"Brian Sydney Jathanna" <[EMAIL PROTECTED]> writes:

> Wellllllll........
> I don't know what makes you flame so hard with a simple suggestion of
> mine.

I am not, by the traditional meaning of the term, "flaming" you here, though I will grant you that I am not working hard to be especially nice about it. Because this /is/ important, let me explain why:

> I've tested PortKnock, I like it and I feel comfortable with it.

Great. The problem is that while you like it, and feel comfortable with it, you don't really /understand/ it, especially not in the bigger picture of security, do you?

Port Knocking is complicated, but it isn't any more secure than a wide range of alternatives, including the CGI option I mentioned -- in my opinion.

One of the consistent lessons in security is that complexity is an invitation to failure -- you are more secure with the simplest solution that works, and adding complexity often *reduces* the protection you get.

On the other hand, the reason that I asked you to define how it was more secure, or to detail how it protected from threats, was to give you a chance to prove my assumptions wrong. Perhaps you /had/ thought about and understood the wider security picture, or perhaps you could cite something other than personal feeling as a basis for believing that Port Knocking was a secure option.

What you are advocating is that someone else *feel* secure without *being* secure. This is like advising them to put a magic crystal on their dashboard and forget about seatbelts -- it works just fine, until it actually matters, at which point it turns out to have added no value at all.

> Since Phill had asked an open question for alternative approaches to
> secure his network, I made a simple suggestion.

Yup.

> I don't know why you take it so personally to prove your point better
> than mine and start an all out war with it, or is it the technical
> supremacy ego that kicks in at times...

This isn't about winning -- I have nothing to gain from beating you, personally, or being more "right" here.

If this was just a "matter of opinion" question, like the best distribution, or which text editor to use, and we disagreed like this I would shrug and accept that -- each person is different and all that.

> Mate, we all don't know everything, but we're here to learn and share
> with others... I'm sure you have more knowledge and experience than
> me and I respect you for that. And I'm sure your CGI script or some
> other approach would do the trick just fine, but what I learnt along
> the way I thought of sharing in this space.... am I wrong for it, you
> be the judge.

I hope that the explanation above helps explain why I am reluctant to let this go -- why I have been asking you to explain why you are correct, even if I don't believe you.

Finally, a large part of the problem is not my views -- I know that I have done enough in the security area to keep my systems secure, and to tell the difference between snake oil and security, most of the time. What I worry about are the people out there who don't have that experience, but see you advocating something that will leave them at risk -- and follow through, then end up burned by it.

To me, this is like airport security: I am all in favour of securing air travel. I am not in favour of doing things that make people *feel* secure without actually doing a damn thing.

Regards,
    Daniel

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html