

Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

Bottom up security

Fact, it is impossible to totally secure the internet. OS manufacturers, software companies, ISP, etc can only do so much to secure the internet (before any of you Mac, Linux or open source guys figure your vendor/solution is the holy grail of security read US-Cert's summary of security items from March 3 to March 16th for example as it appears you have security problems just like everyone else so there is no need to get into a p*ssing match over open source, vendors etc as it appears we are all in the same boat here), so a top down approach to securing the internet is only going to get so far, and that is a reality that we have to deal with.

So the question is how to make up on this gap in internet security? Well as we have been saying here for years, users have to be responsible for at least some of their own security, bottom up security. This is similar to security for your physical home. It is impossible to put police on every doorstep to ensure the security of your home (top down) so you as a responsible home owner put locks on your doors, and ensure your windows are secure etc (bottom up). Users on the internet just have to accept that some security is their responsibility and start using AntiVirus, firewalls and safe hex (when you go to work, do you leave the doors open at home). Now granted even with some bottom up security the internet will never be totally secure just as your home is never totally secure, but there will come a point, as there has with home security, that a balance occurs between costs and risks and that will happen on the internet as well, but right now I don't think that balance exists now. Worse, I don't think most people understand how out of balance internet security is.

Of course the problem here is I'm preaching to the choir, but somehow we need to be able to communicate to others that internet security is a problem, but there are some easy solutions that provide reasonable security at a reasonable. This has been one of my goals for reporting and showing attacks here as I hope that it helps people to understand that attacks are real and that they are seeing them too if they bothered to take a look at their traffic or logs (communication is key to the solution). Being an intrusion sort of guy (meaning I tend not to report on email attacks, as those are AV and user education problems and are fixable and there are people here who cover those better than I could), every attack I've reported here would have been defeated with the proper use of a firewall. Fact, script kiddies don't know how to get past firewalls, most hackers know they can't get past firewalls, so why not run a firewall?

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel


dg2
Premium
join:2004-01-22
Lowell, AR
·Cox HSI

I agree with your premise, but would like to pitch in the following thought (previously posted in the Cox HSI forum, but seems relevant here.)

When we signed up for DSL at the office, we had an option of receiving a DSL modem or a combined DSL modem/router. Similar devices exist for Cable.

If we're having all these problems with people who aren't behind a firewall (in this case a NAT router), why not require them to take the combination modem/router? The idea is this -- when you sign up, the ISP asks "Do you currently have a router?" If no, then they automatically get the combo unit. If yes, and the ISP can be satisfied with it, they get the modem only.

I know there are details which would have to be worked out, but why wouldn't this help?


dadkins
Living on a Blu Planet
Premium,MVM
join:2003-09-26
Hercules, CA
·Comcast

reply to Link Logger
"(before any of you Mac, Linux or open source guys figure your vendor/solution is the holy grail of security read US-Cert's summary of security items from March 3 to March 16th for example as it appears you have security problems just like everyone else so there is no need to get into a p*ssing match over open source, vendors etc as it appears we are all in the same boat here)"



Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to Link Logger
Sorry my bad, I should have mentioned that I'm including NAT routers in my definition of a firewall (ya I know it's not really a firewall, but it functions like one for inbound traffic at least). They might not be as good, but they still stop script kiddies cold as well as most hackers. Sure, people talk tough, but as I've asked before, does anyone here know how to whack even the cheapest of NAT routers available today? I'd be happy to put up a cheap NAT router on a network here for a demonstration of how to whack it, if anyone would like to demonstrate their kung fu. So based on bang for the buck, NAT routers are not that bad, so please don't think I'm suggesting that you have to have the most expensive firewall on the planet to be reasonably safe.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

B
Premium,MVM
join:2000-10-28

said by Link Logger:
Sure, people talk tough, but as I've asked before, does anyone here know how to whack even the cheapest of NAT routers available today? I'd be happy to put up a cheap NAT router on a network here for a demonstration of how to whack it, if anyone would like to demonstrate their kung fu.

