[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

MrB jadeba at gmail.com
Fri Jun 17 20:06:25 MDT 2011


I see validity in both sides. Nobody wants to see the Internet
regulated and for the "priviledged few" only. But I do maintain that
you need to remain responsible for your actions.

If you are negligent and leave your SMTP server wide open (actually a
bigger burden than Windows zombies in terms of cost to the industry,
it's just that it's constant) and it's used to damage or deny company
or municiple services, then you should expect to be sued. I would and
I would encourage my clients to. Just like if you were negligent with
your car in terms of what you do with it and how you maintain it, and
someone gets hurt because of it, you'd expect the same. If you've
taken resonable steps to maintain your corner of cyberspace (updates,
non-essential services closed etc) and bad stuff still happens then
that's life. You shouldn't be held responsible.

The same works on the other side though. If my electricity supplier is
negligent with its IT services (poorly configured firewall, unecessary
services connected to the web) and they get taken down then they
should be ready to dish out the compensation. The big questions then
become; what is negligent and what is reasonable? I hate to fuel the
lawyers and I know the law is grey (and the international factor
complicates it further) but it's compromise we're going to be stuck
with I feel.

Chris


On 6/18/11, Robert Edwards <bob at cs.anu.edu.au> wrote:
> On 18/06/11 09:14, Craig Small wrote:
>> On Fri, Jun 17, 2011 at 06:21:34PM +1000, Sam Couter wrote:
>>> Jason<j.lee.nielsen at gmail.com>  wrote:
>>>> Banking and stock markets are vulnerable I can see that because they
>>>> need interaction with humans all over the world but really why is
>>>> anything to do with water or electricity supply on the internet?
>>> I imagine for the same reason anything else is hooked up to the
>>> internet: Easy and convenient remote access. Some water and electricity
>>> infrastructure is remote enough and in tough enough terrain that it's
>>> difficult (expensive) to physically get to on a regular basis.
>>
>> I would argue that in the case of an essential service that the people
>> responsible are not doing their job properly.  Almost anywhere you can
>> get internet, you can get a non-internet private IP service.  It may run
>> over the same wires, but it is (to some extent) isolated.
>>
>> There would be some places for unsual reasons this doesn't apply, but
>> they would be extremely rare.  We're now talking about a place where you
>> can get internet, but not get a private network. It's probably more likely
>> they person involved didn't think of all the threats through or they were
>> overruled by the bean-counters.
>>
>> Whenever I see this threat being mentioned on the tellie it always
>> frustrates me. I read it as shoddy network engineering. Getting a little
>> back on track, the equipment still should be secured because you've only
>> removed one attack vector out of many.
>>
>>   - Craig
>
> A bit like a hypothetic electricity authority securing all their
> switchrooms with brand-X padlocks, then discovering that the bad-guys
> can use paperclips to pick brand-X padlocks. Solution: shutdown anyone
> who manufactures paperclips and ban their private ownership, because
> they have just become "weapons" (my example is slightly hyperbolic).
>
> Or some genius decides to use WiFi to control their 100T crane remotely.
> Then discovers that bad guys can use a bunch of laptops and PDAs etc. to
> DDoS their crane - solution: ban all laptops and PDAs etc. because they
> have just become "weapons" lying around for the bad guys to point at
> innocent crane operators. (slightly less hyperbolic example).
>
> Or what about banning pushbikes from the road, because, you know, some
> people transport highly flammable and toxic materials on the road and
> the bad guys _could_ use a flock of pushbikes to cause a traffic delay
> that _could_ cause the highly toxic materials to burst into flames. I
> wouldn't want to be the one living next to the road when that happened..
>
> Private cars can be used in ram-raids...
>
> The list goes on and on...
>
> The guys who operate the big sites being targetted by DDoS attacks need
> to work out how to harden their infrastructure against such attacks.
> There are a variety of (costly) technical mechanisms that can help.
>
> I would like to see some stats, but the big problems being reported in
> this thread are not caused by Internet-facing web servers at home.
>
> Lets face it, DDoS attacks are pre-dominantly caused by people running
> Windows on their home PCs. If you want to make the Internet "safer",
> banning Windows machines from the Internet is going to get you a lot
> closer to the utopia you desire than dissuading people with a certain
> desire to DIY (most on this list) from running their own Internet-
> facing web servers at home. Those who stand to gain are those who
> run, or work for, commercial web-hosting services (and I know that
> there are a number of those people, possibly with a slightly different
> agenda, on this list).
>
> Cheers,
>
> Bob Edwards.
>
>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>

-- 
Sent from my mobile device

Jade Barton
Mobile: 0419938569
http://www.gredil.net/


More information about the linux mailing list