Date: Wed, 3 Feb 1999 13:23:21 +0100
From: Eivind Eklund
To: Robert Watson
Cc: Michael Richards <026809r@dragon.acadiau.ca>, "Jordan K. Hubbard", security@FreeBSD.ORG
Subject: Re: tcpdump
Message-ID: <19990203132321.K8749@bitbox.follo.net>

On Wed, Feb 03, 1999 at 12:48:34AM -0500, Robert Watson wrote:
> On Wed, 3 Feb 1999, Michael Richards wrote:
>
> > On Tue, 2 Feb 1999, Jordan K. Hubbard wrote:
> >
> > > OK, time to raise this topic again. What do people think about
> > > enabling bpfilter by default in GENERIC?
> >
> > I would think that the majority of us do not use the bpfilter by default.
> > My personal opinion (whether correct or not) is that it is more secure
> > this way. Many kiddiez have scripts to automate tcpdumping for passwords
> > and other such nasties and having to compile a bpf module and load it is
> > beyond many people. (I admit I'd have to go find some instructions)
>
> Security by obscurity in that form works only until the first
> script-author writes script-kiddie-script-#20 which automates the process.
> And it's not such a complicated task that some bored hacker won't write it
> into tomorrow's rootkit.

This is not correct. Having BPF support in the kernel also adds code
to the drivers to support it. It is not possible to compile up as a
module without also replacing the drivers.

Don't take this as me being against 'pseudo-device bpfilter' in
GENERIC; I'm agnostic on that issue.

Eivind.