On Wed, Apr 25, 2001 at 01:57:14PM -0400, Brad Maxwell wrote:
> OK, I'm not just "an innocent victim" and I'm responsible for
> putting my high performance sports car on the net but M1/AT&T owns
> the highway and they certainly have capabilities and facilities that
> far outstrip what I have on my Linux Firewall.
First, (I'm not certain but) I think the poster of the above is not
the person who originally posted about having been compromised, and I
wanted to acknowledge that. So the "YOU" below refers to the generic
or hypothetical "YOU" -- any and all of us who have systems connected
directly to the Internet.
I'm sorry if this sounds harsh, but the above comment really is just
plain wrong. The attack was on your machine. Your machine was
compromised. Your machine has the weakness, and ONLY YOU have the
means to protect it from such an attack, particularly given that it is
connected directly to the Internet with no perimeter protection (such
as a firewall) in place. MediaOne or any other provider really CAN'T
reasonably filter out connections on any given port, because
(especially in the Windows world) network software can and often does
use any port, including so-called "well-known" ones. They do not and
can not have any idea what software you might be running, nor whether
or not those connections on port 12354 to your system are legitimate
or from some trojan program. It's up to YOU to determine that. It's
YOUR system, used by YOU. Not them.
To borrow another of Bruce Schneier's often borrowed quotes: "Security
is a chain; it is only as strong as its weakest link." In this case,
YOU are the weakest link. YOU knew that your machine was broken into,
and admitted publicly that you failed to react accordingly. YOU did
not visit your vendor's website and download their latest security
patches. Though these two measures will not foil a talented and
dedicated attacker, often doing just these things is enough to keep
your system from getting trashed. YOU did not even take these
minimalist measures. If you were sued for damage caused by an
attacker using your machine, odds are probably good you'd be found
at least partially liable through negligence.
The #1 weakness in the vast majority of security systems is the people
who use and/or manage them. If my comments are harsh, it is not with
the intent of making you or anyone feel small or stupid, so I
apologize if I've offended anyone. It isn't reasonable to think that
everyone will be network security experts, nor do I think that.
However, my intent is to attempt to drive home very un-subtly this
extremely important point:
The message that folks like Kenny and myself have been trying to get
across for some time now, for your benefit and for everyone's here,
is this: IF YOU HAVE A SYSTEM CONNECTED DIRECTLY TO THE INTERNET, AND YOU
DO NOT TAKE STEPS TO SAFEGUARD IT, YOU *WILL* BE BURNED, AND YOU
*WILL* PAY THE PRICE.
It is only a question of when, not if, and of what your price will be.
In your case, it was your high-speed access. For others, it may only
be a re-install of your system, and for still others, there is the
very real (though perhaps much less likely) threat of law suits or
even imprisonment. THIS IS NOT A JOKE.
Given the number of people who have posted regarding being compromised
just in the past month or so, I should hope this would be self-evident
by now.
My ridiculously long sig is particularly poignant:
--
"I have written this book partly to correct a mistake... A colleague of
mine once told me that the world was full of bad security systems
designed by people who read Applied Cryptography.
"Since writing the book, I have made a living as a cryptography
consultant: designing and analyzing security systems. To my initial
surprise, I found that the weak points had nothing to do with the
mathematics. They were in the hardware, the software, the networks,
and the people. Beautiful pieces of mathematics were made irrelevant
through bad programming, a lousy operating system, or someone's bad
password choice. I learned to look beyond the cryptography, at the
entire system, to find weaknesses. I started repeating a couple of
sentiments you'll find throughout this book: 'Security is a chain;
it's only as secure as the weakest link.' 'Security is a process, not
a product.'"
--Bruce Schneier, from "Secrets & Lies"
---------------------------------------------------
Derek Martin | Unix/Linux geek
[EMAIL PROTECTED] | GnuPG Key ID: 0x81CFE75D
Retrieve my public key at http://pgp.mit.edu
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
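The post's point that only the owner of the box can know which listening ports are legitimate (the provider cannot tell a trojan on port 12354 from a service you meant to run) can be turned into a routine check. The script below is an added example, not part of the original message or anything its author posted: it compares a snapshot of listening TCP sockets against an allowlist the administrator maintains, reports anything else, and emits a default-deny inbound iptables policy for review. The allowlist (22, 80, 443) and the sample `ss -H -ltn` output, including the port 12354 listener, are constructed for illustration; only the `--live` mode reads the real socket table.

```shell
#!/bin/sh
# Added example (not from the original post). Finds listening TCP ports
# that are not on an administrator-maintained allowlist and prints an
# inbound default-deny iptables ruleset admitting only the allowlist.

# Ports you, the administrator, have decided are legitimate (assumption).
ALLOWED_PORTS="22 80 443"

# Constructed sample of `ss -H -ltn` output:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 5 0.0.0.0:12354 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*'

# port_allowed PORT: returns 0 if PORT is in ALLOWED_PORTS, 1 otherwise.
port_allowed() {
    for p in $ALLOWED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# unexpected_listeners: reads ss-style listener lines on stdin and prints
# each local port that is not on the allowlist, one per line.
unexpected_listeners() {
    while read -r _state _rq _sq local _peer; do
        [ -z "$local" ] && continue
        port=${local##*:}          # strip "addr:" (works for [::]:443 too)
        port_allowed "$port" || echo "$port"
    done
}

# unexpected_count: number of unexpected listeners in the constructed sample.
unexpected_count() {
    printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners | wc -l | tr -d ' '
}

# iptables_rules: print (do not apply) an inbound policy that accepts
# loopback, established traffic and the allowlist, then drops the rest.
# The DROP policy is set last so an existing admin session is not cut off
# between commands if the output is later piped to a shell.
iptables_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"
}

if [ "${1:-}" = "--live" ]; then
    ss -H -ltn | unexpected_listeners        # real socket table
else
    printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners   # prints 12354
fi
```

Run it without arguments to see the check against the constructed sample; run it with `--live` on a Linux host with `ss` to audit the real listener table. Pipe `iptables_rules` into a shell only after reading it, and keep a console session open the first time, since a wrong allowlist locks you out rather than the attacker.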