Re: Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
On Thu, 29 Jan 2004 07:41:20 -0500 (EST), you wrote:

>...
>When NTFS came out an ordinary user could not write the system directory
>tree Hence most users are running as Administrator or equivalent so that
>they can write into the system tree. This was a bad design decision by
>MS _and_ application developers. This _is_ fixable by MS by simply not
>allowing apps to write into the system tree. This of course is a "small
>matter of programming" but it would really improve the overall security
>posture of Windows.
>
>Now there are well written applications which do install their DLL's into
>their own tree these apps can usually be recognized by _not_ requiring a
>reboot after installation.
>...

Actually, it's more of an issue in the registry than the file system; older apps tend to want to write the global HKLM, rather than the user-specific HKCU.

But, regardless, Win2K and WinXP do have restricted-user modes that tie this stuff down quite well. They tend to be used in corporate environments. But for home users, it gets to be a pain in the butt, because it prevents a lot of things users want to do, like installing games, multimedia apps and spyware.

You can't really have it both ways; if you can install apps, you can install viruses and trojans. I don't see this being much different regardless of the OS you run. And until you have earned some battle scars, you're not afraid of the pretty toys.

It would be nice, though, if there were a legitimate 'su' analog in Windows -- sorry, "runas" doesn't cut it. Makes it hard to normally run restricted, and explicitly enable temporary privs sometimes...

/kenw

Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
[EMAIL PROTECTED]
www.kmsi.net

Determining ownership of Internet routing problems
I am a little hesitant to post this here, as it comes from the perspective of a user (albeit not a lay user). However, I believe the issue is very much one for service providers. Although it has been previously discussed on comp.protocols.tcp-ip, I have yet to determine whether there is a clear answer, let alone what it is. If I am posting inappropriately, feel free to tell me so.

--

I had an... "interesting" problem a little while ago. I couldn't reach my mail server, and I couldn't tell who was responsible. The problem appeared to be a routing loop somewhere between my connectivity ISP and my hosting ISP. I talked to the connectivity ISP, and they said the router was outside of their network and run by someone they had no contract with. The hosting ISP said essentially the same thing.

Now, I realize that dynamic routing means that there's no real way to predict the path a given packet will take. But I had somehow thought that the contractual arrangements between ISPs and their backbone providers would mean that there must be service agreements between everyone on the path between two points, and that if a link failed, there was a path of contractual responsibility. E.g.

              [backbone provider]
               /               \
     [intermediate A]     [intermediate B]
          /                       \
      [ISP A]                   [ISP B]

where (say) ISP A is the connectivity provider, and ISP B is the hosting provider. So if I can't reach ISP B, either ISP A or B should be able to talk to his upstream provider and get it fixed.

Now I'm wondering if that is even a valid assumption. Maybe the truth is more like this:

      [backbone provider A]        [backbone provider B]
         /            \               /            \
 [intermediate A]    [intermediate C]    [intermediate B]
       /                                        \
   [ISP A]                                    [ISP B]

and if the problem is with intermediate C, I'm probably SOL. Clearly, I would want my ISP to insist that his upstream providers not allow such unreliable topologies to be used.

So, my questions are, am I asking too much? Am I misunderstanding the real world of the Internet? And am I posting in the wrong forum?

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
[EMAIL PROTECTED]
www.kmsi.net

Re: Santa Fe city government computers knocked out by worm
On Mon, 17 Nov 2003 06:26:50 -0500 (EST), you wrote:

>
>> >No explanation why Santa Fe officials had not patched the city's
>> >computers in the three months since Microsoft announced the vulnerability
>> >and released the software updates. Nor why Santa Fe didn't have up to
>> >date anti-virus programs running on its computers.
>>
>> Nor why they were using such rubbish software for a mission-
>> critical system.
>>
>Because for people outside our little industry the software is a tool to get
>a JOB done, not the job itself.
>
>Alex

A perceptive comment, but not actionable.

This incident is what happens when non-tool oriented people must use tools. Our responsibility is to teach; theirs is to learn.

Some people spend too much time sharpening their tools. Others too little. Neither is innocent when the job fails to get done.

/kenw

Re: ISPs' willingness to take action
On Mon, 27 Oct 2003 10:25:36 -0500 (EST), you wrote:

>...
>As a non-ISP consultant, when a client asks you to configure their
>Exchange server do you always conduct a top-to-bottom security analysis of
>the client's entire business infrastructure and refuse to do business with
>them until after they have corrected every deficiency? Or does the client
>just say screw you, and hires a different consultant that will do what
>the client wants?
>...

I said "low hanging fruit". I didn't say "top-to-bottom security analysis".

>...
>> 3) There was a thread a little while ago that talked about a way to cut
>> down spam by simply restricting who you would accept SMTP traffic from.
>> Unfortunately, I don't recall the details, but at the time it struck me as
>> eminently sensible, and just required cooperation between ISPs to implement
>> effectively.

Does NOBODY remember that thread?

>Again, look the postal mail system. One proposal required everyone mail
>letters in person at the post office, and show id to the postal clerk.

Straw dogs... come on! It's like saying we can't take drastic, inappropriate measures, so we can't take any at all.

>...
>ISPs are doing a lot to protect end-users. Some examples include
>
>Education campaigns
>Free anti-virus software
>Free personal firewall software
>Port filters (port 80 anyone?)
>Notification of compromised systems
>Incident Response
>Intrusion Detection/Intrusion Prevention
>Managed Security Services

And if all ISPs were doing all these things (as you try to imply) we'd all be a lot better off, wouldn't we?

>Unfortunately some of the argument is a bit like the old cries for public
>payphone companies were responsible for the drug dealers in poor
>neighborhoods. So they removed public payphones. The drug dealing
>problem wasn't solved.

"A strong conviction that something must be done is the parent of many bad measures." -- Daniel Webster

So, am I advocating bad measures?

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
[EMAIL PROTECTED]
www.kmsi.net

Re: ISPs' willingness to take action
On Mon, 27 Oct 2003 08:28:22 -0500, "John Ferriby" <[EMAIL PROTECTED]> wrote:

>VPN technologies are either too weak, like PPTP, too
>expensive or difficult to grasp like IPsec, or too new
>like the HTTPS tunnels.

Dunno about HTTPS; I prefer to avoid opening _any_ inbound ports through my firewalls, since my clients are typically too small to afford good stateful inspection, and I dislike server-based firewalls.

VPNs, however, are not the problem they used to be. I use Netopia R910s and 3381-ENTs, which are cheap and provide both PPTP and IPsec endpoints, with or without encryption. They're reasonably easy to configure (good documentation and good support), and work just fine with Microsoft's built-in Windows VPN clients.

Yes, I know PPTP isn't as strong as IPsec. But it's certainly more than strong enough to keep out the riff-raff, and that's all we need here.

This allows me to provide secure, low-cost remote network access to and between clients' LANs without any DMZs or pinholed routers. And I tell any client who really wants to provide services to the Internet at large, that they're far better off to contract the service with an ISP, who will almost certainly do the job both better and cheaper.

Hey, I make good money doing this; so can you! I don't see any good justification for people to treat the Internet like their own back yard. But is bandwidth really so cheap that ISPs don't have any stake in conserving it?

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
[EMAIL PROTECTED]
www.kmsi.net

Re: ISPs' willingness to take action
On Mon, 27 Oct 2003 04:54:30 -0500, "Bob German" <[EMAIL PROTECTED]> wrote:

>We implemented an IDS system.

Would you mind sharing some details on this, Bob? I've been thinking about implementing IDS, but don't know the field well.

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
[EMAIL PROTECTED]
www.kmsi.net

ISPs' willingness to take action
I'm a little puzzled, and I hope people won't object to my asking about this.

As I see it, we're experiencing an ever-increasing flood of garbage network traffic. While not all of it is easy or appropriate to target, it seems to me there's some "low hanging fruit" that could generate serious gains with relatively little investment.

A few things that make sense to me (as a non-ISP network consultant) include:

1) Summarily fencing/sandboxing/disconnecting clients sending high volumes of spam, virii, etc. You might politely contact your commercial/static clients first, but anyone connecting a "bare" PC on a broadband circuit is too stupid to deserve coddling. The great majority of your clients would thank you profusely.

So far as I can see, detection of serious abusers should be pretty straightforward. It wouldn't require any pretense at spam or virus filtering, per se; just pick off the clients that are flagrant sources of the plague of the month.

2) Notwithstanding the above, would it really be so hard to trap network packets bearing clear signatures of the "plague of the month"? Sure, it would create an extra load on routers or require special filtering hardware, but wouldn't it be worth it? Again, no need to be comprehensive; just blast the ones that are easy pickings.

3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively.

One problem for the average ISP would be the monitoring and updating of plague control infrastructure. It would probably be a lot easier with a bit of cooperation and sharing -- either that, or someone could get rich offering services to ISPs for a fee.

By the way, can anybody explain to me a legitimate use for port 135/137 traffic across the Internet, like it's somebody's private LAN? Seems to me anybody who still thinks that's legitimate is living in the past.

So, the big question: why don't ISPs do more of this? Are they afraid of client reaction? Doesn't wash, for me: most clients would be highly grateful, and all it really takes for the remainder is fair warning. Cost? Again, you can judge for yourselves how low the fruit you choose to pick; the biggest gains have the best ROI.

Happy clients, liberated bandwidth, faster servers -- what's to lose?

/kenw

Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
[EMAIL PROTECTED]
www.kmsi.net
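
Added example, not part of the original post: one way an access provider could pick off the "flagrant sources" described in item 1, by counting how many distinct outside hosts each subscriber contacts on ports 25, 135 and 137 in one time window. The flow tuple format, the thresholds, the static/dynamic customer classes and the notify/fence actions are assumptions for illustration, and the sample traffic is constructed.

```python
from collections import defaultdict

WATCHED = {25: "smtp", 135: "msrpc", 137: "netbios-ns"}
# Assumed thresholds: distinct outside destinations per source in one window.
THRESHOLDS = {"smtp": 20, "msrpc": 10, "netbios-ns": 10}

def flag_sources(flows, customer_class):
    """flows: iterable of (src, dst, dport) seen leaving the access network.
    customer_class: src -> "static" or "dynamic" (unknown counts as dynamic).
    Returns {src: (action, [reasons])} for sources over a threshold."""
    fanout = defaultdict(set)  # (src, service) -> distinct destinations
    for src, dst, dport in flows:
        service = WATCHED.get(dport)
        if service:
            fanout[(src, service)].add(dst)
    reasons = defaultdict(list)
    for (src, service), dsts in sorted(fanout.items()):
        if len(dsts) > THRESHOLDS[service]:
            reasons[src].append(f"{service}: {len(dsts)} distinct destinations")
    result = {}
    for src, why in reasons.items():
        # Static/commercial customers are contacted first; others are fenced.
        action = "notify" if customer_class.get(src) == "static" else "fence"
        result[src] = (action, why)
    return result

def sample_flows():
    """Constructed traffic using documentation address ranges (RFC 5737)."""
    flows = []
    # Home PC sending all mail through one relay: high volume, fan-out of 1.
    flows += [("192.0.2.10", "198.51.100.25", 25)] * 40
    # Dynamic subscriber delivering directly to 60 different mail hosts.
    flows += [("192.0.2.20", f"198.51.100.{i}", 25) for i in range(1, 61)]
    # Dynamic subscriber touching port 135 on 30 outside hosts.
    flows += [("192.0.2.30", f"203.0.113.{i}", 135) for i in range(1, 31)]
    # Static business customer with a wide SMTP fan-out.
    flows += [("192.0.2.40", f"198.51.100.{i}", 25) for i in range(100, 150)]
    # Ordinary web traffic is not a watched port and is ignored.
    flows += [("192.0.2.10", "203.0.113.80", 80)] * 100
    return flows

if __name__ == "__main__":
    classes = {"192.0.2.40": "static"}
    for src, (action, why) in flag_sources(sample_flows(), classes).items():
        print(src, action, "; ".join(why))
```

Counting distinct destinations rather than raw packets keeps a busy customer who relays through a single mail server out of the result.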