On Tue, 13 Apr 2004, Leonid Podolny wrote:

> > The suggestion to use a dedicated router eliminates two important
> > advantages of DIY (Do It Yourself) Linux installation:
> > 1. Access to security updates under your control and at your pace.
>
> Exactly what I am talking about. He doesn't need security updates.
> (Before you punch me at the face, keep in mind, that I'm not talking
> about linux geeks like us, but about average home user).
> The average home user has one major security concern: he doesn't want to
> be attacked by all those Windows worms out there. Having NAT, it's not a
> concern. He needs to explicitly open the RPC (SMB, uPNP, etc, etc) port
> on the router in order to have his PC infected. 99% of home users will
> never do it. Those who will -- smart enough to be responsible for their
> actions.

While it is true that home users won't expose vulnerabilities which are
relevant to most of the security updates (bind, SMB, bind, uPNP, bind,
etc.), he must be able (with help from his sysadmin) to install security
updates to the firewall itself, should it ever be found to have a
vulnerability, unlikely though this may be.

> All the linux security updates are also irrelevant here. It's not that
> the attacker will obtain shell on the router and then attack the home
> network or "execute arbitrary code" via remote vulnerability. I doubt
> that these routers even allow remote access. Why would they?

Recently it was advertised that some models of Cisco routers have a backdoor
with default passwords.  I don't have the reference on hand.

> If you can scan vast ip ranges and find thousands of windows machines
> yelling "hack me!", the potential cracker won't bother looking for a
> specific openssl vulnerability in specific firmware version of a
> specific model of some taiwan company.

One day, crackers will start looking with disdain on Windows-crackers, and
admire as True Men those who crack Linux machines and idolize crackers of
OpenBSD machines.  On that day, what you said will not be true anymore.

> Backdoors by whom? The manufacturer wouldn't intentionally leave
> backdoors -- he cares too much about its reputation. It must be
> relatively easy to check what is in there.

In a Linux PC it is easy to check.  In a closed router box, it is difficult
to check what is inside.  And did I mention Cisco above?

                                             --- Omer
My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS:  at http://www.zak.co.il/spamwarning.html

