[190404] in North American Network Operators' Group
RE: IPv6 deployment excuses
daemon@ATHENA.MIT.EDU (Keith Medcalf)
Sat Jul 2 15:05:47 2016
X-Original-To: nanog@nanog.org
Date: Sat, 02 Jul 2016 13:05:41 -0600
In-Reply-To: <1214617199.8674.1467484972312.JavaMail.mhammett@ThunderFuck>
From: "Keith Medcalf" <kmedcalf@dessus.com>
To: "nanog list" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
This is a non sequitur.

In what way is the blocking of incoming unsolicited connections not a "proper security measure"?

What gives you (or anyone else) the right to "disable" security measures which you (or anyone else) consider "too strict"?

How do you arrive at the conclusion that disabling unsolicited incoming connections to software that does not require it (and which you do not want to accept such unsolicited incoming connections) is "far less effective" than "proper security measures" (and what are those alleged "proper security measures")?

Explain especially in light of built-in crapware which cannot otherwise be removed from the system because it has been "integrated" by scattering its parts (with no purpose other than to make the crapware non-removable) into critical components so as to prevent removal without breaking the system?

Please explain how expecting firewall settings to remain set as they have been deliberately set makes one a "security zealot"?

If the ACLs on your Cisco router suddenly decided to change all by themselves because Cisco had decided they did not like the way you had set them, I am quite sure that you take an entirely different position!

> -----Original Message-----
> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Mike Hammett
> Sent: Saturday, 2 July, 2016 12:43
> Cc: nanog list
> Subject: Re: IPv6 deployment excuses
>
> Security that is too strict will be disabled and be far less effective
> than proper security measures. Security zealots are often blind to that.
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
> ----- Original Message -----
>
> From: "Keith Medcalf" <kmedcalf@dessus.com>
> To: "nanog list" <nanog@nanog.org>
> Sent: Saturday, July 2, 2016 11:41:48 AM
> Subject: RE: IPv6 deployment excuses
>
>
> Yes, the default is "on". An exception is added for EVERY SINGLE PIECE of
> Microsoft Crapware, whether it is needed or not (and in every single case,
> it is not). And if you turn those exceptions "off", then they are turned
> back on by Microsoft and their NSA partners for you, without your
> permission, whenever automatic updates run (and also at other times that I
> have not determined the trigger). You must continuously check that the
> firewall (although ON) remains configured as you configured it, or if
> Microsoft (and their NSA partners) have changed the configuration without
> your permission.
>
> Of course, most people do not bother configuring the firewall and do not
> wonder why every piece of Crapware has an incoming exception, and do not
> bother to turn those off (including some on this list apparently). So they
> will never notice these nefarious doings which have been a hotbed of
> discussion on the Internet for many years.
>
> And this is on the latest distribution of Windows 10 including the
> upcoming anniversary edition and has been that way since at least the
> first version of Windows 8.
>
> Whether or not Windows 7 also behaves the same way I do not know because I
> never ran it.
>
> > -----Original Message-----
> > From: Spencer Ryan [mailto:sryan@arbor.net]
> > Sent: Saturday, 2 July, 2016 10:08
> > To: Keith Medcalf
> > Cc: North American Network Operators' Group
> > Subject: RE: IPv6 deployment excuses
> >
> > Windows 8 and 10 with the most recent service packs default the firewall
> > to on with very few inbound exemptions.
> >
> >
> > On Jul 2, 2016 11:38 AM, "Keith Medcalf" <kmedcalf@dessus.com> wrote:
> >
> >
> >
> > > There is no difference between IPv4 and IPv6 when it comes to
> > > firewalls and reachability. It is worth noting that hosts which
> > > support IPv6 are typically a lot more secure than older IPv4-only
> > > hosts. As an example every version of Windows that ships with IPv6
> > > support also ships with the firewall turned on by default.
> >
> > Just because the firewall is turned on does not mean that it is
> > configured properly.
> >
> > Every version of Windows that ships with IPv6 support also ships
> > with the Firewall configured in such a fashion that you may as well have
> > it turned off.
> >
> > This is especially true in Windows 8 and later where the firewall is
> > reconfigured without your permission by Microsoft every time you install
> > any update whatsoever back to the "totally insecure" default state -- and
> > there is absolutely no way to fix this other than to check, every single
> > minute, that the firewall is still configured as you configured it, and
> > not as Microsoft (and their NSA partners) choose to configure it.
> >
> > All versions of Windows 8 and later whether using IPv4 or IPv6 are
> > completely unsuitable for use on a network attached to the Internet by any
> > means (whether using NAT or not) that does not include an external (to
> > Windows) -- i.e., in network -- stateful firewall over which Windows,
> > Microsoft, (and their NSA partners) have no automatic means of control.
> > If you allow UPnP control of the external stateful firewall from Windows
> > version 8 or later, you may as well not bother having any firewall at all
> > because it is not under your control.
> >
> >
> >
> >
> >
>
>
>
>
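
The check the quoted messages describe, confirming that inbound exceptions are still set the way you left them, can be scripted. This is an added example, not part of the original thread; the baseline path and the function name Get-InboundAllowRule are assumptions, and it relies on the Get-NetFirewallRule cmdlet from the NetSecurity module.

```powershell
# Added example: report inbound Allow rules that are enabled now but were not
# enabled when the baseline was saved. The baseline path is an assumption.
param(
    [string]$BaselinePath = "$env:ProgramData\FirewallBaseline\inbound-allow.xml",
    [switch]$SaveBaseline
)

function Get-InboundAllowRule {
    # Reads the local persistent store, which is the cmdlet's default.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.Name
                Display = $_.DisplayName
                Group   = $_.DisplayGroup
                Profile = $_.Profile.ToString()
            }
        }
}

$current = @(Get-InboundAllowRule)

if ($SaveBaseline) {
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $BaselinePath) | Out-Null
    $current | Export-Clixml -Path $BaselinePath
    Write-Output "Saved $($current.Count) enabled inbound allow rules to $BaselinePath"
    return
}

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    throw "No baseline at $BaselinePath; run once with -SaveBaseline first."
}

# Key on rule name plus profile so a rule widened to another profile also shows up.
$known = @{}
foreach ($rule in @(Import-Clixml -Path $BaselinePath)) {
    $known["$($rule.Name)|$($rule.Profile)"] = $true
}
$unexpected = @($current | Where-Object { -not $known.ContainsKey("$($_.Name)|$($_.Profile)") })

if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) inbound allow rule(s) not in the baseline:"
    $unexpected | Format-Table Display, Group, Profile -AutoSize | Out-String | Write-Output
    exit 1   # non-zero exit lets a scheduled task or monitoring agent alert
}
Write-Output "Enabled inbound allow rules match the baseline."
```

Run it once with -SaveBaseline after configuring the firewall, then without the switch on a schedule or after updates; keep the baseline file where only administrators can write to it.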