Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Comments

top

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

WaffleMonster Re:No Excuse really these days. (336 comments)

Do you mean the position that we need firewalls?

Yes, was curious to understand reasoning behind position.

I would have thought that that the need for firewalls was self evident.

The industry is full of bad ultimately harmful ideas which see widespread adoption for locally optimal reasons. It is far from self-evident to me firewalls do not fall squarely into this category.

The smart devices we use today all tend to have a variation on mainstream OS's. All of which come with some form of host based firewall. Thus the management of these devices from a firewall perspective is even easier. So much so that it is now possible for most marginally technical people to ensure they are properly configured at least at the time of device activation / installation.

I think today anything claiming to be a "smart device" needs no firewall because it accepts no incoming connections. It operates by calling home to the vendor. If you want to access your "smart device" you connect to the vendors server and ask nicely to please access your own gear. A mega ultra cloud firewall...!!1!!!!1!

More generally would be interested in understanding why a device with a specific purpose is more secure when it listens for commands through an internal firewall vs the same listener without? Is a bluetooth headset more secure behind a Bluetooth firewall? Perhaps a concrete example...

How many times have we heard stories about POS terminals at places like McDonald's being compromised and the bad guys scoop tons of customer data. Far too many is the answer. These devices had little to no protection at all from would be bad guys. Simple protections put in place like firewalls go a long way to addressing these vulnerabilities. Are they perfect. Of course not. But they are a lot better than having nothing. Today these protections can be implemented in a manor that has almost no impact on how people do business. Which means that when implemented correctly they will not cause any additional labor on the part of the end user in order to ensure that they remain secure.

Since it cause none or very little impact on the way you do business why wouldn't you implement these simple safe guards?

Data breaches and losses are a significant threat to companies. Small one more so than the large ones. Small companies fold when bad things happen. It's a trivial insurance policy that shockingly very few actually implement.

Why do you feel firewalls are effective? There seems to be an implicit assumption that firewalls are effective... what makes that true?

What if all the worlds firewalls were thrown in the trash heap and in their place systems were configured to accept only Authenticated, Authorized, Integrity protected, Encrypted inquiries from acceptable locations?

Would that world have better or worse security outcomes than todays world? I think no question it would be better.

No more making security decisions by ports and trivially spoofed address headers or checking worthless boxes on a compliance chart only to have the whole house of cards collapse when Debbie in accounting clicks on the wrong untrusted email message with spoofed from header.

Instead of administrators configuring ports and addresses in firewalls what if they instead spent that same time managing the only thing that means squat in a secure system ... TRUST

It is not like the technology does not exist. People ignore it because it is easier to hide behind their precious firewalls. So they allow it and by extension allow their suppliers to continue to supply them with crap.

2 hours ago
top

Grad Student Rigs Cheap Alternative To $1,000 Air Purifiers In Smoggy China

WaffleMonster Re:Lots of people criticize this for its obviousne (133 comments)

A lot of ideas are obvious once somebody announces what the idea actually is.

In this case it's just plain obvious. Try doing a google image search for air filter fan.

4 hours ago
top

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

WaffleMonster Re:Protection against security bugs. (336 comments)

The bug could be deep into the kernel, making almost any magic possible from the application point of view. Having only a few ports open is not enough to protect against this, as the kernel structure and notion of port could be corrupted.

The above can be read as a perfectly sound explanation why firewalls can themselves be dangerous with plenty of CVEs having already been logged against several popular choices.

You now have to worry about two separate kernels being corrupted by low level packet wizardry with dire consequences arising from compromise of either.

yesterday
top

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

WaffleMonster Re:No Excuse really these days. (336 comments)

If a vendor is disabling the firewall then they should absolutely be approached. If the clown you are talking to says that's the way it's done then go over his head. Tell your boss.

Be gently of course. Doing the run around my hair is on fire dance is not going to win any one over.

You can even help the vendor. There are a ton of tools for all OS's that will help you determine the port that need to be open. Simply run up the software and scan the open ports. Tada you have a simple set of fire wall rules at least. Are they perfect? Of course not they can be improved on. But it's something at the very least. I'm not overly a fan of point to point rules in firewalls as they are self defeating in the long run. ( This is a longer story )

So yes host firewalls should always be enabled. And the rules you use better be documented.

Why? What is supporting reasoning for your position?

yesterday
top

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

WaffleMonster Re:PCI-DSS or Tokenization (336 comments)

You need to look at the PCI-DSS requirements because this is what dictates the security standards of your network if you are storing credit card information.

Handling credit card information is closer to reality than "storing".

