lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030210005326.D3326@dx.net.de>
From: steffen at dett.de (Steffen Dettmer)
Subject: SQL Slammer - lessons learned (fwd)

* yossarian wrote on Sun, Feb 09, 2003 at 19:52 +0100:
> My question - must my ISP know all types of traffic legit to me, in order to
> service me? 

I don't think they can. Maybe they can serve AOL customers
without any requirements except high color depth, but for people
that work with the net, they cannot.

> can not setup a FW that suits me 100%, since it has other companies /
> customers with different needs on the same local loop.

Yep, and the same applies to standard software. Usually I expect
my software to be highly customizable, I want to define what key
does what action, but many people just consume solutions suited
for different requirements in some strange way. Well, so let them
do, but they let me do my business. And so I don't expect
government or anybody to get to deep into my business. In
germany, it's now illegal to serve sex pages in the afternoon I
heard, but despite the fact that this is technical impossible I
don't see a valid reason for it. 

And if someone think about some "whitelists", this is also
impossible, since I also feel free to apply strong cryptography
whereever I want - I do nothing illegal, but I still may be
interested in keeping my love letters private.

> So even if my ISP were to block most of the dangerous traffic,
> I still would need a FW, since it cannot block all. 

Well, a packet filter helps nothing, so the ISPs need content
filters. And content filters don't work for me as long as there
is a single false positive.

> And since an ISP must make profit, having them doing MY
> firewall be probably be a lot more expensive than if I do it
> myself.

Well, I don't think that this is neccesarily true, at least if it
concerns non-professional non-security people. You are able to do
it in a short time, but most users are not educated to deploy
usable security I think. So having experts for security, isn't
bad in my opinion, but it's me, the user, that have to do the
specification.

I work a little in this business, and when I start to promise I
protect anybody against anythink, I'm lying, even with best-made
firewalling. All we do is risk management. So when requiring
impossible things, the ISPs would have the problem: they cannot
do technically, noone will pay it, so noone should require it.

oki,

Steffen

-- 
Dieses Schreiben wurde maschinell erstellt,
es tr?gt daher weder Unterschrift noch Siegel.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