Full Disclosure mailing list archives

Re: SQL Slammer - lessons learned


From: Helmut Springer <delta () FaVeVe Uni-Stuttgart de>
Date: Sun, 9 Feb 2003 22:59:53 +0100

On 09 Feb 2003 at 21:53 +0100, Schmehl, Paul L wrote:
> This analogy is false.

For sure it is not 100% true, as all analogies aren't.


> Your phone calls do not affect my ability to connect to the
> telephone company, nor do they take down my phone system.

If I'm attacking your line or telco equipment or that of your carrier,
they will.  Limited resources and vulnerable systems; actually this
will become more of an issue as media converge.


> Furthermore, while the phone company doesn't decide the topics you
> can discuss, they most *certainly* control what you can and cannot
> transmit across their lines.

They do?  As long as I stick to the transmission standards (as in
"ip" for the internet) I dare to doubt this.  A good friend spent
some years teaching telco people how to build and run phone
networks, so I happen to have little insight here.


> Finally, ISPs are not phone companies.  They are companies that
> contract with customers to provide them with a connection to the
> Internet.

Right, they sell the ability to send and receive ip packets, as
already said.  Everything else is an add-on I personally either don't
care about or will order (e.g. DoS handling at upstreams or whatever
kind of service I as a customer would like to have for my site).  They
might take emergency measures as temporary exceptions to deal with
emergency situations.


> > Internet is the ability to send ip packets from one node to
> > another.

> No, it's not.

Actually it is, the most basic definition.


> It's much more than that.  It's the ability to communicate through
> multiple means and methods.  And much more.  It is not simply a
> connection from one node to another.  If it *was*, you wouldn't be
> concerned about blocking ports.

Actually I'm not, you want to do so.  I want to be able to send and
receive ip packets according to the standards for this, that's it.


> However, when your system affects mine, then I am involved.

Yes, when they do so.  As long as they don't they are simply none of
your business.  So don't tell me what ports I should be able to use
on my side, feel free to filter to your needs on your side.


> Just as you can do anything in the privacy of your own home, but
> some things will get you arrested in public, you can do anything
> on your own network, but when you get on the Internet you are in
> public, and the public has a right to demand certain behaviors
> from you and inflict certain consequences on you if you fail to
> comply.

That's liability for things done, as everywhere, no problem.


> Paul Schmehl (pauls () utdallas edu)
> Adjunct Information Security Officer
> The University of Texas at Dallas

Protect your constituency and make sure it doesn't attack others.
If you find some spare time, try to understand the internet.  But don't
try to force others to join a limited network you want to be in.

-- 
MfG/Best regards,                   "A Feature you cannot disable is
helmut springer                      considered a bug"  comp.os.unix
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html