Security Basics mailing list archives
Re: Would you pay more ...
From: Charley Hamilton <chamilto () uci edu>
Date: Tue, 06 Jul 2004 05:56:52 -0700
> Would you pay more to only have the following destination ports open to the internet originating from your broadband modem:
Actually, as a consumer, I'd pay less. However, I am semi-advanced (i.e. I can get into deeper trouble more creatively) and I *like* having other ports available to cycle my various connections through. Controlling the inbound/outbound ports at both my office (personal) firewall and my home firewall gives me a (somewhat misguided) sense of security through obscurity. The script kiddies who just hunt the "regular" target ports don't bother my connectivity apps. And if they do hit the right port, their IP gets dropped by the ruleset anyway. And if it doesn't they fail the authentication....
If only "standard" ports became available, a lot of people who are unwilling to pay more for the "business" service (because we aren't a business!) just to get access to those other ports will be forced to either "misuse" standard ports by running nonstandard apps on them (okay misuse is probably the wrong word there) or give up connectivity options that they already have.

The danger I see to offering such "secure by design" service is that it's not actually all that much more secure and is, in the end, more a marketing ploy than anything else. Most users wouldn't know a trojan on a "standard port" from one on a random port. In fact, I will venture that most users (to some extent like me) don't really grok what a port is anyway. They just run antivirus and expect it to get everything. Including windoze patches.

Would the ISP then take to scanning the approved ports for unusual activity? What's the savings of running through only those ports instead of all of them? How badly is my user-ness showing? ;-)

> ALTERNATIVELY, would you like it if this was the STANDARD package and
> additional ports were considered optional, and required payment.

How much more do you pay? By what argument are you justifying the additional cost, given that most individuals who would actually *know* about and *want* additional ports are typically smart enough to operate some sort of firewall. It seems those who operate a firewall should be offered a discount.... Hrm, I wonder how my ISP would react to that idea? ROTFL, I expect.

I suspect that a more *useful* service would be offering a "secure configuration" service --- at a "nominal fee" --- to users where the ISP sets up a system to auto-update (e.g. windoze) patches, configure firewalls, etc. Make the charge cost-defraying instead of a revenue source. That will keep the extra charges low. Don't charge the users extra to make a "firewall" out of their modems. If you call it "Package 2 -- Improved security! No extra charge!", the users will think they're putting one over on the ISP and getting something for nothing. They feel like they won, the ISP gets to restrict the ports open to the net from many subscribers, and those who know enough to be dangerous get to play with fire.

As usual, just my $0.02.

Charley

--
Charles Hamilton, PhD EIT Faculty Fellow
Department of Civil and Phone: 949.824.3752
Environmental Engineering FAX: 949.824.2117
University of California, Irvine Email: chamilto () uci edu