A better option for a cheap client is to not store any customer data and use a tokenized system. Authorize.Net will store all sensitive data for an extra $10/mo and allow you to skirt PCI-DSS regulations. You should still run a firewall though and be as close to PCI-DSS as possible though

This is the biggest PCI related farce on the planet. If you don't handle credit card numbers either directly or by proxy then and only then does PCI not apply to you.

The only difference is your not on the hook for secure storage of PAN. **EVERYTHING** else still applies. If your website which stores nothing but handles cards is hacked it can be used to collect everything just the same. Wordsmithing around sales pitches for these systems is to say the least inaccurate.

yesterday
top

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

WaffleMonster Re:Firewall is a requirement, end of story (336 comments)

PCI v3 compliance *REQUIRES* a firewall. End of story. Do not pass go, do not collect $200.

It does no such thing. The requirement is only a tool to keep the whole network from falling under the PCI.

An air-gapped network or an internal only network of trusted peers can be PCI compliant without a firewall.

yesterday
top

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

WaffleMonster Re:PCI Compliance (336 comments)

As soon as they start handling credit card transactions, they will need to conform with PCI standards, which will mandate much much higher levels of protections. There are significant fines associated with non-compliance so you may want to forward them over information about this.

The real question is legal liabilities flowing from a compromise. Weigh the risks, talk to your lawyers.

PCI is not backed by law and as such is rather harmless in and of itself.

yesterday
top

Ask Slashdot: Is Running Mission-Critical Servers Without a Firewall Common?

WaffleMonster Firewalls are stupid (336 comments)

This whole "network security" meme is a failed experiment needing to be called out as the ridiculous farce that it is. Firewalls are the equivalent of mounting castle defense against an airforce. It does not work and never has. The opportunity cost of squandering resources on castle building vs standing up an opposing airforce is both high and sad.

Host-based firewalls are even more amusing. They come enabled by default. High probability any application installed needing to listen() is going to automatically punch a hole to do so as vendors have zero interest in dealing with firewall support nightmares. This begs the obvious.. what is the effective difference between listen() and firewalled-listen() ?

If you really want a secure internal system then lock down services/listeners and configure each system to use only secure communication protocols. If this is not possible set IPsec = required and secure the transport E2E only.

The further away from application domain you apply security the increasingly worthless that security is.

yesterday
top

The Misleading Fliers Comcast Used To Kill Off a Local Internet Competitor

WaffleMonster Nonstop comcast rate hikes (248 comments)

The only broadband nightmare I have is the reality of continuous non-stop rate hikes of 10-15% every 6 months. No other "utility" even comes close.

3 days ago
top

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code

WaffleMonster Re:All software is full of bugs (145 comments)

For that matter, all of everything constructed by human beings...is full of defects, or potential defects, or security vulnerabilities. Your house, for example. You have a lock on your front door, but it takes a thief just a few seconds to kick the door in. Or your car...a thief can break into it in seconds, even if you have electronic theft protection. I'd call those "security vulnerabilities."

So what do we do? We improve security until it becomes "just secure enough" that we can live with the risks, and move on.

Who cares about the security of an untrusted and untrustworthy app in the first place?

What difference does it make if it was written by the most competent team of programmers in the world if while operating as designed still treats the end user with contempt?

3 days ago
top

Popular Android Apps Full of Bugs: Researchers Blame Recycling of Code

WaffleMonster Ignorance is bliss (145 comments)

TFA is being much nicer than Google and many app vendors deserve.

The whole ecosystem system is engineered to reward bad behavior /w complete lack of usable access controls speaking for itself.

They need only do the minimum required to keep all hell from breaking loose and too many people bailing on the platform as a result.

3 days ago
top

Wikipedia Blocks 'Disruptive' Edits From US Congress

WaffleMonster Re:Maybe it's a bot? (165 comments)

Is it impossible for a congressional computer which is obviously connected to the public Internet to be a botnet slave?

Maybe your a botnet slave? How would we know if you weren't?

For all we know someone else outside of congress controls this computer/router/whatever

It's controlled by a Gremlin in the Kremlin. Mothra Russ1a p0wn3 a11.

about a week ago
top

Wikipedia Blocks 'Disruptive' Edits From US Congress

WaffleMonster Re:I wonder who is doing the actual posting. (165 comments)

Bahahahahahhaa.... lol... like actual Congress-people would know how to edit wiki pages.

They obviously don't.. hence need for bracketbot to clean up their mess.

about a week ago
top

One Trillion Bq Released By Nuclear Debris Removal At Fukushima So Far

WaffleMonster Re:Bq? (190 comments)

Can you name one person who died at Fukushima due to radiation poisoning or cancer? Just one will do, thanks.

If you can't name a specific person does this mean something important?

about a week ago
top

Man Booted From Southwest Flight and Threatened With Arrest After Critical Tweet

WaffleMonster Re:Obligatory Slashdot knee jerk (889 comments)

I don't give a shit about "bad publicity" or either of these two idiots -- the gate agent or the passenger.

