Re: A story and some advice.

2001-04-28 Thread Derek Martin

On Wed, Apr 25, 2001 at 01:57:14PM -0400, Brad Maxwell wrote:

 OK, I'm not just an innocent victim and I'm responsible for
 putting my high performance sports car on the net but M1/ATT owns
 the highway and they certainly have capabilities and facilities that
 far outstrip what I have on my Linux Firewall.

First, (I'm not certain but) I think the poster of the above is not
the person who originally posted about having been compromised, and I
wanted to acknowledge that.  So the YOU below refers to the generic
or hypothetical YOU -- any and all of us who have systems connected
directly to the Internet.

I'm sorry if this sounds harsh, but the above comment really is just
plain wrong.  The attack was on your machine.  Your machine was
compromised.  Your machine has the weakness, and ONLY YOU have the
means to protect it from such an attack, particularly given that it is
connected directly to the Internet with no perimeter protection (such
as a firewall) in place.  MediaOne or other provider really CAN'T
reasonably filter out connections on any given port, because
(especially in the Windows world) network software can and often does
use any port, including so-called well-known ones.  They do not and
can not have any idea what software you might be running, nor whether
or not those connections on port 12354 to your system are legitimate
or from some trojan program.  It's up to YOU to determine that.  It's
YOUR system, used by YOU.  Not them.

To borrow another of Bruce Schneier's often borrowed quotes: Security
is a chain; it is only as strong as its weakest link.  In this case,
YOU are the weakest link.  YOU knew that your machine was broken into,
and admitted publicly that you failed to react accordingly.  YOU did
not visit your vendor's website and download their latest security
patches.  Though these two measures will not foil a talented and
dedicated attacker, often doing just these things is enough to keep
your system from getting trashed.  YOU did not even take these
minimalist measures.  If you were sued for damage caused by an
attacker using your machine, odds are probably good you'd be found
at least partially liable through negligence.

The #1 weakness in the vast majority of security systems is the people
who use and/or manage them.  If my comments are harsh, it is not with
the intent of making you or anyone feel small or stupid, so I
apologize if I've offended anyone.  It isn't reasonable to think that
everyone will be network security experts, nor do I think that.
However, my intent is to attempt to drive home very un-subtly this
extremely important point:

The message that folks like Kenny and myself have been trying to get
across for some time now, for the benefit of you and for everyone
here, IF YOU HAVE A SYSTEM CONNECTED DIRECTLY TO THE INTERNET, AND YOU
DO NOT TAKE STEPS TO SAFEGUARD IT, YOU *WILL* BE BURNED, AND YOU
*WILL* PAY THE PRICE.

It is only a question of when, not if, and of what your price will be.
In your case, it was your high-speed access.  For others, it may only
be a re-install of your system, and for still others, there is the
very real (though perhaps much less likely) threat of law suits or
even imprisonment.  THIS IS NOT A JOKE.

Given the number of people who have posted regarding being compromised
just in the past month or so, I should hope this would be self-evident
by now.

My ridiculously long sig is particularly poignant:

-- 
  I have written this book partly to correct a mistake... A colleague of
mine once told me that the world was full of bad security systems
designed by people who read Applied Cryptography.
  Since writing the book, I have made a living as a cryptography
consultant: designing and analyzing security systems. To my initial
surprise, I found that the weak points had nothing to do with the
mathematics.  They were in the hardware, the software, the networks,
and the people.  Beautiful pieces of mathematics were made irrelevant
through bad programming, a lousy operating system, or someone's bad
password choice.  I learned to look beyond the cryptography, at the
entire system, to find weaknesses.  I started repeating a couple of
sentiments you'll find throughout this book: 'Security is a chain;
it's only as secure as the weakest link.' 'Security is a process, not
a product.'

--Bruce Schneier, from Secrets & Lies
---
Derek Martin  |   Unix/Linux geek
[EMAIL PROTECTED]|   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu


**
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**




Re: A story and some advice.

2001-04-28 Thread James R. Van Zandt


Alex Hewitt USG [EMAIL PROTECTED] writes:

Greg, the best advice that you will get from me and others who
frequent this group is to invest in a firewall/router box. I use the
LinkSys BEFSR41 which has 4 10/100 ports but there are several other
manufacturers of these devices. They cost around $150 or so but allow
you to share up to 4 systems on your cable-modem connection and as
far as I know are impervious to hackers/script kiddies. Well worth
the peace of mind!

Is there an analogous turnkey firewall solution for dialup access?

 - Jim Van Zandt





Re: A story and some advice.

2001-04-28 Thread Derek Martin

On Wed, Apr 25, 2001 at 12:13:43PM -0500, Mansur, Warren wrote:

 I suppose everyone has a different opinion on this, so I figure I might
 as well share mine :-)
 
 If a thief breaks into my car, and then uses it to run over and kill 10
 people, am I responsible for the death of those 10 people?  The police
 may at first suspect me because my car was used, but as soon as they
 find out my car was stolen and someone else did the killing, I will be
 absolved of all charges.

This analogy is nice to a point, but it breaks down because the
governing body of law is not the same.



 Similarly, if someone breaks into my computer, and then uses it to hack
 into other systems, scan other systems, spread viruses, etc . . . , am I
 responsible for the hacking, scanning, or viruses?  

YES.  Or, maybe, depending on the computer crime laws where you live,
or where the victims live, or on the mood of the judge or jury, or the
shade of blue of the suit you wear to the trial.  The law is a funny
thing.  According to an FBI supervisor who attended the SANS
conference I went to, there are cases where those who have been hacked
have been held responsible.

Do you want to risk it?  

 Nothing works this way in life.  If I own a hammer, and someone uses my
 hammer to kill somebody, am I a murderer?  If I own a crowbar, and
 someone uses my crowbar to break into a house, do I become a thief?  If
 I own a computer, and someone uses my computer to hack into other
 systems, do I become a hacker?

A better analogy might be, if a criminal breaks into your house, and
trips over a faulty board in your staircase, might you be found
liable for the burglar's injuries?  

The answer, absurd as it may be, is often YES.

And in those cases, you are guilty of negligence or similar.  Much as
you are in not taking measures to secure your system.


 Therefore it is my opinion that ATT cannot say that you are a hacker
 based only on the fact that your computer has been involved in some
 illegal activities, and their policy to permanently turn off your
 service is basically ridiculous. 

Except that they don't care if you are a hacker.  Their network is
being used for illegal computer crime, and you are the account holder
and owner of the machine in question.

Remember my question about wanting to take the risk?  MediaOne has a
LOT more to lose than you do, and they obviously have decided they
don't want to risk it.  I like M1 as little as many people here, but
on this I'm on their side 100%.  If it were my network, I'd kick you
off too.

--
---
Derek Martin  |   Unix/Linux geek
[EMAIL PROTECTED]|   GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu






Re: A story and some advice.

2001-04-25 Thread Greg Kettmann

Hey, I'm in.  Just give me some warning and I'll cancel all business trips.
Hey, I'll even be happy to talk about what NOT to do :-)

Mark Komarinski wrote:

 Another vote.  I can demonstrate Coyote Linux (single floppy Linux
 firewall) and maybe bring along my SMC Barricade box for demo as well.

 -Mark

 Bill Sconce wrote:

 
  [EMAIL PROTECTED] wrote:
 
  [EMAIL PROTECTED] writes:
 
   The box isn't really more secure than Linux, it's just that there's
    fewer things to go wrong - and if someone does have an exploit
    for a firmware bug, it's usually fixed with the next powercycle.
    It would be an equivalent to running something like the Linux Router
    Project (which is a bootable floppy with a dedicated firewall).
 
 
  That sounds like a great meeting.
   Let the new users know what a firewall is, what it can,
   & can't do, & a brief how-to set up a Linux firewall.
 
 
 
 
  Another vote for such a meeting.  Precautions for exposing
  your Linux system to the 'net...
 
   This entire thread has been an education;  one of those "yeah, I
   sorta knew there was an issue there, but" indicative of an area
   where I needed to do a whole lot more thinking.
 
  1.  You're responsible for what you allow your system to
  do to the 'net.   Hmmm.
 
  2.  Your ISP will be mad at YOU when you get cracked.  Hmmm.
 
  3.  Installing Linux can give crackers a more powerful tool
  than installing WinXXX.   Hmmm.
 
 
  A big thank you to Greg for sharing this painful story with us.
 
  Sometimes security discussions remind me of flying, where we
  try hard to learn from mistakes.  An old pilots' aphorism says:
 
  Good decisions come from experience.
  Experience comes from bad decisions.
 
  -Bill

 --
 Mark Komarinski - Senior Systems Engineer - VA Linux Systems
 (cell)  978-697-2228
 (email) [EMAIL PROTECTED]
 Have one day pleasant - Babelfish





Re: A story and some advice.

2001-04-25 Thread cdowns

Mansur, Warren wrote:

 I suppose everyone has a different opinion on this, so I figure I might
 as well share mine :-)

 If a thief breaks into my car, and then uses it to run over and kill 10
 people, am I responsible for the death of those 10 people?  The police
 may at first suspect me because my car was used, but as soon as they
 find out my car was stolen and someone else did the killing, I will be
 absolved of all charges.

 Similarly, if someone breaks into my computer, and then uses it to hack
 into other systems, scan other systems, spread viruses, etc . . . , am I
 responsible for the hacking, scanning, or viruses?  Again, your internet
 provider may at first suspect you because it was your computer that
 committed the crimes.  But, as soon as they find out it wasn't you, how
 can they say it's your fault?

 Nothing works this way in life.  If I own a hammer, and someone uses my
 hammer to kill somebody, am I a murderer?  If I own a crowbar, and
 someone uses my crowbar to break into a house, do I become a thief?  If
 I own a computer, and someone uses my computer to hack into other
 systems, do I become a hacker?

 The obvious answer is no way.

 Ownership by itself does not imply guilt.

 Therefore it is my opinion that ATT cannot say that you are a hacker
 based only on the fact that your computer has been involved in some
 illegal activities, and their policy to permanently turn off your
 service is basically ridiculous.  There are other alternatives such as
 tracking down the hacker or providing help with some type of firewall
 service.

 That's my opinion.  I'm sure there are 50 others :-)

 -Warren

 -Original Message-
 From: Greg Kettmann [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, April 25, 2001 12:42 PM
 To: David Roberts
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: A story and some advice.

 Folks:  First, I really appreciate all the feedback.  Most has been
 excellent.

 About the only area that I fundamentally disagree with is sort of the
 combination it's my fault / M1 - ATT is doing OK.  Yes, I accept my
 share
 of the responsibility but I really, REALLY think that M1/ATT, who have
 the
 resources, should be doing something to try to actually go after the
 crackers.  OK, I'm not just an innocent victim and I'm responsible for
 putting my high performance sports car on the net but M1/ATT owns the
 highway
 and they certainly have capabilities and facilities that far outstrip
 what I
 have on my Linux Firewall.

 That said, my brother is a reporter and I can either get published or he
 can
 get published.  M1/ATT is a monopoly and I think simply discontinuing
 someone's service forever and ignoring the cracker is not an
 appropriate
 behavior.  So please, any suggestions for writing to cover  M1's
 responsibility in all this?  They're the only game in town and they're a
 major
 player on the Internet.  Are they really taking the most appropriate
 actions
 and doing all they can to make the Internet safe for everyone?

 Clearly I'm biased and I'm mad right now.  But it really bothers me that
 M1
 can have so little corporate responsibility for solving these problems.
 Yes,
 they can just kick anyone off that gets caught port scanning but we all
 know
 that this is not a permanent solution.  The cracker will just crack
 another
 box and nothing will have been done to correct the core problem.

 Finally, I'm very concerned about the perception here that Linux is bad
 for
 the Internet.  True Windows is a brick and Linux a Porsche but people
 buying
 stuff at Best Buy don't care about that.  They just want to browse the
 web.
 Remember the saying "guns don't kill people, people do" (FLAMES OFF,
 this was
 not a political statement, merely an analogy).  If a Linux box is more
 capable
 of doing damage on the web then this is a PR or a perception issue that
 must
 be addressed and yes, in my current job capacity that's exactly the
 types of
 things I worry about.  The perception here is that Linux is a loose
 cannon on
 the Internet, if not properly bolted down and yet the average user has
 no idea
 how to bolt it down, therefore Linux is inappropriate for the average
 user.

 I don't know.  Please feel free to comment away.  I'll post what I write
 before I send it to my brother.

 Thanks for all your help.


the problem persists that your equipment could be seized until evidence
concludes that the guilty party

Re: A story and some advice.

2001-04-25 Thread Mark Komarinski

If you leave your car unlocked and the thief can take the car three times,
I'm sure the police and/or your insurance company will want
to have a chat with you.

-Mark

Mansur, Warren wrote:

 I suppose everyone has a different opinion on this, so I figure I might
 as well share mine :-)
 
 If a thief breaks into my car, and then uses it to run over and kill 10
 people, am I responsible for the death of those 10 people?  The police
 may at first suspect me because my car was used, but as soon as they
 find out my car was stolen and someone else did the killing, I will be
 absolved of all charges.
 
 Similarly, if someone breaks into my computer, and then uses it to hack
 into other systems, scan other systems, spread viruses, etc . . . , am I
 responsible for the hacking, scanning, or viruses?  Again, your internet
 provider may at first suspect you because it was your computer that
 committed the crimes.  But, as soon as they find out it wasn't you, how
 can they say it's your fault?
 
 Nothing works this way in life.  If I own a hammer, and someone uses my
 hammer to kill somebody, am I a murderer?  If I own a crowbar, and
 someone uses my crowbar to break into a house, do I become a thief?  If
 I own a computer, and someone uses my computer to hack into other
 systems, do I become a hacker?
 
 The obvious answer is no way.
 
 Ownership by itself does not imply guilt.
 
 Therefore it is my opinion that ATT cannot say that you are a hacker
 based only on the fact that your computer has been involved in some
 illegal activities, and their policy to permanently turn off your
 service is basically ridiculous.  There are other alternatives such as
 tracking down the hacker or providing help with some type of firewall
 service.
 
 That's my opinion.  I'm sure there are 50 others :-)
 
 -Warren
 
 -Original Message-
 From: Greg Kettmann [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, April 25, 2001 12:42 PM
 To: David Roberts
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: A story and some advice.
 
 
 Folks:  First, I really appreciate all the feedback.  Most has been
 excellent.
 
 About the only area that I fundamentally disagree with is sort of the
 combination it's my fault / M1 - ATT is doing OK.  Yes, I accept my
 share
 of the responsibility but I really, REALLY think that M1/ATT, who have
 the
 resources, should be doing something to try to actually go after the
 crackers.  OK, I'm not just an innocent victim and I'm responsible for
 putting my high performance sports car on the net but M1/ATT owns the
 highway
 and they certainly have capabilities and facilities that far outstrip
 what I
 have on my Linux Firewall.
 
 That said, my brother is a reporter and I can either get published or he
 can
 get published.  M1/ATT is a monopoly and I think simply discontinuing
 someone's service forever and ignoring the cracker is not an
 appropriate
 behavior.  So please, any suggestions for writing to cover  M1's
 responsibility in all this?  They're the only game in town and they're a
 major
 player on the Internet.  Are they really taking the most appropriate
 actions
 and doing all they can to make the Internet safe for everyone?
 
 Clearly I'm biased and I'm mad right now.  But it really bothers me that
 M1
 can have so little corporate responsibility for solving these problems.
 Yes,
 they can just kick anyone off that gets caught port scanning but we all
 know
 that this is not a permanent solution.  The cracker will just crack
 another
 box and nothing will have been done to correct the core problem.
 
 Finally, I'm very concerned about the perception here that Linux is bad
 for
 the Internet.  True Windows is a brick and Linux a Porsche but people
 buying
 stuff at Best Buy don't care about that.  They just want to browse the
 web.
 Remember the saying "guns don't kill people, people do" (FLAMES OFF,
 this was
 not a political statement, merely an analogy).  If a Linux box is more
 capable
 of doing damage on the web then this is a PR or a perception issue that
 must
 be addressed and yes, in my current job capacity that's exactly the
 types of
 things I worry about.  The perception here is that Linux is a loose
 cannon on
 the Internet, if not properly bolted down and yet the average user has
 no idea
 how to bolt it down, therefore Linux is inappropriate for the average
 user.
 
 I don't know.  Please feel free to comment away.  I'll post what I write
 before I send it to my brother.
 
 Thanks for all your help.
 
 

Re: A story and some advice.

2001-04-25 Thread Benjamin Scott

On Wed, 25 Apr 2001, Greg Kettmann wrote:
 Yes, I accept my share of the responsibility but I really, REALLY think
 that M1/ATT, who have the resources, should be doing something to try to
 actually go after the crackers.

  What do you suggest they do?

  What makes you think they have the resources?  They are a data provider, not
an information security firm.

  Serious questions, both.

 I think simply discontinuing someones service forever and ignoring the
 cracker is not an appropriate behavior.

  I think their policy is a little unforgiving, in that you basically have two
strikes, and then you are banned for life.

  On the other hand, look at it from their point of view: You were violating
their terms of service.  They told you to stop.  You ignored them.  They
terminated your service.

  I think it is important to see *all* sides of the story here.

 So please, any suggestions for writing to cover M1's responsibility in all
 this?

  I suggest attacking it from the angle that HSISPs (High Speed Internet
Service Providers) are selling a service without informing their customers of
the dangers inherent in connecting to a public network (regardless of OS).  
If they want to wash their hands of all responsibility, that is their right --
but that should be made crystal clear up front.

  To continue the car analogy: HSISPs are selling Formula One race cars
without letting people know such cars are not as safe as the family Volvo
station wagon.

  The other thing I would focus on is the monopoly aspect of Cable Internet
providers.  There is no possibility of another company coming in and offering
data services *and* information security services, i.e., a safe Internet
connection.  American Capitalism depends on competition to force corporate
change.  Cable monopolies have no incentive to improve things.

 Are they really taking the most appropriate actions and doing all they can
 to make the Internet safe for everyone?

  (This is really starting to turn into a political argument, but what the
hell...)

  Is it their responsibility to make sure the Internet is safe for everyone?

 But it really bothers me that M1 can have so little corporate
 responsibility for solving these problems.

  I don't expect this to make you feel any better, but I've discovered that
corporate responsibility is an oxymoron.

 Finally, I'm very concerned about the perception here that Linux is bad
 for the Internet.

  The Internet is bad for the Internet.

 True Windows is a brick and Linux a Porsche but people buying stuff at
 Best Buy don't care about that.  They just want to browse the web.

  If they just want to browse the web, then it really doesn't matter what they
buy.  Indeed, they are probably better off with a $600 Windows PC that can
run all the silly gags and tricks that people forward around in email.  If it
gets virused, they wipe the drive with the restore CD and pick-up where they
left off.

 If a Linux box is more capable of doing damage on the web ...

  It is simply that Linux is cheaper.  With Windows, you have to pay and pay
and pay every time you want to do something.  Linux includes it all for free.  
You can do all this from Windows, the user just has to pay tens of thousands
in software licenses to do it.

 The perception here is that Linux is a loose cannon on the Internet ...

  One could take that view.  But it would be rather like blaming Media One for
one's system getting cracked.  ;-)

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |






Re: A story and some advice.

2001-04-25 Thread David Roberts

[EMAIL PROTECTED] wrote:
 
 [EMAIL PROTECTED] writes:
  The box isn't really more secure than Linux, it's just that there's
   fewer things to go wrong - and if someone does have an exploit
   for a firmware bug, it's usually fixed with the next powercycle.
   It would be an equivalent to running something like the Linux Router
   Project (which is a bootable floppy with a dedicated firewall).
 
 That sounds like a great meeting.
 Let the new users know what a firewall is, what it can,
 & can't do, & a brief how-to set up a Linux firewall.
 This would include examples using the 2.4 kernel, which
 everyone will soon be using, theoretically, I think.
 Does the Linux Router Project use 2.4 yet?
 Since Bruce did the Feb. meeting, I won't put him on the spot.
 
 Who wants to step up to the plate?
 
 Bob Sparks
 Never attribute to malice, that which can be explained by stupidity.
 Never attribute to stupidity, that which can be explained by lack of
 information.
 

[... snip ...]

This is an excellent idea!!!  I wish I were qualified to do the
presentation, but sadly I'm still not quite there yet...  I could
probably use some more education on the topic though!

<soapbox>
If we keep telling people about the virtues of Linux (all these
same people who run Windows-9x and have had no security problems
other than the usual mail viruses etc.), we also need to inform
them of the importance of, and how to harden their systems.  If
we get a person to actually go thru the install/setup process,
and then they are up for only a few hours before being being
compromised WE HAVE FAILED THEM.  It's like me handing my 12-year
old the keys to my motorcycle and telling him it is better than
his 10-speed and then blaming him for smacking the tree at the
end of my street.  I gave him the keys without giving him the
knowledge of how to use the bike properly.  We are doing the
same thing with our install fests and Linux hype - and yes, I
have to admit, I'm guilty of this as well.  :\
</soapbox>

Just my $.02 worth...  I'm now running for the fallout shelter in
expectation of all the hate mail this will probably stir up...

D. Roberts
-- 
The day Microsoft makes a product that doesn't suck is the day they start
 making vacuum cleaners.   -- As seen on the 'net




Re: A story and some advice.

2001-04-25 Thread Paul Lussier


In a message dated: Wed, 25 Apr 2001 12:13:43 CDT
Mansur, Warren said:

If a thief breaks into my car, and then uses it to run over and kill 10
people, am I responsible for the death of those 10 people?  The police
may at first suspect me because my car was used, but as soon as they
find out my car was stolen and someone else did the killing, I will be
absolved of all charges.

Depends, you can easily be held accountable for accessory to the 
crime, aiding and abetting, wrongful death, etc.  The police may not 
charge you, but if it is discovered that the windows were down and 
the keys were in it, something else usable by the prosecution, get 
ready for a civil lawsuit brought on by the families of the victims...

Similarly, if someone breaks into my computer, and then uses it to hack
into other systems, scan other systems, spread viruses, etc . . . , am I
responsible for the hacking, scanning, or viruses?  Again, your internet
provider may at first suspect you because it was your computer that
committed the crimes.  But, as soon as they find out it wasn't you, how
can they say it's your fault?

You enabled the perpetrator by allowing access to the weapon.

Nothing works this way in life.  If I own a hammer, and someone uses my
hammer to kill somebody, am I a murderer?  If I own a crowbar, and
someone uses my crowbar to break into a house, do I become a thief?  If
I own a computer, and someone uses my computer to hack into other
systems, do I become a hacker?

No, you are not the hacker or the thief, but you did enable them to 
carry out their crimes.  In the case of the computer, if you did not 
perform your due diligence of constantly upgrading your systems to 
protect from malicious individuals, you are guilty through negligence.

It's the same as if someone broke into your house and found your gun 
not locked in a safe and that gun was then used to kill someone.

Ownership by itself does not imply guilt.

We're not saying anyone is guilty of committing the crime in 
question.  We are saying that you are guilty of enabling, aiding and 
abetting, and accessory to the crime via negligence.

Therefore it is my opinion that ATT cannot say that you are a hacker
based only on the fact that your computer has been involved in some
illegal activities, and their policy to permanently turn off your
service is basically ridiculous.  There are other alternatives such as
tracking down the hacker or providing help with some type of firewall
service.

That's my opinion.  I'm sure there are 50 others :-)

ATT is not saying that he is a hacker.  They are saying that through 
his negligence, he has enabled others to disrupt their service and 
therefore, he is being held accountable for his negligence *and* for 
ignoring their warnings.
-- 

Seeya,
Paul

It may look like I'm just sitting here doing nothing,
   but I'm really actively waiting for all my problems to go away.

 If you're not having fun, you're not doing it right!







Re: A story and some advice.

2001-04-25 Thread Bill Sconce



[EMAIL PROTECTED] wrote:
 
 [EMAIL PROTECTED] writes:
  The box isn't really more secure than Linux, it's just that there's
   fewer things to go wrong - and if someone does have an exploit
   for a firmware bug, it's usually fixed with the next powercycle.
   It would be an equivalent to running something like the Linux Router
   Project (which is a bootable floppy with a dedicated firewall).
 
 That sounds like a great meeting.
 Let the new users know what a firewall is, what it can,
 & can't do, & a brief how-to set up a Linux firewall.



Another vote for such a meeting.  Precautions for exposing
your Linux system to the 'net...

This entire thread has been an education;  one of those "yeah, I
sorta knew there was an issue there, but" indicative of an area
where I needed to do a whole lot more thinking.

1.  You're responsible for what you allow your system to
do to the 'net.   Hmmm.

2.  Your ISP will be mad at YOU when you get cracked.  Hmmm.

3.  Installing Linux can give crackers a more powerful tool
than installing WinXXX.   Hmmm.


A big thank you to Greg for sharing this painful story with us.

Sometimes security discussions remind me of flying, where we
try hard to learn from mistakes.  An old pilots' aphorism says:

Good decisions come from experience.
Experience comes from bad decisions.

-Bill
-- 
We have to make a management decision
Jerry Mason, Morton Thiokol, Inc.
27 January 1986





Re: A story and some advice.

2001-04-25 Thread Benjamin Scott

On Wed, 25 Apr 2001, mike ledoux wrote:
 can and you keep on top of it.  If you don't want your salami to be
 used to bludgeon someone to death, make sure people with the
 malicious intent can't get at it.  So lock up your salami dammit :)
 
 Salami wants to be free.

  Open Source salami?  I dunno, I don't think I *want* to know what goes into
salami... ;-)

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |






RE: A story and some advice.

2001-04-25 Thread Lawrence.Tilly

To begin, don't think I'm happy offering any defense to M1.  In fact, I am
VERY anti-M1.  Every couple months they alter my basic ($8.50) channel line
up, pulling another real channel out of the mix and giving me more
shopping/religious/ethnic channels.  I have no say in this change.  It is
being done for the single reason of getting people to upgrade basic service
(their next cheapest package is almost $30/month).  And because of the
monopoly situation of cable I cannot go elsewhere.  I have no reason to look
at satellite because I am trying to get a decent CHEAP package...I only
watch a maximum of 3 hours of tv / week...I just liked being able to select
some of that viewing time from Discover / History / TLC, etc.  That said, I
don't think that M1's steps in this situation are anything less than should
be expected.  Let me shine a different light on Warren's example:
  A thief steals your car because you left it parked on the street, unlocked
and with keys in ignition (the best analogy I can think of for an out-of-the
box Linux install connected to the net).  The thief uses your car as a
getaway vehicle for a bank robbery (more analogous to the computer crime
than manslaughter is).  You are initially questioned, but determined that
you are not responsible.  The next week, that thief comes back and takes
your car again because you STILL have it parked on the street, you STILL
have the doors unlocked, and you STILL leave the keys in the ignition.  The
car is again used to commit a crime.  You are not responsible for the crime
but the police will probably determine that you are responsible for
SOMETHING.  After all, who's to say you were not good friends w/ the thief
and left your car available in exchange for a cut of the loot.  Likewise,
how does M1 know that you are not purposefully leaving your system sitting
ready w/ all tools open so that a friend of yours can use it as a cracking
base-of-operations and if it gets tracked back, you can claim It's not my
fault...my system was cracked!  

0.02
-Larry

 -Original Message-
 From: Mansur, Warren [SMTP:[EMAIL PROTECTED]]
 Sent: Wednesday, April 25, 2001 1:14 PM
 To:   Greg Kettmann; David Roberts
 Cc:   [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject:  RE: A story and some advice.
 
 I suppose everyone has a different opinion on this, so I figure I might
 as well share mine :-)
 
 If a thief breaks into my car, and then uses it to run over and kill 10
 people, am I responsible for the death of those 10 people?  The police
 may at first suspect me because my car was used, but as soon as they
 find out my car was stolen and someone else did the killing, I will be
 absolved of all charges.
 
 Similarly, if someone breaks into my computer, and then uses it to hack
 into other systems, scan other systems, spread viruses, etc . . . , am I
 responsible for the hacking, scanning, or viruses?  Again, your internet
 provider may at first suspect you because it was your computer that
 committed the crimes.  But, as soon as they find out it wasn't you, how
 can they say it's your fault?
 
 Nothing works this way in life.  If I own a hammer, and someone uses my
 hammer to kill somebody, am I a murderer?  If I own a crowbar, and
 someone uses my crowbar to break into a house, do I become a thief?  If
 I own a computer, and someone uses my computer to hack into other
 systems, do I become a hacker?
 
 The obvious answer is no way.
 
 Ownership by itself does not imply guilt.
 
 Therefore it is my opinion that ATT cannot say that you are a hacker
 based only on the fact that your computer has been involved in some
 illegal activities, and their policy to permanently turn off your
 service is basically ridiculous.  There are other alternatives such as
 tracking down the hacker or providing help with some type of firewall
 service.
 
 That's my opinion.  I'm sure there are 50 others :-)
 
 -Warren
 
 -Original Message-
 From: Greg Kettmann [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, April 25, 2001 12:42 PM
 To: David Roberts
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: Re: A story and some advice.
 
 
 Folks:  First, I really appreciate all the feedback.  Most has been
 excellent.
 
 About the only area that I fundamentally disagree with is sort of the
 combination it's my fault / M1 - ATT is doing OK.  Yes, I accept my share
 of the responsibility but I really, REALLY think that M1/ATT, who have the
 resources, should be doing something to try to actually go after the
 crackers.  OK, I'm not just an innocent victim and I'm responsible for
 putting my high performance sports car on the net but M1/ATT owns the highway
 and they certainly have capabilities and facilities that far outstrip what I
 have on my Linux Firewall.
 
 That said, my brother is a reporter and I can either get published or he can
 get published.  M1/ATT is a monopoly and I think simply discontinuing
 someone's service forever and ignoring the cracker is not an
 appropriate

OT: Safe Salami [ was Re: A story and some advice.]

2001-04-25 Thread Paul Lussier


In a message dated: Wed, 25 Apr 2001 14:23:26 EDT
Tilly, Lawrence said:

Ok...WAY out of context, but I think THAT would make for an interesting
bumper sticker

Lock up your salami, dammit!

I knew that statement would get some attention; anyone .sig'ed me
yet? ;)
-- 

Seeya,
Paul

It may look like I'm just sitting here doing nothing,
   but I'm really actively waiting for all my problems to go away.

 If you're not having fun, you're not doing it right!







Re: A story and some advice.

2001-04-25 Thread Greg Kettmann

Folks:  First, I really appreciate all the feedback.  Most has been excellent.

About the only area that I fundamentally disagree with is sort of the
combination it's my fault / M1 - ATT is doing OK.  Yes, I accept my share
of the responsibility but I really, REALLY think that M1/ATT, who have the
resources, should be doing something to try to actually go after the
crackers.  OK, I'm not just an innocent victim and I'm responsible for
putting my high performance sports car on the net but M1/ATT owns the highway
and they certainly have capabilities and facilities that far outstrip what I
have on my Linux Firewall.

That said, my brother is a reporter and I can either get published or he can
get published.  M1/ATT is a monopoly and I think simply discontinuing
someone's service forever and ignoring the cracker is not an appropriate
behavior.  So please, any suggestions for writing to cover  M1's
responsibility in all this?  They're the only game in town and they're a major
player on the Internet.  Are they really taking the most appropriate actions
and doing all they can to make the Internet safe for everyone?

Clearly I'm biased and I'm mad right now.  But it really bothers me that M1
can have so little corporate responsibility for solving these problems.  Yes,
they can just kick anyone off that gets caught port scanning but we all know
that this is not a permanent solution.  The cracker will just crack another
box and nothing will have been done to correct the core problem.

Finally, I'm very concerned about the perception here that Linux is bad for
the Internet.  True, Windows is a brick and Linux a Porsche but people buying
stuff at Best Buy don't care about that.  They just want to browse the web.
Remember the saying guns don't kill people, people do (FLAMES OFF, this was
not a political statement, merely an analogy).  If a Linux box is more capable
of doing damage on the web then this is a PR or a perception issue that must
be addressed and yes, in my current job capacity that's exactly the types of
things I worry about.  The perception here is that Linux is a loose cannon on
the Internet, if not properly bolted down and yet the average user has no idea
how to bolt it down, therefore Linux is inappropriate for the average user.

I don't know.  Please feel free to comment away.  I'll post what I write
before I send it to my brother.

Thanks for all your help.






Re: A story and some advice.

2001-04-25 Thread ccb


 I'm confused here. Isn't that what Linux is supposed to do with IP*
 (name of the month)? 

Yes.

 Why is this box more secure than Linux?

Not necessarily so.  It's less complex than linux.  It is not actually
running any services, with the exception of an embedded web browser if
you allow management from specified external addresses.  There's
nothing at the router to attack using conventional stack-crash and
crowbar techniques.  New techniques will evolve but they're not here
yet.

  What are they doing that Linux isn't?

IPSec for one - that's the thing that actually pushed me over the
edge.  I was doing a host-based system.  Then my wife came home with
some Nortel VPN thingy and the amount of futzing I was going to have
to do to patch in an IPSec tunnel was the straw that broke the camel's
back.  The real question is: what aren't I doing once I've installed
this thing?  The answer is getting all balled up in the complexity of
configuring ipchains/iptables and keeping it all up to date.  With
the appliance I plugged it in, changed the IP address of my Linux box
so that it would be on the default network for the box (192.168.123),
pointed a web browser at 192.168.123.254:80, and told it to forward a
very small number of ports to my Linux box.  I then told it to
allocate 192.168.123.128 through 192.169.123.253 as DHCP space for
wired and wireless clients and set up my WEP settings.

Boom!  Almost done.  Had to reconfigure my TZO (dynamic DNS) agent to
go through a different port so that it would properly sense the
address of the gateway, not my host.

Firmware upgrades appear regularly.  I hit the config page on the
device, select update, it pops a dialog box with a file picker, it
uploads, updates and reboots.

My box is a cable/DSL router with packet filtering (it can also filter
outbound traffic by port by up to 3 groups of machines), a 3 port fast
ethernet switch, an 802.11b wireless basestation with 64-bit WEP, an
LPD print server with parallel port and a serial port for autodial
failover to dialup if my cable connection goes dark.  It's a DHCP
server and client, I can clone my MAC addr onto its outbound side, it
does PPPoE, PPTP and IPSec.  It allows the configuration of a DMZ host
or permits the direct forward of up to 10 ports to inside addresses.
It understands funky multiport applications like game services.  It's
fast, it's silent and it lets me focus my Linux security efforts on
traffic to exactly FOUR daemons on my Linux box.  And it lets me read
my email on the back deck ;-).

This was for $340, 20 minute setup and 20 minutes a week maintenance.
And yeah, it has no fans...

 Or what aren't they doing that Linux is?

Linux as a host-based router is unsurpassed in its power and
flexibility.  I would want to do it on a machine that's used for
nothing but firewalling and preferably without any accessible
permanent storage at run time.  For home use this means powering a
full PC carcass to run something like an LRP floppy NAT/firewall
system.  For home use where space and time are at a premium I'm
just not into it.

Now at the enterprise level, given a choice between a Linux-based
solution and some Cisco thing I'd take the Linux solution.  I'd go
through the extra hair of getting the IPSec MASQ working and I'd build
in a nice tight integration of packet filtering, proxy services and
monitoring.  And I'd get paid to do it. ;-)

In Greg's case I think it's a no-brainer.  Learn firewalling in a place
where ATT isn't breathing down your neck.


While I was writing somebody at db.desicom.de tried to tickle my
nameserver and was dutifully repulsed.


ccb

--
Charles C. Bennett, Jr. VA LiNUX Systems
Systems Engineer, Northeast US  25 Burlington Mall Rd., Suite 300
+1 617 543-6513 Burlington, MA 01803-4145
[EMAIL PROTECTED] www.valinux.com





Re: A story and some advice.

2001-04-25 Thread Benjamin Scott

On Wed, 25 Apr 2001, Mark Komarinski wrote:
 I can demonstrate Coyote Linux (single floppy Linux firewall) ...

  This I would be more interested in.  I can get a dedicated SOHO firewall at
Staples.  Finding the time to check out something like Coyote is harder.  :-)

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |






Re: A story and some advice.

2001-04-25 Thread Bobnhlinux

[EMAIL PROTECTED] writes:
 The box isn't really more secure than Linux, it's just that there's
  fewer things to go wrong - and if someone does have an exploit
  for a firmware bug, it's usually fixed with the next powercycle.
  It would be an equivalent to running something like the Linux Router
  Project (which is a bootable floppy with a dedicated firewall).
  
That sounds like a great meeting.
Let the new users know what a firewall is, what it can and
 can't do, and a brief how-to on setting up a Linux firewall.
This would include examples using the 2.4 kernel, which
everyone will soon be using, theoretically, I think.
Does the Linux Router Project use 2.4 yet?
Since Bruce did the Feb. meeting, I won't put him on the spot.

Who wants to step up to the plate?

Bob Sparks
Never attribute to malice, that which can be explained by stupidity.
Never attribute to stupidity, that which can be explained by lack of 
information.





RE: A story and some advice.

2001-04-25 Thread Brad Maxwell

OK, I'm not just an innocent victim and I'm responsible for
putting my high performance sports car on the net but M1/ATT owns the highway
and they certainly have capabilities and facilities that far outstrip what I
have on my Linux Firewall.

rant to follow

This, once again, raises the analogy between the highways ( a publicly
funded and governmentally policed piece of infrastructure) and the internet
( a collection of private and public networks that interoperate so long as
they can agree on some protocol which is not centrally funded or policed as
yet).  The problem with this analogy is particularly obvious in this case.
A publicly funded (through tax dollars) piece of infrastructure should be
equally available to all taxpayers.  Usage can reasonably be licensed and
licenses can reasonably be revoked by the government.

In the case of the internet your service provider is a private business and
is not subject to the interests of the taxpayers but rather the
shareholders.  The legal liabilities of the government for creating roads is
vastly different from the legal liabilities of the ISV for providing
connectivity.  The nature of the damage that can be done by a bad netizen is
different from that which can be done by a driver on the road.  The
efficiency and welcomeness of policing against this type of harm is
non-existent on the internet and in cases overwhelming on the highways.  It
might be better if the internet were government owned and policed (or not
8-)) but it isn't and this makes a large difference.  Do you want M1/ ATT
or the government policing your data stream to ensure that you don't get
hacked?  Think about what that means.  If they have the ability to actually
monitor the datastream for improper activities as described by (pick your
big-brother organization) I am not sure that I want them to do that.  What
else will they do with the information that they pickup along the way while
they are looking for the Bad-Guys?  When will they retro-actively decide to
change the description of improper activities and use their log files to
come and get me or you because of our anti-American, commie, linux-loving
freedom activities?  If you want the privileges that come with
participating in a relatively free society then accept the responsibility of
being self policing.  If we won't police ourselves we will be policed.

BTW: if you live in Nashua and you want physical connectivity to Boston you
only have one high-bandwidth provider - Rte 3.  Doesn't that suck?  And yes
you can have your license and registration permanently revoked for
misbehaving there as well.  One definite difference is that you can't be
banned from driving for what is done by your car when it is stolen.  But, of
course, the bartender can go to jail because you left his establishment and
crashed your car into the minivan full of MADD mothers.  So is this really
any different?  We unfortunately live in a society which is frantically
striving to avoid anything that smacks of personal responsibility and / or
ethics, as such you are often more at-risk legally for the actions of others
than for your own (which you can usually blame on someone else).

rant over

-Original Message-
From: Greg Kettmann [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 25, 2001 12:42 PM
To: David Roberts
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: A story and some advice.


Folks:  First, I really appreciate all the feedback.  Most has been
excellent.

About the only area that I fundamentally disagree with is sort of the
combination it's my fault / M1 - ATT is doing OK.  Yes, I accept my share
of the responsibility but I really, REALLY think that M1/ATT, who have the
resources, should be doing something to try to actually go after the
crackers.  OK, I'm not just an innocent victim and I'm responsible for
putting my high performance sports car on the net but M1/ATT owns the highway
and they certainly have capabilities and facilities that far outstrip what I
have on my Linux Firewall.

That said, my brother is a reporter and I can either get published or he can
get published.  M1/ATT is a monopoly and I think simply discontinuing
someone's service forever and ignoring the cracker is not an appropriate
behavior.  So please, any suggestions for writing to cover  M1's
responsibility in all this?  They're the only game in town and they're a major
player on the Internet.  Are they really taking the most appropriate actions
and doing all they can to make the Internet safe for everyone?

Clearly I'm biased and I'm mad right now.  But it really bothers me that M1
can have so little corporate responsibility for solving these problems.  Yes,
they can just kick anyone off that gets caught port scanning but we all know
that this is not a permanent solution.  The cracker will just crack another
box and nothing will have been done to correct the core problem.

Finally, I'm very concerned about the perception here that Linux is bad for
the Internet

Re: A story and some advice.

2001-04-24 Thread Kenneth E. Lussier

Greg Kettmann wrote:
 
 Well, I talked to their legal department, a million times better than
 their security department and it appears we can work something out.  So,
 my purpose here is two things.  One, to vent a little (thanks :-) ) and
 two to ask about known vulnerabilities.  My machine is a reformatted RH
 6.2 installation.  I intend (downloading the kernel from a modem really
 stinks) to upgrade to 2.2.18 (any reason to go to .19?) because I heard
 there was some fix there.  

There is a very good reason for going to 2.2.19. It fixes the security
holes that are in 2.2.16-2.2.18. Since you don't have time to really
work on this much, I suggest grabbing a copy of Bastille-Linux to do
some system hardening. It will also probably teach you a thing or two
while it works.

 Additionally I am going to get the latest
 BIND to fix that exploit.  I'm going to run a fairly tight IPCHAINS
 script.  I don't run an HTTP server on the firewall, nor any other
 services. 

If you aren't running any services, then I would take that to mean that
you aren't running a DNS server. If you aren't running a DNS server,
then you don't need BIND *at all*. If you don't need to run a DNS
server, which you probably don't unless you are running a domain, then I
wouldn't even have BIND installed. If it's not installed, then it can't
be exploited.

 I will have SSH and FTP open.  Other than that I will open
 only things for my Masquerading machines inside to get out.  (POP, SMTP,
 HTTP, Time (13), Probably IRC and IDENTD (needed for many IRC's), FTP,
 etc pretty much the standard list.  Could one of you really good Network

If you are running SSH, then why do you need FTP? FTP is a bad idea for
several reasons: 1) username and password will be passed in clear text
(see SSH suggestion) 2) There are usually a few vulnerabilities found in
wu-ftpd on a monthly basis. Since you're running SSH anyway, just use
SCP in its place. If you want to run FTP despite all of the badness,
then I would suggest using public/private keypairs for SSH. If someone
sniffs your username and password from an FTP connection, and you are
using the same username and password for SSH, then the *crackers* will
have access to the system (but in a very secure manner ;-).

As for outgoing/MASQ traffic, you should be careful. There are
vulnerabilities in NTP clients and IRC clients. I would also restrict
the mail ports to specific servers (ie only allow smtp to and from
smtp.ne.mediaone.net and POP3 to/from pop.ne.mediaone.net). That limits
the risk of the opening. 

For the ipchains script, you can use Bastille to fashion one for you,
sort of, or you can build it yourself. However, and I *HAVE* to say
this, please don't use Rob Zeigler's utility. You'll only lose your M1
account again in a week or two ;-)

 Admin guys tell me if I'm on the right track?  Any other suggestions?
 Thanks.

You seem to be on the right track. Basically, allow all traffic
originating on the internal network out, but don't let anything in. Use
the `! -y` option. A LOT! Use a `default deny` policy. And log log log
log log. Log everything. Heck, set up an internal syslog server so that
you can have a good view of everything. Look into things like portsentry
and snort, but don't count on IDS's to protect you. There is no
substitute for reviewing logs. 

 Also, one other vent.  I wish those jerks at M1, instead of pulling the
 plug on my account, would first trace the darn thing and go try to catch
 the bad guy instead of harassing their customers.  Then they can pull
 the plug and give me a chance to fix it.  These procedures of theirs are
 doing nothing to fix the problem and just punishing the victims.  Rather
 like punishing someone because their car was stolen.  Argh.

It's not their job. Not to mention, Linux is unsupported. Oh, and have
you ever had your car stolen? The police do the same thing ;-)

C-Ya,
Kenny
-- 
-
 Kenneth E. Lussier
 Geek by nature, Linux by choice
 PGP KeyID 0xD71DF198
 Public key available @ http://pgp.mit.edu





Re: A story and some advice.

2001-04-24 Thread Kenneth E. Lussier

I don't know about that. I seem to remember a certain ADSL company
saying that their ADSL routers were impervious to penetration. Until
about two weeks ago, that is ;-) Besides, why spend the money when it
can all be done for free, and an added advantage is that you can learn a
little bit about security at the same time. This way, the next time he
designs a system, he can design a secure one ;-) Oh, and on top of that,
it doesn't take that long to review logs. Use something like logcheck
and have the program e-mail the logs to you every hour or so. It takes
two minutes to scan the e-mail for problem areas. Yes, hardening a
system is an on-going process, but it is one that you learn from. What
more can you ask for? You do the work, and the instant reward is
education. Unless you're management, education is always a good thing
;-)

C-Ya,
Kenny

Alex Hewitt USG wrote:
 
 Greg, the best advice that you will get from me and others who frequent this
 group is to invest in a firewall/router box. I use the LinkSys BEFSR41 which has
 4 10/100 ports but there are several other manufacturers of these devices. They
 cost around $150 or so but allow you to share up to 4 systems on your
 cable-modem connection and as far as I know are impervious to hackers/script
 kiddies. Well worth the peace of mind!
 
 -Alex
 
 P.S. Unless you have a lot of time on your hands, I think you will find that
 hardening a system is an on-going chore that you probably don't have the time
 for. Just reading the logs would be time consuming.
 
 Wirth's Law: Software gets slower faster than Hardware gets faster!
 
 On the side of the software box, in the 'System Requirements' section, it
 said 'Requires Windows 95 or better'. So I installed Linux.   - Anonymous
 

-- 
-
 Kenneth E. Lussier
 Geek by nature, Linux by choice
 PGP KeyID 0xD71DF198
 Public key available @ http://pgp.mit.edu





Re: A story and some advice.

2001-04-24 Thread ccb


For someone like Greg that isn't going to ride herd on his environment
nightly, I'd recommend dropping a whopping $125 on an appliance from
LinkSys, SMC, DLink or NetGear.  Filter out everything and check your
vendor's web site weekly for updates.

I did my own IPMasq/IPChains Linux box for a while and it was a great
learning experience but I'd rather spend the time with my kids than
being a second-rate Cliff Stoll.


ccb






Re: A story and some advice.

2001-04-24 Thread Mark Komarinski

Hi Greg,

Check out Smoothwall (www.smoothwall.org).  It's built for doing firewalling,
and has web interfaces for setting everything up.  Firewalls don't need to
be all that powerful, so a lightweight firewall config is going to be
best for you.

-Mark


Greg Kettmann wrote:

 I'm an Architect, which means I design computer solutions.  Once upon
 a time I was a network administrator but my hands on skills are not what
 I'd like them to be, certainly not in the Linux space.  This is sort of
 an apology for asking potentially dumb questions.
 
 Recently my Linux Firewall, connected to MediaOne, was cracked.  I'm
 absolutely furious about the way M1/ ATT handled the situation.  I knew
 my firewall wasn't tightened down very well, but it's just my house and
 I kept procrastinating.  So last week I get a nastygram from M1 saying
 my machine had been caught port scanning and that this activity was in
 violation of the Terms and Conditions for use.  This was a slap on the
 wrist and the next time they'd permanently pull my account.  Well, being
 on the road more often than not, I was only able to tighten up the
 machine, not reformat and rebuild.  Besides, I checked out the logs and
 there were tracks everywhere.  The idiot even built themselves an
 account.  I thought it was juvenile, amateur script kiddy stuff.  The
 following Sunday, about the only time I have time to work on anything,
 was Easter and family comes first.  So, on Friday, I was in New York
 City, Times Square and I get a call from my kids, very upset.  It seems
 that tightening up my firewall wasn't enough and they'd left a back
 door.  My machine had again been cracked and had been port scanning
 again.  Oops, my bad, I should have formatted the darn thing.  So, M1
 says, goodbye...forever.  Man am I mad at them.  I REALLY hate
 monopolies now.
 
 Well, I talked to their legal department, a million times better than
 their security department and it appears we can work something out.  So,
 my purpose here is two things.  One, to vent a little (thanks :-) ) and
 two to ask about known vulnerabilities.  My machine is a reformatted RH
 6.2 installation.  I intend (downloading the kernel from a modem really
 stinks) to upgrade to 2.2.18 (any reason to go to .19?) because I heard
 there was some fix there.  Additionally I am going to get the latest
 BIND to fix that exploit.  I'm going to run a fairly tight IPCHAINS
 script.  I don't run an HTTP server on the firewall, nor any other
 services.  I will have SSH and FTP open.  Other than that I will open
 only things for my Masquerading machines inside to get out.  (POP, SMTP,
 HTTP, Time (13), Probably IRC and IDENTD (needed for many IRC's), FTP,
 etc pretty much the standard list.  Could one of you really good Network
 Admin guys tell me if I'm on the right track?  Any other suggestions?
 Thanks.
 
 Also, one other vent.  I wish those jerks at M1, instead of pulling the
 plug on my account, would first trace the darn thing and go try to catch
 the bad guy instead of harassing their customers.  Then they can pull
 the plug and give me a chance to fix it.  These procedures of theirs are
 doing nothing to fix the problem and just punishing the victims.  Rather
 like punishing someone because their car was stolen.  Argh.
 
 
 
 


-- 
Mark Komarinski - Senior Systems Engineer - VA Linux Systems
(cell)  978-697-2228
(email) [EMAIL PROTECTED]
Have one day pleasant - Babelfish






RE: A story and some advice.

2001-04-24 Thread Brad Maxwell

He did say he was an Architect == PHB? ;-)

-Original Message-
From: Kenneth E. Lussier [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 24, 2001 4:57 PM
To: Alex Hewitt USG
Cc: Greg Kettmann; [EMAIL PROTECTED]
Subject: Re: A story and some advice.


I don't know about that. I seem to remember a certain ADSL company
saying that their ADSL routers were impervious to penetration. Until
about two weeks ago, that is ;-) Besides, why spend the money when it
can all be done for free, and an added advantage is that you can learn a
little bit about security at the same time. This way, the next time he
designs a system, he can design a secure one ;-) Oh, and on top of that,
it doesn't take that long to review logs. Use something like logcheck
and have the program e-mail the logs to you every hour or so. It takes
two minutes to scan the e-mail for problem areas. Yes, hardening a
system is an on-going process, but it is one that you learn from. What
more can you ask for? You do the work, and the instant reward is
education. Unless you're management, education is always a good thing
;-)

C-Ya,
Kenny

Alex Hewitt USG wrote:
 
 Greg, the best advice that you will get from me and others who frequent
 this group is to invest in a firewall/router box. I use the LinkSys
 BEFSR41 which has 4 10/100 ports but there are several other
 manufacturers of these devices. They cost around $150 or so but allow you
 to share up to 4 systems on your cable-modem connection and as far as I
 know are impervious to hackers/script kiddies. Well worth the peace of
 mind!
 
 -Alex
 
 P.S. Unless you have a lot of time on your hands, I think you will find
 that hardening a system is an on-going chore that you probably don't have
 the time for. Just reading the logs would be time consuming.
 
 Wirth's Law: Software gets slower faster than Hardware gets faster!
 
 On the side of the software box, in the 'System Requirements' section, it
 said 'Requires Windows 95 or better'. So I installed Linux.   - Anonymous
 

-- 
-
 Kenneth E. Lussier
 Geek by nature, Linux by choice
 PGP KeyID 0xD71DF198
 Public key available @ http://pgp.mit.edu
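The hourly log review Kenny suggests, as an added example (it is not logcheck itself and not code from any poster): an ignore list for routine lines, an alarm list for lines that must never pass quietly, and everything else left for a human to read. The log lines, patterns and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a small logcheck-style review pass.
# Routine lines are dropped, lines matching an alarm pattern are reported
# first, and whatever is left is shown as "unexplained" for a human to read.
# The log lines are constructed for the example, not from the compromised box.
LOG_FILE="${LOG_FILE:-$(mktemp)}"
cat > "$LOG_FILE" <<'EOF'
Apr 24 14:01:02 fw sshd[812]: Accepted publickey for greg from 192.168.1.10 port 40122 ssh2
Apr 24 14:02:10 fw kernel: FW-DROP-IN: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=111
Apr 24 14:03:33 fw sshd[830]: Failed password for root from 203.0.113.7 port 51002 ssh2
Apr 24 14:03:34 fw sshd[830]: Failed password for root from 203.0.113.7 port 51002 ssh2
Apr 24 14:05:00 fw CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
Apr 24 14:06:12 fw ftpd[910]: USER admin: login failed from 203.0.113.7
Apr 24 14:07:45 fw ntpd[940]: synchronized to 192.168.1.1, stratum 3
EOF

# Known-benign patterns for this box (assumed; grow the list as the logs teach you).
IGNORE='sshd\[[0-9]+\]: Accepted publickey for [a-z]+ from 192\.168\.1\.[0-9]+
CRON\[[0-9]+\]: \(root\) CMD'
# Patterns that should never pass quietly: root password guessing, dropped
# probes of the RPC portmapper (111), any FTP login failure.
ALARM='Failed password for root
FW-DROP-IN:.*DPT=111
login failed'

review_log() {
    # $1: log file. Emits "ALARM: ..." lines first, then "unexplained: ..." lines.
    tmp=$(mktemp -d)
    printf '%s\n' "$IGNORE" > "$tmp/ignore"
    printf '%s\n' "$ALARM" > "$tmp/alarm"
    grep -E -v -f "$tmp/ignore" "$1" > "$tmp/rest" || true
    grep -E -f "$tmp/alarm" "$tmp/rest" | sed 's/^/ALARM: /'
    grep -E -v -f "$tmp/alarm" "$tmp/rest" | sed 's/^/unexplained: /'
    rm -rf "$tmp"
}
alarm_count()       { review_log "$1" | grep -c '^ALARM: '; }
unexplained_count() { review_log "$1" | grep -c '^unexplained: '; }

# Kenny's hourly mail from cron would be along these lines (assumed paths):
#   0 * * * *  root  sh /usr/local/sbin/review_log.sh run | mail -s "fw log review" greg
if [ "${1:-}" = "run" ]; then
    review_log "${2:-/var/log/messages}"
fi
```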





Re: A story and some advice.

2001-04-24 Thread Bobnhlinux

In a message dated 4/24/2001 4:48:27 PM Eastern Daylight Time, 
[EMAIL PROTECTED] writes:

 Greg, the best advice that you will get from me and others who frequent
 this group is to invest in a firewall/router box. I use the LinkSys
 BEFSR41 which has 4 10/100 ports but there are several other
 manufacturers of these devices. They cost around $150 or so but allow you
 to share up to 4 systems on your cable-modem connection and as far as I
 know are impervious to hackers/script kiddies. Well worth the peace of
 mind!
 
 -Alex
 
I'm confused here. Isn't that what Linux is supposed to do with 
IP* (name of the month)?
Why is this box more secure than Linux?
What are they doing that Linux isn't? Or what aren't they doing that Linux is?

Bob Sparks
Linux enthusiast / mouth / newbie / fanatic / ...





Re: A story and some advice.

2001-04-24 Thread Kenneth E. Lussier

Greg, 

If you still have any, I would like to see what the logs look like. This
would be a big advantage in figuring out where you went wrong the first
time, and invaluable in preventing the same mistake from being made
again.

Kenny

Greg Kettmann wrote:
 
 I'm an Architect, which means I design computer solutions.  Once upon
 a time I was a network administrator but my hands on skills are not what
 I'd like them to be, certainly not in the Linux space.  This is sort of
 an apology for asking potentially dumb questions.

-- 
-
 Kenneth E. Lussier
 Geek by nature, Linux by choice
 PGP KeyID 0xD71DF198
 Public key available @ http://pgp.mit.edu





Re: A story and some advice.

2001-04-24 Thread Ray Cote

At 2:56 PM -0400 4/24/01, Greg Kettmann wrote:
Also, one other vent.  I wish those jerks at M1, instead of pulling the
plug on my account, would first trace the darn thing and go try to catch
the bad guy instead of harassing their customers.  Then they can pull
the plug and give me a chance to fix it.  These procedures of theirs are
doing nothing to fix the problem and just punishing the victims.  Rather
like punishing someone because their car was stolen.  Argh.


Perhaps a better analogy than having your car stolen is that the car was
left at the top of a steep hill, in neutral, the parking brake was not
set, and some hooligan came by and gave it a push.
Yes it is a pain in the butt, but you need to react to these things
quickly and swiftly.

Ray
-- 
---
Raymond Cote, President Appropriate Solutions, Inc.
www.AppropriateSolutions.com   [EMAIL PROTECTED]
603.924.6079(v)  POB 458, Peterborough, NH 03458  603.924.8668(f)





RE: A story and some advice.

2001-04-24 Thread Mansur, Warren

I second the notion of using a firewall/router box.  I use one at home,
and since I have no need to connect from outside the home to inside the
home, I just set up the router to block all ports when coming from the
outside.  And, as far as I know no one can crack it because it
automatically drops all incoming requests!  And, even if you have to
connect on some ports from the outside, you can specify which machines
to redirect them to and make sure those machines are as secure as
possible.  Best of all, it's extremely easy as it has a nice web
management interface to manage all the settings (mine's a Linksys
DSL/cable router but there are others available).

-Warren

-Original Message-
From: Hewitt, Alexander 
Sent: Tuesday, April 24, 2001 4:48 PM
To: Greg Kettmann
Cc: [EMAIL PROTECTED]
Subject: Re: A story and some advice.


Greg, the best advice that you will get from me and others who frequent
this group is to invest in a firewall/router box. I use the LinkSys
BEFSR41 which has 4 10/100 ports but there are several other
manufacturers of these devices. They cost around $150 or so but allow you
to share up to 4 systems on your cable-modem connection and as far as I
know are impervious to hackers/script kiddies. Well worth the peace of
mind!

-Alex

P.S. Unless you have a lot of time on your hands, I think you will find
that hardening a system is an on-going chore that you probably don't have
the time for. Just reading the logs would be time consuming.


Wirth's Law: Software gets slower faster than Hardware gets faster!

On the side of the software box, in the 'System Requirements' section, it
said 'Requires Windows 95 or better'. So I installed Linux.   - Anonymous