Yes! Thanks for talking straight, Blake, against a sea of leet hacker FUD.

Vive le cheapo NAT router! It does the job.

-- B
--
In a realm outside causality and function


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

reply to dg2
I have wondered this myself as to why I can't have one unit that combines my cable modem and router/firewall; it only makes sense and certainly reduces the amount of cabling and such (network cable from modem to firewall and one power cable as well, likely save a bit on the power bill as well). I know some ISPs are moving in this direction, but the more the better.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel

B
Premium,MVM
join:2000-10-28


Well, yeah, IF they continue to allow the users fine-grained control of that built in NAT service. Otherwise, if they were to start locking that NAT in place, it's a slippery slope towards a "Port 25 and Port 80/443 Outbound Only" world.

-- B
--
In a realm outside causality and function


antiserious
The Future ain't what it used to be
Premium
join:2001-12-12
Scranton, PA

reply to dg2
said by dg2:
When we signed up for DSL at the office, we had an option of receiving a DSL modem or a combined DSL modem/router. Similar devices exist for Cable.

If we're having all these problems with people who aren't behind a firewall (in this case a NAT router), why not require them to take the combination modem/router? The idea is this -- when you sign up, the ISP asks "Do you currently have a router?" If no, then they automatically get the combo unit. If yes, and the ISP can be satisfied with it, they get the modem only.

I know there are details which would have to be worked out, but why wouldn't this help?
... Verizon offers the Westell 2000 in some areas, which has simple firewall capabilities, but they don't recommend using that feature, nor do they support it ... they also told me Westell doesn't 'support' it either (as if I could get through to Westell to ask) ... so that diminishes its effectiveness ... I activated it anyway (simple 'low' setting, no rules), and ZoneAlarm Pro went silent - which is lovely - but I'm having some small issues and there's nobody available to help ... so a good idea, poorly formed ... as Verizon tech support said to me, they can only work with their network, and even though THEY supplied this equipment they don't feel this is under their support umbrella ...

.... while your idea has merit, as does Link Logger's, where would the support come from? ... I'm trying to learn as much as I can, but I'm reluctant to muck around with the equipment and settings (and I LOVE to muck around) with no backup ...

... f w i w ...

--
... "I don't wanna go Uptown, baby ... all the friends I got are Downtown anyway" ... william topley


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland

reply to Link Logger
As I have said before, people who cause trouble to other people should be made to pay for it. If someone's computer gets infected with a trojan that spams me, well... If that person would have to pay me, he would have some motivation to LEARN about computer security and do something about it. Of course, they can't ever be 100% safe, but come on... As long as people who create havoc to the net don't have to pay, they don't care. It's as simple as that.

Nobody thinks that people who don't know how to drive should drive a car, because they can and will damage other people and cause problems. Everybody can agree that if they do it anyway, at least they should pay for the damages they cause.

For some strange reason, this same logic does NOT go with internet. People who don't know how to use computers and net use them anyway. And when they cause problems to other people, they don't have to pay for it.
--
My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.

B
Premium,MVM
join:2000-10-28


Except that the necessary political structures required to police the licensing of Internet users are exactly those structures that would have inhibited the growth of the Internet, not to mention most of your security hobby!

-- B
--
In a realm outside causality and function

anthrorules
Premium
join:2003-09-14
Rollinsville, CO
·Qwest.net
·IonSKY

reply to jansson_mark
For some strange reason, this same logic does NOT go with internet. People who don't know how to use computers and net use them anyway. And when they cause problems to other people, they don't have to pay for it.

