From: futureshoks at hushmail.com (futureshoks@...hmail.com)
Subject: The worm author finally revealed!

(Again no personal attacks: I respect what you guys have to say).


[Paul Said:]
Firewall?  DMZ?  What makes you think everybody has those?  How 'bout an
even more esoteric question?  Why do the tier 1 providers (like UUNET)
allow traffic on port 1434???
[/Paul]

Because it's not their call. I could write an EncryptoWidget for my company and have it using 1434/UDP - what right does my ISP or any other carrier have to decide what ports I can and can't use?

With an increase of traffic moving over TCP port 80: remote desktop control[1], SSL VPNs[2], to name a few, conventional firewalling will surely become somewhat moot. We'll all be wrapping things up as MIME-encoded HTML (and wasting a whole load of bandwidth too) just to get through the firewall. I have actually seen products advertised as "can be used from any PC with a web browser so as to avoid internet firewalls".

We're just moving sideways if people think like this; security is a hindrance to be avoided. So yes, you are right about education and taking the initiative. If someone could only come up with that elusive formula that showed how increased security was directly proportional to Management bonuses we'd be laughing :)

[Mark Said:]
It also shows how many companies could give two sh!ts about
patching and firewalling important boxes internally.
[/Mark]

Whilst contacting (read 'forcing') people to patch their SQL Servers once and for all or be thrown off the network I constantly met with the same response: "but it's behind the firewall isn't it". This goes to show that even when people do recognise the security issues abound on today's Internet they don't understand the nature and technicalities of exploits. They don't know that some traffic can traverse firewalls when it's not supposed to. They don't know about VPN connections to branch offices. They don't know about firewall interfaces, DMZs, etc, etc. As long as the port is blocked to the world then we're all safe.

[Mark Said:]
This goes FAR beyond forgetting to install a simple patch, I think
it shows just how many people out there have no port filtering
in place and probably check off "full install" on their windows
servers without a second thought.
[/Mark]

That's because they're all textbook MCSEs without an ounce of noodle between them (or they're developers: I swear without developers our network security would increase ten-fold) and are more interested in getting things to work than security. After all, IT that isn't working is just a waste of money.

________
[1] http://www.webex.com
[2] http://www.nortelnetworks.com/products/01/alteon/sslvpn/
