North American Network Operators Group

Re: The magic security CD disc Re: HTTP proxies
In message <[email protected]>, Sean Donelan writes:
>On Sun, 8 Dec 2002, Steven M. Bellovin wrote:
>> I forget which of the Rainbow Series of books said it -- the Yellow
>> Book, I think -- but one of them noted that the same LAN that was
>> insecure in an office might be quite secure in a submerged submarine
>> with a highly-cleared crew aboard.
>
>As far as I know, we don't have a big problem with zombie computers on
>submarines DOSing the Internet.

Well, no...

>
>It takes a lot of time to talk individual users through fixing their
>computers. Especially when they didn't break it. They just plugged
>the computer in, and didn't spend 4 hours "hardening" it. Most of the
>time we're not talking about very complex server configurations, with
>full-time system administrators. The "magic" CD would be for people who
>don't know they are sharing their computers with the Internet. When
>they find out (or someone else reports it), they don't want to share
>their computers with everyone on the Internet. They just want it fixed.
>

Right. The problem (and the point I was making) is that "secure" is
context-dependent. In some sense, the easy way to "secure" machines is
to pull the network jack. That's a serious DoS attack on yourself.
Microsoft et al. could -- and should -- ship with all services off, but
of course those services exist because they provide some functionality
that some people want. Are those services safe? Well, maybe -- it
depends on your environment and your clue. Ssh to a Cisco router is a
reasonable thing to do, but not if the login password is trivial.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)