RE: SQL Slammer - lessons learned

["Schmehl, Paul L" <pauls () utdallas edu>]

-----Original Message-----
From: Helmut Springer [mailto:delta () FaVeVe Uni-Stuttgart de] 
Sent: Sunday, February 09, 2003 2:30 PM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] SQL Slammer - lessons learned

> It is not the part of the phone company to decide what topics 
> can be discussed in a phone call.  Neither is it the part of 
> ISP to decide what traffic their customers are able to transmit.

This analogy is false.  Your phone calls do not affect my ability to
connect to the telephone company, nor to do they take down my phone
system.  The worst you could do is to hope that you can congest the
system to the point that I have to use alternative means to communicate.
Furthermore, while the phone company doesn't decide the topics you can
discuss, they most *certainly* control what you can and cannot transmit
across their lines.  They control the entire network.

Finally, ISPs are not phone companies.  They are companies that contract
with customers to provide them with a connection to the Internet.  While
*some* ISPs may also be phone companies the two businesses are
independent of each other.  (Indeed some would argue that for a phone
company to act as an ISP as well is a conflict of interest that harms
the consumer.)

> Internet is the ability to send ip packets from one node to another.

No, it's not.  It's much more than that.  It's the ability to
communicate through multiple means and methods.  And much more.  It is
not simply a connection from one node to another.  If it *was*, you
wouldn't be concerned about blocking ports.

> At is not your part to decide if my system at home is secure or not.

However, when your system affects mine, then I am involved.  Just as you
can do anything in the privacy of your own home, but some things will
get you arrested in public, you can do anything on your own network, but
when you get on the Internet you are in public, and the public has a
right to demand certain behaviors from you and inflict certain
consequences on you if you fail to comply.

> Of course.  Otherwise shut down all telephone lines immediately, 
> there are overwhelming odds planned, organized and conducted over
those.

Again, a false analogy.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html