[70249] in North American Network Operators' Group


Re: Worms versus Bots

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu May 6 11:09:26 2004

To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: North American Noise and Off-topic Gripes <nanog@merit.edu>
In-Reply-To: Your message of "Thu, 06 May 2004 11:45:23 +0200." <189C3B5F-9F42-11D8-BE01-000A95CD987A@muada.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 06 May 2004 11:08:42 -0400
Errors-To: owner-nanog-outgoing@merit.edu



On Thu, 06 May 2004 11:45:23 +0200, Iljitsch van Beijnum said:
> I object to the idea that requiring a software firewall inside a host 
> is a reasonable thing to do. Why on earth would I want to run an 
> insecure service and then have a filter to keep it from being used?

You object to it, I object to it... but the fact remains that 95% of the
user-accessible CPUs (not counting the embedded market) are running software
that you have to do unreasonable things in order to make it anywhere near safe
to use....

> Either I really want to run the service, and then the firewall gets in 
> the way, or I don't need the service to be reachable, so I shouldn't 
> run it. System services should only be available over the loopback 
> address. Now obviously this is way too simple for some OS builders, but 
> we shouldn't accept their ugly hacks as best current practice.

"Best Current Practice" is *so* divergent from "Currently Deployed Practice"
that there's little or no common ground.

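The quoted position in this exchange, that system services should listen only on the loopback address, is something a host owner can verify directly. The following script is an added example and not part of the thread or from either poster; it parses output in the shape of `ss -ltnp` (the listening-socket listing on Linux, assumed format) and reports which services are reachable beyond loopback, distinguishing wildcard binds from binds to a specific interface address. The socket listing embedded below is constructed for the example, not captured from a real host.

```python
import ipaddress
import re

# Constructed sample in the shape of `ss -ltnp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=905,fd=7))
LISTEN  0       511     *:80                 *:*                users:(("nginx",pid=1201,fd=6))
LISTEN  0       50      [::1]:5432           [::]:*             users:(("postgres",pid=1340,fd=5))
LISTEN  0       128     [::]:5900            [::]:*             users:(("vncserver",pid=1502,fd=4))
LISTEN  0       4096    192.168.1.10:3306    0.0.0.0:*          users:(("mysqld",pid=1677,fd=21))
"""

PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def split_local(field):
    """Split ss's 'Local Address:Port' field into (address, port).

    IPv6 addresses are bracketed ([::1]:5432); IPv4 and '*' are not.
    """
    m = re.match(r'^\[(.+)\]:(\d+|\*)$', field)
    if m:
        return m.group(1), m.group(2)
    addr, _, port = field.rpartition(':')
    return addr, port


def classify(addr):
    """Return 'loopback', 'wildcard' or 'interface' for a bound address."""
    if addr == '*':
        return 'wildcard'            # ss prints '*' for an unspecified address
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return 'interface'           # unknown form: treat as exposed, not as safe
    if ip.is_loopback:
        return 'loopback'            # 127.0.0.0/8 or ::1
    if ip.is_unspecified:
        return 'wildcard'            # 0.0.0.0 or ::, reachable on every interface
    return 'interface'               # bound to one non-loopback address


def audit_listeners(ss_text):
    """Parse ss -ltnp style text into (process, address, port, scope) tuples."""
    rows = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != 'LISTEN':
            continue                 # skip the header and anything not listening
        addr, port = split_local(parts[3])
        m = PROCESS_RE.search(parts[5]) if len(parts) > 5 else None
        proc = m.group(1) if m else '?'
        rows.append((proc, addr, port, classify(addr)))
    return rows


def exposed_listeners(ss_text):
    """Only the listeners reachable from outside the host."""
    return [r for r in audit_listeners(ss_text) if r[3] != 'loopback']


if __name__ == '__main__':
    for proc, addr, port, scope in audit_listeners(SAMPLE_SS_OUTPUT):
        flag = 'ok      ' if scope == 'loopback' else 'EXPOSED '
        print(f'{flag} {proc:<10} {addr}:{port}  ({scope})')
```

Run against live output with `ss -ltnp | python3 audit.py` after replacing the sample with `sys.stdin.read()`; every line marked EXPOSED is a service that a host firewall is currently standing in for, and the question the thread raises is whether that service should be bound to 127.0.0.1 or not running at all.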
