59% of dweebs suffer from 'False Authority Syndrome (Re: If you have nothing to hide)
(warning, not for the humor impaired) In the interest of spewing even more non-op traffic on this list, see 59% of dweebs suffer from 'False Authority Syndrome at http://vmyths.com/rant.cfm?id=501page=4 and make sure you listen to the mp3 version, it's so much better than the written words. (it's hilarious actually) It's particularly apt for these so-called-experts spreading all the FUD trying to turn a national tragedy into either shameless self promotion (Hello everyone who attended Defcon), or who want to use that as an agenda to take over the internet.. (yeah, right turn an M$ computer security expert into a White House security expert, hahahah) Len
Re: If you have nothing to hide
Tickle me contradicted, my apologies for doubting whomever it was (it is late, and I'm too tired and lazy to check) dragon - No apologies needed.. Gerardo Gregory - Original Message - From: [EMAIL PROTECTED] To: Steven M. Bellovin [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, August 08, 2002 10:51 PM Subject: Re: If you have nothing to hide See section 3.2.1.8c of RFC 1122: snip processing). This recorded route will be reversed and used to form a return source route for reply datagrams (see discussion of IP Options in Section 4). When a snip --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book) Tickle me contradicted, my apologies for doubting whomever it was (it is late, and I'm too tired and lazy to check)
[lamour@mail.argfrp.us.uu.net: Fwd: Re: If you have nothing to hide]
In message [EMAIL PROTECTED], [EMAIL PROTECTED] et writes: I was not aware that responses to source-routed packets were themselves source-routed. I also don't believe it is the case, but am open to being contradicted. If the responses aren't source-routed, then the packets would only return through your network if your network was the path back to the spoofed source. A friend of mine directed me to this thread. Source routed packets can indeed be used to spoof IP connections, and I've written a tool to do it. It's available at http://www.synacklabs.net/projects/lsrtunnel If you simply want to check host behaviour to see if you can spoof connections, I've written a scanner at http://www.synacklabs.net/projects/lsrscan Short story is Solaris 8 will reverse source routes by default, and Windows boxes will reverse source routes by default. The BSDs and Linuces I've tested mostly block source routed packets by default. Todd
Re: If you have nothing to hide
See section 3.2.1.8c of RFC 1122: snip processing). This recorded route will be reversed and used to form a return source route for reply datagrams (see discussion of IP Options in Section 4). When a snip --Steve Bellovin, http://www.research.att.com/~smb (me) http://www.wilyhacker.com (Firewalls book) Tickle me contradicted, my apologies for doubting whomever it was (it is late, and I'm too tired and lazy to check)
Re: If you have nothing to hide
[EMAIL PROTECTED] (Sean Donelan) writes: ISPs to step up Internet service providers also have to be more security conscious, Clarke said. By selling broadband connectivity to home users without making security a priority, telecommunications companies, cable providers and ISPs have not only opened the nation's homes to attack, but also created a host of computers with fast connections that have hardly any security. Public network operators are very security conscious, about the public network operators network. Should public network operators do things, common in private corporate networks, such as block access to Hotmail, Instant Messenger, Peer-to-peer file sharing, and other potentially risky activities? Should it be official government policy for public network operators to prohibit customers from running their own servers by blocking access with firewalls? Don't dismiss this concern. We know why multipath (core) RPF is hard and why most BGP speakers don't do it yet. But unipath (edge) RPF has been easy for five years and possible for ten, and yet it is in use almost nowhere. The blame for that lays squarely, 100%, no excuses, with the edge ISP's. Whether Microsoft or the rest of the people CERT has named over the years with various buffer overflows are also to blame for making hosts vulnerable is debatable. But whether edge ISP's are grossly negligent for not doing edge RPF since at least 1996 is not debatable. Cut Mr. Clark *that* slack, even if you must (righteously, I might add) blast him on other issues. -- Paul Vixie
Re: If you have nothing to hide
I encourage network operators (or IX operators, DNS operators, etc) to let the government know what you think. Mr. Clarke's crew is writing the plan, and taking input from many sources. If you think RPF (or some other source address validation) is a solution let them know. If you think S-BGP is a solution, let them know. If you think network operator managed firewalls on every DSL/Cable modem is a solution, let them know. On the other hand, if to think some of those things are not a solution (or a really bad idea), tell them that. I have my opinion, and I've told the government what I think. But I'm certainly not smart enough to get everything right (or even most things right). Its not a matter of cutting Mr. Clark some slack, but getting good information from (many?) network operators. On 4 Aug 2002, Paul Vixie wrote: Don't dismiss this concern. We know why multipath (core) RPF is hard and why most BGP speakers don't do it yet. But unipath (edge) RPF has been easy for five years and possible for ten, and yet it is in use almost nowhere. The blame for that lays squarely, 100%, no excuses, with the edge ISP's. Whether Microsoft or the rest of the people CERT has named over the years with various buffer overflows are also to blame for making hosts vulnerable is debatable. But whether edge ISP's are grossly negligent for not doing edge RPF since at least 1996 is not debatable. Cut Mr. Clark *that* slack, even if you must (righteously, I might add) blast him on other issues.
