[ILUG] Security: Was Naive ADSL/WiFi questions (long (sorry!))?
watty at eircom.net
Sat Jun 23 09:37:20 IST 2007
Josh Glover wrote:
> On 23/06/07, Rick Moen <rick at linuxmafia.com> wrote:
>> Quoting Josh Glover (jmglov at wmalumni.com):
>> > http://www.itsecurity.com/interviews/interview-bruice-schneier-051607/
>> > http://www.schneier.com/blog/archives/2007/06/nonsecurity_con_1.html
> Interesting that you quote Marcus Ranum, as he and Bruce Schneier have
> an ongoing "feud". ;)
Iv'e run a firewall since 1995. For about ten years I installed Small
Office systems with a separate firewall.
My conclusions about security :
1) Physical Access. If there is physical access all bets are off.
2) Users have to be allowed access to their own PCs, unfortunately, so
they need training. Works better than AV software.
3) External Access. Don't allow unknown providence SW to be run.
Floppy, CD, or Internet. Why almost every PC supplied had Floppy left
as default boot device? Disable all network bindings and services not
4) Don't run AV software as (a) Gives users a false sense of security so
they won't bother with lessons in (2) and (b) It doesn't really work
5) Be 110% expert in configuring any service / device connected to Internet.
6) Only patch for real threats. In 2 years of being responsible for one
office's IIS /NT4.0 server on the actual Web via firewall one patch was
needed to protect against a DOS attack. Everything else was a
question of configuration.
6) Have a mail server that eats anything executable and mail clients
address to block any internet content.
7) If in doubt use an non-AV tool that detects unwelcome visitors, when
8) Block all webmail so the mail server is filtering.
I ran a NT4.0 based firewall proxy for 10 years at home with only the
main NT SP updates, no patches, hotfixes or AV.
I use silentrunners.org to occasionally check any XP system I'm
The offices I managed never had any viruses or Trojans.
My experience is that with a properly configured Firewall almost 100% of
malware is self inflicted via ignorance and that almost all the security
warnings are irrelevant if you have a firewall and not running any
So for last couple of years I don't host any service on Internet unless
it is setup with username, password and a white list of IPs to connect
(say stream my own video source or VNC) and it's known to be securable.
My Mailserver no longer uses SMTP to recieve mail, it picks it all up
I use hosted Web, FTP, Mailserver etc with 200G monthly cap and an
annual cost less than typical ISP connection now for last couple of
years. Pick a hosting company that keeps those secure and have your own
backups. Self hosting even for a moderate sized buisness should be history.
All my kids have had Internet on their own PCs as they got old enough to
use a PC since 1995 (own PCs since about 1992). Even with 2 students
working on the from home based Multimedia business etc, we never have
had a single virus or trojan. Linux has been an off & on "minority
sport" in the house since 1998 with the kids.
Traditionally people had to be fairly expert to install and use Unixes
at all. I've always maintained that, that is where the security came
from. Most IT "professionals" and vendors appear to know less about MS
configuration than Linux Endusers know about Linux. Even Microsoft
seems to think Vista is Win98 and appears to have forgotten why most of
the stuff they inherited from IBM OS/2 and DEC VMS was in NT3.1 I had an
NT 3.5 server on 12M RAM and 386 20MHz CPU that worked fine. I had RH6.0
on 486-66MHz with 32M of RAM.
When you see the software bloat, C++ compilers being used to write bad C
and the spec of HW needed, I can't but feel we are going backwards from
what was known in 1985 - 1986 when I worked on C++ compiler, Occam,
Modula-2, Parallel processing, Provably correct SW, Object
Orientated SW etc. About the only step forward seems to be able to have
a real SQL server for data on a Laptop instead of brain dead CP/80
type solutions like DbaseII and Access etc.
Linux might be getting more user friendly and more driver support, but
it's heading down the same one way street that NT has got to with Vista.
Vista is definately NT's ME. It's hard to see given how big it is now
and bloated that MS hasn't gone over the event horizon. An NT4.0 based
server will still run with file, print and Mail with about 24M of RAM
utilised on a P90. Even Embedded Linux OS on Kernel 2.4 now seems to
need a higher spec.
Bloat means less secure & reliable SW as no one can understand it.
More information about the ILUG