Date:      Wed, 7 Nov 2001 14:52:44 +0100
From:      "Anthony Atkielski" <anthony@atkielski.com>
To:        "Ted Mittelstaedt" <tedm@toybox.placo.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject:   Re: Lockdown of FreeBSD machine directly on Net
Message-ID:  <00c501c16793$7af27cd0$0a00000a@atkielski.com>
References:  <004d01c166c2$8063d780$1401a8c0@tedm.placo.com>

Ted writes:

> There's a number of problems here.  For starters Telnet
> is both an application program and a protocol.  You're not
> making it clear what you're talking about.

I was using it as a metaphor for password authentication in general, which is
frequently criticized, but actually very secure, if properly implemented.

> The protocol itself may be perfectly secure but what
> matters when you're talking about server security is not
> the protocol, it's how it's implemented.  If that
> is done wrong then the server is screwed.

Yes, but if it is done right, then even the most persistent attacker is out of
luck.

> But they also are not subject to the cost-benefit
> reasoning, because it's real easy to show that it
> takes less effort to get a job and earn money the way
> you're supposed to than by eking out a living stealing
> cell phones.

Not for them.  They probably have a much weaker résumé than you do.  In fact,
they probably can't read or write, which is quite an obstacle to finding any
kind of decent job.  So stealing cellphones yields the best cost-benefit ratio.

> Sorry but this isn't true.  A professional earns
> money.  Stealing is not earning money.  Stealing is
> not "making a living".

Well, the police talk about "professional criminals."  Does that mean that they
are actually CPAs when not committing crimes, or what?

> cracking is necessary because his minions have been
> documented to regularly use encrypted communication,
> a lot of it on the Internet.

All the reports I've seen have indicated that they hardly use encryption at all,
and in fact they've moved away from the Internet in general.  There was no need
to encrypt, since law-enforcement agencies couldn't even get their act together
and track them down even when they communicated in the clear.  Heck, just
putting a message in Arabic concealed it better than any encryption could, since
nobody in the U.S. (almost) could read Arabic.

> :-)  True because you can't call that piss-poor excuse
> for airport security we have a "security system" :-)

Nothing they carried on board would have failed even a very careful security
check, as I recall.  It was all legal.  Only their intentions were evil, but you
cannot screen for intentions at a security checkpoint.

> Unless of course, his compromise kills you.

Unless you're on a FreeBSD-powered respirator, there isn't much risk of that.

Systems that _do_ serve that type of purpose generally _are_ completely secured.
No matter what you saw in _War Games_, you can't just dial into NORAD from the
outside.

> Fuck everyone else and all their hundreds of hours
> and thousands of dollars of blown productivity and
> network time cleaning up after the spew.

The guilty party is the group of spammers, not the system they attacked.

> I think your attitude towards security is a great
> one.  We should all see more of it on the Internet.

Thanks.