Next time, guy could just try doing as he's told by those in charge of the situation.

Perhaps once an idiot gate agent plays the "safety threat" card against you for an equally nonsensical reason you might come to develop a slightly different outlook on the situation.

about a week ago
top

Man Booted From Southwest Flight and Threatened With Arrest After Critical Tweet

WaffleMonster Punch line (889 comments)

Kept waiting for the punch line until I realized there wasn't one. Anyone who abuses their position to pull a stunt like this deserves to be fired.

about a week ago
top

Comcast Carrying 1Tbit/s of IPv6 Internet Traffic

WaffleMonster Re:Crap Traffic (146 comments)

Moving to IPv6 means more challenges. Having to retest firewalls and it's rules, making sense of the IPv6 addresses and then figuring out what looks normal and what looks like bad (generated) traffic when looking at PCAP's.

I will be happy when IPv4 is gone and the constant cheap attacks and probes to random addresses are no longer viable at least not on the scale of IPv4.

How does blocking work when everybody can have a trillion addresses? Can people have a trillion addresses? Do they have a block allocated to each user/system? Does it matter? So many questions.

In IPv6 land users are assigned prefixes rather than IP addresses so you block the prefix rather than the IP address.

about a week ago
top

Comcast Carrying 1Tbit/s of IPv6 Internet Traffic

WaffleMonster Re:Their implementation sucks. (146 comments)

Their implementation of DHCPv6-PD blows. It's incompatible with openWRT, Netgear, pfSense router firmware.

There seems to be problems with Comcast IPv6 that I can see.

Lease query is fucked up/does not work at all so if your cable modem reboots while the lease is still valid the CMTS has forgotten all about it and won't let any traffic pass until you transmit a renewal request for your PD. It seems some consumer router gear uses Ethernet/media detection to notice the link has bounced and refresh the lease...otherwise your basically SOL and have to manually do it.

I don't think it is fair to blame Comcast for a systems shitty/buggy support for DHCPv6 prefix delegation. Comcast is not doing anything magical or non-standard. Vanilla ISC DHCPv6 client has worked flawless for me.

Incidentally have maintained same IPv6 prefix for over a year now since they turned up v6.

Then this premature change of the lease will fall out of sync

To be fair if the client is fucked up and not properly renewing lease sometime before it expires I don't see how that's Comcast's fault. If you don't ask for renewal you won't get one.

With all the IPV6 address space available, why not give out a static IPV6 prefix, but no, they want to change it frequently.

Exactly they should hand out addresses or at least make them very sticky so that anything short of some kind of reorganization/renumbering does not result in a new prefix. It really sucks even if radvd is sync'd there are still implementation problems with the zero lifetime pulling and hosts if using SLAAC locally.

This is completely contrary to their IPV4 DHCP servers which will basically give you the same IP address forever until you change the MAC address on the router.

If you allow your IPv4 lease to expire good luck getting the same address back. At least on the two occasions I've had my system down long enough for it to happen and was greeted with a new address. It may very well be certain areas are configured differently and so mileages vary.

So screw Comcast's IPV6. I'll stick with my hurricane electric tunnel and it's static IPV6 prefix until my router breaks.

The HE tunnels were awesome. I was sad when I shut mine down.

about a week ago
top

Comcast Carrying 1Tbit/s of IPv6 Internet Traffic

WaffleMonster Re:Advantages? (146 comments)

So any advantages to running an IPv6 tunnel other than so say you use IPv6?

None, turn it off and get a real IPv6 connection unless you need it for something.

When content sees higher latency and lower throughput from crappy tunnels it only serves as a disincentive for continued adoption.

about a week ago
top

'Just Let Me Code!'

WaffleMonster Go work for a bigger company (368 comments)

Source control, IDEs, build systems and bug trackers... are all very ancient tools that tend to make people more productive so they can spend more time coding... leaving me puzzled and confused by TFA's point.

He seems to be saying enabling infrastructure to manage a product lifecycle is more difficult or at least non-trivial vs. problem space itself... Suppose if your one of thousands of shops churning out proverbial flashlight and fart apps this could well be the case...otherwise it is hard to understand how it can be true. While supporting infrastructure can and does become very complex for large development efforts there are usually tooling peeps on staff who specialize in each subdomain.

What makes matters worse you go on to hate DSL's, use NoSQL databases... which leaves me little choice but to assume you hate everything good and nice.

Either that or you got screwed working for some grossly understaffed rinky dink company with reams of old code nobody understands who lied when they used the word "developer" in job description...LOL.. happens...a..lot.....

about a week ago

Submissions

WaffleMonster hasn't submitted any stories.

Journals

WaffleMonster has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>