
[no subject]



http://en.wikipedia.org/wiki/Witty_%28computer_worm%29

<-- Snip -->

> > 3.) Advocating blocking ICMP echo request (ping) packets.  Again, from
> > "Shields Up": "Ping Reply: RECEIVED (FAILED) ? Your system REPLIED to
> > our Ping (ICMP Echo) requests, making it visible on the Internet. Most
> > personal firewalls can be configured to block, drop, and ignore such
> > ping requests in order to better hide systems from hackers. This is
> > highly recommended since "Ping" is among the oldest and most common
> > methods used to locate systems prior to further exploitation."  RFC 1122
> > [1] specifically requires that hosts on the Internet respond to ICMP
> > echo requests with an ICMP echo reply.  Misguided users might end up
> > blocking all ICMP packets (I have seen at least one consumer router with
> > an option to block all ICMP), resulting in the breaking of path MTU
> > discovery, ICMP redirection (which admittedly has its own issues), and
> > the loss of Host/Network unreachable messages.  (In addition to the
> > dozens of other messages carried by ICMP.)  This might also make the
> > user unable to send outbound pings, or receive their replies.  (Again,
> > dropping ICMP = bad.)  Even Steve himself admits[2] that this breaks the
> > way things are designed to work.


> As a home user, I've been blocking outside pings for years, as long as 
> I've had broadband.  It's all part of being invisible.  I can't speak to 
> whether the router is blocking other ICMP.  I've never had any ill 
> effects that I know of.

You wouldn't probably realize it.  A web site takes ages to load.
Happens all the time.  Sometimes it works, sometimes it doesn't,
sometimes you go elsewhere.  You think it's just the net.  You don't
realize you shot yourself in the foot.

> There is absolutely no reason anyone outside my 
> house needs to ping me, and I have serious doubts as to whether I need 
> to receive any other ICMP traffic.

No offense but that's because you obviously have no clue how the network
works.  ICMP is the Internet CONTROL Message Protocol.  It's used for a
lot of bookkeeping and management, not just ICMP ECHO (ping).

> Blocking ping, and ICMP, may break 
> certain things enterprise networks expect.  I don't have a problem with 
> that.  I don't have an enterprise network.

What you will care about is if something takes 30 seconds to time out
instead of telling you that a site is busy or something else is wrong.
ICMP is how network errors are reported back.

> I have a home network that I 
> want to be as safe as possible and one that does what I need it to do by 
> giving me access to the internet.

Well, you're going about it all wrong and breaking things and making
things unreliable along the way.  But it's a self-inflicted injury, so I
guess that's OK.  Enjoy.

> I really don't care if that violates 
> RFC 1122.  Also, the internet was "designed to work" in the 60's when 
> the types of security issues we face today, with millions of automated 
> viruses roaming around, hadn't even been dreamed of.  So, maybe the way 
> it was designed to work, isn't the safest way to have it work, in the 
> modern era.

<-- Snip -->

> Perhaps you could point it out in a positive manner at 
> http://www.grc.com/feedback .  He says he reads every post, even if he 
> cannot personally reply.

Reads?  Maybe.  Does he do anything about them?  I'm not so sure.  I'm not
convinced.

<-- Snip -->

> The consumer is going to go look at the store shelf and see "NAT Router" 
> on the box.  Steve has to use terminology that they'll understand.  The 
> consumer NAT router has NAT, firewall, and routing functionality, so it 
> is a security device, whether NAT is providing the security or not.  I 
> think one of the Michael's said that part of doing NAT involves stateful 
> packet inspection, so it seems to me that all this is pretty intertwined 
> anyway.  The consumer thinks, "If I have a NAT router, I have some 
> security." - which is true.

And then, because of this inaccurate reasoning, they think that IPv6 is
less secure than IPv4 because it has no NAT.  That is just incredibly
wrong on so many levels it's mind boggling.

> By the way, as long as we're discussing NAT, since the cable / dsl modem 
> ONLY provides 1 IP on its Ethernet LAN port, as far as I know, then, 
> without NAT, the customer could only put 1 PC on the LAN and connect to 
> the internet.  That would be unfeasible for most of us.

Yes!  THAT's what NAT was created for.  To address the shortcomings and
failures of IPv4 and allow the sharing of addresses, not to provide
security (it also breaks several things in IPv4 along the way as well).
That's what IPv6 does away with.  That's what IPv6 fixes and is more
secure in principle to begin with.  You need an IPv6 router anyways just
to route your subnet.  I can replace a NAT device with three rules in a
stateful filter (which should be there by default anyways) on your
router, and we're done.  You have all the security of IPv6 plus all the
security you would have on IPv4 with NAT and you have no NAT!

> > I'm not saying Steve hasn't contributed to the field of consumer
> > security, and I'm not saying that every bit of advice he gives is crap.
> >   But, really, the way security is done needs to be reformed.  It needs
> > to be a collaborative effort, and we need to make users understand.
> > Steve has said things that mislead users into believing that they are
> > secure when they may, in fact, still have vulnerabilities.  I don't
> > think he emphasizes user education enough, and I don't believe he has
> > paid adequate attention to drive-by downloads, bundled malware, and user
> > privacy issues.  Most compromises of home computers are NOT caused by
> > services on the host.  Most of the compromises occur because users a)
> > download things they shouldn't, b) don't patch, c) use peer-to-peer (see
> > a.), and d) don't know better.  Being stealthed doesn't fix a single one
> > of those.
> >
> >    
> 
> If you had listened to the last 5 years of his weekly podcast, as I 
> have, you'd find that he's all about education.  Everything you 
> mentioned has been covered numerous numerous times, usually in great 
> detail.  There is far more content there than on his website.  I just 
> chose to point out ShieldsUp because of the discussion about routers.  
> Why else would he devote 4 hours a week (3 hours prep, 1 hour talk) to 
> making a podcast for over 250 weeks, all for free?  He's the most 
> dedicated person I know of in terms of protecting the consumer.  He also 
> pays his staff to transcribe each podcast so we can have better access 
> to it and search it.

> No offense intended, but I found your arguments interesting, and 
> somewhat valid, but overall nitpicky and not compelling from the point 
> of view of the consumer.

Fine.  Then just don't point to him as an authority.  That's like
pointing to Mister Rogers as an expert on quantum mechanics.  He may
make it popular and understandable but you, as the consumer, need to
understand that he's an approximation at best and misleading at worst.

<-- Snip -->

> My only motive in making these posts is to help other people.  It 
> doesn't do me any good in any other way, to sit in this chair with a 
> sore back, to spend dozens of hours typing this.  So, hopefully, it will 
> be helpful.  I do appreciate the dialog, by the way.

> Sincerely,
> 
> Ron

Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
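Mike's remark about replacing a NAT device with three rules in a stateful filter, together with the earlier point about which ICMP must never be dropped, written up as an added nftables ruleset; this is not code from the thread or from anyone in it, and the interface names wan0 and lan0 are assumptions.

```nft
# Added example, not from the thread: the "three rules in a stateful filter"
# as an nftables ruleset for a dual-stack home router.
# Assumed interface names: "wan0" (upstream) and "lan0" (inside); adjust to fit.
# Load with:  nft -f home-router.nft
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;   # Rule 3: default deny

        # Rule 1: replies to flows the LAN started come back in.  Conntrack marks
        # ICMP/ICMPv6 errors about a tracked flow (e.g. packet-too-big for PMTUD)
        # as "related", so they pass here without any ICMP-specific rule.
        ct state established,related accept

        # Rule 2: LAN hosts may open connections to the outside.
        iifname "lan0" oifname "wan0" accept
        # Nothing else is forwarded from wan0 to lan0: the same exposure as an
        # IPv4 LAN behind NAT, with no address rewriting and with IPv6 working.
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        iifname "lan0" accept

        # ICMP the router itself must accept from wan0.  Dropping all of ICMP
        # breaks path MTU discovery and, on IPv6, neighbour discovery and
        # router advertisements from the ISP.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert } accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # RFC 1122 expects hosts to answer echo; the reply costs nothing.  If you
        # still want to drop it, remove only these two lines and keep the above.
        icmpv6 type echo-request accept
        icmp type echo-request accept
    }
}
```

Check the loaded rules with `nft list ruleset`; the error types above are the ones that still arrive even when echo-request is dropped, so leaving them out is what turns "block ping" into "break PMTUD".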