[conspire] (forw) Re: [Smaug] recommendation request - which linux

Rick Moen rick at linuxmafia.com
Tue Aug 30 18:11:53 PDT 2011


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Tue, 30 Aug 2011 18:10:52 -0700
From: Rick Moen <rick at linuxmafia.com>
To: smaug at lists.svlug.org
Subject: Re: [Smaug] recommendation request - which linux
Organization: If you lived here, you'd be $HOME already.

Quoting Steve Kudlak (izelatlan at yahoo.ca):

> It is alas better to have security discussions in person or small groups 
> and not on the net.

Better and worse at the same time.

You get less drive-by freakery and the benefits of interactivity and
tone/expression.  On the other hand, in-person discussion sucks for 
dealing with detail and with anything requiring careful research and
preparation before opening one's mouth.  Small groups are typically
something you must pay to benefit from, as it is called 'consulting'.
Many of us decline to get suckered, any more, into private discussions
without pay because, if we're going to indulge the time sink entailed,
it at least should be somewhere that benefits the public, e.g., a
Web-archived mailing list such as this one.

I mentioned upthread a few subtopics I intended to revisit.  One was
'the difficulty of having security discussions on an Internet filled
with gadget freaks who fundamentally do not understand security'.  The
truth is, many Linux users and the bulk of the voluble ones are
basically gadget freaks.  Therefore, their immediate instinct for pretty
much any problem is:  Throw more software at it.  Concerned about
attacks against your possibly vulnerable network daemons?  No problem!  
Just wrap them in the Holy Firewall.

The problems from gadget freakery are widespread and notorious, e.g.,
those on the MS-Windows platform resulting from people wanting active
content everywhere.  Like, hey!  There are now trojans that immediately
zombify your Windows workstation that get spread by e-mailed MS-Word and
MS-Excel documents with embedded Flash animations.  

https://krebsonsecurity.com/2011/03/adobe-attacks-on-flash-player-flaw/
https://krebsonsecurity.com/2011/04/new-adobe-flash-zero-day-being-exploited/

You might be thinking:  'Say what?  Why would it be valid to have
embedded Flash in a spreadsheet?  And why would Flash be permitted to
install 'malicious software'?  And why would such users be running Web
browsers and spreadsheets (let alone Adobe Flash) with local
Administrator authority?  Surely nobody would be that dumb.'

Oh, right, RSA Data Security, Inc. got its entire SecureID design stolen
because one of their engineers did all of those things (including having
the ActiveX/MSIE version of the buggy Adobe Flash plugin installed):
http://www.wired.com/threatlevel/2011/08/how-rsa-got-hacked/


Anyway, that also leads neatly to my other two follow-up items: 'the
hard shell with the creamy centre security model, and port 80 becoming
the sewer of the Internet'.  The entire Cult of the Holy Firewall is
based on saying 'We'll just draw a moat of port/IP filtering around our
vulnerable machines, and use them to keep The Bad Things out'.  Certain
ports and IPs, and general patterns of traffic susceptible to (say)
iptables rulemaking are declared associated with Bad People and blocked.
Consequently, if attackers are able to get any traffic past the hard
shell (firewall), they're able to munch happily on the creamy centre
(the vulnerable machines inside the security perimetre).  Because the
boss's son wants to be able to get to Farmville, port 80/tcp is declared
associated with Good People.  Even if damned near everything else is
blocked, HTTP (80/tcp) remains sacrosanct.  Immediate result:  sewer.
It becomes a superhighway for all the garbage including Trojans
implemented in Flash inside spreadsheets.  Feel safer?



----- End forwarded message -----
