On Wed, Dec 29, 2010 at 04:20:58AM -0500, Omega -1911 wrote:

> > Well, let's see. My system sits behind a firewall. No external services
> > are advertised to the internet. All internal addresses are non-routable.
> > I do not use or have any wifi. The system sits in my home office. I use
> > a Debian Linux system and practice very safe computing. I often
> > investigate little-known sites before surfing to them, and never accept
> > temptations to click on ads. In fact, I have my /etc/hosts file set up
> > to block the vast majority of ad servers (I see a fraction of the ads
> > most people see). I never download content of questionable origin, nor
> > accept it from others without investigating it first. I have a root kit
> > detector installed, which I periodically use. I'm the only person who
> > uses this computer. No one who enters this space is more knowledgeable
> > than I am about computers (= not capable of hacking a computer).
> Hi Paul - I am interested in knowing how you prevent intrusion with
> your firewall when it is a known fact that post 9/11 companies that
> develop such leave ports open for "Big Brother" as required. Remember
> "Green Lantern", "Carnivore" and the like are roaming around and used
> by various agencies. Even though a firewall reports that the ports are
> blocked, they aren't.

Carnivore was an email sniffing program. I can't find a reference to
"Green Lantern" as it relates to computer hacking. As for the "well
known fact" that companies leave ports open for the government, it must
be well known to people other than me. Such claims are sometimes true,
sometimes specious. I'd have to see real evidence first. (Don't get me
wrong-- I wouldn't be surprised.) And ports which show blocked but
aren't? How does that work? Do routers use some sort of "port knocking"

Beyond all this, the context you're citing is the government snooping on
me. The government could seize my computer and have the NSA break my
best encryption in probably minutes flat. And they'd have... what? My
password to Amazon.com? My password to the Javascript mailing list?
Seriously? If the government wants my stuff, they can sit an NSA van
outside my house and read the E-M vibrations off my windows or somesuch.
I'm really not concerned for two reasons: 1) If they want my stuff, they
can get it any time wihout my permission; 2) There's not a blessed thing
I can do about it; 3) There isn't anything they'd be very interested in,
trust me. I rather doubt they're going to snag my credit card numbers
and charge a bunch of stuff at Walmart.

Also, I have it from people who know much more about network security
than I do that penetrating a LAN like mine (which is pretty standard) is
nearly or completely impossible *unless* a user on the inside does
something stupid.

> Limiting surfing to only trusted sites does limit vulnerability, but
> for the last couple of years, Google, Yahoo, Fbook, Youtube are
> compromised by hackers installing "Antivirus 2009", "Antivirus 2010",
> etc. viruses.

Antivirus 2009 and 2010 are generally not harmful when it comes to
snagging user information. That's not what they're meant to do. They are
scareware designed to get you to buy software from the company to clean
fake virus infections. If Yahoo and the like have their servers
compromised because of this software, then they're running Windows on
internet servers, which is a bone-headed move anyway. Moreover, if the
admins for these servers see warnings because of this, then they should
do research before simply believing what some software tells them about
their servers. (Although, considering the tech knowledge of a lot of
Windows server admins, anything is possible.)

And, as I mentioned, I run Linux. If I saw some silly virus warning
about my computer, I'd laugh. It's not unheard of, but generally you'd
have to do something stupid to get infected with a virus under Linux.
After laughing, I'd run a rootkit check. And yawn.

> With a long list of sites improperly setting cookies, passwords and
> usernames are easily compromised when a person visits other sites.
> Most importantly,   how do you verify that the Internet Service
> provider has not been compromised? Using SSL to pass passwords is
> still not 100 percent safe as people may think because the real
> problem lies in what and where the web site stores your information on
> the server.

How do I know my ISP isn't compromised? Well, how the hell would
*anyone* know that? You wouldn't. It's completely within the realm of
possibility that my ISP would open, decrypt and read every packet I send
through them. Like the government, I doubt my ISP is going to snag my
credit card numbers and start charging things at Walmart. Can you
imagine the PR debacle if a respected major national ISP/telephone
company was caught grabbing sensitive user information and using it for
nefarious purposes? And can you imagine what their rates with Mastercard
and Visa would go to if such breaches were found in their
infrastructure? I deal with credit card companies all the time. They
have quite strict rules in place to ensure the data my customers give me
is not compromised. And if I violate those rules, well, Mastercard and
Visa don't actually *need* my business.

Of course, any major corporation can have its data sucked and have to
inform its customers that they've been compromised. It's happened
before. And if that happens, you do what you can by changing your
passwords with that company and looking for errant charges on your
credit card statements.

We typically *trust* large ISPs and the government not to do anything
untoward with whatever information they get from us. When I give my pet
sitter the key to my house and go on vacation, I trust him not to rob me
blind while I'm away. Perhaps that trust is at times misplaced, but we
have no choice if we wish to be on the internet. Connectedness means you
have to trust *somebody*. Meanwhile, you remain just paranoid enough to
be careful and double-check things.

I don't mean to be boastful about my "safeness" from hacking. I'm by no
means an expert on security, and most people on this list probably know
more than I do about it. But I've been in this game since the CP/M days,
and I've loosely followed the trade press in that time. I know what the
typical computer user is like, and they're generally a security breach
waiting to happen. My computing habits are pristine by comparison.
Moreover, I'm much more highly *aware* of security as an issue than most
people who operate computers, which puts me 100% ahead of most computer
users. I'm sure I'm not *impervious* to hacking or breaches. But the
chances are very slim in my case. Yes, it could happen. And if it does,
I'll just have to pick up the pieces and figure out where I went wrong.

But until then, I feel pretty safe.


Paul M. Foster

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to