North American Network Operators Group


Re: Providers removing blocks on port 135?

  • From: Petri Helenius
  • Date: Sun Sep 21 08:22:22 2003

Iljitsch van Beijnum wrote:

But someone has to. The trouble is that access to the network has never been considered a liability, except for local ports under 1024. (Have a look at Java, for example.) I believe that the only way to solve all this nonsense is to have a mechanism that is preferably outside the host, or at least deep enough inside the system to be protected against application holes and user stupidity, which controls applications' access to the network. This must not only be based on application type and user rights (user www gets to run a web server that listens on port 80) but also on application version. So when a vulnerability is found, the vulnerable version of the application is automatically blocked.

Go and count the Pinto's on US101 or I-880. :-)

I don't see something like this popping up over night, though.

For this to be really effective, there needs to be an unbroken chain of authentication for code
from the author to your PC and additionally the operating system needs to change to get rid
of the notion of "superuser". As has been said multiple times on this and other lists, most
consumer users expect their stuff to "just work" and unfortunately Microsoft translated this
requirement to "Always Local Administrator", which has catastrophic security consequences.

The chain above does not have to mean that there is a central authority enabling the code to
run on your box; it can as well give the right to you or to some place in the organization
where it makes sense.

Pete
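As an added illustration (not code from either poster or from any product discussed in this thread) of the policy sketched above, the toy host-side decision point below only lets an application listen on a port when its signed manifest verifies, the requesting user is allowed to run that application, the port is on its allow-list, and its version is not in a separately maintained vulnerable-version feed. Everything in it is constructed: the HMAC with a shared publisher key stands in for a real author-to-host code-signing chain, and the application names, ports and version ranges are made-up sample data.

```python
"""Toy per-application network access policy (constructed example).

A real deployment would verify a certificate chain from the publisher to the
host instead of a shared-key HMAC; the HMAC is only a stand-in so this runs
offline with the standard library.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: the verifier holds a key shared with the code publisher.
PUBLISHER_KEY = b"constructed-publisher-key-not-a-real-secret"


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> str:
    """Publisher side: produce a tag over the canonical manifest JSON."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, tag: str, key: bytes = PUBLISHER_KEY) -> bool:
    """Host side: constant-time comparison so a forged tag leaks nothing."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.0.46' into (2, 0, 46) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Rule:
    app: str          # application name from the manifest
    user: str         # the only account permitted to run it
    ports: frozenset  # ports it may listen on; empty means no inbound listener


# Constructed policy: which identity may run what, on which ports.
POLICY = (
    Rule("httpd", "www", frozenset({80, 443})),
    Rule("rpcss", "SYSTEM", frozenset()),
)

# Constructed vulnerability feed, kept apart from the policy so that a new
# advisory only needs a new (app, low, high) inclusive version range here.
VULNERABLE = {
    "httpd": [("2.0.0", "2.0.46")],
}


def is_vulnerable(app: str, version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in VULNERABLE.get(app, []))


def decide(manifest: dict, tag: str, user: str, port: int) -> Tuple[bool, str]:
    """Return (allowed, reason) for 'may this app, run by user, listen on port?'"""
    if not verify_manifest(manifest, tag):
        return False, "manifest signature invalid"
    rule = next((r for r in POLICY if r.app == manifest["app"]), None)
    if rule is None:
        return False, "unknown application"
    if rule.user != user:
        return False, f"user {user} may not run {rule.app}"
    if port not in rule.ports:
        return False, f"port {port} not permitted for {rule.app}"
    if is_vulnerable(rule.app, manifest["version"]):
        return False, f"{rule.app} {manifest['version']} is a blocked vulnerable version"
    return True, "allowed"


if __name__ == "__main__":
    old = {"app": "httpd", "version": "2.0.46"}
    new = {"app": "httpd", "version": "2.0.47"}
    print(decide(old, sign_manifest(old), "www", 80))
    print(decide(new, sign_manifest(new), "www", 80))
    print(decide(new, sign_manifest(new), "www", 135))
```

The point of splitting POLICY from VULNERABLE is the one the quoted post makes: the rights model (who may run what, where it may listen) stays stable, while a new advisory only appends a version range, and the affected build is blocked from the network without anyone touching the application or the user's rights.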