nanog mailing list archives
Re: The magic security CD disc Re: HTTP proxies
From: "Steven M. Bellovin" <smb () research att com>
Date: Sun, 08 Dec 2002 23:29:09 -0500
In message <Pine.GSO.4.44.0212082230200.11579-100000 () clifden donelan com>, Sean Donelan writes:
On Sun, 8 Dec 2002, Steven M. Bellovin wrote:I forget which of the Rainbow Series of books said it -- the Yellow Book, I think -- but one of them noted that the same LAN that was insecure in an office might be quite secure in a submerged submarine with a highly-cleared crew aboard.As far as I know, we don't have a big problem with zombie computers on submarines DOSing the Internet.
Well, no...
It takes a lot of time to talk individual users through fixing their computers. Especially when they didn't break it. They just plugged the computer in, and didn't spend 4 hours "hardening" it. Most of the time we're not talking about very complex server configurations, with full-time system administrators. The "magic" CD would be for people who don't know they are sharing their computers with the Internet. When they find out (or someone else reports it), they don't want to share their computers with everyone the Internet. They just want it fixed.
Right. The problem (and the point I was making) is that "secure" is context-dependent. In some sense, the easy way to "secure" machines is to pull the network jack. That's a serious DoS attack on yourself. Microsoft et al. could -- and should -- ship with all services off, but of course those services exist because they provide some functionality that some people want. Are those services safe? Well, maybe -- it depends on your environment and your clue. Ssh to a Cisco router is a reasonable thing to do, but not if the login password is trivial. --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com ("Firewalls" book)
Current thread:
- The magic security CD disc Re: HTTP proxies Sean Donelan (Dec 08)
- <Possible follow-ups>
- Re: The magic security CD disc Re: HTTP proxies Steven M. Bellovin (Dec 08)
- Re: The magic security CD disc Re: HTTP proxies Sean Donelan (Dec 08)
- Re: The magic security CD disc Re: HTTP proxies Alex Bligh (Dec 09)
- Re: The magic security CD disc Re: HTTP proxies Sean Donelan (Dec 08)
- Re: The magic security CD disc Re: HTTP proxies Steven M. Bellovin (Dec 08)
- Re: The magic security CD disc Re: HTTP proxies David Howe (Dec 09)
- RE: The magic security CD disc Re: HTTP proxies Hunter Pine (Dec 09)
- Re: The magic security CD disc Re: HTTP proxies Florian Weimer (Dec 09)
- Re: The magic security CD disc Re: HTTP proxies Alex Bligh (Dec 09)
- Re: The magic security CD disc Re: HTTP proxies Scott Francis (Dec 09)