[120053] in North American Network Operators' Group
Re: Breaking the internet (hotels, guestnet style)
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Tue Dec 8 16:07:08 2009
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <g3d42pcsgn.fsf@nsa.vix.com>
Date: Tue, 8 Dec 2009 16:05:44 -0500
To: Paul Vixie <vixie@isc.org>
Cc: nanog@merit.edu
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Dec 8, 2009, at 11:59 AM, Paul Vixie wrote:
> Steven Bellovin <smb@cs.columbia.edu> writes:
>
>> It's why I run an ssh server on 443 somewhere -- and as needed, I
>> ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections
>> as I really need...
>
> me too, more or less. but steve, if we were only trying to build digital
> infrastructure for people who know how to do that, then we'd all still be
> using Usenet over modems. we're trying to build digital infrastructure for
> all of humanity, and that means stuff like the above has to be unnecessary.
> --
Right -- which means that we need a *good* solution. "Good" has to encompass not just technical cleanliness, but also operational reality, which includes things like slow software update rates -- both on clients and the hotel infrastructures -- the very wide variety of client platforms out there.
The problems we're talking about, though, are both competence and policy. There's no intrinsic reason why hotels have to block some ports, especially given that many others do not. They've chosen to, for whatever misguided reason. (Aside: my local library blocks everything but 80 and 443 outbound. I complained to the director; he cited "security". I tried explaining that I knew something about Internet security; he told me that the firm that had installed the system had "done most of the libraries in the county". I translate that as "most of the libraries in the county have broken security policies".)
And competence? Again, we've all seen many different ways certain things are done. I once had to boot into Windows to get a lease because NetBSD just wouldn't deal with the broken DNS packets necessary for the sign-up procedure. After that, I rebooted into NetBSD and configured a static address and route.
--Steve Bellovin, http://www.cs.columbia.edu/~smb