On Wed, 25 Apr 2001, Greg Kettmann wrote:
> Not that I didn't stir up a hornet's nest the first time, but...

  Awww, come-on, it's fun!  ;-)

> This whole thing has left me with a very bad taste in my mouth.

  Break-ins usually do.  I've dealt with a fair number of security compromises,
and they are fairly disgusting.

> Yes, some say it's my fault and I deserve what I got.  Others are more
> supportive.

  It is not that I (or anyone else here, I suspect) am not trying to be
supportive, or that you "deserved to be hacked".  It is a matter of
responsibility.  You took a known risk, and got exactly what you knew could
happen.  Blaming your ISP just isn't right.  It is not a nice situation,
unfortunately.

> Suppose I was not running firewall but instead was running just a Linux
> Workstation ...  Seems to me he's vulnerable to attack, just as I was.

  Correct.

> Now let's assume that the next guy, like most of the others out there,
> runs some version of Windows.  Clearly he's not subject to attack, or not
> as severely, otherwise I would expect we'd be hearing about a lot more of
> these attacks.

  As others have pointed out, "out of the box", Windows does next to nothing.  
You cannot hack what isn't there.

  Additionally, Media One (and other ISPs) take steps to protect the hordes of
unknowing Windoze users they provide services to.  They often configure their
routers and firewalls to drop all traffic on ports 137-139, effectively
disabling SMB sharing.  Otherwise, all those Windows users would be sharing
their files with the Internet at large.

  (Other ISPs don't.  Many high-speed Internet providers use a shared
broadcast network topology at the CO.  I've seen entire Windows, Novell, and
AppleTalk networks on Vitts DSL circuits, for example.)

> True, they'd have to worry about the "I Love You" virus, etc., but that's
> just an attack on his machine, not worrying about his machine running
> rampant and trying to crack the net.

  On the other hand, look at all those corporate email systems that crashed
under the load of the gazillion messages such viruses generate...

> Windows users aren't reading the security briefs and "patching" their
> systems ...

  Some do, some don't.  Those that don't usually end up getting nailed with a
virus or browser exploit of some kind, and reformatting their drive to fix it.  
This is considered a normal part of Windows system operation.  We have had
several customers lose data to this sort of thing.

> The rather strong suggestion is that if you're not going to invest some
> time into our Linux box you can expect problems ...

  The problem is unknowing users combined with distributions which install
every service known to man running by default.  If you did not run any
services at all, you would have been secure.  The problem is, Unix, being a
true network operating system (as opposed to Windoze, which is an OS with
networking bolted onto the side), tends to need to run at least some network
services (X11 if nothing else) to get anything done.

> ... that you're effectively liable for what some cracker does if he breaks
> in.

  This is true regardless of system type.  Windows users are not immune.

> I'm just not seeing this problem in the Windows space ...

  Try running Windows NT Server or Windows 2000 Server sometime.  Be prepared
to install service packs, hotfixes, and other updates.  Become best friends
with <windowsupdate.microsoft.com>.  Find and fix all the wonderful security
holes in IIS and SQL Server.  Believe me, Windoze suffers from the same
problems.

  Example: Microsoft just last month shipped their brand new "Internet
Security and Acceleration (ISA) Server".  Basically, a firewall/caching proxy
server package.  It was supposedly designed "from the ground up with security
in mind", and "carefully reviewed" by independent labs.

  As shipped, the package acknowledges a shutdown command on an unsecured
public IP port which anyone can access.  In other words, MS ISA includes a
world-writable power switch.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or  |
| organization.  All information is provided without warranty of any kind.  |


