From: Ross Dmochowski (rossd_at_cns.me.berkeley.edu)
Date: Tue Aug 05 2003 - 00:45:41 PDT
On Mon, 2003-08-04 at 16:09, Igor Ruderman wrote:
> As Craig said this will not fix the problem. Neither will it fix
> future similar problems with the same ports (or any other for that
> matter).
Craig-
I respect your position. I really do. The staff, faculty and students
for whom I work hard to keep productive, warm my heart with how much
they make me feel needed too. :-)
No one is claiming this is a fix.
And how can you consider it a knee-jerk reaction, when this is not the
first of the multiple times we have been faced with this problem?
The roots of the problem go deep.
The inadequacies of the TCP/IP suite of protocols go beyond this
arena of discussion. I think even the most far-seeing of pre-Internet
visionaries marvel at how pervasive distributed computing is. Many
thousands more users than the original foreseen user-base of what is now
the Internet put our shared network environment to uses for which it was
not originally intended, nor designed (online banking, rich streaming
media, secure authentication and identification services, et alii). This
is the situation as we know it today.
The inadequacies of Microsoft's software architecture, and their
failure to address this problem pro-actively, are, again, not something
that we in this forum can address. This has been a recurrent theme over
the past several years, and Windows is _infamous_ for its lack of
attention in matters of security. It is literally almost _daily_ that
Windows vulnerabilities are announced. And in numerous instances, the
vulnerabilities and exploits were known in the wild BEFORE Microsoft was
able to release a fix.
High minded philosophical positions about the Internet's end-to-end
connectivity, or the free-speech implication of requiring users to use
more secure means of utilizing computing resources (like using ssh
versus telnet), do not address the very real, very immediate, and very
tangible threats our users and their data face. They trust us to keep
abreast of these issues, and make informed decisions for them on these
issues that are, quite frankly, outside their ken. To wit, if a
Mechanical Engineering student were interested in computer security,
they would be studying information technologies, not studying fluid
dynamics, robotics, heat propagation, et alii.
I think the real debate is this: Is the convenience for a handful of
users (and we are really talking about a _very_ small percentage of
campus computer users actually using this Microsoft networking ability
from off-campus) worth putting thousands of users and their data at
risk, and affecting the operational abilities of every computer user,
regardless of which operating system they use?
I do not think it is.
I think that host-based security is only part of the solution. For the
hosts I directly control, this is done, and I have not had one of my own
machines compromised. Updating machines, and keeping abreast of new
security threats is something about which I remind users often, much to
their dismay given the average person's signal-to-noise ratio tolerance.
In many places, I have been able to install firewalling devices to
protect multiple computers. Our shared, antediluvian 10Mb AUI topology
is very limiting, and for some users, this solution does not work. And,
sadly, these devices introduce new problems, as it is another device to
manage, provides for another point of failure, often lacks distributed
management capabilities, et alii.
I am proposing that permanently blocking certain known problematic
Windows ports at the borders to campus adds to the arsenal used to
combat this recurring, very real problem. I think if you were to poll
those of us technical support personnel on the front-lines of this
issue, you would find, overwhelmingly, that a well-communicated,
well-planned, staged/gradual plan to phase out off-campus support for
these ports would be supported,
This archive was generated by hypermail 2.1.5 : Tue Aug 05 2003 - 00:54:18 PDT