On Dec 8, 2009, at 11:59 AM, Paul Vixie wrote:

> Steven Bellovin <s...@cs.columbia.edu> writes:
> 
>> It's why I run an ssh server on 443 somewhere -- and as needed, I
>> ssh-tunnel http to a squid proxy, smtp, and as many IMAP/SSL connections
>> as I really need...
> 
> me too, more or less.  but steve, if we were only trying to build digital
> infrastructure for people who know how to do that, then we'd all still be
> using Usenet over modems.  we're trying to build digital infrastructure for
> all of humanity, and that means stuff like the above has to be unnecessary.
> -- 

Right -- which means that we need a *good* solution.  "Good" has to encompass 
not just technical cleanliness, but also operational reality, which includes 
things like slow software update rates -- both on clients and the hotel 
infrastructures -- and the very wide variety of client platforms out there.

The problems we're talking about, though, are both competence and policy.  
There's no intrinsic reason why hotels have to block some ports, especially 
given that many others do not.  They've chosen to, for whatever misguided 
reason.  (Aside: my local library blocks everything but 80 and 443 outbound.  I 
complained to the director; he cited "security".  I tried explaining that I 
knew something about Internet security; he told me that the firm that had 
installed the system had "done most of the libraries in the county".  I 
translate that as "most of the libraries in the county have broken security 
policies".)

And competence?  Again, we've all seen many different ways certain things are 
done.  I once had to boot into Windows to get a lease because NetBSD just 
wouldn't deal with the broken DNS packets necessary for the sign-up procedure.  
After that, I rebooted into NetBSD and configured a static address and route.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb