Perhaps coincidence, perhaps not... A little while after the last email I sent about CVS security, somebody tried to crack me (and may very well have succeeded), repeatedly trying to connect to the SSH port on my home machine that once was used to port forward X between my home machine and school. The crack was so flagrant that I suspect it was just a "Kilroy was here" -- I would not be at all surprised if the cracker did not succeed in some less flagrant way.

If this was somebody from the CVS mailing list, trying to show that my setup is insecure, that AFS can be just as easily cracked as CVS pserver, I don't think what you were doing proves anything:

(0) I *know* my home system is insecure. It's vanilla NT 4 server. I probably haven't kept up on service packs. I am pretty sure that I have not disabled all of the ^$##%@@$!@!!! server daemons that Microsoft leaves running by default, 99% of which do not need to be running on my system. Frankly, I haven't wanted to learn enough about (gag) NT to do so. I don't have a software firewall running at the moment, and I took down my LINUX system firewall a little while back.

(1) The basic problem is that leaving anything listening to a port is bad, unless you know exactly what the server that is listening does, unless you trust the server to authenticate incoming requests and/or not do anything damaging, and unless you trust the server not to have bugs. I can't say that any of these statements are true about NT. I could potentially go and read LINUX source code, but probably never to the point of confidence.

(2) Since confidence is the key point, I think that this sort of attack highlights the attraction of network filesystem based security: it's a single set of ports, a single protocol, a single set of code that you need to feel confident about - either by reading it yourself, or by trusting the people who have.

If the network filesystem were the only network service you had to worry about, it would be much, much easier to keep a secure system. If it was not one of the info-cvs readers cracking me, well, it only emphasizes my point.