I think that "intention" needs to be added into the mix. I don't blame "ignorant" people for making "mistakes" because they do not know any better, but I do blame "stupid" people who intentionally do not secure their systems and continue in risky Internet behaviour that affects others. Also, those who use their computers to wreak havoc on the Net (i.e., Hackers and Crackers), I blame them as well and they should be held liable for their activities.
--
Earthlink/Direcway SRS - DW4000 | ver. 4.2.1.10 | Proxy/Port 83 | G4R | 970 | Dell Dimension 4550 - WinXP Pro SP1 - 768MB Ram |ZA+ 4.5 | AVG 7.0 - Resident | Bit Defender 7.1 Free - On-Demand |TDS-3 | Ad-Aware | SpyBot S&D | MailWasher Pro


gkweb

join:2003-06-09
76800

reply to Link Logger
Great post

As you said, communication is the key.
Personally I would imagine that Computer sciences and Security could be learned at school, like languages or maths, I think that to learn early to young users how to secure them would be a great improvement in global Internet security.

anthrorules
Premium
join:2003-09-14
Rollinsville, CO
·Qwest.net
·IonSKY

Computer Science is already taught in the Elementary through High School level in the United States, not wide-spread, but there are quite a few school districts that do integrate computer technology in the classroom, not only as a peripheral teaching tool, but as another skill learning process. However, I don't know of any school district that explicitly teaches "computer security" or "internet security".

I agree that Internet security needs to start early, and not only the use in filtering technologies, which doesn't really instruct young minds about safe computing methods and practices.
--
Earthlink/Direcway SRS - DW4000 | ver. 4.2.1.10 | Proxy/Port 83 | G4R | 970 | Dell Dimension 4550 - WinXP Pro SP1 - 768MB Ram |ZA+ 4.5 | AVG 7.0 - Resident | Bit Defender 7.1 Free - On-Demand |TDS-3 | Ad-Aware | SpyBot S&D | MailWasher Pro

B
Premium,MVM
join:2000-10-28

Except that most people, possibly including me, expect us IT geek priests to handle the "security thing", making it as transparent as possible.

Our gripes notwithstanding, I really don't see that attitude changing any time soon...

It's not exactly the same as teaching safe driving -- there are only so many ways a truck can "come out of nowhere". By contrast, Internet threats are ALWAYS evolving into new forms.

It's more like asking that everyone be trained in basic CDC pathogen identification and prevention. Not a bad idea, come to think of it. But it's not gonna happen. I'm not sure it should.

-- B
--
In a realm outside causality and function

Bobby_Peru
Premium
join:2003-06-16


edit:
March 19th, @01:21PM

reply to anthrorules
said by jansson_mark:
For some strange reason, this same logic does NOT go with internet. People who don't know how to use computers and net use them anyway. And when they cause problems to other people, they don't have to pay for it.
said by anthrorules:

I think that "intention" needs to be added into the mix. I don't blame "ignorant" people for making "mistakes" because they do not know any better, but I do blame "stupid" people who intentionally do not secure their systems and continue in risky Internet behaviour that affects others. Also, those who use their computers to wreak havoc on the Net (i.e., Hackers and Crackers), I blame them as well and they should be held liable for their activities.
Seems like both these thoughts are correct. While it is true that ignorance is a huge problem, there must come a point past which such a lack of knowledge of even the most basic and simple facts that are all readily ascertainable (unless one is purposefully avoiding such information), a user (citizen, [edit: corporate official, corporation] elected and non-elected governmental official, armed force member, media....) is held accountable for damages resulting from his/her acts/omissions just as if they did "know better", regardless of their actual state of knowledge or intent, under the theory that to act else-wise is simply so irresponsible, and grossly recklessly endangers others, as to either imply "knowledge" and "intent", or to deem the act or omission itself a violation and not require actual "knowledge" or "intent" (intent only to go online).


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland

reply to anthrorules
said by anthrorules:
I don't blame "ignorant" people for making "mistakes" because they do not know any better, but I do blame "stupid" people who intentionally do not secure their systems and continue in risky Internet behaviour that affects others.
Information about viruses or other computer security stuff is in the news almost every week. It's there. Most people just don't care. It's like there are reminders about terrible road accidents in the news all the time and still some people drive very fast in bad weather, drink while driving, etc. etc.

quote:
Also, those who use their computers to wreak havoc on the Net (i.e., Hackers and Crackers), I blame them as well and they should be held liable for their activities.
That's pretty much like holding gun manufacturers responsible for killings that are done using guns.
--
My computer security & privacy related homepage »www.markusjansson.net Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.


