Breaking the internet (hotels, guestnet style)
smb at cs.columbia.edu
Tue Dec 8 15:05:44 CST 2009
On Dec 8, 2009, at 11:59 AM, Paul Vixie wrote:
> Steven Bellovin <smb at cs.columbia.edu> writes:
>> It's why I run an ssh server on 443 somewhere -- and as needed, I
>> ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections
>> as I really need...
> me too, more or less. but steve, if we were only trying to build digital
> infrastructure for people who know how to do that, then we'd all still be
> using Usenet over modems. we're trying to build digital infrastructure for
> all of humanity, and that means stuff like the above has to be unnecessary.
Right -- which means that we need a *good* solution. "Good" has to encompass not just technical cleanliness, but also operational reality, which includes things like slow software update rates -- both on clients and the hotel infrastructures -- the very wide variety of client platforms out there.
The problems we're talking about, though, are both competence and policy. There's no intrinsic reason why hotels have to block some ports, especially given that many others do not. They've chosen to, for whatever misguided reason. (Aside: my local library blocks everything but 80 and 443 outbound. I complained to the director; he cited "security". I tried explaining that I knew something about Internet security; he told me that the firm that had installed the system had "done most of the libraries in the county". I translate that as "most of the libraries in the county have broken security policies".)
And competence? Again, we've all seen many different ways certain things are done. I once had to boot into Windows to get a lease because NetBSD just wouldn't deal with the broken DNS packets necessary for the sign-up procedure. After that, I rebooted into NetBSD and configured a static address and route.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG