Open Source and information security mailing list archives
 
Message-ID: <000001c2d099$bfa46170$0201a8c0@fosi>
From: steve.wray at paradise.net.nz (Steve Wray)
Subject: SQL Slammer - lessons learned (fwd)

So demonstrate to your ISP that you are competent.
What's wrong with that?

And if someone isn't competent and doesn't get an
open pipe internet connection and doesn't get their
IIS server infected with nimda WOOOO HOOO FANTASTIC!

> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com 
> [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of 
> Steffen Dettmer
> Sent: Monday, 10 February 2003 12:53 p.m.
> To: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] SQL Slammer - lessons learned (fwd)
> 
> 
> * yossarian wrote on Sun, Feb 09, 2003 at 19:52 +0100:
> > My question - must my ISP know all types of traffic legit to me, in order to
> > service me? 
> 
> I don't think they can. Maybe they can serve AOL customers
> without any requirements except high color depth, but for people
> that work with the net, they cannot.
> 
> > can not setup a FW that suits me 100%, since it has other companies /
> > customers with different needs on the same local loop.
> 
> Yep, and the same applies to standard software. Usually I expect
> my software to be highly customizable, I want to define what key
> does what action, but many people just consume solutions suited
> for different requirements in some strange way. Well, so let them
> do, but they let me do my business. And so I don't expect
> government or anybody to get too deep into my business. In
> Germany, it's now illegal to serve sex pages in the afternoon I
> heard, but despite the fact that this is technically impossible I
> don't see a valid reason for it. 
> 
> And if someone thinks about some "whitelists", this is also
> impossible, since I also feel free to apply strong cryptography
> wherever I want - I do nothing illegal, but I still may be
> interested in keeping my love letters private.
> 
> > So even if my ISP were to block most of the dangerous traffic,
> > I still would need a FW, since it cannot block all. 
> 
> Well, a packet filter helps nothing, so the ISPs need content
> filters. And content filters don't work for me as long as there
> is a single false positive.
> 
> > And since an ISP must make profit, having them doing MY
> > firewall would probably be a lot more expensive than if I do it
> > myself.
> 
> Well, I don't think that this is necessarily true, at least if it
> concerns non-professional non-security people. You are able to do
> it in a short time, but most users are not educated to deploy
> usable security I think. So having experts for security, isn't
> bad in my opinion, but it's me, the user, that has to do the
> specification.
> 
> I work a little in this business, and when I start to promise I
> protect anybody against anything, I'm lying, even with best-made
> firewalling. All we do is risk management. So when requiring
> impossible things, the ISPs would have the problem: they cannot
> do technically, no one will pay it, so no one should require it.
> 
> oki,
> 
> Steffen
> 
> -- 
> This letter was generated by machine,
> it therefore bears neither signature nor seal.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

