nanog mailing list archives

Re: Breaking the internet (hotels, guestnet style)


From: Steven Bellovin <smb () cs columbia edu>
Date: Tue, 8 Dec 2009 16:05:44 -0500


On Dec 8, 2009, at 11:59 AM, Paul Vixie wrote:

> Steven Bellovin <smb () cs columbia edu> writes:
>
>> It's why I run an ssh server on 443 somewhere -- and as needed, I
>> ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections
>> as I really need...
>
> me too, more or less.  but steve, if we were only trying to build digital
> infrastructure for people who know how to do that, then we'd all still be
> using Usenet over modems.  we're trying to build digital infrastructure for
> all of humanity, and that means stuff like the above has to be unnecessary.
> --

Right -- which means that we need a *good* solution.  "Good" has to encompass not just technical cleanliness, but also 
operational reality, which includes things like slow software update rates -- both on clients and the hotel 
infrastructures -- and the very wide variety of client platforms out there.

The problems we're talking about, though, are both competence and policy.  There's no intrinsic reason why hotels have 
to block some ports, especially given that many others do not.  They've chosen to, for whatever misguided reason.  
(Aside: my local library blocks everything but 80 and 443 outbound.  I complained to the director; he cited "security". 
I tried explaining that I knew something about Internet security; he told me that the firm that had installed the 
system had "done most of the libraries in the county".  I translate that as "most of the libraries in the county have 
broken security policies".)

And competence?  Again, we've all seen many different ways certain things are done.  I once had to boot into Windows to 
get a lease because NetBSD just wouldn't deal with the broken DNS packets necessary for the sign-up procedure.  After 
that, I rebooted into NetBSD and configured a static address and route.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb