>> you do wish to enable remote access - say from work to your machine at
>> home, you can configure the firewall to only allow connection attempts
>> from your work ip range - again, another layer of safety in case of an
>> unknown ssh vulnerability).
> That, of course, means you're operating a server of some sort - and
> absolutely you need firewalls when you do that.
Of course running connection accepting daemons means you are technically
running a server. However these days the distinction is somewhat blurred
- most people either have a web-server or openssh-server on their
workstation, so need a firewall. Unfortunately it is often the case that
folks may not be aware that they have (for example) either of these
running - either because they enabled it ages ago (temporarily!) and
forgot to disable it again, or they didn't notice that it got installed
as a dependency for some other package they installed.
So again, wise to run one - unless you are *sure* you have no server
daemons running. I recommend scanning yourself with nmap to be sure, or
visiting https://www.grc.com/x/ne.dll?bh0bkyd2 to get yourself scanned
for open ports.
>>>> - use a script blocker like noscript in your browser
>>> That's really, really, pointless. The fact is, if you turn off
>>> you lose most of the functionality of the web. Even if you just make it
>>> prompt before running scripts you'll be driven crazy. I'd far rather
>>> block specific domains (like adblock).
>> Hmm, couldn't disagree more - I was referring to a configurable blocker
>> (like Noscript in Firefix) - this is probably one of the best ways to
>> protect yourself whilst browsing. Most sites work well enough for you to
>> decide whether or not to trust them by allowing any scripts.
> Unless your browser has vulnerabilities, script isn't supposed to be able to
> do anything harmful (activex, of course, is just one huge vulnerability).
> Having a script blocker asking whether it can run scripts every time you
> come to a new site ruins the experience of the web, for little value. I
> don't _want_ to have to decide whether to trust scripts on every site, and I
> absolutely don't believe I need to.
I agree that a browser *shouldn't* be able to do anything harmful and
you *shouldn't* need to have to make decisions about site safety.
However the current state of affairs seems to be that browsers can - see:
Admittedly these get patched very quickly these days, but there is
always a window of vulnerability. So you really have to assume that the
internet is a midely hostile environment.
More information about the ubuntu-users