Reply to post: @rcxb1

Crims target telcos' Linux and Solaris boxes, which don't get enough infosec love

Peter Gathercole Silver badge

@rcxb1

If you think that I'm just talking about programs with privilege, then you don't understand either the problem, or the tools that are available on a normal UNIX like system.

For instance, that out-of-favor tool telnet, which is installed in almost all base installs of UNIX and UNIX-like systems, can be used to probe IP addresses and ports, and is not privileged. Similarly, wget, and if they were installed, netcat (or nc), nmap, wireshark, lsof, and maybe going as far as restricting netstat, ifconfig, arp, ip, traceroute, dig, nslookup, tcpdump, and I could go on and on. UNIX and UNIX-like operating systems have a very rich set of commands for those who know how to use them.

Like I said, if I had my way, Java, Perl and Python (and most other high-function scripting languages), which pretty much allow you to write internet-capable programs as scripts without needing any compilation, would be banned from these systems. They just make it too easy, once you have even a non-privileged process, to create your own internet-capable services, like IP and port scanners, packet forwarders, and almost anything that you could write a program in C to do.

It used to be the case that making sure a compilation system was not installed on a system meant that it would be more difficult to use it as an intrusion tool, but this has changed with high-function scripting languages.

Even basic access commands like ssh (using privately run sshd processes with crafted config files) can be subverted to act as VPN servers. I've actually built packet and session forwarders to bypass firewalls using just back-to-back or nested ssh client sessions as well, but I have to admit I needed accounts on all of the systems involved.

Dropping binaries on a system can be made difficult. If you don't let any user write to any directory, even their home directory, have /tmp and /usr/tmp mounted with the noexec flag, and remove all the tools that allow you to receive any files, you can limit an intruder to just use what they find on a system.

Most of the experienced UNIX admins I know already know this. If you have only come across mediocre UNIX admins, then I think you must be late to the party.

As a contrast, I know many Windows admins who never think outside of the pretty, handheld menu systems that seem to be favored by Microsoft, and never even consider how IP and basic networks function, and never get as far as even considering what a firewall does and how it does it.

I do know other Windows admins who are very capable, but many of them have actually learned by working outside of the Windows environment to gain the extra experience that the basic Windows courses teach.
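The checks the post describes (which unprivileged network-capable commands, interpreters and compilers are reachable, whether they are executable by any user, and whether the temp directories are mounted noexec) can be scripted as a quick audit. The script below is an added example and is not the commenter's or The Register's code; the script name unpriv-toolkit-audit.sh, the tool lists and the captured mount table used for testing are assumptions, and the mount check reads the Linux /proc/mounts format only.

```shell
#!/bin/sh
# Added example (not from the original post): audit a UNIX host for the
# unprivileged network tooling, interpreters, compilers and tmp mount options
# discussed above. Hypothetical name: unpriv-toolkit-audit.sh
# Usage: sh unpriv-toolkit-audit.sh --run

# Commands the post lists as network-capable without any privilege.
NET_TOOLS="telnet wget curl nc netcat ncat nmap tshark wireshark lsof netstat ifconfig arp ip traceroute dig nslookup tcpdump ssh"
# Interpreters that let an intruder write a scanner or forwarder with no compiler.
INTERPRETERS="java perl python python2 python3 ruby php node"
# Compilers and linkers that older hardening guides removed from production boxes.
COMPILERS="cc gcc clang tcc as ld"
# Temp directories the post says should be mounted noexec.
TMP_DIRS="/tmp /usr/tmp /var/tmp"

# found_tools "<names>" [search_path]: print each name that resolves to an
# executable regular file in search_path (default $PATH), one per line.
found_tools() {
    names=$1
    search=${2:-$PATH}
    for t in $names; do
        old_ifs=$IFS
        IFS=:
        for d in $search; do
            if [ -f "$d/$t" ] && [ -x "$d/$t" ]; then
                printf '%s\n' "$t"
                break
            fi
        done
        IFS=$old_ifs
    done
}

# other_exec <path>: print "yes" if the mode grants execute to "other" (any
# unprivileged account can run it), else "no". Parses ls -l, which works on
# both GNU and BSD userlands; 't' covers the sticky bit shown in that column.
other_exec() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ?????????x|?????????t) echo yes ;;
        *) echo no ;;
    esac
}

# noexec_state <mountpoint> [mount_table]: print "noexec", "exec" or "absent".
# mount_table is text in /proc/mounts format (device mountpoint fstype opts ...);
# it defaults to the live table and may be supplied directly for testing.
# "absent" means the directory is not its own mount, so it inherits the
# parent filesystem's options and is not noexec either.
noexec_state() {
    mp=$1
    if [ $# -ge 2 ]; then
        table=$2
    else
        table=$(cat /proc/mounts 2>/dev/null || true)
    fi
    opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo absent
    else
        case ",$opts," in
            *,noexec,*) echo noexec ;;
            *) echo exec ;;
        esac
    fi
}

# audit_host: run every check against the live system and print the findings.
audit_host() {
    echo "== network-capable tools reachable on PATH =="
    for t in $(found_tools "$NET_TOOLS"); do
        p=$(command -v "$t")
        echo "  $t ($p) world-executable: $(other_exec "$p")"
    done
    echo "== interpreters =="
    found_tools "$INTERPRETERS" | sed 's/^/  /'
    echo "== compilers and linkers =="
    found_tools "$COMPILERS" | sed 's/^/  /'
    echo "== temp directory mount options (from /proc/mounts) =="
    for d in $TMP_DIRS; do
        echo "  $d: $(noexec_state "$d")"
    done
}

if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

A tool reported as world-executable is one an intruder with any shell can use; the post's "restricting" of netstat, ifconfig and friends amounts to turning that answer to "no" (owner and an admin group only) without deleting the file. A tmp directory reported as "absent" is as much a finding as "exec": it lives on the root filesystem and so has no noexec flag of its own.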