Momzilla



reply to Link Logger
Unfortunately, I suspect that the biggest problem comes from the teen-college student age range. There are more of them online, and this is, by nature, a bulletproof age. You can preach until you're blue in the face, but God's truth ... the majority aren't equipped by nature to listen. If you can't get them to use condoms consistently in the face of HIV, Hepatitis, and pregnancy, do you really think you'll have success with preaching safe surfing?

Naturally, that doesn't excuse irresponsibility, nor does it mean that attempts at educating computer owners should be abandoned. But I think that pressure really needs to be put onto software companies and computer manufacturers to make this stuff come out of the box more secure. Most of the features that comprise the widest-open holes aren't used by the majority of casual surfers anyway. You go to websites like Symantec for help, and get really "helpful" advice like "shut down unneeded services." Great! What services do I need, and how the heck does one find and shut them down? I like to think that I'm slightly more savvy than the average owner, but the complexities are downright overwhelming.


dg2
Premium
join:2004-01-22
Lowell, AR
·Cox HSI

Which is why the idea came to me:

Most of us are sitting behind some sort of firewall. In all likelihood, 50% or so of us are sitting behind a NAT router, which we purchased so we can hook multiple machines up to our broadband modem.

At the same time, there are thousands of zombies out there -- and I get the impression they're not behind any sort of firewall. So why not integrate the devices (already been done) and issue those devices (or require them) as part of the service? That puts nearly everyone who gets new broadband service behind a NAT router, which (I'm thinking) should help reduce the zombie population.

Once the device is installed, the "protection" is already in place, and requires little to no thought every time the user sits down at the machine.

Of course this is only one layer, and more are needed or helpful, but wouldn't it be better if everyone were behind at least one layer of protection?

Good discussion going here. Let's keep it up.

B
Premium,MVM
join:2000-10-28


Well, yeah, dg2, except for what I said earlier:
quote:

Well, yeah, IF they continue to allow the users fine-grained control of that built in NAT service. Otherwise, if they were to start locking that NAT in place, it's a slippery slope towards a "Port 25 and Port 80/443 Outbound Only" world.
I guess I say "well, yeah" a lot. On a less alarmist note, it's also not the greatest "standard" deployment because the NAT immediately keeps people from using many P2P networks which, like it or not, is a major reason people are buying broadband to begin with. Not to mention videoconferencing, VOIP, personal web pages, etc. Poking holes in a NAT router's not as easy as answering "Yes" to a ZoneAlarm prompt (not today anyway), so people would likely "DMZ" themselves right back into the wide open pickle they started in...

-- B
--
In a realm outside causality and function


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
·Shaw

Concerning P2P networks, they are an entirely different security problem (we don't allow any P2P here for all the obvious reasons). We all know that people like stuff for free (I guess you should enjoy it while it lasts as they are removing motivation for a number of industries and I'm not just talking about the music industry), problem is so do hackers and so P2P networks have become a common infection vector for malicious code.

So if you download a copyrighted program that is infected off a P2P network, do you have a right to complain, whine or otherwise snivel about becoming infected yourself or when your ISP takes you offline for scanning/infecting other systems?

How much of a burden should the rest of society carry for people who become infected because of poor security practices? Should credit card companies base the limit to how much you are personally liable for fraud on if you have a firewall and AV for example? Non smokers get a break on insurance for example, perhaps it's time for a break for people who practice safe hex. ISPs could charge a higher rate for those users without firewalls so they can hire more support and security personnel perhaps, or charge more for people using higher risk services like P2P networks? There are lots of options here.

Blake
--
Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
8th year online! © 1999-2008 dslreports.com