On Wed, 9 Feb 2005, Jörn Nettingsmeier wrote:

> > The chance of any random joker stumbling upon a dynamically allocated IP
> > and h4x0ring into a password-protected share on a SPARC64 machine running
> > OpenBSD with a recent version of Samba is ....
> >
> > ....slim.
>
> maybe, but this is such an abysmal solution that you should just forget
> about it. how can somebody both geeky and security-conscious enough to
> run openbsd on a 64bit sparc even consider letting smb traffic out on
> the internet ????

Because I don't keep anything private on the share I'd be allowing out? Because I won't be flinging around private files even if I did have the private files there (and the filenames themselves contain nothing incriminating, even among my personal stuff)? Because the chance of someone sitting there with a packet sniffer between Joe Windows-using Client and my home box, watching for my personal shite is VERY slim? Because, as noted earlier, the chance of someone 0wning my SPARC64/OpenBSD box, with its recent version of Samba, REGARDLESS of how many SMB ports I open, is quite slim? Because the convenience I would gain (i.e. being able to access work-related files, MP3s, etc. without circumventing or bending ANY corporate "thou shalt not install anything" policies) would outweigh any minuscule risks?

>
> >>Spend a little time and set up a vpn endpoint on your box and just
> >>forward the necessary ports over, i think openvpn is 5000. You'll be
> >>much happier, sane, and protected as such.
> >
> >
> > And I will make use of this on client machines with strict "Thou Shalt Not
> > Install any Unauthorized Software" policies... how?
>
> wait. you have such a restrictive security policy (which you are
> obviously willing to respect), and at the same time you want to bypass
> the most basic security precautions by tunnelling the living shit out of
> the firewall and having unprotected smb over the internet?
> sorry, but this does not make sense at all.

You're confusing the sides of the firewall. The restrictive security policies are on the side of the clients I work for. THEIR firewalls are often quite restrictive. The other side of the equation is my box at home, which has no such policy.

>
> > I've already set up zero-install Web-based telnet, zero-install Web-based
> > MP3 players... I even concocted a zero-install CygWin workalike and
> > keep it on my keychain USB drive...
>
> just keep putty and winscp on your keychain as well.

Why do that, and leave suspicious entries in the run history, when you can do it right in the browser?

>
> > now I need a zero-install way to
> > access my files via Windows machines. And that means SMB. NOT OpenVPN,
> > OpenSSH, OpenVMS or any other "Open".
>
> talk to the guy who enforces the security policy at your site. this
> should be worked out in a sane fashion, and your network admin will
> benefit as well by not having to cope with rogue tunnels and other weird stuff.

I temp. I'm often at a client for one or two days. Not enough time to gain a rapport with the network person (who is often an idiot MCSE-type), much less to actually get him/her to work around the policy.

>
> i mean, you are a sysadmin too. if you say "no" to something on your
> networks, you want that to mean "no", don't you?
>

I don't generally say "no", except where it's something possibly incriminating.

> i have a policy here that people can use tunnels if they must, but i
> require *notification* and want to give the users a quick run-down on
> what not to do (anybody seen those funny ssh tunnels on port 25 with the
> open-to-the-world switch on ? great fun indeed. "oh, i thought it's ok
> since everything is encrypted, right?")

-- J. L. Blank, Systems Administrator, twu.net