💾 Archived View for hyperborea.org › log › 2004-08-18-security-perspectives.gmi captured on 2022-04-28 at 18:07:22. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2022-01-08)
-=-=-=-=-=-=-
by Kelson Vibber, 2004-08-18
When I worked at a computer lab in college, the main security focus was preventing lab visitors from screwing around too much with the computers. We just ran Windows NT and locked it down as hard as possible. The worst network-based threat I remember facing was WinNuke, and that was just as likely to be another lab tech. Some of the early email viruses started circulating while I was there, but since it was a public lab, we didn’t provide any email programs; people would telnet into the mail server and use Pine. (This was pre-Hotmail, too.)
In my wired-for-ethernet campus housing, however, all bets were off. I watched people remotely controlling each others’ computers as pranks, or discovering hackers had gotten onto their systems from halfway across the planet, and figured it was safer to use Linux most of the time. This actually got me in trouble with the network admin at one point, who decided I must be running a server and shut off my port. It did at least teach me to disable services that were turned on by default, though I saw no indication that anything on there was actually being abused.*
Then there were firewalled environments. Still back in college, we rigged up my parents’ house for a home network. My brother put together a Linux box to dial into the Internet and act as a gateway, and effectively everything inside the network was safe from direct attacks. No point in internal firewalls, and since everyone was savvy enough to avoid the really nasty stuff (which was easier at the time), virus scanners were only a precaution, rather than a necessity.
For the past few years I’ve mainly worked with firewalled or NAT environments. It’s like having a wall around the city, with a guard at the gate. Miscreants can’t wander in, so they have to try to bluff their way past the guard. “Look, I’m just an ActiveX control on a web page!” “Hey, I’m an e-mail attachment!” “Relax, I’m just an MP3! I know my file extension ends in .exe, but trust me!” So it’s all about keeping the pull traffic secure – the web and email clients, watching what you download, etc. Virus scanners help, but they should be your last line of defense, not your first.
Wireless changes everything, though. You’ve noticed modern cities don’t have walls? There are two reasons for that: The first is the rise of large nations. The walls are at national borders, not city limits (and they’re more likely to be fences or just guards than physical walls). The second: flight. Enemies can jump in an airplane, fly over your walls, and drop bombs anywhere inside until you shoot them down.
Similarly, a wireless access point makes it possible to fly right over that elaborate firewall on your Internet connection — indeed, right past the walls of your building — so it’s critical to secure a wireless network. The first time I turned on AirPort I spotted at least three access points!
So it’s back to treating the network as (potentially) hostile. Keep the patches up, of course — always keep the patches up — but install local firewalls. Turn off unused services. Limit or disable remote logins. And again, secure your wireless network! (See the previous link for some good resources, particularly “Securing Your Wireless Access Point: What Do All Those Settings Mean Anyways?” ) Mac OS X, most Linux distributions, and now Windows XP Service Pack 2 include built-in firewalls (but you have to turn them on), or you can install a product like ZoneAlarm. These days an unpatched Windows system hooked straight up to the Internet is broken into within an average of 20 minutes. This is what firewalls — whether network-level or computer-level — are for!
C|Net: Unpatched PCs compromised in 20 minutes
Just remember: Keeping your computer safe is like defending yourself against the dark arts:
Constant Vigilance!
* Actually there was one instance, but it involved Windows-style file sharing, and since I was actually running Samba under Linux, I was able to use settings that prevented them from really exploiting it. So not only could it have happened on a Windows box, it would have been far worse if it had.
Early in the year, figuring some sort of file-sharing was useful within the house, I set up two public shares, one read-only and one write-only. A folder where I could post things and a dropbox. Within a few months I’d forgotten about the dropbox. Sometime the following year I was cleaning up the system and stumbled across the folder. Embarrassingly, I discovered two very large MPEG files containing Entrapment. Apparently someone had found a writable share, uploaded it with the intent to transfer it somewhere else, and discovered they couldn’t get the file back. (This was exactly why I made it write-only in the first place — so it couldn’t be used as a transfer point). I told my brother about this, and he laughed and said, “At the very least they could have pirated a good movie!”
Next: Jedi vs. Sith, Order vs. Chaos