Olympus-OM

[OM] Re: OT - firewire

Subject: [OM] Re: OT - firewire
From: David Thatcher <davidt@xxxxxxxxxxxxxxxxxxx>
Date: Tue, 25 Dec 2007 22:33:45 +1030
On Tue, Dec 25, 2007 at 12:33:07AM -0800, Jan Steinman wrote:
> Harrumph. It "failed" me because ssh and kerberos ports were detected.  
> My email server (IMAP/SMTP) is kerberized and I can run a virtual  
> desktop through an ssh tunnel anywhere on the Internet, but I still  
> flunk the test.
> ssh and kerberos are turned off "out of the box" on Macs, which might  
> explain Bob's results. But it's kind of scary that they seem to have  
> no idea about the difference between secure and insecure connections.  

Jan,

This is not awfully unexpected... OpenSSL (the kind that runs on Macs
(and FreeBSD)) has had quite a few known vulnerabilities in the past, &
almost certainly will again - it isn't alone in this! I would expect
the kerberos libraries you use (no doubt basically the same ones I use)
are in the same boat.

From a security perspective, it's not about IF one gets hacked, but
WHEN. Thus if you absolutely MUST allow remote access, then the sensible
(i.e. paranoid :D ) approach is to filter/limit access to known/trusted
IP addresses, & reset all others as if the ports are not open. Still not
100% foolproof, but at least the attacker has to spoof the routing as
well as the source IPs (very difficult but not impossible if the right
options are enabled on the server). I'd suggest a better method would
be to use (say) L2TP with a LONG IPSec pre-shared key or a digital
certificate, (or perhaps PPTP with a one-time password token as the
credentials are sent in the clear). Even then you aren't 100% safe, but
the risks reduce exponentially.

davidt

PS I trust you & yours have a safe, pleasant Christmas & a happy &
prosperous new year.
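The "filter to trusted IPs, reset everyone else" approach from the message above, written out as a pf ruleset (pf ships with FreeBSD and with Mac OS X of that era). This is an added example, not something from the original post or the list. The interface name `en0`, the addresses in the `<trusted>` table and the choice of ports are assumptions; the addresses come from the RFC 5737 documentation ranges and are constructed for the example. It also covers the UDP side of Kerberos, which the post does not mention.

```conf
# Added example (not from the post): pf ruleset for FreeBSD / Mac OS X.
# Only hosts in <trusted> may reach ssh (22/tcp) and kerberos (88/tcp+udp);
# everyone else gets the same answer a closed port would give.
# The interface name and the table contents are assumptions.

ext_if = "en0"
admin_tcp = "{ 22, 88 }"

# Constructed sample addresses from the RFC 5737 documentation ranges
table <trusted> persist { 203.0.113.10, 198.51.100.0/28 }

set skip on lo0
scrub in on $ext_if all

# Drop packets that claim to come from our own networks but arrive on the
# wrong interface (a cheap, partial defence against source-address spoofing)
antispoof quick for $ext_if

# Default deny for the admin ports: answer like a closed port rather than
# silently dropping (RST for TCP, ICMP port-unreachable for UDP)
block return-rst  in on $ext_if proto tcp from any to ($ext_if) port $admin_tcp
block return-icmp in on $ext_if proto udp from any to ($ext_if) port 88

# Allow only the trusted sources; state tracking lets the replies back out
pass in quick on $ext_if proto tcp from <trusted> to ($ext_if) port $admin_tcp flags S/SA keep state
pass in quick on $ext_if proto udp from <trusted> to ($ext_if) port 88 keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and add or remove a trusted host at run time with `pfctl -t trusted -T add 203.0.113.11` (or `-T delete`) rather than editing the file. Using `return-rst` instead of a plain `block` (which drops silently) is what makes the port look closed rather than filtered to a scanner; the antispoof rule only catches packets claiming an address on the interface's own network, so it does not by itself defeat the spoofing the message warns about.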
==============================================
List usage info:     http://www.zuikoholic.com
List nannies:        olympusadmin@xxxxxxxxxx
==============================================
