From owner-freebsd-questions Wed Nov 7 5:52:58 2001 Delivered-To: freebsd-questions@freebsd.org Received: from atkielski.com (atkielski.com [161.58.232.69]) by hub.freebsd.org (Postfix) with ESMTP id D182137B41A for ; Wed, 7 Nov 2001 05:52:48 -0800 (PST) Received: from contactdish (ASt-Lambert-101-2-1-14.abo.wanadoo.fr [193.251.59.14]) by atkielski.com (8.11.6) id fA7Dq8b54993; Wed, 7 Nov 2001 14:52:09 +0100 (CET) Message-ID: <00c501c16793$7af27cd0$0a00000a@atkielski.com> From: "Anthony Atkielski" To: "Ted Mittelstaedt" , "FreeBSD Questions" References: <004d01c166c2$8063d780$1401a8c0@tedm.placo.com> Subject: Re: Lockdown of FreeBSD machine directly on Net Date: Wed, 7 Nov 2001 14:52:44 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Ted writes: > There's a number of problems here. For starters Telnet > is both an application program and a protocol. Your not > making it clear what your talking about. I was using it as a metaphor for password authentication in general, which is frequently criticized, but actually very secure, if properly implemented. > The protocol itself may be perfectly secure but what > matters when your talking about server security is not > the protocol, it's how it's implemented. If that > is done wrong then the server is screwed. Yes, but if it is done right, then even the most persistent attacker is out of luck. > But they also are not subject to the cost-benefit > reasoning, because it's real easy to show that it > takes less effort to get a job and earn money the way > your supposed to than by eeking out a living stealing > cell phones. Not for them. They probably have a much weaker résumé than you do. In fact, they probably can't read or write, which is quite an obstacle to finding any kind of decent job. So stealing cellphones yields the best cost-benefit ratio. > Sorry but this isn't true. A professional earns > money. Stealing is not earning money. Stealing is > not "making a living". Well, the police talk about "professional criminals." Does that mean that they are actually CPAs when not committing crimes, or what? > cracking is necessary because his minions have been > documented to regularly use encrypted communication, > a lot of it on the Internet. All the reports I've seen have indicated that they hardly use encryption at all, and in fact they've moved away from the Internet in general. There was no need to encrypt, since law-enforcement agencies couldn't even get their act together and track them down even when they communicated in the clear. Heck, just putting a message in Arabic concealed it better than any encryption could, since nobody in the U.S. (almost) could read Arabic. > :-) True because you can't call that piss-poor excuse > for airport security we have a "security system" :-) Nothing they carried on board would have failed even a very careful security check, as I recall. It was all legal. Only their intentions were evil, but you cannot screen for intentions at a security checkpoint. > Unless of course, his compromise kills you. Unless you're on a FreeBSD-powered respirator, there isn't much risk of that. Systems that _do_ serve that type of purpose generally _are_ completely secured. No matter what you saw in _War Games_, you can't just dial into NORAD from the outside. > Fuck everyone else and all their hundreds of hours > and thousands of dollars of blown productivity and > network time cleaning up after the spew. The guilty party is the group of spammers, not the system they attacked. > I think your attitude towards security is a great > one. We should all see more of it on the Internet. Thanks. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message