The magic security CD disc Re: HTTP proxies
Steven M. Bellovin
smb at research.att.com
Mon Dec 9 04:29:09 UTC 2002
In message <Pine.GSO.4.44.0212082230200.11579-100000 at clifden.donelan.com>, Sean
Donelan writes:
>On Sun, 8 Dec 2002, Steven M. Bellovin wrote:
>> I forget which of the Rainbow Series of books said it -- the Yellow
>> Book, I think -- but one of them noted that the same LAN that was
>> insecure in an office might be quite secure in a submerged submarine
>> with a highly-cleared crew aboard.
>
>As far as I know, we don't have a big problem with zombie computers on
>submarines DOSing the Internet.
Well, no...
>
>It takes a lot of time to talk individual users through fixing their
>computers. Especially when they didn't break it. They just plugged
>the computer in, and didn't spend 4 hours "hardening" it. Most of the
>time we're not talking about very complex server configurations, with
>full-time system administrators. The "magic" CD would be for people who
>don't know they are sharing their computers with the Internet. When
>they find out (or someone else reports it), they don't want to share
>their computers with everyone the Internet. They just want it fixed.
>
Right. The problem (and the point I was making) is that "secure" is
context-dependent. In some sense, the easy way to "secure" machines is
to pull the network jack. That's a serious DoS attack on yourself.
Microsoft et al. could -- and should -- ship with all services off,
but of course those services exist because they provide some
functionality that some people want. Are those services safe? Well,
maybe -- it depends on your environment and your clue. Ssh to a Cisco
router is a reasonable thing to do, but not if the login password is
trivial.
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
More information about the NANOG
mailing list