Re: If you have nothing to hide
At 06:31 AM 8/4/2002 -0400, Sean Donelan wrote: I encourage network operators (or IX operators, DNS operators, etc) to let the government know what you think. Mr. Clarke's crew is writing the plan, and taking input from many sources. If you think RPF (or some other source address validation) is a solution let them know. If you think S-BGP is a solution, let them know. If you think network operator managed firewalls on every DSL/Cable modem is a solution, let them know. On the other hand, if to think some of those things are not a solution (or a really bad idea), tell them that. These are technical operations matters. Seems like there might be some benefit in formulating consensus views within the technical operations community. Any chance that an IETF BCP would be possible and helpful? Diverse input to a government process can be good for learning about choices, but consensus views should be helpful for making them. d -- Dave Crocker mailto:[EMAIL PROTECTED] TribalWise, Inc. http://www.tribalwise.com tel +1.408.246.8253; fax +1.408.850.1850
If you have nothing to hide
Mr. Clarke has been floating several trail ballons this week. http://news.com.com/2100-1001-947409.html Software makers and Internet service providers must share the blame for the nation's vulnerable networks, President Bush's special adviser on cyberspace security said Wednesday. http://www.computerworld.com/mobiletopics/mobile/story/0,10801,73150,00.html Why is it that companies have sold products that they know are insecure? asked Richard Clarke, President Bush's chief cybersecurity adviser. And why is it that people have bought them? We should all shut [wireless LANs] off until the technology gets better. While Mr. Clarke was identifying groups to blame for the current state of affairs, he seems to have left out the group which has historically blocked many security improvements. Gee, it seems like just last year the US Government had a policy of futzing with international standards development to block strong security (GSM), engaging in expensive legal investigations of people who wrote things like Pretty Good Privacy, prohibiting companies from exporting products with strong encryption, and generally making it a PITA for companies who wanted to make products which were more secure (forcing security research offshore or to Canada). Even attempts to include default encryption in IPv6 hit government policy roadblocks. Anyone who tried to make it more difficult to intercept communications was accused of helping child pornographers, criminals, terrorists and hackers. The refrain was if you have nothing to hide, ... It took decades of government policy to reach this point. Does Mr. Clarke's statement signal the end of the government's policy of maintaining the status quo? If we secure wireless communications, that means it will be possible for people to communicate without worrying (excesively) about evesdroppers. But that security improvement also means the government may not be able to listen in on those communications either. Has the FBI and NSA signed off on this apparent new policy of securing our networks? Finally, what role should network operators play in determining what content subscribers can have access, including unsafe content? ISPs to step up Internet service providers also have to be more security conscious, Clarke said. By selling broadband connectivity to home users without making security a priority, telecommunications companies, cable providers and ISPs have not only opened the nation's homes to attack, but also created a host of computers with fast connections that have hardly any security. Public network operators are very security conscious, about the public network operators network. Should public network operators do things, common in private corporate networks, such as block access to Hotmail, Instant Messenger, Peer-to-peer file sharing, and other potentially risky activities? Should it be official government policy for public network operators to prohibit customers from running their own servers by blocking access with firewalls?
