Slashdot Mirror


Excite@Home Claims Broadband 'Safe'

photozz writes: "Ya know it's rare when an article can get me angry, but this has managed. Cable provider Excite@Home claims that their users are 'relatively' free of attack from hackers due to DHCP, and say you should only be concerned if they are storing private information on their PCs. From the article: 'The fear created in consumers' minds is actually greater than the risk that exists,' he said. 'If a customer operates the computer in a safe manner, there shouldn't be any problem.'" Perhaps not surprising that @Home would downplay the risk, but photozz is right -- the fear in broadband customers' minds ought actually be higher, not lower. BackOrifice, zombie attacks etc., ought to frighten the broadband providers into pushing at least simple firewall software themselves perhaps.

356 comments

  1. firewall software by htmlboy · · Score: 1

    This seems to me like an issue centered around money (as always). The less people fear broadband, the more likely they are to use it with their machines. To really make their customers feel safe, a broadband provider should at least offer a howto for installing Windows security software (ZoneAlarm comes to mind).

    But even with a download link saying "this software is not supported by " a large ISP would still have to dedicate a large amount of their tech support time to help people install and configure the software. Since most large companies are cheap bastards when it comes to things like this, it's no surprise that they lie about the security of their network instead.

    chris
    # turn off icmp replies to confuse skript kiddiez
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

  2. Re:I use @home by Nastard · · Score: 1

    @Home does NOT probe/scan for people running servers proactively. In fact, when I was with them I tried to get a project approved that would allow me to do some portscans and track down the user with the rogue DHCP server that was bringing our network down. The word that was handed down from upper management was a very emphatic *NO*.

    Apparently they not only didn't scan the network, but they were so against it that they would rather see the network down than invade users' privacy (My best guess at reasoning. Another reason may be that they were suit-monkeys and had no clue what it was other than "bad").

  3. Mod this guy up! by AKAImBatman · · Score: 1

    Thank you for furthering my point.

  4. @Home's TOS try to enforce security by wkurdzio · · Score: 2

    I have a few friends that use @Home's cable service in the Southwestern Virginia (USA) area w/ Linux. This might only apply to Cox@Home, but their TOS state that they are not allowed to have any servers running. We think this is an effort to keep people from running insecure servers (like the exploited wu-ftpd 2.6.0 that ships w/ Red Hat 6.2) which can be cracked, and then their server can be used to start a DoS attack. In fact, @Home dropped a server in their subnet to scan all the clients for open ports. They got TOS'ed when the scanner detected their SSH servers running and were asked to shut them down w/n a week or lose their connection.

    There are probably two other reasons why @Home's TOS include the "no servers" clause:

    • Bandwidth availability: I live in the dorms at Virginia Tech, and a large portion of the on-campus LAN bandwidth gets sucked up by users trading large files (MP3s, bootleg movies, ISOs, etc.) using the horribly bandwidth-intensive Windows file sharing (the SMB protocol). While on a 10Mbps switched LAN this isn't too much of a problem, it can bring a network of cable modems to its knees.

    • CYA: If the RIAA goes after @Home b/c it willfully allowed the illegal distribution of copyrighted material, @Home is gonna quickly die a painful death, and a lot of people are gonna be lacking a high-bandwidth connection.

    The idea is worth merit and makes sense from a business standpoint when you think about it. I'd rather not go into that, though; this reply is already long enough. ;)

    1. Re:@Home's TOS try to enforce security by MikeBabcock · · Score: 2

      I've used @Home for almost a year now and called them up the first week I had it to tell them that I'm a tech and I run several server daemons on my machine to log in from work, etc. They just flagged my account.

      How many people yell and scream about companies, but don't actually just call and say something and be honest for once?

      --
      - Michael T. Babcock (Yes, I blog)
    2. Re:@Home's TOS try to enforce security by interiot · · Score: 2
      What does @Home do about ICQ? I bet they ignore certain open ports just because John Q. User would be pissed if @Home tells him that he can't run ICQ.

      So, I wonder if you could just set up SSH on the ICQ port, and they'd ignore it. Might even be able to multiplex the port and get both ICQ or SSH out of it depending on the source address or even the first few bytes of each protocol.

      I'm a soon-to-be @Home customer (no alternatives), and it pisses me off that they don't want to allow me to set up an ftp server for my sole use to get files that I forgot.


      PS. I've always wondered why they don't just block incoming SYN packets. There's ways to get around that still, but it'd enforce their policy for 99% of the people.

      PS2. They already cap the bandwidth, so that shouldn't be a problem. I don't see why ISP's or schools don't give users a fixed amount of bandwidth and let them do whatever they want with it. If the user is doing something illegal, then someone can sue the user. End of story.

      PS2. If @Home were to be held liable for assisting warez distribution, then so could any other ISP, including AOL. So at most, a law could be passed that says "in 3 months, you'll be required to block napster ports".
      --

  5. DHCP a vulnerability in itself by state*less · · Score: 3

    DHCP is actually a weakness for a well trained hacker. In case you haven't read some of the papers i direct you to:

    http://www.3com.com/technology/tech_net/white_papers/503011.html

    Basically describes how a well trained hacker can act as a dhcp server thereby giving the victim whatever ip it wants or worse give it a DNS server run by the hacker which opens up all kinds of possibilities (i.e. fake websites, ftp sites, you name it).

    Time is Change.

    1. Re:DHCP a vulnerability in itself by verbatim · · Score: 1

      > DHCP is actually a weakness for a well trained hacker.

      Some @Home DHCP systems give an IP address based upon the MAC of the router in the cablemodem. Whoops.. heh.. I guess the people on those services don't have a dynamic IP thru DHCP (I'm one of 'em).

      Apparently DHCP is a weakness for some admins too.

      Nevermind...

      --
      Price, Quality, Time. Pick none. What, you thought you had a choice?
    2. Re:DHCP a vulnerability in itself by sulli · · Score: 2
      Presumably the DHCP relay in the CMTS, as advertised by 3Com, or the DSL aggregation router could be set to prevent the attack described in this paper:

      DHCP Server Spoofing: In DHCP server spoofing, a server that is not the one designated by the carrier responds to the cable client DHCP requests. This may be done maliciously or accidentally. A Windows NT user can by default enable a PC as a DHCP server. A DHCP client, a cable modem or host PC on the cable network, would accept DHCP responses from any server, generally taking the one first received. Rogue DHCP responses can play havoc with network clients' ability to get service. The 3Com smart DHCP relay agent on the CMTS is configurable to distinguish and honor operator-defined DHCP server addresses.

      Is this something that ISPs or users here have experienced in the real world??

      --

      sulli
      RTFJ.
    3. Re:DHCP a vulnerability in itself by Black+Parrot · · Score: 1

      > or worse give it a DNS server run by the hacker which opens up all kinds of possibilities (i.e. fake websites

      So, dare we hope that the real Slashdot is still out there somewhere, carrying interesting stories and eliciting interesting discussions?

      --
      Sheesh, evil *and* a jerk. -- Jade
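
The check described in the DHCP sub-thread above (honoring only operator-defined DHCP server addresses, and noticing a substituted DNS server), as an added example that is not part of any comment or of the 3Com paper. It parses a raw DHCP reply and flags an OFFER/ACK whose server identifier or DNS servers are not on an allowlist; the allowlists, addresses and function names are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options field
FIXED_LEN = 236                      # BOOTP header: op .. file
BOOTREPLY = 2
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
DHCPOFFER, DHCPACK = 2, 5

# Assumed operator policy (constructed values from documentation address ranges).
ALLOWED_SERVERS = {ipaddress.IPv4Address("192.0.2.1")}
ALLOWED_DNS = {ipaddress.IPv4Address("192.0.2.53")}


class MalformedDHCP(ValueError):
    """Raised when a payload cannot be parsed as a DHCP message."""


def parse_options(data):
    """Walk the code/length/value options; repeated codes are concatenated."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(data):
            raise MalformedDHCP("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise MalformedDHCP("option %d is truncated" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def ip_list(raw):
    """Decode an option value holding zero or more packed IPv4 addresses."""
    if len(raw) % 4:
        raise MalformedDHCP("address option is not a multiple of 4 bytes")
    return [ipaddress.IPv4Address(raw[i:i + 4]) for i in range(0, len(raw), 4)]


def check_reply(payload, allowed_servers=ALLOWED_SERVERS, allowed_dns=ALLOWED_DNS):
    """Return findings for one UDP payload addressed to the DHCP client port."""
    cookie = payload[FIXED_LEN:FIXED_LEN + 4]
    if len(payload) < FIXED_LEN + 4 or cookie != MAGIC_COOKIE:
        raise MalformedDHCP("short packet or missing magic cookie")
    opts = parse_options(payload[FIXED_LEN + 4:])
    configuring = (bytes([DHCPOFFER]), bytes([DHCPACK]))
    if payload[0] != BOOTREPLY or opts.get(OPT_MSG_TYPE) not in configuring:
        return []                    # only OFFER/ACK hand configuration to a client
    findings = []
    servers = ip_list(opts.get(OPT_SERVER_ID, b""))
    if len(servers) != 1:
        findings.append("missing-or-bad-server-id")
    elif servers[0] not in allowed_servers:
        findings.append("rogue-server:%s" % servers[0])
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in allowed_dns:
            findings.append("unexpected-dns:%s" % dns)
    return findings


def build_reply(msg_type, server_id, dns, yiaddr="192.0.2.100"):
    """Construct a sample server reply (test data, not a capture)."""
    def pack(ip):
        return ipaddress.IPv4Address(ip).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        BOOTREPLY, 1, 6, 0, 0x1234ABCD, 0, 0,
        pack("0.0.0.0"), pack(yiaddr), pack(server_id), pack("0.0.0.0"),
        bytes.fromhex("020000000001"), b"", b"")
    dns_raw = b"".join(pack(d) for d in dns)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + pack(server_id)
               + bytes([OPT_DNS, len(dns_raw)]) + dns_raw
               + bytes([OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    samples = {
        "operator server": build_reply(DHCPOFFER, "192.0.2.1", ["192.0.2.53"]),
        "unknown server": build_reply(DHCPACK, "198.51.100.66",
                                      ["203.0.113.9", "192.0.2.53"]),
    }
    for name, pkt in samples.items():
        print(name, check_reply(pkt) or "ok")
```
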
  6. Everyone should... by verbatim · · Score: 2

    EVERYONE with a "broadband" (ie. faster than 56k) connection should IMMEDIATELY follow the following steps:

    1) Install Linux, FreeBSD, or GNU.
    2) Connect to the Internet.
    3) post your hostname and root password on Slashdot.
    4) wait.

    yup, XX-31337.whatever.home.com will magically point to your IP - even if it changes.

    I'd do this just to see what happens... :)

    Nevermind

    Verbatim

    --
    Price, Quality, Time. Pick none. What, you thought you had a choice?
  7. Re:"Safe" Win/Mac only, and Firewalling all servic by AKAImBatman · · Score: 1

    > Want to protect yourself? Disable file and print sharing, don't accept files from people you don't know, scan for viruses every so often, and avoid emails with a subject line of "I Love You". It really is that simple, believe it or not.

    Yes it is. That is called 'user education'. Something that is sorely missing if @home says there are no security hazards.

  8. @Home @asleep by Bernal+KC · · Score: 2
    I have @home service and it rocks. (I managed to get a static IP too. Nice personal staging setup for my hobby projects! But forget trying to get support from them. The first question in their script is to review DHCP settings. Sheesh.)

    When I tried contacting their support to see if they could recommend a firewall or other protection, I was told they have no recommendations. Not that they were protecting me. Not that DHCP was the cat's meow. Nope. Not even an assurance that all was well. Just an emphatic, we have no recommendations for you.

    So I did some searching and reading and I found a firewall on my own. But it baffles me that they explicitly choose not to help their customers secure their machines. Dumb, head in the sand policy.

    1. Re:@Home @asleep by Lord_Rion · · Score: 1

      IANAL: If they help you to secure your machine they could possibly be held responsible if your machine gets owned. By not making any recommendations they remove themselves from the equation and eliminate any possible lawsuits.

      --
      --Hired Net Grunt
    2. Re:@Home @asleep by Bernal+KC · · Score: 2

      I think you're right. But silence could also be construed to be negligent too.

  9. Elf Bowling by cameldrv · · Score: 1

    Fine, but you can say the same thing about UNIX if the user is convinced to install a trojan. Furthermore, I don't see how a cable modem makes this any worse. The point is that if you leave your stock Linux machine on the open net (such as on a cable modem), it will probably be rooted as soon as a new exploit is found. Because Windows 98 does not by default have lots of services running and doesn't have a good command prompt, it's harder and a less desirable target for crackers.

    1. Re:Elf Bowling by wirefarm · · Score: 5

      "Because Windows 98 does not by default have lots of services running and doesn't have a good command prompt, it's harder and a less desirable target for crackers..."

      Would that be "Security through unusability"?

      ;-)
      Cheers,
      Jim in Tokyo

      --
      -- My Weblog.
    2. Re:Elf Bowling by Alan · · Score: 1

      LOL!

      Someone mod this guy up +funny!

      (no mod points ATM :( ).

    3. Re:Elf Bowling by zebul0n · · Score: 1

      :)

      Here is the Kintetsu (Kansai) version of your "japanese proverb":
      "Abunai desu kara, kiiroi sen no uchigawa de, omachi kudasai..."

      Zeb

  10. Windows boxes more dangerous than Unix boxes... by Walles · · Score: 2
    ... at least according to Attrition's statistics about operating systems on cracked web servers.

    Compare this to Linux's web server market share according to Netcraft.

    Together, this tells me that Windows boxes are more likely to get cracked than Unix boxes. Of course, the numbers may be different for home systems, but as these are the only numbers I have I'll believe them until something better shows up.

    Cheers //Johan

    --
    Installed the Bubblemon yet?
  11. Re:I use @home by Bieeardo · · Score: 2
    I know two people who subcontract work from the local @home affiliate (no names, obvious reasons). They are specifically instructed to not even breathe the word "firewall" in front of the customer. The only thing that they're supposed to do is go in, install Buford (@home's branded Aieee/Netscrape hackjob), and get out.

    Between the proliferation of broadband access, and the way that @home's "service" is structured, I'm extremely surprised that we haven't seen any more seriously massive DDOS attacks-- I'd say that at least 98% of @home's subscriber boxes are sitting naked on the net, just waiting to be bent over.

    --

    Five tons of flax.

  12. Re:Use @Home with ZoneAlarm by Quila · · Score: 1

    > To date (one month) ZoneAlarm has blocked 139 attempts at unauthorized access.

    Only 139? I'm using an analog dialup in Germany (poor me -- no DSL in my area until December) and I get an average of 10-15 hits per day.

    Offering DSL or cable to the uneducated masses without at least telling them they should be running at a minimum ZoneAlarm is so fucking irresponsible! If you have a Windows 9x machine on DSL or cable, you're walking naked down Al Gore's Information Superhighway.

  13. Re: not to be a bitch... by jihad23 · · Score: 1

    > Doesn't matter what OS you run, if it's misconfigured, it's not going to be secure.

    And likewise, it's not difficult to set up even Win98 so that it's fairly secure. Turning off file sharing in Windows effectively closes all ports. I don't know how someone's going to hax0r a box that isn't listening anywhere.

    This is of course assuming the end user is bright enough not to get themselves BO'd or something.


    --
    Turn on, log in, burn out...
  14. Re:It's a double-edged sword by rtscts · · Score: 1

    Have you ever read the athome.newsgroups? Newbies and even not-so-newbies who've just discovered Zone Alarm go completely mental when they get port scanned. I think they're plenty hyperalert over the whole thing as it is.

  15. @HOME SCANS ITS OWN USERS!!!! by erotus · · Score: 2

    I too use @home. I run an ipchains firewall with a very tight ruleset. I monitor my logs and I've noticed that @home scans, at least in my area, for port 119 every 4 hours on the dot. It's not just my IP, it's across my area. I have a friend on the other side of town who gets the same scans and we're not even on the same subnet. I know that newsfeeds take up a lot of bandwidth, but damn! The scan originates from 24.0.0.203 which resolves to authorized-scan1.security.home.net. Is there anybody else out there who is getting scanned by @home itself? And if so, what ports?

    On top of @home's scanning, I get multitudes of other random scans for various ports. I get the usual scans for port 80,21,23,25,110 all the way from Japan to Germany and from the East to West coast of the US. I also got scanned for port 98(linuxconf) - if you have linuxconf service running you'd better disable it if you don't want to get hacked. Run SSH and get rid of telnet if you need to remotely access your box. It is imperative that anyone who has a cable connection use some kind of firewall. @home is full of shit if they tell you their network is safe. I've known many people, even geeks, get taken out because of some script kiddie or cracker.

    1. Re:@HOME SCANS ITS OWN USERS!!!! by Erikmad+scientist · · Score: 1

      OK, I work as SW engineer at @Home
      Item 1.) "I know that news feeds take up a lot of bandwidth", They at one time used 32% of our bandwidth for a bunch of data that no one even looks at. You are so correct. We have kept our own News servers unfiltered in the vain hope that users would refrain from running their own and use the shared server. This has not worked and we are forced to hunt down and ask people to use the shared server.

      Item 1.) I do agree on the firewall, @home can help you after the fact but you're going to have to keep your own system secured. The port scanning has been a much-discussed problem that we have not found a good answer for.

      Erik
      @Home

    2. Re:@HOME SCANS ITS OWN USERS!!!! by Erikmad+scientist · · Score: 1

      Strange your @Home jargon is almost correct... I'm not too certain to believe you? Please type "the" into atlas and give me a call, I can shed some light on your problems..

      Erik
      @Home

    3. Re:@HOME SCANS ITS OWN USERS!!!! by Erikmad+scientist · · Score: 1

      your free time but I thank you for using the shared server.. Erik @Home

    4. Re:@HOME SCANS ITS OWN USERS!!!! by btrain · · Score: 1

      I had comcast@home and they too scanned from authorized-scan1.security.home.net, but I never heard from them about the ftp, http, or mail servers that I had running. I usually had about 6-10 other legit scans a week that Winroute easily blocked or routed to the proper port on my Linux box. Since Windows was required for @home installation.

      --
      "The difference between genius and stupidity is that genius has its limits." --Unknown
  16. Re:You think that's bad by ScottDB · · Score: 1

    I saw those same NetBIOS (port 139) visits on my firewall also when I first got my DSL line. Don't quote me on this, as I may be wrong.... But I think it's whenever some Windoze user goes online with their DSL line, the Network Neighborhood "service" goes out looking for all connected computers on the same subnet, such as: 64.217.216.X, where X can be anything from 0 - 255, and the Net 'Hood checks each one of them to see if anyone is sharing file systems. That's my theory, anyway.... Anyone want to correct me or clarify the situation? I'm curious as to what's going on with these port 139 visits if my theory isn't right.

    Scott

    -----
    A computer without a Microsoft operating system is like a dog without bricks tied to its head.

  17. Re:not to be a bitch... by drsoran · · Score: 3

    I agree. OpenBSD is absolutely beautiful for a cheap home NAT'ing firewall. I found myself one of those nice Siemens Linux terminals (IDT 200MHz Winchip, 64 megs of ram, built in ethernet and SVGA onboard) on an onsale.com auction, popped an old 545 meg hard drive into it and two $15 Realtek PCI ethernet cards (also via onsale) and voila. OpenBSD firewall box complete with onboard third interface for services network. ;-)
    I highly recommend this to even the most bigoted Linux advocates. I was one of them before I tried it. Linux is fine for my desktop box but I'll make damn sure from now on it'll stay behind my OpenBSD firewall on my DSL. :-)

  18. Re:DHCP != security by alarosa · · Score: 1

    If you want to disable file sharing on your cable/DSL connection but keep it on your network at home, just go into the Network control panel, find the TCP/IP that's bound to the cable/DSL modem's NIC, go to the properties, hit the Bindings tab, and uncheck the file and printer sharing part. Reboot, and voila.

  19. Re:Remember a Cracker's Motive by radja · · Score: 2

    there are also problems with spammers using cable-modem boxen as mail relay...wouldn't be the first time i've seen that happen...

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  20. zone alarm if you *are* in window$ by cliveholloway · · Score: 1
    Zone alarm is a gem in windows - free, easy to use firewall that has caught at least 2 rogue programs on my machine.

    It won't catch everything (calls through the IE interface, whatever it's called ?!), but it stops most things - no, my DVD player is not allowed to talk over the net to those 'PC friendly' people.

    --
    -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
  21. Re:DHCP? What a laugh by jon_adair · · Score: 2

    I've been on RoadRunner for almost 2 years. I don't think I've had more than 5 IP addresses in that time. About 2 months ago my RedHat 6.2 firewall was getting crashed about every other day. I could see a ton of ftp attempts getting blocked, so I assumed someone published the wrong IP for their warez/mp3z server. I thought I would try to change my IP. The only way I could do it was to swap out the ethernet card and get a new MAC address. I suppose I could have left it shut down for a day or two, but didn't have the time.

    Then I moved to OpenBSD and haven't had a crash since. Well, that's not exactly true. I did have one, but once I taped over the power button on that machine, my 1-year old can't pull that trick again.

    There is no way I would run my Win2000 or NT4 Server boxes without a firewall. I've got a two-page list of what I need to do to attempt to secure an NT4 or Win2000 web server.

  22. Re:It's true, what goes on "out there" is horrendo by Bieeardo · · Score: 1
    Oh, god, don't I know it. My ex-roommate was running a copy of BlackIce Defender, and every time that something came in, his idiot wife would call out the "attack" in an authoritative voice, and expect him to do (or know) something about it. Of course, it certainly didn't help that BlackIce defined everything as an attack.

    What I'd like is a good, readable, firewall FAQ. I've got an old copy of AtGuard, but I'll be damned if I've been able to slog through its firewall documentation. The best thing I've ever got it to do is block everything but SETI@Home packets.

    --

    Five tons of flax.

  23. Security Through Idiocy? by doorbot.com · · Score: 1

    What about the ever laughed at AOL user? Will @home's claim convince them to use their service?

    I think we can agree that the average AOL user has no frickin idea what security is. They forward those spam emails that "look real" to their friends because the email says that there might be a way for bad, bad men to read their files if they run AOL on Saturday afternoon at 3:44 Pacific time.

    So, along comes @home with these outrageous claims... who are they trying to convince? They want to convince the kind of person who doesn't want to waste their time finding out if their claim has any basis in technological facts.

    These are the same people who go to college and are so excited to get on the ethernet, that they do stupid things like share their C drive to everyone (giving full access to all).

    Do these people deserve a wake up call? Yes, but do you really expect them to understand?

    "Welcome to the world of technology, please remain ignorant until your kernel has come to a complete stop!"


  24. hey...What about by niekze · · Score: 1

    SETI@home?

    --


    Chaos, Mayhem, and Destruction: Not
  25. Familiar by HerrNewton · · Score: 1

    Sounds like the lines auto manufacturers used to give about car safety, pre-Nader. "Sure it's safe as long as you drive safe." Which is basically saying, "You won't get hurt in a crash if you don't crash." Sigh.

    ----

    --

    ----
    Am I the only one who thinks Microsoft is a misnomer? Perhaps Macrosoft would be a better fit?
    1. Re:Familiar by Erikmad+scientist · · Score: 1

      Strange you would rant @Home over Pac-bell, but I digress...

      No, @Home is not your mommy and will not "protect you". We do monitor our network for mass connections also called "tribe attacks". An alarm is triggered by a mass (for us this is 13,000 connections a second) network jump from multiple points on the network. A real "tribe attack" is very distinctive on a utilization map, one minute 6,000 connections and wham! 14,000. To stop the madness we take the site off the route tables till it passes and then put it on line again.

      Again this is not blocking our customers or restricting them, this is keeping one of the Internet's largest backbones from being used as a weapon by an uncreative wannabe hacker.

      Erik
      @Home

  26. Of course they do by apg · · Score: 1

    You don't really expect @Home to come out saying that their service is dangerous, do you?

    Hey come pay us $40 a month so someone can break into your computer and steal your credit card numbers!

  27. NAT at the router by cheezus · · Score: 2
    I didn't see anyone else posting this, so I thought i'd share:

    I have DSL through USWest is now Qwest, and to the best of my knowledge, it is pretty secure from the get go.

    My DSL 'modem' (would calling it a router be too hard for people?) is a cisco 675. It gets an IP via DHCP from qwest. However, its internal IP is 10.0.0.1 and all of the other computers on the inside get assigned a 10.0.0.X address via DHCP (from the router). When I want to get to a computer on the inside, I have to open up a port on the router. For example, 23 and 80 go through to my linux box. Is this as safe as I think it is?

    ---

    --
    /bin/fortune | slashdotsig.sh
  28. No complaints with by maetenloch · · Score: 1

    I've had ATT@home here in Santa Clara for almost 6 months. Even though I have my system set up for DHCP, I've been using the same IP address the entire time. I even ordered an additional address for a second system. The only complaint I have is that they didn't offer any advice whatsoever on securing the system when they installed it. You'd think it wouldn't be that hard to warn new users or install some kind of firewall software. I'm sure they could work out a deal with ZoneAlert or some other provider, but nooo! Luckily we use BlackIce at work, so I knew how many probes a cable system can get in just one day. So on my windows system I use BlackIce, and on my linux system I have all but a few ports closed. It's amazing the amount of intrusion attempts I get. Usually if it's just a few probes, I'll just block the intruder. If attempts continue, I'll email the offender's isp. Probes also seemed to surge whenever I use gnutella - I guess host lists are perfect fodder for the script kiddies.

  29. Re: not to be a bitch... by Tuzanor · · Score: 1

    Or if you must use Windows with file sharing you can always use Zone Alarm...free for personal use.

  30. I use @home by yetisalmon · · Score: 1

    I have @home cable service and have had people hack my box from remote locations, print up funny jokes on my network printer, and change some of my settings. Go to hell, @home.

    1. Re:I use @home by christrs · · Score: 2
      What is wrong with people! You don't leave the back door to your house open at night. Anytime you go online, regardless of the method, you are opening a back door to your computer!!

      If you go online anywhere with your personal/financial data on the computer and you do not use encryption/firewalls, then you DESERVE to get your life screwed up by some punk who can prove he's smarter at getting your information than you are at keeping it.

      As for @HOME, when I went online with their service I got probed by several ip addresses in the domain. One letter to abuse@home.com and I have not seen these ip addresses touch my system again.

      In short, Encrypt what you don't want others to see, Firewall the computers that you don't want others to probe. And rat out those that try to your ISP's abuse email account.

      80% of the human race are idiots, 20% are morons, and 10% know what they are doing.
      Chris Sutter

    2. Re:I use @home by Kharny · · Score: 1

      I Have @home (Netherlands), there was a note with the installation that You should NOT: 1:share files. 2:run unknown files. Further they said they did not have a firewall or port block (i checked:they are right) Personally i use a linux box as server/router. It has its own protection....People should read the f*cking manual.

      --
      Make a man a fire and he will be warm for a day, set a man on fire and he will be warm for the rest of his life
    3. Re:I use @home by um...+Lucas · · Score: 1

      Unfortunately, MediaOne prohibits static IP addresses and any attempts at creating one. So users who don't need the "added security" of a DHCP assigned IP address can't make do without one. Further, it's rather lame that there's no provisions in most dialup, ISDN and xDSL accounts as to how many computers share the bandwidth. As opposed to MediaOne who requires you pay an extra fee in order for other computers in your house to perform such tasks as receiving email...

      AtHome and other ISP's shouldn't provide firewalling services. They shouldn't provide spam blocking services. And they shouldn't tell us what to do with our bandwidth. They should simply supply pipes to our homes. Offer any additional services on top of that one basic service.

    4. Re:I use @home by EvilAlien · · Score: 1

      It's your own fault.

      --
      perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
    5. Re:I use @home by Nastard · · Score: 1

      Before the argument continues, a quick message to those who replied to my post:

      I was referring to why *cable providers* use dhcp. Not any specific DHCP protocol. I suggest you at least try to understand what I'm saying before you say I'm wrong.

    6. Re:I use @home by Nastard · · Score: 1

      Exactly my point. You will never get a new address.

      With @Home, your netbios name is binded server-side with your 'computer name' (c53029-a). The DNS looks something like this:

      c53029-a.city1.st.home.com

      I doubt very much that @Home is willing to play musical DNS. It's easier to just give you the same IP. DHCP saves time on the installation and on the tech support calls, which saves the company money.

    7. Re:I use @home by Anonymous Coward · · Score: 2
      This isn't anything terribly new or secret, but your post reminded me of this.

      @home installs "tioga" on your machine. Maybe this is part of Buford? Anyway, this snatchware sits on your machine and reports the applications you run back to @home. This is their first line of defense/attack against people running server software.

      I hadn't really done my homework when I first got @home last year, but did install ZoneAlarm on the machine. That is when I was asked which applications are ok to access the internet. Didn't take long before @home's dirty little secret popped up.

      My advice for other Windoze users is to NOT install anything given by @home. They might make you think you need their software to connect, but you don't. Install ZoneAlarm to only allow apps to access the internet you want, and if you're getting a Christmas present, get yourself a Linksys Router/Firewall for just over $100 (or d-Link, whatever company you want). That way you can share the fast internet connection with your other machines, and get another level of security, since now the IP address the rest of the world sees is actually your Router.

      Is it fool proof? Most probably not. But it will stop the random modern-day-version of Wardialing the kiddies are up to today. They'll move on to much easier fodder.

    8. Re:I use @home by mpe · · Score: 2

      > Your DHCP lease runs out every so often. Lets say you are fragging away in a game of Q3A. Your IP is 24.5.5.5. All of a sudden, windows renews your IP lease, and you get 24.5.6.7. The quake server has no clue that your IP changed, and ignores the packets now coming from 24.5.6.7. Oops, you just got disconnected.

      You'd have to specifically misconfigure the DHCP server to do this.
      The way it usually works is that the client will attempt to renew the lease at the half way point.

    9. Re:I use @home by Panelvan · · Score: 2

      The internet is a big scary place, and it behooves the prudent to do the basics - for example, install a firewall. @home can't do all your homework for you - if you're connected full time to the net, then you have to take responsibility for that.

      --
      -- Post No Gravy
    10. Re:I use @home by yetisalmon · · Score: 1

      Maybe you could help me patch and fix my system so I don't get break in attempts. I'm not as smart as everyone else and don't hack kernels for a hobby yet. I'm just learning how to do stuff. Can you help me?

    11. Re:I use @home by Erikmad+scientist · · Score: 1

      Hello Erik again

      Ok, why does @Home use DHCP when you seem to get a static IP address...

      Another small background on cable modem technology: your cable modem is not a brain-dead network bridge with a little compression thrown in like your typical Telco modem or DSL device. A cable modem works as a kind of mini router and DHCP server; as a DHCP server it can be configured to issue IP addresses and allow them to route back to the backbone.

      Q: why did we do this?
      A: Part 1. This allowed @Home to dynamically manage its IP blocks and routing tables. How does this help you the user? With this you can hit a web page and get more IP addresses for your home network (up to 5 in most areas). In addition, all our devices can also be dynamically readdressed, allowing an infinite (or close to it) growth of the @home network.
      Part 2. Security is another consideration: it is hard to hack a moving target. A user can call or email @Home that they are under fire and we can first move them off to a new IP address; if the attacker finds our user again we can port capture their address and call them up (if they are a fellow user) or block the IP at the cable modem for a few weeks.

      Erik
      @Home

    12. Re:I use @home by Erikmad+scientist · · Score: 1

      You hit the nail on the head, but there are more technological and management facts for using DHCP in the manner you describe... read my other post

      Erik
      @Home

    13. Re:I use @home by um...+Lucas · · Score: 1

      From my dealings with MediaOne recently, they've made it sound like they'll shut down someone's service for running an "unauthorized" router.

    14. Re:I use @home by khog · · Score: 1

      I know as well some people who install for @home, and they get to do whatever they want. @home has some "anti-virus software" which is a backdoor that they can use to "expedite the troubleshooting process." They never install it. On top of that, they repeatedly tell customers that a firewall will make them more secure and will be very cheap; they're thinking about selling some Windows 98 firewall software in-house to (well, make more money, really) let users get firewalls more easily.

      On a side note, a lot of people are using routers for their DSL/Cable access that have firewalls built into firmware, with (LAN only!) remote administration and updates. Good stuff, for a guy who can't afford the overhead of/doesn't know how to run a software firewall.


      Mikey G
      --
      http://www.yourmothernaked.com
    15. Re:I use @home by Erikmad+scientist · · Score: 1

      Only if you're running a business off of it... other than that @Home welcomes people to use NATs and routers; it saves the massive overhead of managing millions of IP addresses and their associated router configuration.

      Look in your policy guide off of members central.

      Erik
      @Home

    16. Re:I use @home by Erikmad+scientist · · Score: 1

      Not necessarily Naster, your DNS address is also dynamically linked to your IP address. You can get a new IP address if we need to renumber a massive section of our network... as a rule we inform you long before even considering doing so but you are far safer to rely on your DNS name (which is a user based ID) than your IP address.

      Erik
      @Home

    17. Re:I use @home by photozz · · Score: 2

      I'm not complaining that excite should provide a firewall, but when I was set up, they never mentioned anything about it at all. I know better, but there are a lot of people that don't.

      --


      Dirty Pirate Hooker
    18. Re:I use @home by Dids · · Score: 1

      Interesting.

      I'm not sure about @home in general but it seems like cox@home does.

      -D

    19. Re:I use @home by Anonymous Coward · · Score: 1

      I have @home cable service and have had people hack my box from remote locations, print up funny jokes on my network printer, and change some of my settings. Go to hell, @home.

      I suppose you'd blame the automobile manufacturer if you slammed your hand in your car door. Don't blame @home for your own stupidity.

      I have @home as well but I installed an LRP box as a firewall. Problem solved. I get 10-20 attempts to access my system every day and almost double that on weekends. Looking at the logs I see scans for news servers, mail servers, telnet, ftp, netbios and occasionally something different like time servers. Every couple of weekends or so, some luser tries to go through all ports looking for an opening. All are rejected. The script kiddies come knockin' but they can't come in.

      I've only had one real problem. Last month someone on my subnet tried a DoS by flooding me with pings. Took the whole subnet down. It was my neighbor who noticed it and asked me if my service was down as well. I called @home, told them what was going on and gave them the IP address of the offender. They said they'd look into it and half an hour later the flood stopped. I tried pinging the offending address and it was gone. I haven't seen that address on the subnet since. I'd guess somebody had their service yanked.

      My brother-in-law also has @home and he installed Zone Alarm on his Windows machine. At first he was bothered about all the attempts to get in but I told him that every alert is a sign that the software's working and proof that he's just been protected. Now he says he slyly laughs and thinks to himself, "Not today, f*ckers."

      I do think that @home should be advising their users to install firewall products, if only for the security of their own system.
      And BTW, Steve's site at www.grc.com is a great place to test the security of your system. And it's free.

    20. Re:I use @home by Score+0 · · Score: 1

      I can't find any mention of routers/firewalls in their customer service agreement but I know there was a mention of them somewhere in the documentation that I received that just basically said that MediaOne would not support any problems you may have with them. When I activated my service 2-3 months ago and called to change my MAC address to that of my firewall, they were told what it was and had no objections. I would think they would be happier knowing that your system was as secure as possible.

    21. Re:I use @home by Score+0 · · Score: 2
      Further, it's rather lame that there's no provisions in most dialup, ISDN and xDSL accounts as to how many computers share the bandwidth. As opposed to MediaOne who requires you pay an extra fee in order for other computers in your house to perform such tasks as receiving email.

      They charge extra for more PCs because of the additional IP addresses that would require, not bandwidth. Just set up a Linux/BSD router with NAT or pick up something like the Linksys cable/DSL router and connect PCs to your heart's content. I have a Linksys with three systems connected and I only pay MediaOne for a one system account.

    22. Re:I use @home by shotfeel · · Score: 1

      Sorry, but this seems too much like Microsoft's answer to security.

      Instead of making a feature secure, the answer is to just turn it off. But what if you actually need that feature?

      I know most of the people here know how to "protect" themselves, but the @Home "Don't worry, be happy" attitude towards security is dangerous for the "@home" audience at large.

    23. Re:I use @home by Erikmad+scientist · · Score: 1

      No not at all, your computer name is not set up by @Home, your DNS name (the other tab) is. @Home does not monitor users site hits or any other aspect of your usage. Period end of story.

      On a side note, how would you possibly monitor and log 2.7mil customers each pulling 800 to 4,000 pages a day? You just can't do it the way we work.

      Your lie and logic are a wee flawed my friend,

      Erik
      @Home

    24. Re:I use @home by Dids · · Score: 1

      I get on average 4/5 break-in attempts an evening and I'm using cox@home.

      Norton Internet Security detects mostly some trojan attacks but also sometimes some inbound connections on 80 or 21.

      So far a very small percentage of these came from within @home's network (I know they probe themselves to catch people running servers).

      -D

    25. Re:I use @home by Nastard · · Score: 1

      "Not necessarily Naster"

      You are correct on that one.

      What part of @Home do you work for?

    26. Re:I use @home by Nastard · · Score: 1

      Unless someone drastically changed some configurations since I left, the computer name field (netbios name) is what is used to assign the IP. How do I know? First off, I did it for a living. Second off, DNS is disabled in @Home network settings. DNS servers are assigned by DHCP.

    27. Re:I use @home by Tassach · · Score: 2
      Define "break-in attempt". A simple port-scan is NOT a break-in attempt. Repeated attempts from the same address to connect to an open port probably is.

      When I first got @home, I was running 2 ip's with a hub. Each of my pc's was running firewall software (AtGuard on my wife's windoze box and ipchains on my linux box) I would usually log 10 or more port-scans PER DAY on both of my boxes.

      After running this setup for about 2 years, I got a Linksys cable modem router. Linksys bills this as a "firewall", but its firewalling features are pretty rudimentary -- NAT and some simple port filtering. It's easy enough to defeat this if you know what you are doing, so I don't rely on it as my only layer of defense -- I still have everything behind the router locked down as tightly as I can get it.

      The Linksys router doesn't do any logging, so I don't know how often it's getting probed; but I have not logged ANY scans that made it past the router in the 6+ months that it's been operational [except for the ones that I did myself]. I find this pretty amazing. It seems that even the most basic security measures will deter the vast majority of would-be attackers.

      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
    28. Re:I use @home by Panelvan · · Score: 1

      Optus@home in Australia recommends the use of firewalls. It's all there in the startup docs.
      The installing tech also suggested that we turn off (not power-cycle) the modem when not in use, killing the link.

      --
      -- Post No Gravy
    29. Re:I use @home by griffjon · · Score: 2

      Personal firewalls are the way to go, but the education is humbling for many home users nowadays. What RR does is portscan on the more popular ports (For fun, read http://security.rr.com/, formerly bofh.rr.com). Partially they're hunting down rogue servers. They're ORBSed, and are mainly trying to find the insecure SMTP servers. They also have some security guidelines on their webpage.

      It's not great, but it's something.

      --
      Returned Peace Corps IT Volunteer
    30. Re:I use @home by Nastard · · Score: 2

      Disable file and print sharing. Problem solved.

      The @Home subscriber agreement warns very clearly that file and print sharing is a danger, and should be off. In fact, in most markets @Home won't install to a machine with it turned on, and in all markets, if the tech is doing his job, file and print sharing will be disabled by the installer.

      You turn it back on, it's your own fault that your printer was "hacked"

      Having left the company, I'm not a big @Home fan, but I'm not about to blame them if I'm stupid enough to misconfigure windows.

    31. Re:I use @home by h0mi · · Score: 1
      So do I. Thing is, by the time I got a cable modem, @home (cox@home here) seems to have disabled or otherwise eliminated by port blocking (I think) many of the services that you would use to link your computer with others- ie accessing my printer, etc.

      The down side was to make it more difficult for me to share printers within my home LAN, but more savvy LAN-geeks suggested that I use NetBEUI instead of trying TCP/IP only.

      Eventually I'll do a router with BSD, but I don't have the spare hardware at this time.

    32. Re:I use @home by Nastard · · Score: 1

      DHCP is used to make it easier to configure the box and to support it. (sane) cable providers bind the IP to the ethernet MAC of the modem or the NIC so that you will always get it.

      Why?

      Your DHCP lease runs out every so often. Let's say you are fragging away in a game of Q3A. Your IP is 24.5.5.5. All of a sudden, Windows renews your IP lease, and you get 24.5.6.7. The quake server has no clue that your IP changed, and ignores the packets now coming from 24.5.6.7. Oops, you just got disconnected.

      "I just got disconnected. I think I'll call tech support and bitch about it"

      Obviously, cable providers don't want this. Hence, DHCP is for ease of configuration, not due to the lack of IP addresses, REGARDLESS of what tech support or the marketing machine tells you.

  31. Re:Sympatico VS Rogers@Home by douper · · Score: 1

    > 2 play the same dam song 5 times in 6 hours

    yup, they do, but luckily I only listen to them ~1 hr a day=)
    and it's better than The Bear=)

  32. hehe by niekze · · Score: 1

    It's safe as long as you don't get ops in #l33tw4r3zd00dz or get someone else's nickname. But hell, I've seen people have their hd's shared with full access without a password. I guess they figure someone can fix the bugs for them. That's an idea, find a way to install a real OS on their computer when they are away. Then secure it. I should do that....then charge $19.99 a month afterwards....oh wait..then i-opener would sue me. Well shit, I'll just stick with OpenBSD.

    --


    Chaos, Mayhem, and Destruction: Not
  33. Re:It's true, what goes on "out there" is horrendo by photozz · · Score: 2

    So true, now what's your IP again???

    --


    Dirty Pirate Hooker
  34. DHCP? What a laugh by joshv · · Score: 3

    DHCP is used as a convenience for the ISP, allowing them to reallocate IP addresses dynamically, but they tend to re-allocate infrequently. My cable modem has given me the same IP address for over 6 months.

    Even if used to re-assign IP addresses on a regular basis DHCP is not a security feature. Your box only needs to be up long enough to be cracked. The fact that your box might not be at the same IP address tomorrow makes it a slightly less attractive target, but I am sure a smart cracker could install something that would allow them to find you at whatever IP address you happen to have.

    -josh

  35. irc by jetpack · · Score: 2

    DHCP makes you safe? That's fairly humorous. As soon as you log onto IRC, some script kiddie has already done an /nslookup on you and started scanning your box looking for holes with some warscript.

    I'm currently running an OpenBSD firewall and am pretty happy with it, although my linux firewall previously did a fine job. The point is to do *something* to keep out the riff-raff.

    Sure, the heavy-hitters won't be bothering to crack most DHCP boxes, but there are plenty of kiddies out there that are itching to crack *any* box and make a mess of it.

    The Internet isn't some little town where you know everyone ... you do *not* want to leave your front door wide open.

  36. It's true, what goes on "out there" is horrendous by bconway · · Score: 2

    I've been using broadband DSL for quite a while, and some of the things that pass by my firewall are disgusting. I'm not even located on the usual 24.X.X.X range that is often associated with cable modem attacks, and every day I get no less than 10 or 20 attack attempts registered on PortSentry. As we all know, it's a dangerous web out there, and I'd really pity the foo' that doesn't use a dedicated firewall in conjunction with a broadband connection. Safe web surfing is one thing, but let's be serious, folks.

    --
    Interested in open source engine management for your Subaru?
  37. Re:not to be a bitch... by mrowlands · · Score: 1
  38. @Home Security Issues by gamorck · · Score: 3

    To put it rather bluntly:

    Personal Computer Security is NOT the responsibility of the ISP. If you acquire broadband service in your home - then you have also acquired with it the inherent responsibility to protect your computer system from the would-be hackers of the internet. Why should it be the ISP's problem? They only provide the connection, not the content. By that same logic it seems rather short sighted to turn around and say they must secure your computer from the content you choose.

    The term "Personal Computer" means just that - a personal computer. But when you place that computer at a permanent address on the internet - you are taking your chances and it is YOUR responsibility to minimize those chances.

    Example: Lets say you buy a new mailbox and leave it sitting on your kitchen table inside your house. Well after a few weeks it becomes apparent that the mailbox is fairly useless without access to the outside world (aka the internet) so you place it on your front lawn and begin to send and receive mail.

    So what happens when some punk kid starts swiping social security checks from mailboxes? Hmmmmmm..... yeah it's illegal but would you even consider blaming the US Postal Service for something that is obviously your problem? (Solution: get a PO Box)

    People need to start taking responsibility. If you have a permanent, fast connection to the internet take the extra time to learn a little about computer security. If you don't want to care about it, or if you can't fathom opening a book and actually finding out just how your computer works, or you are one of those dimwits who actually paid money for an emachine - unplug the network connection NOW.

    Too many people in America are content to simply bitch and moan rather than stand on their own two feet and do something about it. Perhaps you guys can solicit the aid of Al Gore - I'm sure he'll be more than happy to put your computer into his precious little lockbox, right along with trillions of dollars in so called Social Security money you'll never see again.

    In essence - people have confused the term "Internet Service Provider" with "Internet Security Provider" or perhaps in this case even "Internet Safety Provider".

    Gamorck
    "Flame at will"

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  39. PacBell said DHCP = security, not @Home by Gogo+Dodo · · Score: 1
    photozz didn't read the article right, PacBell said DHCP = security...

    "Our consumer customers get dynamic IP addresses," said Sean Danes, a spokesman for Pacific Bell DSL, a large DSL provider.

    Flame @Home all you want, but don't flame them for the DHCP = security statement. Flame 'em for other stuff, of course. :-)

  40. @home DHCP == !Security by lizrd · · Score: 2
    The worst thing (or possibly the best, depending on how you look at it) about the @home service is that they don't even use the DHCP server to change your IP address on occasion. The DHCP server is just there to make it easier for the incompetent tech when he comes to your house to fuck^H^H^H^Hset up your computer. From a DHCP provides security standpoint this is a bug. I tend to think of it as a feature; I know my IP address.

    The skill level of some of these techs is really poor too. When I first got @home a few months ago they sent a tech out to my place. I didn't want to let him near my Linux box (don't think that he would have touched it anyway) and instead let him do his setup thing on my girlfriend's Mac. He had a really hard time with that, and we're talking MacOS here not some really oddball alternate OS. Not a chance in hell these guys know what they're doing enough to properly secure machines. I don't trust them any further than I can throw them.

    What I do think is quite good is an LRP firewall. Charles Steinkuehler has one that I have found to be quite easy to setup and quite secure on his web site. It's really nice to be able to boot the whole router machine from a write protected floppy and know that if someone does start to mess with it you're only a reboot away from a system w/o any root kits left behind by some k1ddy. Also included are a DHCP server, NAT, and port forwarding. Well worth checking out.
    ________________
    They're - They are
    Their - Belonging to them

    --
    I don't want free as in beer. I just want free beer.
  41. IPTraf by macdaddy · · Score: 2
    I keep IPTraf running on my firewall at home. It's in the TCP/UDP port watching mode, whatever it's called. I love coming home and finding screens of port #'s listed as ports that have seen activity. We aren't talking 1-2 packets from a simple TCP connect port scan. I'm talking a couple hundred packets over a mere weekend. Let me see, how many port scans is that... ADSL and Cable modems are the greatest thing since the invention of pron (and you can download a lot of it real fast too!) but it's the worst possible thing for security since the first release of Irix.

  42. Re:DHCP? What a laugh by thedude60 · · Score: 1

    dis dude really know his shit!!!

  43. DHCP Irrelevant. Portscanning IP blocks. by TrevorB · · Score: 2

    It doesn't matter what IP you have when people are portscanning:

    24.112.*.*

    The IP blocks of @Home connections are WELL known and are scanned constantly by hax0r dudes across the planet.

    Just treat @Home as a hostile network environment, and act accordingly.

  44. Re:something silly- turn off the computer? by Lumpy · · Score: 1

    How about this ghastly idea, turn off the computer when you are done? Good gods, save energy? just to wait for a boot up??? What are you a weirdo?

    I reiterate. If you don't know basic computer use then you have NO BUSINESS OWNING ONE!

    --
    Do not look at laser with remaining good eye.
  45. Use @Home with ZoneAlarm by dmccarty · · Score: 2
    I signed up for @Home access about a month ago. It's the best you can get out here in the SW Chicago suburbs other than 56K or ISDN--DSL won't be here for another year or so. I have to say that, this article aside, my experience has been pleasant so far. Download speeds average about 300kbps (I'm not kidding). Everyone I talk to enviously says, "Just wait till your neighbors get hooked up." Well, DSL still has to get shared at some junctions as well--it doesn't matter if that switch is at the CO or at the junction box. I don't have the numbers in front of me, but @Home guarantees 144kbps or something like that.

    Anyway, the point I was trying to make (badly) is that if you're going to maintain a constant connection to the Internet by all means run some type of firewall if you don't want to get your box compromised. I use ZoneAlarm and couldn't be happier with it. I just passed the Port Probe and "Shields Up!" tests at grc.com with flying colors. Some of the scans ZoneAlarm protects me from (as reported by the security checks at GRC):

    • Your Internet port 139 does not appear to exist!
    • Unable to connect with NetBIOS to your computer.
    • Port 21 FTP Stealth! There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
    • 23 Telnet Stealth! There is NO [...]
    • 25 SMTP Stealth! There is NO [...]
    • 79 Finger Stealth! There is NO [...]
    • 80 HTTP Stealth! There is NO [...]
    • 110 POP3 Stealth! There is NO [...]
    • 113 IDENT Stealth! There is NO [...]
    • 139 Net BIOS Stealth! There is NO [...]
    • 143 IMAP Stealth! There is NO [...]
    • 443 HTTPS Stealth! There is NO [...]
    To date (one month) ZoneAlarm has blocked 139 attempts at unauthorized access.
    --
    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  46. Re:You think that's bad by Chops · · Score: 1

    That's not what I was getting... I'm in Pittsburgh, and I was getting port 139 queries from DC and New York, not even within 8 bits of being on the same subnet. The Baltimore city paper has an article that says that IP-scanners on port 139 are getting popular with the kind of haX0r who's not even 31337 enough to know about rootkits. I wish the article had been a bit more forceful about placing the blame for this "exploit" squarely on Microsoft's flabby shoulders, but I guess I should be happy they mentioned that MS was to blame at all.

  47. Re:Already firewalled (-1 Offtopic) by theCoder · · Score: 1

    You're right -- it probably has nothing to do with security. It's probably a data cache. That way, each /. reader in Australia on Excite@Home doesn't have to download every single image on /.'s page. You can argue if this is a good thing (faster download times, less overall Internet traffic) or a bad thing (privacy).

    I know that there's something like that at my school and I've never had any problems with it. There was a discussion on the PLUG (Purdue Linux Users Group) mailing list about it. Eventually, someone suggested they turn it into a giant porn server, since it probably has a lot of that on it :)

    --
    "Save the whales, feed the hungry, free the mallocs" -- author unknown
  48. DSL and firewalls by martin · · Score: 1

    Every piece I've ever seen on DSL and cable modems always recommends very highly that you install either a personal or true firewall.

    This spreading of un-FUD is purely the marketing droids trying to get as many people as possible on this new service. But not making people aware of the risk is IMHO highly irresponsible.

    If they tied up with Norton and their personal firewall software for Windoze they'd do something. Maybe they could subsidise the software or even up the price a bit to encourage responsible use of the broadband access. This doesn't help the Apple or *nix user, but an old 486 only costs a little, which would be fine for a firewall.

    I guess they are trying to downplay the risks, but have gone too far in doing so. It's a very fine balance they have to tread but I'd say they are on thin legal ice on this when your machine gets used in a DDOS attack...

  49. Re:not to be a bitch... by niekze · · Score: 1

    But what about the security? That's what we are talking about.

    --


    Chaos, Mayhem, and Destruction: Not
  50. i used to work for at&t @home by azroth · · Score: 1

    the dhcp is useless, they are simply running out of 24.xxx.xxx.xxx addresses so they are making everyone switch to dhcp just so they are fully switched over when they need to start using the dynamic ip address. so if you're with at&t@home you will always get the same ip address.. well for the time being. and your cable modem will ALWAYS have the same ip address.

  51. Re:Linux is a perfect firewall/router for @Home! by Tuzanor · · Score: 1

    I'm using linux as a desktop with @home and it's great. It was a pain in the ass to set up, but once I got it running everything was fine!

  52. Re:security by photozz · · Score: 2

    bunch of kiddies get their systems together in one room and try to blow the hell out of eachother in Quake arena.

    --


    Dirty Pirate Hooker
  53. Re:what? by Nailer · · Score: 1

    I don't think the Slashdot people are pissed off that their ISP isn't taking care of this for them, I think it's more the fact that they are angry on behalf of the computer newbies being lied to by cable modem companies - in that spending more time and bandwidth on the net doesn't increase risk, when clearly it does.

  54. Re:Windows 98 security by the+real+jeezus · · Score: 2
    go to a 1337 irc channel & say something like "u h4x0rz n0 1337 u sux". Wait a few minutes.

    A default winbloze98 install offers about as much protection as a chickenwire condom.


    Do you hate other human beings?

    --

    Ewige Blumenkraft!
  55. BigPond firewall port 139 by purplemonkeydan · · Score: 1

    Telstra BigPond in Australia firewall port 139, in an attempt to stop the 'qaz' worm that was running around their network not so long ago. See this article on Whirlpool for the e-mail Telstra sent out to members.

  56. broadband safety by EvilAlien · · Score: 1
    Bah. Firstly, DHCP is meant to be dynamic. @Home's implementation merely automatically configures customers' machines to minimize the Bonehead User Factor. The thing is, the IPs are largely static, and the IPs are from the well known 24 blocks in use by cable broadband providers all over North America. It's a prime hunting ground for hackers.

    That being said, many cable modem brands actually support encryption inherent to their functionality, so they are more secure in many cases than a simple little xDSL modem. I work with both technologies, and know each fairly well from both a network admin and operations perspective. The main point that shouldn't be forgotten is that if users operate their computers properly they will rarely have problems. That means no wide open File and Printer Sharing, don't be a slut with your email (if you randomly open attachments then you deserve what you get - including Back Orifice), take a little initiative to keep abreast of the goings on in the computer world, use a virus scanner, etc. The problem isn't broadband Internet access, the problem is users with poor habits. There is no reason to slam E@H for these statements even though they may be a little naive - users have to take some responsibility for themselves, dammit.

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  57. Isn't that pretty standard cracker practice? by Zopilote · · Score: 1

    Isn't that pretty standard cracker practice? Don't a lot of "script kiddies" crack into machines just for fun and to use them as IRC bots?

    1. Re:Isn't that pretty standard cracker practice? by Aerolith_alpha · · Score: 1

      I guess... I don't really know--I only read that one article about a honeypot--and none of my (work related) systems are exposed to this sort of stuff, so I am not too sure what 'standard' practice is...


      mov ax, 13h
      int 10h

      --


      mov ax, 13h
      int 10h
  58. I was cracked by cybersquid · · Score: 3
    As Bender might say, Safe my shiny metal ass.

    I'm an @home user. Before I learned the value of having a firewall (LRP rocks!), I was cracked once (IMAPd) and had my DNS killed (BIND buffer overflow; killed the daemon but didn't get root-kitted).

    Based on my friends' logs, an @home customer can expect constant port scans.

    Don't get me wrong - I like the service; people just shouldn't run unsecured systems. (For that matter, nor should you leave the keys in your car. ;-)

    If your O/S is inherently unsecure (like Windows), I would definitely employ a firewall. I use LRP (I like the control), but I know folks having good luck with those cute LinkSys units.

  59. DHCP is for ease of use... by sulli · · Score: 4
    NOT security.

    I work for a major ISP that offers DSL service, and we use DHCP to allocate IP addresses. We do this because it's a pain to type in your IPs, particularly for mobile users, and because it does help allocate IP addresses a bit more efficiently. It's not a protection against someone who scans a pool of IP addresses looking for open shares, as the "911 Worm" did some months ago. Just for IP allocation, that's all.

    --

    sulli
    RTFJ.
    1. Re:DHCP is for ease of use... by Erikmad+scientist · · Score: 1

      Really, mobile DSL... I got to get me one of those :-) Digital Subscriber Line or DSL is a hardwired copper connection to your home; there is nothing mobile about a DSL line... So you work for marketing? :-)

      Erik

    2. Re:DHCP is for ease of use... by sulli · · Score: 2

      No, silly, mobile PC users who switch from office networks to DSL connections at home. Carry a laptop around from office to office and you'll quickly see that typing in IPs is a pain in the ass. That's a major reason DHCP is in common use on office networks, and in hotels, and it's why we use it in our DSL service.

      --

      sulli
      RTFJ.
  60. Re:hate DHCP by lizrd · · Score: 1

    Who cares? Just pirate the IP address that you have now and set it as a static one.
    ________________
    They're - They are
    Their - Belonging to them

    --
    I don't want free as in beer. I just want free beer.
  61. Charter Cable by gomerbud · · Score: 1

    At least you guys don't have to deal with Charter Cable. They have blocked all incoming ftp, smtp, and http instead of booting customers who serve. And they did this without a warning.

    PS. Their throughput sucks.

    --
    Can I have a beer, please?
    1. Re:Charter Cable by cryosis · · Score: 1

      They never did this to me. I had ftp, http and icecast all running with no problems. Maybe the admin on your segment just gave a damn and was REALLY lazy.

      Life is a disease, sexually transmitted and fatal.

    2. Re:Charter Cable by gomerbud · · Score: 1

      What region are you in? I'm stuck in San Luis Obispo. I know that Charter's main offices are in LA (at least that's where I send the check) and that they are starting to provide for a significant part of the US.

      --
      Can I have a beer, please?
    3. Re:Charter Cable by Erikmad+scientist · · Score: 1

      I just checked the CMTS and routes... you're not blocked... try again

      Erik
      @Home

  62. Common Sense = Security by bahwi · · Score: 1

    Use common sense. I use AT&T@Home. I have portsentry on almost every conceivable port, including 21, 22, and 23. SSH is the only service running, and on a completely different port. (Portsentry = Access a port and it performs an action on their IP, and in my case, it firewalls them). I'm running FreeBSD, and have over 200 entries in my firewall. Some were obviously false IP's, (111.111.111.111), but the person apparently didn't try to portscan me again. Yeah, portsentry isn't some god-send or anything, but it sure as hell helps.

  63. Two words by tulare · · Score: 1

    Yeah, right! (With appendum due to shameless karma whoring)

    --
    political_news.c: warning: comparison is always true due to limited range of data type
  64. Too much ISP protection can be bad! by Wibbble · · Score: 1

    ADSL provided by BT here in the UK is bad, bad, bad.

    The stuff for home users (ie, the stuff that's cheapest) uses NAT on the modem, and you've no choice about it.. and you can't (AFAIK) configure it. (It's bad in other ways too, of course.. like being USB-only and expensive)

    Horrible! No servers at all.. if I had DSL or cable I'd want to be running my own mail server, at least.

    It's one thing to protect the clueless people, but it's no good when it also cripples those who do know what they're doing.

    If ISPs are going to use firewalls to block connections, then it needs to have the option to opt-out (I'd have it on by default to catch those too clueless to help themselves), so that people can use their connection how they like, and take their own risks.

    I'd love to be able to get broadband here, but I don't know if I'd bother if they were going to put in random portblocks.

  65. A suggestion for Linux distros? by marm · · Score: 1

    Given the increasingly wide availability of broadband, and the fact that Linux has such a solid firewall built-in in the forms of ipchains and especially the forthcoming iptables in 2.4...

    Why not offer to auto-setup a basic firewall during the 'workstation' install?

    This would be massively helpful to the many newbie Linux users, handy for those of us with not much time on our hands, and would be a great boost to the reputation of the distro as secure-by-default. It is, after all, not that difficult for a setup program to simply deny all incoming SYNs on all external interfaces, but is beyond many who are new to Linux.

    Given that those of us who would find this a problem are also probably those who are confident enough to mess with ipchains/iptables anyway, I can't see how this could be a disadvantage.

    So, Red Hat, Mandrake, Debian et al.... how about it?

  66. Re:DHCP != security by Platinum+Dragon · · Score: 3

    How about adding ALL: ALL to /etc/hosts.deny? Is there a way around that?

    Unfortunately, it also locks yourself out of services you might want, such as lpd or X. Then you have to set some permissions in hosts.allow, and there are ways to spoof even localhost.

    Also install port sentry, soon as someone portscans you they'll be locked out by the time they reach port 20.

    Sooner if it's set up properly. However, a lot of the scans that hit me came from people looking for open Netbus ports. Got the occasional scan looking for something else once in a while, along with the usual Wingate detection from IRC servers and @home scans for open NNTP ports.

    Since when do viruses appear in text files? When I type "vi LIFE-STAGES.TXT", will my computer explode?

    It's a trojan that affects mIRC only. It relies on people accepting the file, usually because they have auto-DCC set to on. Really annoying, even for those of us who actually check what gets sent to us before accepting it.

    In windows, if you share (for example), your mp3 directory, as world readable, is there an exploit?

    Not sure, but it wouldn't surprise me to find out one shared directory can be used as a jumping-off point through the use of an exploit to fool Windows into thinking a remote viewer is, in fact, local. It's the same reason *nix people shut down nfsd; you don't even give potential attackers the opportunity to get a beachhead on your system.

    A healthy dose of paranoia is acceptable, but is it worth reducing usability?

    An ounce of prevention is better than a pound of cure.

    -------------

    --

    Someday, you're going to die. Get over it.
  67. Corrections by Shagg · · Score: 5
    Actually, if you read the article, the majority of it is talking about how INSECURE broadband connections are, and experts were quoted saying that everyone should be running a "personal firewall".

    The DHCP remark was made by a DSL provider, NOT by EXCITE@HOME. The @HOME representative was quoted as saying that their techs take precautions during the installation such as "Disabling file sharing". They also say that people should take more precautions if they have "sensitive information" on their PC, not "private information", and that while Excite@home does not provide such software, they did say that they are willing to help a customer install and set it up to work with their service.

    I'm not much of a fan of @HOME's tech support and security policies either (personally I run an ipchains firewall on my @HOME account), but the original poster made a pretty inaccurate review of the article and painted Excite as being more clueless than they actually were.

    Don't be too quick to jump on the "bash @HOME's security advice" bandwagon based upon the poster's comments. Read the quotes in the article for yourself first, the original poster was way off the mark.

    --
    Unix is user friendly, it's just selective about who its friends are.
    1. Re:Corrections by cubuff · · Score: 1

      I agree, too many posters fail to read the article prior to flaming.

      I "upgraded" from a S/W firewall to a Linksys router/firewall for the reason that I was tired of seeing the intrusion attempts. For $150 it sure is nice.

  68. Remember a Cracker's Motive by dmccarty · · Score: 4
    Let's remember what a cracker does this for: the thrill of the chase, the bragging rights to a successful crack, and (more maliciously) any rewards from the compromised site.

    Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligible. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)

    Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes. I'm not trying to start a huge flame war here--but the facts speak for themselves. Look at all the rootkits out there. Look at all the successful cracks. Were the servers running Unix and variants thereof? Probably.

    Now I'm not saying that a Unix box can't be properly secured. But the fact remains that more hacker activity is exerted towards cracking Unix and its siblings than Win32 and other OSes--and with good reason: it's easier.

    Interesting discussion invited; flames to /dev/nul please.
    --

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
    1. Re:Remember a Cracker's Motive by complex · · Score: 1

      you're forgetting ddos. an army of relatively useless cracked win98 boxes can flood a popular web site quite easily, esp. if those boxes have nice fat connections.

      also, you may be giving win98 and win98 users too much credit. which is easier: a netbios scan to see if the entire c: drive is shared with full access and no password, or searching through bugtraq and securityfocus for a string overflow in proftpd (not picking on it, just an example). granted, there may be a ready-made exploit for the proftpd method, but then he has to find it, etc. etc. etc. it's easy to see how the win98 method is easier.

      both of these things combine to make the vast number of win98 boxes at least somewhat attractive to the script kiddies.

  69. Private information? by mdroid · · Score: 1

    you should only be concerned if they are storing private information on their PC
    Hmpf... ALL information on my PC is private unless otherwise stated...

    /mdroid

  70. Re:@home really *IS SAFE* to use. by agentZ · · Score: 1
    In flame wars, unlike real wars, no one has ever used ICBM's to assault the person they are pissed off at.

    Not yet. Remember all the talk about John Deutch doing classified work at home on his unclassified computer? What if he had @Home and some foreign government was targeting him... That could get messy right quick.

  71. They are Absolutely Right!!! by v77 · · Score: 1

    Because the damn service disconnects so many times, it's impossible to hack a machine that phases in and out of connection ;)

  72. Linux is a perfect firewall/router for @Home! by baudtender · · Score: 3

    Don't listen to the baloney that @Home dishes
    out about incompatibility with Linux. I use
    an old 16-meg RAM 486 box with a floppy booted
    copy of EigerStein/Linux router/firewall:

    http://lrp.steinkuehler.net/

    and it has worked perfectly 24X7 since the day
    it went online last June.

    As a cross-platform software developer, the
    client machines on my LAN include Windows
    98, NT, and 2000, and a Red Hat Linux 6.1
    system. All work great with the Linux router/
    firewall. I usually get around 1100 kilobits
    (~130 kilobytes) per second on the receiving
    bandwidth and you'd never know the router/
    firewall was there.

    The EigerStein package can either dynamically
    assign IP addresses to the client machines,
    or you can hardcode them, depending on your
    needs. Additionally, like with any other
    linux router package, you can pass through
    (or lock out) individual ports if you want
    to use something like Napster on the client
    machines.

    There was very little tweaking of the firewall
    configuration files to get it working with @Home
    and DHCP - the hardest part was figuring out the
    real names of the local mail and news servers -
    when installed, the @Home tech will simply use
    "mail" and "news" as the server names. The
    receipt they give you after the install has all
    the info you need to figure them out.

  73. Re:Sympatico VS Rogers@Home by Tuzanor · · Score: 1

    Hey, I live in Stittsville too! Well, that's where HOME is... I'm in Oakville (Toronto) going to Sheridan right now... @home is pretty quick there and DSL is available, though I don't know how reliable/fast it is...

  74. Re:Sympatico VS Rogers@Home by Tuzanor · · Score: 1

    Ya, over the past 3 years the bear has slowly been turning into Chez 106...

  75. And hey, don't mess with DHCP by sulli · · Score: 1

    it got a great score on the Slashdot Poll! (Well, it came in fifth after Hemos, but who cares.)

    --

    sulli
    RTFJ.
  76. Re:IP broadcast by Alan · · Score: 1

    Well as a user you'd just set up your network scripts to not use dhcp *anyway*. I do that and point my DNS at my home system, just so that it's more convenient for me.

  77. Re:try ping by Sadfsdaf · · Score: 1

    Try using mail.rest.of.your.dns eg. my dns is c#####-b.stcla1.sfba.home.com so i'll just use mail.stcla1.sfba.home.com ... took me 2 hours to figure that out =]

  78. They are not selling you security... by Ndog · · Score: 2

    They're selling you high speed internet access. My DSL provider, CapuNet, displays a very sensible article about security in their customer support section. It basically says, your machine is valuable because it has a high speed connection, so do something to secure it. I agree, and that's all they need to say. It is up to the customer to weigh the risks, rewards, and options and act accordingly.

    There are plenty of firewall and security products out there, and if your computer gets compromised, it is not the fault of the service provider. For those here on /., probably the one that many would be interested in is the NetBSD firewall solution. If you don't have a machine to dedicate as a firewall, there are plenty of others, including free software like ZoneAlarm. One of the funniest things about this, though, is that a lot of the port scans and other intrusion attempts that people get are coming from their ISP. It would be nice if this was to benefit the customer, but I think it's mainly just to keep an eye on the customer instead.

    --
    -N
  79. Re:Game port scanners by Denjiro · · Score: 1

    I agree. I've got one of these myself and it works great.

  80. Re:It's true, what goes on "out there" is horrendo by XyouthX · · Score: 1

    I work at a large ISP here in scandinavia taking care of abuse and support email/phonecalls.

    These new personal-firewall programs are really really starting to piss me off, about 95% of all abuse calls turn out to be either NetBIOS connection attempts from their friends or open proxy scans from IRC servers.

    Please go away evil software.

  81. Re: Oh dear... by SurrealKnife · · Score: 1

    On the other hand, what about the support calls you get when some poor user has his/her system infiltrated because there is no protection there? And anyway, most companies seem to have the ideal way of dealing with software support calls they don't want: "No, no, you don't want to talk to us about that - look, ring this number here and talk to the people who wrote it"

    Yes, perhaps my comment was a little definite; but as you say, you have to draw the line somewhere. I choose to draw it in favour of greater potential security, especially having read about all of the people on this site who have had their PC's compromised when using broadband.

  82. Firewalls are must by stigvolestrangler · · Score: 1

    Many users of broadband here in Australia (@Home our Telco's BigPond) have reported attacks on their systems; Telstra's BigPond service recommends not using TCP/IP at all except for their cable connection. (Me? I'm safe-ish behind my Linux firewall)

  83. Re:DHCP != security by Slak · · Score: 2

    Best be careful, you might wind up like Nader being sued by MasterCard for your parody. That said, very nicely done:

    Old 486: $50. Geek on a caffeine high: $5, $0 if s/he's already jacked on coffee. OpenBSD or Slackware burned on a CD: $0. A kickass firewall to confound the kiddiez with the latest 'sploits and nmap: priceless.

    Cheers,
    Slak

  84. Re:"Safe" Win/Mac only, and Firewalling all servic by Technician · · Score: 1

    Watch all the IM users and Napster users revolt if that happens! There are a few.

    --
    The truth shall set you free!
  85. Re:Hope DHCP keeps away from me :( + what security by Koos · · Score: 1
    the 24.0.0.0 address space is owned by the entire @home network.

    The 24.0.0.0/8 address space is reserved for 'cable modem use' and @home has the first part (24.0.0.0 - 24.23.255.255). Other cable providers have other parts (such as UPC/A2000 here in the Netherlands, who has 24.132.0.0 - 24.132.255.255).

    At the last RIPE meeting, the ICANN director told that this special use of 24.0.0.0/8 addresses for cable modems would come to an end since it gave them more hassle and Cable modems aren't that special anymore.

    About the story in general: I can only repeat remarks made before. For some reason the "DHCP for security" myth seems to be very active lately.

  86. Re:security by rosie_bhjp · · Score: 1

    It's different 'cause.. well...
    believe it or not... it's a social thing.
    kinda.

    It's more fun to kill people when you can hear their real life counterparts cursing at you, and roger wilco just doesn't cut it. It also gives a "good" excuse to get away from your husbands, wives, kids, or whatever and have a few beers.

    The best part is picking out the loser for the event. That poor soul who is so excited to come over, only to find out that somehow his peachy-keen brand new Pentium VI-4GHZ decided to divide by zero for eternity SOMEWHERE between Jefferson St, and Lavalle Ave. The rest of the event for him, is figuring out what went wrong and why it happened to him of all people. You can't buy fun in such volumes as that. Except if you lived in Las Vegas... you can buy anything there.

    rosie_bhjp

    --
    A radio maverick jumps to internet only. The Future of Rock n Roll
  87. Re:"Safe" Win/Mac only, and Firewalling all servic by plague3106 · · Score: 1

    What if i want to be able to open a share to the internet? Maybe it has some kind of security needed to access...

    At any rate, claiming that DHCP is protecting customers is outright ridiculous. Modem users have that as well, and they are in more trouble than they commonly think. RoadRunners uses DHCP too, but for the most part, my IP address doesn't change. I've had 2 different ones since Sept.

  88. Better for a newbie by DreamerFi · · Score: 3

    Check out the NetBSD/i386 Firewall Project. Far, far easier for a newbie.

    And yes, 15% of the people who visit that web site do so from the @home domain...

    -John

  89. Re:It's a double-edged sword by Ed+Avis · · Score: 2

    There was a user where I used to work who went mental when his machine was _pinged_. It's dangerous to give Windows users software like Zone Alarm or Norton Personal Firewall...

    --
    -- Ed Avis ed@membled.com
  90. ZoneAlarm SUCKS by kindbud · · Score: 1
    False alarms from ZoneAlarm have plagued me to no end. I am lead administrator for a large dot-com, and the ZoneAlarm users send me email all the time complaining about "scans" coming from my network, all with source ports 80 and 443. I usually have to ask the person reporting the "scan" what the source ports are - ZoneAlarm does not tell them that LOGS are important when reporting abuse. Furthermore, it does not log the TCP flags, so I sometimes have a hard time convincing some users that ZoneAlarm is wrong - but usually a paragraph or two about TCP handshaking will make them go away.

    I should bill the ZoneAlarm vendor for all the time I have spent supporting their users.

    I fear that ZoneAlarm and lame Windows firewalls like it will only increase in use with time - and more articles like this.

    --
    Edith Keeler Must Die
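The distinction kindbud draws above, as an added example that is not part of the original comment or of any firewall product: a bare SYN to a local port is an unsolicited connection attempt, while SYN+ACK or ACK segments from source port 80 or 443 belong to a connection the user's own browser opened, and a log line without flags cannot settle the question. The log format, function names and sample lines are constructed for illustration.

```python
"""Triage personal-firewall alerts: reply traffic vs. unsolicited connection attempts.

Constructed log format (an assumption, not any product's real format):
    <src_ip>:<src_port> -> <dst_ip>:<dst_port> <TCP|UDP> [FLAG,FLAG...]
"""
import re
from collections import Counter, defaultdict

WEB_PORTS = {80, 443}  # the source ports named in the comment above

LINE_RE = re.compile(
    r"^(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)\s+"
    r"(?P<proto>TCP|UDP)(?:\s+(?P<flags>[A-Z]+(?:,[A-Z]+)*))?$"
)

# Constructed sample; all addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
198.51.100.10:80 -> 192.0.2.25:1042 TCP ACK,PSH
198.51.100.10:443 -> 192.0.2.25:1043 TCP SYN,ACK
198.51.100.10:80 -> 192.0.2.25:1044 TCP
203.0.113.7:3101 -> 192.0.2.25:21 TCP SYN
203.0.113.7:3102 -> 192.0.2.25:23 TCP SYN
203.0.113.7:3103 -> 192.0.2.25:139 TCP SYN
203.0.113.9:4000 -> 192.0.2.25:1080 TCP SYN
203.0.113.9:4001 -> 192.0.2.25:6000 TCP
203.0.113.50:137 -> 192.0.2.25:137 UDP
this line is damaged
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    flags = m.group("flags")
    return {
        "src": m.group("src"),
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "proto": m.group("proto"),
        # None means the firewall did not record TCP flags at all.
        "flags": frozenset(flags.split(",")) if flags else None,
    }


def classify(event):
    """Give one verdict per parsed event, based on TCP flags where present."""
    if event is None:
        return "unparsed"
    if event["proto"] != "TCP":
        return "non-tcp"
    flags = event["flags"]
    if flags is None:
        # Without flags the source port is only a hint, never proof.
        return "probable-web-reply" if event["sport"] in WEB_PORTS else "undetermined"
    if "SYN" in flags and "ACK" not in flags:
        return "connection-attempt"   # first step of a handshake, aimed at us
    if "SYN" in flags:
        return "handshake-reply"      # SYN+ACK: second step, answers an earlier SYN
    return "existing-connection"      # ACK/PSH/FIN/RST: mid-stream or teardown


def triage(log_text):
    """Count verdicts over every non-blank line of a log."""
    return Counter(
        classify(parse_line(line))
        for line in log_text.splitlines()
        if line.strip()
    )


def scan_sources(log_text, min_ports=3):
    """Sources that sent bare SYNs to at least min_ports distinct local ports."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        event = parse_line(line)
        if classify(event) == "connection-attempt":
            ports[event["src"]].add(event["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    for verdict, count in sorted(triage(SAMPLE_LOG).items()):
        print(f"{verdict:20} {count}")
    print("worth reporting:", scan_sources(SAMPLE_LOG))
```

Flags are evidence rather than proof: a stateful firewall decides by matching each packet against the connections it has actually seen, which is why a log that omits flags leaves the abuse desk guessing.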
  91. Thank god for ipfilter by 0xA · · Score: 1

    I have an @home cable connection. It's really the only available broadband in my city, from what I've been hearing, the local telco has made a real mess out of their DSL service.

    I have had an OpenBSD box up as a firewall / router for about 2 months now. I didn't really put a lot of thought into my firewall rules because I wasn't especially concerned about someone coming after me. I just put together something basic, killed everything I didn't need running and turned on ipmon.

    Last week I decided to start messing with ipsec to see if I could set myself up a connection to work and I noticed I was just about out of friggin disk space. On a 1 gig drive!

    I'm far from an expert on this stuff but near as I can figure I've been port scanned about 4 times a day the whole time the firewall has been up.

    Time to learn more about firewall setup. Ain't life in 24.x.x.x great?

  92. For the record... by yerricde · · Score: 2

    Elf Bowling, a holiday-themed bowling simulator for Windows, was not a trojan. There was a hoax going around that it carried a virus, but this proved to be false. Either way, you can pick up a clean copy of the latest version here.

    --
    Will I retire or break 10K?
  93. Motives by _Sprocket_ · · Score: 4
    Let's remember what a cracker does this for: the thrill of the chase, the bragging rights to a successful crack, and (more maliciously) any rewards from the compromized site.

    Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligable. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)

    Different people are motivated by different things. Sure, you're going to have attackers whose interests aren't met by @home customer targets. That doesn't hold for every attacker.

    What's the value of an average user's Windows box?

    Perhaps a script that runs through open shares looking for a default install of financial software and harvesting the user's data. Maybe the script harvests cookie.txt files and scans them for common online bank identifications. Imagine the wealth of information an identity thief could have waiting for them after a day or two running such scripts.

    Maybe the data itself isn't interesting. Instead we have a host with a broadband 24/7 connection. Relatively insecure. Perfect DDoS server host.

    Of course... that's assuming the value is something that normally makes sense. It's great that you mention Quake. Quake cheats are relatively rampant. Why bother playing if you're playing with an artificial advantage - and one that's been "done" before? Yet it happens all the time. In the same line, you have skript kiddies who see themselves as something special if they can poke around, and maybe even delete, some unsuspecting target's files. The fact that it may have been trivial to do so means nothing to them.

    Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes.
    The article opens up with the example of an unknown individual posting messages on target machine's WINDOWS desktops. Apparently enough of a customer base was affected by this "attack" to warrant an FBI investigation.

    It doesn't matter what OS you're using. It doesn't matter if your IP address is constantly moving. Connect a box up to a broadband, persistent connection and it is a target. Being unaware of this is the danger.

  94. Re:DHCP != security by DreamerFi · · Score: 4

    Step 4: visit www.dubbele.com

    I may not be a Geek on a caffeine high, but that firewall is priceless - free, that is :-)

    -John

  95. Don't be stupid and make noise about this... by TobyWong · · Score: 1

    The last thing I want is to see PPPoE or some similar dumbing down of my @home just because joe moron down the street left an open share on his machine and had his goat porn collection deleted.

    Right now I have a static ip, no @home firewall, and optional http proxy (which I don't use).

    The hands *off* approach taken by rogers@home is what has kept me with them. Sometimes I wonder how long it will be before too many idiots make too much noise and @home implements a moron lockdown. I guess when that happens I will have to take the leap to shell out 4-5 times more cash for a commercial connection.

    As for the original poster, buddy you don't know how good you have it... shut your piehole before you force @home's hand.

    --
    - Toby
    1. Re:Don't be stupid and make noise about this... by Erikmad+scientist · · Score: 1

      OK, the truth from an @Home SW engineer.

      A small background on cable modem technology: your cable modem is not a brain-dead network bridge with a little compression thrown in, like your typical telco modem or DSL device. A cable modem works as a kind of mini router, and as a router it can be configured to filter out traffic that broadcasts across your network, like the infamous Windows file and print sharing broadcasts...

      Q: "Why do we do this?" you ask.
      A: Well, think of it this way... the network you are connected to is a data stream; do you really want someone spewing dirt into your clean streams and rivers? NO. Additionally, unsuspecting users' systems could be damaged by an uncreative wannabe hacker; remember, not all or half of our users are techno-savvy folk. This does not mean we are firewalling you in; it means we are keeping data that was never meant to go out of the users' home networks off your broadband connection. It is wasteful and drives up the cost of your connection.

      On the optional http proxy note... you may want to turn them on because:
      1. Our proxies do not log, so unlike AOL and smaller ISPs we do not resell your site hits.
      2. We mainly store graphical information files of large content on the proxies to save you from having to (again) waste your connection and @Home's backbone on repeating the same request another user just did. Again, it saves bandwidth and it saves us/you in the end, with hopefully soon a reduction in cost.

      Erik, @Home

    2. Re:Don't be stupid and make noise about this... by TobyWong · · Score: 1

      The thing is, I don't want @home deciding what is "meant to go out of the users home networks off your broadband connection".
      The problem is with the big ISPs it seems to be all or nothing... right now it's pretty close to 'all' and I would hate to see @home start deciding what is "good for me". If I wanted castrated high-speed service I would sign up for Sympatico HSE.

      On the proxy issue,
      1) I have no way of verifying that.
      2) I have no way of verifying that.
      If @home doesn't sell my information, then why is it I have a ton of junk emails in the @home email address I was given but have never used?

      --
      - Toby
    3. Re:Don't be stupid and make noise about this... by Erikmad+scientist · · Score: 1

      I agree with the sentiments... I will see if we could make the port route out an option you can set yourself.

      Granted... 1 and 2 are a take at face value problem.

      Alas our Email administration group is how shall I say this delicately... plain stupid. A spammer just read our LDAP email store and sold your account. We are not perfect but I will try to admit our flaws openly.

      Email has surprisingly remained our single largest problem. In security alone we fail to protect our users rights to confidentiality. Hopefully changes are in place to replace what has been so lacking in our support of users.

      Erik
      @Home

    4. Re:Don't be stupid and make noise about this... by Tassach · · Score: 2
      Eric,
      It's nice to see a little honesty coming out from behind the corporate veil.

      I've been a comcast@home subscriber from practically day 1, and for the most part have been very satisfied. My biggest problems so far have been:

      • Undependable DNS. My assigned DNS servers seem to go down at least once every other week. This bothers me less now that I have my own caching DNS server; but renders the service useless to most people.
      • Undependable email. I'll take your word that your email department is staffed by idiots. Lately, it takes 2 or 3 tries to connect to the mail server. I might have to go to self-hosting, taking advantage of Tzo's store & forward service.
      • Really goofy routing. For example, packets going from work to home (3 miles apart in MD) get routed dc (qwest) > chicago (qwest) > cleveland (@home) > nj > dc. There should be a more direct route, since both @home & qwest both have backbone connections in DC. The return route is basically identical. I also see several 10.*.*.* addresses when tracerouting in from work.
      --
      Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  96. Re:Game port scanners by F452 · · Score: 1
    I agree that the Linksys is a great unit - I have the 4-port one myself. One clarification - it doesn't actually have a built-in firewall. It uses Network Address Translation (NAT) which has the effect of acting as a firewall.

    A negative is that it is difficult (if not impossible) to host a Quake3 server. I haven't tried to get one going but I know people have had a lot of difficulty with it. You can join Q3A and Starcraft games just fine however :-)

    For my Windows machine I also use the free ZoneAlarm software, which allows you to control incoming and outgoing connections.

  97. Plays into .NET's Hands by ssclift · · Score: 2

    The net as we know it today (unlike the French Minitel of the 80's) doesn't encourage people to put up services. Articles like this; slow adoption of IPv6 by legacy O/S's; it's all part of a general disempowerment consumers are experiencing that favours plans like .Net and hotmail that centralise their information in other people's hands when they should be accessing it from their own machines. Why should I use .Net/hotmail when I can get at my own machine over a constant IPv6 address in a secure manner?

  98. Earthlink offers free firewalls... by s390 · · Score: 2

    to its DSL subscribers. Only for Windows and MacIntosh, so I can't use it (I run OS/2 with Injoy Firewall, and Linux). Here's their letter:

    Subject: EarthLink DSL Members - Free Personal Firewall Software
    Date: Thu, 19 Oct 2000 17:27:45
    From: "EarthLink Broadband Team"
    To:

    Dear EarthLink Member,

    EarthLink cares about keeping your information secure, which is why we're
    pleased to offer personal firewall software FREE to our DSL members. Personal
    firewall software monitors all Internet connections to and from your computer
    and alerts you to attempted intrusions.

    This special security package, valued at over $49.95, includes either Symantec
    Norton Personal Firewall 2000 v2.0 for Windows users or Open Door DoorStop
    Personal Firewall 2.0 for Macintosh users. Both of these powerful software
    offerings provide security for your PC and privacy for your personal information.

    In order to register for a digital coupon and download your free copy of
    personal firewall software, please click on the link below.

    http://www.mindspring.net/cgi-bin/dsl.pl?ramunro1@ ix.netcom.com

    After you are registered, you will receive your digital coupon for your
    free software in 2-3 business days.

    Please Note:
    -You must be an EarthLink DSL customer whose service is currently activated.
    If your DSL service is not currently active, you will become eligible for
    this offer upon activation.
    -This offer includes one copy of either PC or Mac personal firewall software
    per DSL account.

    Thank you for choosing EarthLink DSL.

    The EarthLink Broadband Team

  99. Re:Windows 98 security by nchip · · Score: 2

    A nice example of Windows security is the following worm. Or how about password passing? The only reason Windows machines aren't cracked so often is that they are not so easy to use remotely as Unixen. Windows 2000 is about to change this....

    --
    signatures pending - ansa@kos.to - (dont mail there)
  100. I install @Home about 6 times every day and... by Afrosheen · · Score: 1

    ...I let everyone know how vulnerable their computer is to attack due to the fact that they're now on a LAN and the connection is more or less permanent. DHCP isn't a security feature, it's done for the convenience of us installers. We end up hard coding or statically coding about 30 percent of computers ourselves since DHCP can be a moody bitch. I always tell people to get a firewall and will download, install and configure it for them if they seem like complete idiots. @Home needs to strike a deal with NetworkIce or someone to make it a part of their software package. I did an install last week where some guy had anticipated his install, done his homework, and had an unopened copy of Blackice on hand. I was impressed. @Home isn't a bad service but they do need safeguards in place. They don't push security to their customers because they don't want to breed paranoia in them. Luckily, everyone that trains with me gets to know the importance of firewalling and security and informs customers of the risks of broadband.

  101. Re:Free Cable TV by jedidom · · Score: 1

    No, this is not true. It may last a while; most likely it won't, though. During the next audit they will most likely check your traps; when they discover that you don't have any, your theft of cable will soon stop. However, this does depend on how busy and how thorough the persons performing the audit are.

  102. Re:I find more zombies on @home than anywhere by Erikmad+scientist · · Score: 1


    Sadly yes,

    We at @Home are working on a better way to educate our user base, but yes, you can't save everyone and still believe in personal freedom.

    Erik
    @Home

  103. A firewall for the whole network? Maybe not... by eherot · · Score: 1

    Personally I think it's up to the home user to make their network or computer secure. There's little difference between what companies like Excite@Home provide and what UUnet and Genuity (or any T1/T3 service provider) provide. I like that, it means that my broadband connection to the internet is more direct and if I don't want to block a port, I don't have to. I don't want to see AT&T blocking ports left and right just because Joe User has no password on his computer. Suppose I have a secure way to open up port 80 or 139? What if I *want* to run a web server? The responsibility of making a computer secure has always been in the hands of its administrator, and it should stay that way.

  104. Re:Free alternative by kindbud · · Score: 1
    I always recommend Zone Alarm...

    Please stop doing that. ZoneAlarm is prone to false alarms, I get 3 or more reports of false alarms regarding "scans" from my network every week. It's downright depressing to think people use and trust crap like this. For God's sake, scans coming from port 80 or 443 right after having visited our site, are flagged as scans by this ZoneAlarm POS, according to the misguided abuse reports I get. If I have to explain TCP handshaking to another @home clueless newbie, I am going to scream.

    --
    Edith Keeler Must Die
  105. Re:"Safe" Win/Mac only, and Firewalling all servic by Erikmad+scientist · · Score: 1

    Not at all. @Home was founded by people who do not believe in the "Walled Gardens" like AOL or Pac-bell. Your connection is never tampered with; we only stop the modem from routing requests or broadcasts on 2 known ports that were never meant to be passed onto the backbone in the first place. To be honest, if you don't know how to close your own ports (like 1054) you deserve it ;-)

    From another post of mine:
    "A small background on Cable modem technology: your cable modem is not a brain dead network bridge with a little compression thrown in like your typical Telco modem or DSL device. A cable modem works as a kind of mini router and as a router can be configured to filter out traffic that broadcasts across your network. Like the infamous Windows file and print sharing broadcasts...

    Q: "Why do we do this" you ask?
    A: Well, think of it this way... the network you are connected to is a data stream, do you really want someone spewing dirt into your clean streams and rivers... NO. Additionally, unsuspecting users' systems could be damaged by an uncreative wannabe hacker; remember, not all or half our users are techno savvy folk.

    This does not mean we are firewalling you in it means we are keeping data that was never meant to go out of the users home networks off your broadband connection. It is wasteful and drives up the cost of your connection"

    Erik @home

  106. I run a server on Dalnet... by chrome · · Score: 1

    ... and the amount of compromised machines using @home's service is ridiculous. Most of the DDOS servers out there join IRC to allow the 'master' to find the compromised machines easily, and dalnet is quite popular because services can control your channels for you.

    I work for a pretty high-profile ISP in the UK and I have tried to contact @home on many occasions regarding DDOS attacks launched from their networks, and all you get is a long message on their answerphone saying "Don't bother trying to contact us, we're dealing with any thing that's wrong, so sod off."

    I'm at wit's end and am almost ready to launch a formal complaint to any and all industry complaints boards that there might be.

    The company is incredibly unprofessional, and rude. I doubt their technical ability.

    chrome.

  107. DHCP lease times by photozz · · Score: 2

    FYI: the DHCP lease times on cable providers (Roadrunner anyway) is about 2 hours. Anyone running a firewall will see a ping from them about once an hour or so to see if you're still there. When I asked them, they said they needed to "up" the time to 2 hrs 'cause the "network" folks were screaming about the corporate mandated 15 MINUTE LEASE TIMES. Can you say ping nightmare?

    --
    Dirty Pirate Hooker
    1. Re:DHCP lease times by eudas · · Score: 1

      wouldn't a 15 minute dhcp lease time cause a lot of lost bandwidth in overhead for dhcp negotiations on the internal network?

      eudas

      --
      Blessed is he who expects the worst, for he shall not be disappointed.
    2. Re:DHCP lease times by drsoran · · Score: 1

      I think that's what he was getting at. That's why the network folks were screaming. ;-)

  108. Re:Good. Luckily, I have only public information. by F452 · · Score: 1
    I was really worried that some evil hacker might break in and steal all of my public information

    LOL :-)

  109. No thanks by Zagato-sama · · Score: 4

    Well, I'll be the first to say that @home sucks like no tomorrow. I was one of their first beta testers, and had stuck in until half a year ago when I finally couldn't take their ex-taco bell phone support anymore. Having to stay on hold for twenty minutes in order to get transferred to someone who knows what "traceroute" is bites.

    However, one thing @home didn't do is silly things like this. Please, you want an ISP to infringe upon your freedom and dictate what kind of traffic can come in, and can't come out? Hey that's nice and all, but I'd rather have the freedom to setup a firewall for myself, I don't need my ISP to do that for me. For a website who talks about freedom so much, this is a pretty bogus idea

    1. Re:No thanks by Erikmad+scientist · · Score: 1

      On behalf of @Home I'm sorry for the problems you had. @Home is a partnership with many cable companies like Cox, AT&T and Comcast; we can not control their performance or their ability to keep their cable understructure clean... I will say that if you want to try us again I can arrange a 30-60 day trial for free...

      If you're up to it, email me and try us again. @Home is working very hard to make up for its faults in the past.

      Erik
      @Home

    2. Re:No thanks by Anonymous Coward · · Score: 1

      How much more dangerous is a broadband connection than an old POTS dialup?

      • It's on when you're not, so more things can happen when you're not looking
      • It's harder to notice curious resource usages if you are hax0red.

      And that's about it. Attaching your computer directly to a cablemodem is not some magical guarantee of instant flaming death like some people would make it out to be - That said, doing so while also engaging in high-risk activities like teasing l33t hax0rz on IRC isn't necessarily a good idea.

      I personally run about half a dozen computers directly on my cable modem, two each of IRIX (better known for performance than security), Debian (It's not OpenBSD, but what is?), and MacOS (You can crash it all you like but you can't break in), and *never* has anything distasteful happened to any of them.

      Personally it just really amazes me that Ye Olde Freedom-Fighter americans (I'm canadian - cable modems don't suck up here) would say something along the lines of "Gosh the internet is dangerous, I sure wish big brother would restrict our connection in ways we can't control because they tell us we're safer that way". I mean, SERIOUSLY! Think about it.

  110. I find more zombies on @home than anywhere by Jason+Straight · · Score: 1

    Snort alerts me to all the scans done on my network (2 class C's) and every night is at least 2 from @home. And it's not like I ask for it, it's got to be just spanning networks, I don't even allow ping or traceroute to my network.

    There are tons of zombie machines on @home

  111. Bad, bad! by MWright · · Score: 1

    This could cause more harm for their customers...

    I have a cable modem that uses DHCP. Every once in a while, I'd see that another remote root exploit was found. I'd pretty much say "Well, I don't really need that. Probably only people running websites, or more important things. I'm using DHCP, and nobody will attack me, anyway".

    Then, later, my computer gets rooted. People, ALWAYS update when big security flaws are found! You'll save yourself the trouble of backing up and reinstalling the whole system later on!


    -----

    --
    "But really, I think life is just a game of Mao Nomic." -Purplebob
  112. Personal firewalls (part 2) by 13013dobbs · · Score: 1
    As an abuse person at a tier1 backbone I would like to add a few things to this post:

    1. Learn about what you are blocking/reporting. We get numerous reports of people claiming that our DNS servers are attacking them, or they will mistake an ICMP host unreachable packet as an ICMP flood.
    2. PLEASE use NTP! Our dial-up pool IPs get reassigned 20+ times a day. An offset of 15 minutes can cause us to finger the wrong account. I think most people set their computers based on their watch, which is based on their VCR, which is based on the time they saw on the WeatherChannel. I have received reports on a Tuesday about packets that, according to the logs, were sent on the following Friday.
    --

    No replies made to AC posts. Please log in.
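
The attribution problem described in the comment above, as an added example that is not part of the original post or any ISP's tooling: a lookup of who held a pool address at the reported time, and a triage step that widens the lookup by the reporter's possible clock error. The lease table, account labels and function names are assumptions constructed for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def ts(day, hour, minute):
    """Shorthand for a UTC instant in October 2000 (constructed sample data)."""
    return datetime(2000, 10, day, hour, minute, tzinfo=UTC)


# Constructed lease history for one pool address (documentation range).
# Sorted by start time; the account labels are invented for this example.
LEASES = {
    "192.0.2.17": [
        (ts(24, 18, 2), ts(24, 18, 41), "acct-A"),
        (ts(24, 18, 43), ts(24, 19, 5), "acct-B"),
        (ts(24, 19, 6), ts(24, 20, 30), "acct-C"),
    ],
}


def holder_at(ip, when, leases=LEASES):
    """Account holding `ip` at the instant `when`, or None if it was unassigned."""
    history = leases.get(ip, [])
    i = bisect_right([start for start, _, _ in history], when) - 1
    if i >= 0 and when <= history[i][1]:
        return history[i][2]
    return None


def holders_within(ip, when, max_skew, leases=LEASES):
    """Every account whose lease overlaps [when - max_skew, when + max_skew]."""
    lo, hi = when - max_skew, when + max_skew
    return [acct for start, end, acct in leases.get(ip, [])
            if start <= hi and end >= lo]


def triage(ip, reported, received, max_skew, leases=LEASES):
    """Classify an abuse report by how safely it can be tied to one account.

    reported: event time taken from the reporter's log
    received: time the report reached the abuse desk (trusted clock)
    max_skew: how far the reporter's clock may be off
    """
    if reported > received + max_skew:
        return ("reject", [])            # event is dated after the report arrived
    accounts = holders_within(ip, reported, max_skew, leases)
    if not accounts:
        return ("no-lease", [])
    if len(accounts) == 1:
        return ("attributable", accounts)
    return ("ambiguous", accounts)       # more than one customer fits the window


if __name__ == "__main__":
    ip = "192.0.2.17"
    desk_time = ts(24, 21, 0)
    # The packets were really sent at 18:50 (acct-B), but the reporter's clock
    # runs 15 minutes slow, so the log says 18:35.
    print("naive lookup:", holder_at(ip, ts(24, 18, 35)))
    print("unsynced reporter:", triage(ip, ts(24, 18, 35), desk_time, timedelta(minutes=15)))
    print("NTP-synced reporter:", triage(ip, ts(24, 18, 50), desk_time, timedelta(seconds=1)))
    print("future-dated log:", triage(ip, ts(27, 9, 0), desk_time, timedelta(minutes=15)))
```

With a 15-minute uncertainty the report matches two customers and cannot be acted on; with a synchronized clock the same event resolves to a single lease.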

  113. AT&T@Home.... by NNKK · · Score: 1

    being an AT&T@Home user, I can tell you that their DHCP is both useless and irritating

    a: it simply doesn't appear to work within linux or any other OS besides windows
    b: it always assigns the exact same IP address
    c: even if it didn't assign the same IP address, because of how the network is organized, the hostname will remain the same

    thus, DHCP use on the @Home network, at least in the northwest united states, is a waste of resources

    1. Re:AT&T@Home.... by NNKK · · Score: 1

      oops should clarify I'm well aware that proper DHCP works within linux, I was referring to the fact that AT&T@Home's DHCP servers are poorly set up

    2. Re:AT&T@Home.... by Erikmad+scientist · · Score: 1

      Actually your Cable modem is your DHCP server (you could hit it to make yourself feel better). DHCP is a lousily defined RFC and allows for many interpretations (http://www.ietf.org/rfc.html); ours does have problems with some Linux releases. Our RDC based DHCP software was written by @Home because no other company's DHCP implementation could handle the load... 120 requests a second.

      Imagine what happens when a city loses power... that's right. Every cable modem comes up and asks for its IP address and boot file and like a bunch of hungry chicks this server has to manage to service all the chicks, rather a daunting task huh?

      Erik
      @Home

    3. Re:AT&T@Home.... by Erikmad+scientist · · Score: 1

      sorry not how we (@Home) run it...

      Ok, why does @Home use DHCP when you seem to get a static IP address...

      Another small background on Cable modem technology: your cable modem is not a brain dead network bridge with a little compression thrown in like your typical Telco modem or DSL device. A cable modem works as a kind of mini router and DHCP server; as a DHCP server it can be configured to issue IP addresses and allow them to route back to the backbone.

      Q: why did we do this?
      A: Part 1. This allowed @Home to dynamically manage its IP blocks and routing tables. How does this help you the user? With this you can hit a web page and get more IP addresses for your home network (up to 5 in most areas). In addition all our devices can also be dynamically readdressed, allowing an infinite (or close to it) growth of the @home network.
      Part 2. Security is another consideration: it is hard to hack a moving target. A user can call or email @Home that they are under fire and we can first move them off to a new IP address; if the attacker finds our user again we can port capture their address and call them up (if they are a fellow user) or block the IP at the cable modem for a few weeks.

      Erik
      @home

    4. Re:AT&T@Home.... by Erikmad+scientist · · Score: 1

      AT&T has little to do with it; they give @Home the copper is all. We (@Home) ate the technology that makes this work... even for roadrunner they copied our model easy since we believed in open standards.

      Erik
      @Home

    5. Re:AT&T@Home.... by photozz · · Score: 2

      If you shut down your system for a day or so, you would probably get a different address, as long as your old one has been reassigned in the meantime. That's how it works. It allows them to keep a smaller base of IPs for a larger base of users. Also facilitates subnetting when traffic gets too heavy on one network.

      --
      Dirty Pirate Hooker
    6. Re:AT&T@Home.... by FeeDBaCK · · Score: 1

      The DHCP employed by @Home (at least Charter here in Upstate SC) *WILL* work on a Linux box, sorta. They *assign* a hostname only to a machine. The machine then connects to their network (remember them changing the computer name to your hostname? there's a reason for it.) To get Linux to grab an IP:

      Install samba. Set it up with the computer name being your @home hostname. The workgroup is @home. Start DHCP client. Voila!

      You may now remove samba.

      --
      wolf31o2 Developer, Gentoo Linux Games Team
    7. Re:AT&T@Home.... by NNKK · · Score: 1

      on the work order for my cable modem installation, it LISTS the IP address and hostname I am to use

      and the fact that it still assigns the same hostname due to how the network is organized remains, thus not really reducing any security risk

      and realistically they still need an IP address for every user, as many people simply leave their systems on, especially the customer who isn't simply an "average user"

    8. Re:AT&T@Home.... by NNKK · · Score: 1

      you obviously don't have a clue how your own network works
      do you not realize that all someone has to do after you switch the IP address is do a DNS lookup on the hostname?
      i.e. c79347-a.whateverregion#.whateverstate.home.com will point directly to the IP address
      all the attacker has to do is make sure to retain the hostname in addition to the IP address
      either you don't work for @home or this is further proof that @Home simply doesn't know how to run an internet service PERIOD

    9. Re:AT&T@Home.... by NNKK · · Score: 1

      you don't seem to have a clue what I've been saying

      I'm saying that their DHCP system DOES NOT WORK

      if it was truly useful, the IP address would indeed change, and the hostname would indeed change, in fact I'd prefer that since if I want a static IP I'll ask for one, or better yet take my business elsewhere (which I will be doing IMMEDIATELY after DSL is available in my area REGARDLESS of cost) and request a static IP there

      their system also fails to work with linux without requiring Samba to be set up first

      all in all I'd much prefer a DHCP system that did what DHCP is supposed to do

    10. Re:AT&T@Home.... by NNKK · · Score: 1

      workgroup... of course... I should have realized that's why DHCP wasn't working it still begs the question, wtf is AT&T thinking?

    11. Re:AT&T@Home.... by photozz · · Score: 2

      Then you must have a static IP assigned to the MAC address of your modem. It doesn't necessarily have to be set on your system.

      --
      Dirty Pirate Hooker
  114. Getting started with securing your home LAN by image · · Score: 1

    Hi,

    I've found my home LAN to be relatively secure. I started with these two things:

    One) Purchase a WatchGuard SOHO Firewall/Gateway device. Only $350 at Outpost.com (free overnight shipping!). This little beauty does DHCP and NATs your LAN as well. You can plug 5 machines directly into it, or extend it with a hub. There is also a VPN option if you want it. It is configurable via a web interface, and can basically upgrade itself from their website.

    Two) Start running iptables on the 2.4 Linux boxes, and ipchains on the 2.2 boxes. Here is a version of the firewall.sh script that I run to configure iptables to keep the box reasonably safe, without going overboard.

  115. Re:It's true, what goes on "out there" is horrendo by buysse · · Score: 1

    ...well documented log excerpts to show a clear pattern of abuse, not some untraceable and/or forgivable indiscretions.

    Keep in mind that for these logs to actually be *useful*, it helps if you have the correct time in those logs. Something like NTP is your friend.


    --
    -30-
  116. It's a double-edged sword by petermarks · · Score: 5

    I use the Australian excite@home, and we get probed every day. It's important to warn consumers about the risks - don't turn any services on that you can't control, stay up to date etc.

    What would be worse would be for the broadband provider to put a big filtered firewall in the way so I couldn't use the internet the way I want.

    What might be best is the ability for consumers to choose "safe/protected" mode or "open" mode where we are responsible for our own firewall.

  117. Moderators! Ease off the crack! by Tim · · Score: 2

    Who the heck moderated this thing up as Informative? It has one link!! To a well-known OS's website, no less!

    Here, I'll be more informative:

    Linux.com
    Linux Kernel
    Computer Emergency Response Team (CERT)
    Securityfocus.com

    Woo-hoo! Now I'll just kick back, relax, and watch the karma roll in...

    --
    Let's try not to let fact interfere with our speculation here, OK?
  118. Re:DHCP? What a laugh by Necron69 · · Score: 1

    Just as an example, some joker cracked my dial-up Linux box, back in May when I had uswest.net. (They apparently exploited a bug in rpc.statd).

    The bad guys WILL find you, DHCP means nothing in terms of security. Buy or build a firewall, or you WILL be sorry.

    - Necron69

  119. You think that's bad by nihilogos · · Score: 4

    Optus@home (an Australian cable ISP) states in their FAQ that

    Optus@Home is completely secure if you are using a standard operating system like Windows 98.

    I had a good laugh over that one.

    --
    :wq
    1. Re:You think that's bad by Chops · · Score: 1

      Yah, I got my DSL yesterday, and since then I've seen six bunches of SYNs on port 139 (Windows file sharing) bounce off my firewall... it's kind of the "looking for change in phone booths" of cracking.

  120. Unplug the ethernet cable when you are finished by mrs+clear+plastic · · Score: 2
    A house guest of mine (who is an experienced unix sysadmin) suggested this. When I am finished using the workstation, I would unplug the ethernet connection from the dsl modem that my ISP sold to me with the service.

    If the ethernet is disconnected, then they cannot get into the system.

    --
    Cleara
  121. Rogers@Home by douper · · Score: 1

    In Canada, Rogers@Home has a new advertising campaign all over TV/Radio saying that cable is safer than DSL.

    I laughed out loud the first time I heard it.. ahh well...

    1. Re:Rogers@Home by Erikmad+scientist · · Score: 1

      Correction, Digital Phone Service is a cable modem based Telephony service, so you're a little misinformed :-) If a word sounds like it does not mean it is:-).

      Please go to...
      broadband.att.com

      Erik

    2. Re:Rogers@Home by NNKK · · Score: 1

      in the pacific northwestern united states (I don't know about elsewhere), AT&T is running two separate ad campaigns

      1. pro-cable, anti-DSL
      2. pro-Digital Phone Service (translation: DSL) anti-cable

      both refer to bandwidth
      they're competing with themselves
      are they doing this intentionally, or is this a case of the right hand not knowing what the left hand is doing?

  122. Re:not to be a bitch... by UU7 · · Score: 1

    I use OpenBSD on my p166 and love it. The NAT works beautifully and I appreciate it not installing a ton of garbage I didn't need. By no means am I saying that this is the only way to go. But I have found that the default install is quite secure and stable and includes exactly what you need for NAT and firewall capability. More so than debian or redhat.

  123. DHCP? Yes. Changing IP? No. by bdjohns1 · · Score: 2

    Sure, @Home says they're using DHCP. Every time my system comes up or down, I always get the exact same IP address - it's configured through dhcpcd, but never changes.

    In any case, it's easy enough under Linux, since I'm not doing masq or anything - I just closed off basically every service. All that's listening is Apache, SSH, sendmail (no relay), and imapd (but only to 127.0.0.1 for IMP via httpsd).

    It's not a perfect setup by any means, but between that, a backup of my RPM database, and tripwire, I'm in decent enough shape.

  124. ***VERY WRONG*** by ironman8250 · · Score: 2

    This goes even beyond the basic insecurities I'm sure you've all already posted about.

    I just wanted to let you know just how pointless DHCP is here on mediaone (now AT&T broadband) in Massachusetts. The nameserver here allowed me to do a ZONE TRANSFER... yes, that's right. It handed over a nice list of every host on the network... users and all. And since the names are usually based directly on the MAC address, the IP doesn't even matter. This is a serious security problem that I've notified them about...

  125. win smb bug by Barbarian · · Score: 2

    There's a bug in windows filesharing right now, where the client attempting to connect can specify the length of the password.. Okay, so they specify 1, and that's 256 max to try, 128 avg.

    --

  126. Re:It's true, what goes on "out there" is horrendo by Alan · · Score: 1

    Not to plug, but our product Gateway Guardian is a new way of doing firewalls. Not really a "personal" FW, but something that is probably a little more industrial strength (and smart).

  127. A little paranoia and a little common sense go far by Lord+Kano · · Score: 2

    When I had my linux box sitting between my cable modem and the outside world, I killed just about every service on eth1(which was connected to the cable modem) except for appletalk, telnet and a couple of others which I wanted to use from work.

    Every once in a while I'd get portscanned. No big deal. If it's some script kiddie, if he doesn't see anything interesting he'll just move on. No response to http requests, and any attempted telnets would give the prompt "Login:". No kernel or distro information to give someone an idea about which buffer overflows to try to exploit.

    If you've ever carried large amounts of cash through "bad" areas you already know how to play this game. It's called "Blend In": if you look as plain and normal as everyone else, you're not going to attract the wrong type of attention. If your machine is responding to requests on every port (figuratively, not literally) and you're giving WAY too much information away in your issue.net, you're making yourself far too tempting of a target for crackers.

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
  128. Re:slashdot fearmongers by chrome · · Score: 1

    Wrong.

    They want as many win98 boxes they can get so they can install DDOS floodnet trojans such as Sub7.

    1 windows box on a rogers@home link isn't much, but times that by five hundred, and you have a network of machines that is able to generate an *astounding* amount of traffic.

    This is not FUD. This is fact. I see it every day.

    chrome.

  129. perhaps by niekze · · Score: 1

    They are waiting for their prototype router/switch like linksys makes....then they'll say: "HOLY SHIT. YOU DON'T HAVE A FIREWALL?" then proceed to offer you amazing savings on their product with the "no brains, no problem" service. But, that's just my opinion. dhcp is safe? then why were there a few nice exploits for it recently. answer? to even out the playing field for the windoze kids that got Backorifice or Netbus when they got Diablo III beta or some crap off #kr4dw4r3z or some shit. hell i don't know. Time to drink more beer.

    --
    Chaos, Mayhem, and Destruction: Not
  130. It's the gateway, stupid... (not you, state*less) by dpilot · · Score: 2

    One of the parameters passed by DHCP is the gateway. If a rogue server passes a bum gateway address, they can route all of your traffic through them, and sniff it all.

    Veracity check:

    Does DOCSIS prevent this?
    On a DOCSIS net, is the gateway essentially a null field, and your head end is always the gateway?
    Or can you be spoofed into going through your own head end, and gate through the rogue's system?

    --
    The living have better things to do than to continue hating the dead.
  131. Re:It's true, what goes on "out there" is horrendo by photozz · · Score: 2

    You might want to check the IP of the attacks, I was getting about 30 or so a day until I found out most of them were just pings from the provider asking to renew the lease on the IP

    --
    Dirty Pirate Hooker
  132. Re:It's the gateway, stupid... (not you, state*les by Malor · · Score: 1

    About all that would happen that way is a denial-of-service. Default gateway has to be one hop away. A remote attacker can't specify his own IP address as your gateway, he has to specify another machine on your network. So he can shut you down remotely, but that's about all.

    Now, this attack is useful once he has control of a machine on your network. There are all SORTS of exploits once you have root access to the wire. This is a lot of the reason for the domino effect -- once you lose one machine, your others usually fall over like dominoes because they trust that machine not to be malicious.

    Security is a process, not a state. The more secure you think you are, the less secure you tend to be. Andy Grove would love this field -- 'only the paranoid survive' :-)
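
The rogue-gateway scenario discussed in the two comments above, seen from the defending side, as an added example that is not part of either post: a parser for DHCP server replies that flags an unknown server identifier, a router that is not on the offered subnet (the "one hop away" rule), or a router that is not the expected gateway. The allowlists, addresses and function names are assumptions, the sample replies are constructed, and the DOCSIS question is not addressed.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie (RFC 2131)
OPT_PAD, OPT_MASK, OPT_ROUTER = 0, 1, 3
OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
BOOTREPLY, DHCPOFFER, DHCPACK = 2, 2, 5

# Assumed site policy for the demo (documentation addresses).
TRUSTED_SERVERS = {"192.0.2.1"}
TRUSTED_ROUTERS = {"192.0.2.1"}


def parse_dhcp(pkt):
    """Parse a DHCP message (the UDP payload) into the fields audited below."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": pkt[0], "yiaddr": ipaddress.IPv4Address(pkt[16:20]), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError("truncated option")
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def audit_reply(pkt, trusted_servers=TRUSTED_SERVERS, trusted_routers=TRUSTED_ROUTERS):
    """Return findings for one server reply; an empty list means it looks sane."""
    msg = parse_dhcp(pkt)
    opts = msg["options"]
    msgtype = opts.get(OPT_MSGTYPE, b"\x00")[:1]
    if msg["op"] != BOOTREPLY or msgtype not in (bytes([DHCPOFFER]), bytes([DHCPACK])):
        return []                      # client traffic carries no settings to audit
    findings = []
    server = opts.get(OPT_SERVER_ID, b"")
    if len(server) != 4 or str(ipaddress.IPv4Address(server)) not in trusted_servers:
        findings.append("untrusted-server")
    raw = opts.get(OPT_ROUTER, b"")
    if len(raw) % 4:
        return findings + ["malformed-router-option"]
    routers = [ipaddress.IPv4Address(raw[j:j + 4]) for j in range(0, len(raw), 4)]
    try:
        mask = ipaddress.IPv4Address(opts.get(OPT_MASK, b""))
        subnet = ipaddress.IPv4Network(f"{msg['yiaddr']}/{mask}", strict=False)
    except ValueError:
        return findings + ["bad-netmask"]
    if any(r not in subnet for r in routers):
        findings.append("gateway-off-subnet")     # cannot be a one-hop gateway
    if any(str(r) not in trusted_routers for r in routers):
        findings.append("unexpected-gateway")
    return findings


def build_reply(yiaddr, server_id, router, mask, msgtype=DHCPOFFER):
    """Build a minimal server reply as sample input (constructed, not captured)."""
    packed = lambda a: ipaddress.IPv4Address(a).packed
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREPLY, 1, 6, 0, 0x1234ABCD, 0, 0,
                         bytes(4), packed(yiaddr), bytes(4), bytes(4),
                         bytes.fromhex("020000000001"), b"", b"")
    options = (bytes([OPT_MSGTYPE, 1, msgtype])
               + bytes([OPT_SERVER_ID, 4]) + packed(server_id)
               + bytes([OPT_MASK, 4]) + packed(mask)
               + bytes([OPT_ROUTER, 4]) + packed(router)
               + bytes([OPT_END]))
    return header + MAGIC + options


if __name__ == "__main__":
    samples = {
        "expected server": build_reply("192.0.2.50", "192.0.2.1", "192.0.2.1", "255.255.255.0"),
        "unknown on-link server": build_reply("192.0.2.50", "192.0.2.66", "192.0.2.66", "255.255.255.0"),
        "off-subnet gateway": build_reply("192.0.2.50", "192.0.2.1", "198.51.100.9", "255.255.255.0"),
    }
    for label, pkt in samples.items():
        print(f"{label}: {audit_reply(pkt) or 'ok'}")
```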

  133. what? by True+Dork · · Score: 2

    What the hell? Having a live IP at ANY point means you are exposed. God forbid anyone take any personal responsibility for their own systems and make sure that they are not at risk. Why would an ISP be responsible for your personal configuration at all? Take care of yourselves... don't expect others to do so. Sorry for the rant but that's like asking the government to stop by and lock your doors at night because you'll forget.

    1. Re:what? by FeeDBaCK · · Score: 1

      /opt is for software packages that are self-contained. Try *reading* FHS before complaining.

      --
      wolf31o2 Developer, Gentoo Linux Games Team
  134. So much for DHCP providing even obscurity. by urtica · · Score: 1

    I've got cable connections at both home and work, with different ISPs. Both use DHCP. In the last year, my home IP address has changed twice. Maybe 3 times. Work hasn't changed in the 6 months or so since we got connected.

    No way I'm trusting either ISP to provide any security. I've got an "un-supported operating system" running in both locations. OpenBSD. SSH ports are the only ones open (most of the time) and I've got a nice ipsec tunnel between the two.

  135. Re:Moderators! Ease off the crack! by niekze · · Score: 1

    i was just gonna try to piss off the leenuchs kids. who knew that i would get moderated UP for such a simple post?

    --
    Chaos, Mayhem, and Destruction: Not
  136. total bs by austad · · Score: 2

    This is total bullshit on so many levels. But one stands out for sure. With DHCP, the users aren't guaranteed they'll get the same address when their lease expires, but they usually do get the same address. A friend of mine has a cable modem through @home and he's had the same IP for the last 3 months. Their lease time is set for 2 weeks too.

    Cable modem providers need to hand out a "tell it like it is" pamphlet, and start pushing personal firewall software. There are way too many clueless users out there, and a pamphlet designed to scare the living daylights out of them is just what they need. I suggest ZoneAlarm. It's free and is way better than just about all other personal firewall products, even the ones you have to pay for.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
    1. Re:total bs by Erikmad+scientist · · Score: 1

      You and me agree but Richard (why they interview him I don't know, he barely understands what we do for a living) doesn't want to scare the less informed users. I think like-minded managers and myself here at @Home are winning...

      We will see,
      Erik
      @Home

  137. @Home by pokrefke · · Score: 1

    I've had my @Home connection for about three weeks. I'm already spoiled rotten and doubt I will ever be able to go back to a dial-up account. I spent a lot of time securing my PC before I got my modem, so I'm relatively safe. I installed Zone Alarm, shut down any programs that may access the internet, and watched last Friday as I accumulated 500 warnings (the maximum number ZA will log) in about 45 minutes. These were portscans from Universities, other cable modem users, and some internationals.

    I'm savvy enough to know how to secure my PC, but I wonder if the average user is. I know if my Mom had a cable modem, I'd be over there once a month to reload her OS.

  138. providers providing firewalls is bad by Bourbon+Man · · Score: 1

    At least, it's bad if they are clueless. I had a local cable ISP that firewalled to "protect" me, and the only port open was 80. No way to ssh, telnet, ftp, nothing, in or out. I finally got them to open FTP, but it was too little and too late. Also, by providing *any* protection, they may be assuming liability for all customer boxen and become easy lawsuit fodder.

    1. Re:providers providing firewalls is bad by edlinger · · Score: 1
      I agree. I don't seem to be firewalled at all. I've got DSL and a static IP. I enjoy the fact that I can ssh home and check my mail via my nice console.

      But that's not all. I get to use my home machine to test out the work I do at work. I can check firewall rules, 'n stuff like that. It's a remote location where I can do work. That's what I need. I don't need a super pipe necessarily, but broadband is nice. I want to be able to test things from various locations.

      Yet I fear the fact that ISPs may soon take it upon themselves to firewall their clients. I have my own firewall set up. I like it that way. But I know what I'm doing (I hope...) The average user doesn't have a clue. I wouldn't be surprised if ISPs were convinced to firewall their clients in the future as broadband access increases. There are some things that I just want to be able to configure myself. If I want a VPN, I want it. So long as I always have the option to control my own set up, I'm golden.

      Yes, security is definitely an issue. If my parents were to get broadband, I'd set up a firewall for them. Add a proxy server maybe. They don't know enough to worry about security problems. Then again, they don't use the computer for much apart from word processing, quicken, and stuff like that. I really do wonder if ISPs will start firewalling more often. Will that become the norm? If so, what about folks like me who use their computers for more than surfing and mail?

  139. slashdot fearmongers by Lumpy · · Score: 1

    I'm sorry but this article is pure FUD. 98% of all hackers couldn't give a rat's patoot about a personal pc. Win98 boxes are boring. Granted there is a large amount of hacking/cracking being done but it is far from how it is portrayed here. Cripes you guys sound like NAI. your computer will get viruses instantly!!! there are a bazillion virii waiting to attack your PC right NOW!!!! buy our software to protect yourself.

    Fearmongers are the worst element of society. And this article trying to say that @home users should be scared shootless that every hacker/cracker is trying to get their pc is pure lies and FUD. I have run servers with static IP's and have been on the internet for more years than 80% of you and online in some fashion since 1979 (remember using 110Bps modems? I DO!). I have NEVER been hacked, and I have NEVER been virused. (I don't run virii scanners and I didn't use a firewall on my servers in the lambdanet.com domain.) If you have a pc on the internet and you don't know how to secure it then you deserve having it taken down by some kiddie and you have no business having it online.

    No, thinking that crackers want your computer is pure lies. Shame on slashdot for letting this FUD on the site.

    Now if you have lots of porn, then the crackers want you.

    --
    Do not look at laser with remaining good eye.
    1. Re:slashdot fearmongers by Lumpy · · Score: 1

      sorry they are attacking a small number of the users. in fact a smaller number than AOL'ers being attacked. It's based on sheer number of subscribers. (no matter how much people bitch about @home they buy it and refuse to get rid of it.. The drug of faster than 56K is addictive) It is not that bad, most portscans are done by @home themselves, and employee accounts, outside auditors. I know the @home admins in my DMA zone and since we have 1/2 of a state, the amount of scanning and problems are nothing like people scream about. They (I was shown how they do it) watch ALL traffic closely. and they portscan the crap out of the customers (something I think is a dirtbag policy.) yet all their servers and @work customers don't have this problem... funny since they reside on the same subnet.

      I have access inside @home. and it is not that bad. Give me solid numbers and I'll look at them. But from what I saw inside, it's impossible to separate the company portscans from real kiddies.

      It is a nice illusion to pin on the big guys, but un-substantiated reports are FUD.

      --
      Do not look at laser with remaining good eye.
  140. security by jednet · · Score: 1

    I constantly get scanned by people in my subnet on @home. If I come home from a lan party and forget to turn off file sharing, it's only a matter of a few hours before my system comes to a crawl with people leeching mp3s off of me through network neighborhood. I've even done some myself, printing "You've been h4x0r3d" on a friend's printer nearby. That was fun.

    1. Re:security by joshv · · Score: 1

      What, pray tell, is a 'LAN party'?

      -josh

    2. Re:security by jednet · · Score: 1

      http://www.lanparty.com

    3. Re:security by joshv · · Score: 1

      I thought I was a geek...

      Anyone doing this with fellow broadband subscribers on the same loop? Should be about as fast.

      -josh

  141. @home firewall built in by alacrityfitzhugh · · Score: 1

    I use @home and am well protected. Every port is stealthed. It is too cool for school. I am in a lockbox. No one can find me, much less attack me. Now DSL needs the consumer to provide their own protection...

    1. Re:@home firewall built in by skya · · Score: 1

      You mentioned the lockbox. Has Al Gore given you the key to it? I thought the lockbox was in a secure location with the primary box being camouflaged and a decoy. --reference SNL skit from Eminem show

  142. Oh dear... by SurrealKnife · · Score: 1

    > "For example," he said, "as part of the installation process for @Home, we always turn off a computer's file sharing."

    Oh dear me. Please, somebody, tell me this is a joke. No? I think I'm going to become a hacker, 'cause it just got a whole lot easier. If this is a large company's idea of 'anti-hack' security, we have big problems.

    These companies need to face facts: End-users don't worry about security. They put credit card numbers in text files; they fiddle with settings and save sensitive passwords by accident. And even ignoring the security aspect - what about the destructive side of hacking?

    It should be the responsibility of the company supplying the broadband access to supply and configure a firewall as part of the installation, and explain to the users why it is needed. Otherwise, no-one will be secure. Simple as that.

    1. Re: Oh dear... by McChump · · Score: 1
      Really, how hard would it be to include a copy of ZoneAlarm for your Windoze customers? While it's not the greatest security in the world, it is free (beer) and preconfigured--it runs in the system tray and the newbie user never even has to look at the damn thing. And let me tell you, it would be very easy for you to duck responsibility if it's compromised -- the ISP can provide it as a service, not a guarantee. Just make it clear in your quick install info. Sheesh.

      Jay

      --
      I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners. - Berke Breathed
    2. Re: Oh dear... by jihad23 · · Score: 1

      Well, I've been out of that department for a while now, but I recall hearing that they're now distributing some other Windows firewall software. Something free, I don't remember what it's called, but it's not Zone Alarm. It's included on the CD we ship, but we aren't supporting it. I'm sure they get plenty of calls about it though and lots of "Ok, so you don't offer support for it, but I've just got this one question..."


      --
      Turn on, log in, burn out...
    3. Re: Oh dear... by jihad23 · · Score: 4

      It should be the responsibility of the company supplying the broadband access to supply and configure a firewall as part of the installation, and explain to the users why it is needed.

      Great. You want to handle the tech support calls when your average cable modem using consumer hoses up his $ISP provided firewall software? I thought not.

      Speaking as someone who used to work in broadband at a large ISP, no fscking way would we get involved in end-user security. Our customers were encouraged to read up on security and run firewall software, but we weren't going to give them the software or provide tech support for it.

      You have to draw the line somewhere. If you help them install/configure a firewall, who is held responsible when it's compromised? Whether or not the ISP should be held responsible, that's exactly how the users would see it.


      --
      Turn on, log in, burn out...
  143. hate DHCP by NuclearArchaeologist · · Score: 1

    Is there anyone else out there that got cable because of a static IP? Arrrrg! The day ATT kills my static IP is the day I drop their cable service.

  144. Re:DHCP != security by bulgroz0 · · Score: 1

    In any case - The @Home DHCP has such timers that my IP address never gets released... Even after one week off... Addressing has nothing to do with security

    --
    Frankly, it all depends.
  145. Re:try ping by NuclearArchaeologist · · Score: 1
    I don't know what ping you are using, but mine (default red hat 6.2) did this:

    $ping mail

    PING femail.sdc1.sfba.home.com (24.0.95.81) from 192.168.1.6 : 54(84) bytes of data

    cntrl-c killed the useless attempt to get an answer after 5 pings and zero returns. Of course, this won't work if you depend on the @home DNS because it won't be working most of the time!

    You will be better off if you can get mail and DNS elsewhere. I use the local university.

  146. Re:Game port scanners by n1m1tz · · Score: 1

    Linksys has released several updates for the unit that help it forward ranges of ports instead of a fixed number (used to be 10). That should help you host a game server without any problems, in theory that is.

    --
    G
  147. what a joke by jkc120 · · Score: 1

    C'mon, the only real reason @home uses DHCP is that it's easier than assigning static IPs for them. It makes their lives easier so that their users have to suffer. Personally, I'd rather have a static IP. If it means I have to setup a firewall to keep the script kiddies away, so be it, but I'd rather have a static IP. I'm not sure how pppoe works, but dhcp will attempt to regain the same IP, so if the users' computer is powered on 99% of the time, then the chances are it'll have the same IP.

    Oh and on an off-topic note, @home service varies so much by area, do some research before you invest $50/mo of your hard earned money. I currently have comcast @home in the sacramento area, and the latencies are horrible. Speeds are starting to suffer now as well. After 2 months of back and forths with the @home "technical support", there is still no resolution. Obviously they've TOTALLY maxed out a pipe and/or hub and are refusing to fix it, saying "we're investigating any malfunction in our hardware". Yeah right, it takes 2 months to diagnose poor performance on a traceroute *I* gave them? Like I said, TOTAL joke. Only a couple of more days until DSL is installed, and I can put the nightmare that is @home behind me.

    --
    "I drank what?" -Socrates
  148. Re:Already firewalled (-1 Offtopic) by Erikmad+scientist · · Score: 1

    On the optional (or not) http proxy note... you may want to turn them on because
    1. Our proxies do not log so unlike AOL and smaller ISP's we do not resell your site hits to others.
    2. We mainly store graphical information files of large content on the proxies to save from you having to (again) waste your connection and @Home's backbone on repeating the same request another user just did. Again it saves bandwidth and it saves Us/You in the end with hopefully soon a reduction in cost.

    Erik,
    @Home

  149. DHCP not always used... by CyNRG · · Score: 1

    I know for a fact that @Home tech support will set a static ip address routinely, if they can't get DHCP working quickly. The pressure to get call time down is very high. I don't work there.

  150. not to be a bitch... by niekze · · Score: 3

    but this would be a good time to mention

    OpenBSD

    --


    Chaos, Mayhem, and Destruction: Not
    1. Re:not to be a bitch... by Hurst+Dawg · · Score: 2

      Doesn't matter what OS you run, if it's misconfigured, it's not going to be secure. Look here if you think it is 100% secure. I know you were probably making a bit of a joke when you posted, but I still think it's worth mentioning that no OS is secure unless you maintain and keep it up to date.

    2. Re:not to be a bitch... by niekze · · Score: 1

      sure, you're right. But having a head start doesn't help. Why give your users 10000 services to run by default? If they need to run them, then they should be able to turn them on

      --


      Chaos, Mayhem, and Destruction: Not
    3. Re:not to be a bitch... by B-Rad · · Score: 1

      That's all true, of course, but if you look at the main OpenBSD page then you'll notice the "Three years without a remote hole in the default install!" quote. Now, if you're using OpenBSD as a firewall you're not going with the default install, but this claim is a lot stronger than any other OS out there today.

  151. Free alternative by Pfhreakaz0id · · Score: 2

    I see a few people recommending firewalls or routers with a built-in firewall. Whenever this discussion comes up, I always recommend Zone Alarm. It's free (beer, the only one I care about), works great, and is super easy to use. I also like the privacy feature of prompting me when a program is trying to send OUTBOUND packets as well and allowing me to block it.
    ---

    1. Re:Free alternative by Pfhreakaz0id · · Score: 2

      so... just turn it off. I don't care about reporting the scans. Just don't let 'em in... I take it your site is getting their IP or something? I've never had this problem, but I turn off the reporting (I don't have it get the alerts, just block it)
      ---

    2. Re:Free alternative by kindbud · · Score: 1
      You misunderstand. People "out there" who run ZoneAlarm report to ME at our abuse@ address, that WE have been scanning THEM. The "scans" always come from port 80 or port 443. DUH!

      There are two explanations for this, and ZoneAlarm provides no info to determine which one happened (it fails to log TCP flags).

      1. The "scans" are in fact replies from our web servers to browsing sessions initiated by the person making the "report". ZoneAlarm is simply in error flagging these packets as scans.
      2. The reporting user has a dialup or dynamic IP, and the packets coming in from our web servers are intended for the previous user of their IP address, who was likely dropped offline in mid-session with our web servers. The packets ZoneAlarm sees are remnants of the previous dialup user's session with us.

      Whatever the explanation, we aren't scanning random people from port 80 and 443. Yet ZoneAlarm "accuses" us of doing so, and I have to deal with the reports to our abuse@ and hostmaster@ addresses.

      --
      Edith Keeler Must Die
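The two explanations in the comment above, as an added example that is not part of the thread and not ZoneAlarm's code: a classifier that uses the TCP flags the commenter says are not logged, plus a table of connections the host opened itself (an assumption; the comment mentions no such table). All addresses, names and sample packets are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def flag_names(flags):
    """Render a flag byte the way a log line would show it."""
    pairs = (("SYN", SYN), ("ACK", ACK), ("RST", RST), ("FIN", FIN), ("PSH", PSH))
    return "+".join(name for name, bit in pairs if flags & bit) or "none"


def flagless_log_line(pkt):
    """What a log without flags records: addresses and ports only."""
    return f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"


def classify(pkt, local_flows):
    """Return a verdict for one inbound packet.

    local_flows holds (local_ip, local_port, remote_ip, remote_port) tuples
    for connections this host opened itself (hypothetical state table).
    """
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in local_flows:
        return "reply-to-own-session"      # explanation 1 in the comment
    if pkt.flags & SYN and not pkt.flags & ACK:
        return "connection-attempt"        # a bare SYN asks to open a port
    if pkt.sport in WEB_PORTS:
        return "stale-session-remnant"     # explanation 2: previous holder of the IP
    return "other-unsolicited"


def triage(packets, local_flows):
    """Count verdicts per source address."""
    report = {}
    for pkt in packets:
        report.setdefault(pkt.src, Counter())[classify(pkt, local_flows)] += 1
    return report


# Constructed sample: documentation-range addresses, not real hosts.
ME, WEB, OTHER = "198.51.100.7", "192.0.2.80", "203.0.113.9"
LOCAL_FLOWS = {(ME, 40001, WEB, 80)}
SAMPLE = [
    Packet(WEB, 80, ME, 40001, SYN | ACK),   # handshake reply to our own SYN
    Packet(WEB, 80, ME, 40001, ACK | PSH),   # page data on the same session
    Packet(WEB, 443, ME, 51515, ACK | PSH),  # data for whoever held this IP before
    Packet(WEB, 443, ME, 51515, FIN | ACK),  # server closing that old session
    Packet(OTHER, 3195, ME, 21, SYN),        # bare SYN to a service port
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(f"{flagless_log_line(pkt):40} {flag_names(pkt.flags):8} "
              f"{classify(pkt, LOCAL_FLOWS)}")
```

Without the flags column, the third and fourth packets produce identical log lines and nothing marks them as mid-session traffic rather than connection attempts.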
    3. Re:Free alternative by Pfhreakaz0id · · Score: 2

      I don't know. What's your timeout on the web server? What are the chances of someone else getting that IP in that short amount of time? OK I guess. Tell the author, but my web servers have never generated a quiver on my zone alarm.....
      ---

  152. Re:Hope DHCP keeps away from me :( + what security by ziegast · · Score: 1

    For example, 24.24.0.0 belongs to Time Warner cable.

  153. Re:DHCP != security by isorox · · Score: 1

    How about adding ALL: ALL to /etc/hosts.deny? Is there a way around that?

    Also install port sentry, soon as someone portscans you they'll be locked out by the time they reach port 20.

    Since when do viruses appear in text files? When I type "vi LIFE-STAGES.TXT", will my computer explode?

    In windows, if you share (for example), your mp3 directory, as world readable, is there an exploit?

    A healthy dose of paranoia is acceptable, but is it worth reducing usability?

    A much nicer security method is to decide who shouldn't have access, rather than who should.

  154. Firey balls of broadband by Graymalkin · · Score: 4

    When Skeletor finally kicked He-Man's ass he bestowed upon man broadband. There were those that said of this thing nothing good shall come. These nay-sayers tried to convince people that they were in danger of everything. Broadband won't hurt you. Why don't broadband companies invest a few more dollars (offer to their customers at a discount) good cable or DSL modems that have built-in routers with a bit of security. And completely besides the point, where the fuck are my internet active toys? Why can't I plug my microwave into my router and surf the net on its one line monochrome screen? I need to check my fucking email!

    --
    I'm a loner Dottie, a Rebel.
    1. Re:Firey balls of broadband by Graymalkin · · Score: 2

      FlexNet IIRC is only available in Hawai'i and besides which, you do not own your broadband pipe, you're simply paying for access though it. You can't operate a heavy usage email or webserver if your provider says no. You own jack and shit that you're using, you can't dictate terms on something like that. I'd like it if the cable or DSL provider gave me a router/modem that way I don't need to spend any extra money on anything. Having a router at each end is also going to make things simpler because then everyone can use internal IP's that won't get routed and set up effective firewalls without really complex inclusions and exclusions.

      --
      I'm a loner Dottie, a Rebel.
    2. Re:Firey balls of broadband by lizrd · · Score: 1
      Why don't broadband companies invest a few more dollars (offer to their customers at a discount) good cable or DSL modems that have built-in routers with a bit of security.

      I'm really not sure that I want the cable company deciding on what security policy is appropriate for my home network. Either it's going to be worthless and do something boneheaded like not block 139 or it's going to be so tight that I can't take advantage of the fact that I have a fast connection with a pretty much static IP address. I want to be able to have ports 22 and 80 open if I decide that I want that functionality. I want to be able to host my own e-mail domains if I decide that I want to do that. I want to be able to set up my own NAT box and set policies in the way that I see fit. I really don't believe that that's going to happen if the cable company sets things up for me.

      What people need to start realizing is that an always on broadband connection to their home is a completely different ball game than any connection through AOL. The only hope I see at this point for broadband being useful to /.ers and for general users is if the market really does become open and we start to have real choice in ISPs with broadband. That way we can have ISPs like FlexNet for those of us who just want a raw internet pipe with none of the extras and AOL for those who want their online experience filtered down and spoon fed to them.
      ________________
      They're - They are
      Their - Belonging to them

      --
      I don't want free as in beer. I just want free beer.
  155. try ping by NuclearArchaeologist · · Score: 1
    "ping mail" and "ping news" returned proper ip addresses behind my firewall. Strange thing is, cable mail and news never works with ATT@home. Could it be because they use NT? I think so!

    Oh yeah, their DNS server never works either. I don't know about their DHCP server, but I would expect similar success.

  156. Trojan infections build character. by greedobutts · · Score: 1

    I stupidly ran a renamed BO client a couple years ago. I had great fun reading the funny little dialogs my tormentor pushed at me.

    Did I whine to my isp?

    Did I write to my congressman?

    I disconnected from my isp, found the exe, and deleted the little bastard from DOS.

    That which doesn't kill my OS can only make me stronger! :D

  157. Sorry @Home, I have firewall logs to disprove you by sleeperservice · · Score: 1

    I had @Home for a while, and thought the service was just fine. I have DSL now, but the switch was due to cabling issues in my apartment, not the @Home service.

    However, I had a WebRamp 700s as a firewall and for a period of about 4 weeks recorded at least 1 serious attack a day (Syn Flood, DoS, Ping Flood, etc....).

    So yes, @Home is talking **** again.

  158. A sample of the last few days: by Ricochet · · Score: 1

    Here is a sample of this week's log (Started Sunday). Some days there are more attempts other days fewer. This is not the only log but it is of the more common ports. You would be amazed at how many times these sites will continue to knock even though they get no response.

    Oct 22 13:19:17 ng ng: IP[Src=24.3.84.46 Dst=XXX.XXX.XXX.XXX TCP spo=00021 dpo=00021]}S03>R02mD
    Oct 22 15:40:58 ng ng: IP[Src=199.217.172.253 Dst=XXX.XXX.XXX.XXX TCP spo=01301 dpo=00023]}S03>R01mD
    Oct 22 15:41:43 ng last message repeated 4 times
    Oct 22 15:42:13 ng ng: IP[Src=199.217.172.253 Dst=XXX.XXX.XXX.XXX TCP spo=01548 dpo=00021]}S03>R02mD
    Oct 22 15:42:58 ng last message repeated 4 times
    Oct 23 03:32:35 ng ng: IP[Src=24.19.0.225 Dst=XXX.XXX.XXX.XXX TCP spo=02562 dpo=00080]}S03>R03mD
    Oct 23 03:32:35 ng ng: IP[Src=24.19.0.225 Dst=XXX.XXX.XXX.XXX TCP spo=16419 dpo=00080]}S03>R03mD
    Oct 23 06:22:21 ng ng: IP[Src=24.142.211.22 Dst=XXX.XXX.XXX.XXX TCP spo=04846 dpo=00021]}S03>R02mD
    Oct 23 06:22:30 ng last message repeated 2 times
    Oct 23 16:55:25 ng ng: IP[Src=24.142.211.22 Dst=XXX.XXX.XXX.XXX TCP spo=02913 dpo=00021]}S03>R02mD
    Oct 23 16:55:34 ng last message repeated 2 times
    Oct 23 17:54:11 ng ng: IP[Src=24.93.99.103 Dst=XXX.XXX.XXX.XXX TCP spo=03195 dpo=00021]}S03>R02mD
    Oct 23 17:54:21 ng last message repeated 2 times
    Oct 24 06:37:52 ng ng: IP[Src=24.23.155.145 Dst=XXX.XXX.XXX.XXX TCP spo=04602 dpo=00021]}S03>R02mD
    Oct 24 06:37:53 ng ng: IP[Src=24.23.155.145 Dst=XXX.XXX.XXX.XXX TCP spo=04626 dpo=00080]}S03>R03mD

    BTW: This is a hardware firewall, I haven't quite figured out how to get it to log only certain things. It's either a specific few or everything. I also have IPCHAINS and TCPD running (just in case). One day I'll replace it with a Linux box running Net Filters.
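A way to total up a log in the format posted above, as an added example that is not the poster's or the firewall vendor's code: it folds syslog's "last message repeated N times" lines back into the preceding entry and lists the sources that keep knocking. It assumes `spo`/`dpo` are source and destination port and that each entry is one blocked attempt; the trailing `}S03>R02mD` field is ignored, and the sample lines are constructed in the same format with documentation-range addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
EVENT = re.compile(STAMP + r" \S+ \S+: IP\[Src=(?P<src>\S+) Dst=\S+ "
                   r"(?P<proto>\w+) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]")
REPEAT = re.compile(STAMP + r" \S+ last message repeated (?P<n>\d+) times?$")


@dataclass
class SourceSummary:
    attempts: int = 0
    ports: Counter = field(default_factory=Counter)  # destination port -> hits
    days: set = field(default_factory=set)           # calendar days seen

    def record(self, port, day, count=1):
        self.attempts += count
        self.ports[port] += count
        self.days.add(day)


def _day(stamp, year):
    # Syslog stamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").date()


def parse_log(lines, year=2000):
    """Return ({source: SourceSummary}, repeats that could not be attributed)."""
    sources, orphan_repeats, last = {}, 0, None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        event = EVENT.match(line)
        if event:
            last = (event["src"], int(event["dpo"]))
            summary = sources.setdefault(event["src"], SourceSummary())
            summary.record(last[1], _day(event["ts"], year))
            continue
        repeat = REPEAT.match(line)
        if repeat and last is not None:
            sources[last[0]].record(last[1], _day(repeat["ts"], year),
                                    int(repeat["n"]))
        elif repeat:
            orphan_repeats += int(repeat["n"])  # refers to a line we never saw
        else:
            last = None  # a later "repeated" line would refer to this one
    return sources, orphan_repeats


def persistent_sources(sources, min_days=2, min_ports=2):
    """Sources that came back on another day or tried more than one port."""
    return sorted(src for src, s in sources.items()
                  if len(s.days) >= min_days or len(s.ports) >= min_ports)


# Constructed sample in the posted format; addresses are documentation ranges.
SAMPLE_LOG = """
Oct 22 15:39:00 ng last message repeated 3 times
Oct 22 15:40:58 ng ng: IP[Src=192.0.2.10 Dst=XXX.XXX.XXX.XXX TCP spo=01301 dpo=00023]}S03>R01mD
Oct 22 15:41:43 ng last message repeated 4 times
Oct 22 15:42:13 ng ng: IP[Src=192.0.2.10 Dst=XXX.XXX.XXX.XXX TCP spo=01548 dpo=00021]}S03>R02mD
Oct 22 15:42:58 ng last message repeated 4 times
Oct 23 06:22:21 ng ng: IP[Src=198.51.100.22 Dst=XXX.XXX.XXX.XXX TCP spo=04846 dpo=00021]}S03>R02mD
Oct 23 06:22:30 ng last message repeated 2 times
Oct 24 16:55:25 ng ng: IP[Src=198.51.100.22 Dst=XXX.XXX.XXX.XXX TCP spo=02913 dpo=00021]}S03>R02mD
Oct 24 06:37:52 ng ng: IP[Src=203.0.113.5 Dst=XXX.XXX.XXX.XXX TCP spo=04602 dpo=00080]}S03>R03mD
"""

if __name__ == "__main__":
    found, orphans = parse_log(SAMPLE_LOG.splitlines())
    for src, s in sorted(found.items()):
        print(f"{src:15} attempts={s.attempts:3} ports={dict(s.ports)} "
              f"days={len(s.days)}")
    print("persistent:", persistent_sources(found), "unattributed:", orphans)
```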

  159. h4kk0r's delight by smartfart · · Score: 1
    There was a thread in our LUG's mailing list a few weeks back about Linux boxes being rooted. The kiddies used the hacked boxes for irc takeover bots and warez. One poor soul in particular learned he had been hacked weeks after the intrusion only when he discovered that his 20 gig hard drive was full.

    I'll say it again, and listen up this time --- you can't put a Red Hat or other boxed distro box up on the net without turning off all kinds of services and running a locked-down ipchains ruleset, or you are gonna get owned in short order.

  160. Indeed! by NuclearArchaeologist · · Score: 1

    I wonder how many of those port scans are cable admins?

  161. @Home firewalls by baboin · · Score: 2

    I'm a Rogers Excite@Home customer, and I can assure everyone @Home broadband is safe: they knock you off their network for hours or days to make sure! You can't get hacked when you're off their network, which is quite often. Service has stunk lately, with email outages lasting entire week-ends (and who knows if emails bounce or are lost). Now that's a good firewall.

    1. Re:@Home firewalls by Jordan+Block · · Score: 1

      that sounds way too familiar. damn rogers.

  162. I've been cracked by Sludge · · Score: 2

    I'm a member of rogers@home, as I have been for two (unhappy) years.

    I was cracked while my computer was on a dialup connection to my ISP. Completely dynamic IP, not a 24/7 connect by any means. Ever since I've had the experience of using Rogers@home, my friends and I have always received the same IP when renewing their lease with DHCP. It's almost as if they've just taken out the middleman of telling you that your IP address has been assigned and telling you to configure your data, and just assigning it to you using server side software.

    A friend of mine apparently had someone stealing their IP address for two weeks on end. When phoning @home tech support, they traced it to one guy with the incorrect DHCP settings. However, under Acceptable Use Policy, they couldn't do anything but ask him to stop. The result? My friend's DHCP settings constantly returned the same IP, even though it was conflicting.

    She paid for two weeks of @home cable modem usage without being able to use it.

    Fuck you, @home.


    Michael Labbe

  163. Re:fun @home by Erikmad+scientist · · Score: 1

    Are you that guy? Hats off to you :-) Erik @Home

  164. my isp has had no problems by marx20 · · Score: 1

    I work for a nationwide isp that handles thousands of dsl customers and I have yet to receive one report from a customer complaining about an intrusion even though we use static ip's. The probability of being hacked is just too low to warrant the recent flood of warnings that broadband customers are in serious danger of being hacked. The problem lies with customers fearing the worst and putting software firewalls in place and call in every 5 minutes claiming they are being hacked by their own isp. Come on guys...do you really think that everyone wants to steal your valuable mp3's and your nice new broadband collection of porn. How about those .txt documents...pretty interesting stuff.

  165. Okay, let's think about this for a moment... by AKAImBatman · · Score: 1
    • If you are using DHCP, your IP sticks around for potentially 2-3 days if you leave it on.
    • Most ISPs (including @Home) use contiguous blocks of ip addresses.
    • Windows has far more security holes than Unix.
    • Many people don't even know what a patch is, much less how to apply it.

    As you can see, the long persistence puts people at risk because they are often not security experts. Especially people new to computers or to an OS in particular. And now @Home wants to tell them there is no danger? Pfff. This is going to be a media circus.

  166. DHCP? Since when? by NetFu · · Score: 1

    I've used Excite@Home about a year and DHCP has always been an option (and a crappy one, at that). Even if you DO use DHCP, you're still using it to access a permanent IP address -- not a different one every time you use the internet. It's scary how easy it is to look out over my subnet at home and see everyone else's computers -- an Airport here, an iBook there, a Sun here, a few Win NT machines there, etc.

    With the right tools, anyone could crack any of those computers -- you think systems are weak in businesses? Home computers are much more out-of-date and more easily crackable than most business systems!

    Everyone who uses any broadband for internet access should be VERY paranoid about it -- paranoia is the best way to be prepared. Don't go crazy, of course, but use your paranoia to protect yourself. Lots of people are posting good suggestions here, but the main point here is not to let your guard down on this just because the companies who want your money say so.

  167. Put the blame where it belongs by jhines · · Score: 1

    Shouldn't MS be called to task, for not doing a better job of security in their os?

  168. IP broadcast by SurrealKnife · · Score: 2

    Not just a smart cracker - anyone with half a brain could set up a system on a hacked PC to get it to broadcast its IP when it goes online or changes! I mean, I've done it, and if I can do it anyone can...

  169. Translation by martyb · · Score: 1
    Neither Pacific Bell nor Excite@Home provide their customers with such [firewall] software. Each company's officials said, though, that they would help its users install the software if they required it.

    Script Kiddies - hack our customers' computers.

  170. Cable is NOT safe by kirkb · · Score: 1
    I installed a firewall on my PC (zonealarm) earlier this year, and was shocked at how frequently my PC gets poked at (eg: TCP port 31337). I've traced these attacks all the way from Saskatoon to Qatar.

    I even managed to get a fellow @Home user's account terminated after I proved to abuse@home.net (via my firewall logs) that he'd been a naughty boy.

    I strongly urge anyone with a windows box and a cable/DSL connection to get a firewall (zonealarm, black ice, etc).

    --
    Slashdot: come for the pedantry, stay for the condescension.
  171. Re:It's true, what goes on "out there" is horrendo by Evil+Grinn · · Score: 1
    ok they are pings pointed at particular ports where vulnerabilities may lie but it is still just a ping

    Is it just me, or does "just a ping" not imply that we are only talking about ICMP echo packets, or else the TCP or UDP echo port ?

    A connection to any other port means that somebody is checking for something specific, not just for connectivity.

  172. DHCP and changing IP addresses by Jothom · · Score: 1

    A quick lesson, which I am sure that you have had: Yes, DHCP assigns an IP address when you log into the server that your ISP has. With broadband, chances are that you can leave your connection going all the time, effectively giving your computer a static IP until you shut down or reboot. While you are going, you can still get hacked.

    --
    Cogito, ergo sum.
  173. Free Cable TV by skya · · Score: 1

    The one thing I love is that once you have the @Home service, you can get full extended cable TV for free. The installer told me that a subscriber needs only sign up for the modem service and from there, connect the splitter and TV's. This was 3 months ago, has anyone else found this to be true. Sure a nice way of saving 40-50 bucks a month.

  174. Re:DHCP? What a laugh by Aerolith_alpha · · Score: 1

    yeah, the one example of a honey pot i saw--once they cracked it, they had a doctored irc client that connected to a certain channel of their irc server, so they could always find it--granted that was solaris, but i am sure something similar can be done for pretty much any OS given enough time and effort.


    mov ax, 13h
    int 10h
  175. Game port scanners by Salmonius · · Score: 2

    Just for information, a lot of the entries in firewall logs are often from game port scanning robots.

    I suggest to anyone with cable/adsl internet to get themselves a Linksys internet router. It has a built-in firewall and can redirect ports to specified computers for games, ftp, telnet and such. It also has a 100Mbit switch on the internal side and it's cheap! Purchase of the year.

    1. Re:Game port scanners by avm · · Score: 1

      Gotta second that. I've got the Linksys single-port router, and the li'l bugger is working like a charm so far. Uses less wattage than most PCs you'll find being used as routers, too.

      .sig fried

  176. Re:It's true, what goes on "out there" is horrendo by mrowlands · · Score: 1

    its 64.28.67.48 but why would you want to know that?

  177. Q: Security about logging into Online Banking by skya · · Score: 1

    I use @Home. I file share for friends. No firewall as I have nothing on my computer but mp3's and theater/dvd-ripped movies. I run Napster 24/7 for my 5,000 mp3's. The question is: If I log into my online bank using the secure connection (https), can anyone else see what my username and password are? Now, I back up everything to CDR so I could give a sh-t if anything happens, but how dangerous is my Win98SE setup. I'm guessing it's very vulnerable, but I don't really care, or give a flying f-ck, I'd rather spend my time doing something more valuable outside.

    1. Re:Q: Security about logging into Online Banking by jmkaza · · Score: 1

      Someone could easily come in through file sharing and install a keystroke logger that records everything you do. They could also add something like pcAnywhere to your start up and then connect remotely with full control of your PC. These are both instances of deliberate attacks on YOU. To protect yourself from your general kiddie looking around to see what stuff their neighbors have, For God's Sake!, never click 'Remember Password'.

  178. What an idiot by Karl_Hungus · · Score: 1
    Holden added that only if people are using their computers to store sensitive information will extra security software be necessary.

    Is this guy for real? Before you think only the paranoid need worry consider the following:

    • credit card #s (obvious)
    • passwords (also obvious)
    • personal correspondence
    • financial info (spreadsheets, etc.)
    • addressbooks
    • business plans
    • diaries
    • term papers/theses/dissertations/research
    • browser histories & caches
    • unfinished code
    • that Great American Novel you're working on
    • etc. ad nauseam

    Where else would I put any of the above? The "PC" stands for "personal computer". That's the computer I put my personal stuff on. Jackass.
  179. even worse, their marketers lie by mr_burns · · Score: 1

    I remember waiting outside a BART station waiting for a friend to meet me, when a marketing type (the kind that roam around college campuses with a clipboard full of credit card applications) approached me. This person knew absolutely nothing about the internet. I raised the security question, and this is the gist of the answer:

    "@home has special software that makes it so nobody can get in your computer"

    that's a rough paraphrase as it was about a month ago. Upon hearing this, I gave the girl a quick and dirty guide to internetworking. I asked her where she heard that, and she said the guy who hired her.

    I think anyone in this forum can understand that a firewall would be involved if that were the case, but I have never heard of @home installing a firewall on every client machine on their network.

    In any case, if the people who know better don't educate their friends on how to defend themselves against these attacks....they will go and get tougher laws passed to make up for their ignorance when they get tired of being cracked.

    --
    "Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
  180. Sensitive information... by psocccer · · Score: 1
    I read the quote and couldn't believe it, and yes, they actually say this:
    Holden added that only if people are using their computers to store sensitive information will extra security software be necessary.
    Now really, who doesn't store sensitive info on their computers? Really? I used to collect movie clips off scour when they had a web interface, and using trusty smbclient I'd search a number of people's hard drives. And what's even more scary is at least 80% had anonymous un-password protected WRITE access! I left quite a few notes to people on their desktop.

    But about secure information, most people want their computer to do useful things, and one large area of the useful-thing pie is finance management. Lots of people use quicken, and I can't even recount the number of people I found who had quicken backups all over their drive, and what about people who use excel? C'mon, almost everyone has sensitive information on their computer, even if it's just a little address book.

    I have DSL here and use NAT on my linux box to share the connection. I get at least 10 portscans a day, according to good old portsentry. I also run samba on that machine, and get lots of strange machine names in the log files of people trying to snoop. It's ridiculous to say that people are over-paranoid, most people really believe that hackers are just some movie fantasy and not a real threat.

    I don't believe, however, that the answer is firewalls. They are annoying. They break lots of things, and I'm sure would increase the amount of tech support 10 fold if they employ any kind of sweeping policy. What really needs to happen is education. To help people know where the real dangers are, and what's imaginary. People learn about safe living, safe sex, and safe everything else, they also need to be taught safe computing. Sure, it sounds retarded, but IMHO, it's the only thing that will help. Awareness and education can stop lots of problems.

  181. The Average User by QuantumG · · Score: 1

    My brother is somewhat of an alarmist when it comes to his broadband connection. He runs antivirus software and scans his computer regularly and he does sometimes find things. Often windows will crash and reset to some 3 month old registry settings and he will be forced to reinstall - he will firmly blame this on a virus. Once he found a virus on his computer and quickly sought someone to blame. Obviously it couldn't be his fault for downloading every crack he can find and running it on his computer. Turns out he got the idea that it must have been his girlfriend running Napster on his pc. I had to patiently explain to him that there are no mp3 viruses. That mp3's don't contain code and although exploiting holes in Napster to propagate viruses may be possible, I seriously doubt that is what happened. The argument lasted for hours. Are you aware of how difficult it is to argue with someone about how they got a virus when they don't know the difference between code and data?

    --
    How we know is more important than what we know.
  182. Re:It's the gateway, stupid... (not you, state*les by Malor · · Score: 1

    I don't even use Linux as a firewall. It's a great router, but in the v2.2 kernel, the firewalling code is pretty weak. It's stateless; that is, you have no context about a packet. You can't (easily) allow, say, all outgoing traffic on port 80 while refusing it inbound.

    You can get around this by filtering on particular combinations of SYN/FIN/RST, but that makes it pretty easy for someone using NMAP to get packets in past your filter.

    Personally, I use OpenBSD as my firewall/NAT device. Stateful inspection firewall for free -- gotta love it. I even paid for mine. :-)

    There are some nice online pages that will walk you through a series of questions and generate an ipchains ruleset for you. It's a lot better than nothing, and it's a good place to start learning about firewalling, but the process is complex enough that any form of automation is likely to make assumptions you may not like. The Checkpoint Firewall-1 product comes to mind. Out of the box, the 4.0 and 4.1 installations are just dreadfully insecure. It's easy to administer but it's got tons of holes in it. That's my biggest fear about automated rulesets.

    But doing it by hand isn't very likely, for most folks. I'd say no more than one person in a thousand is really qualified to be writing firewall rulesets. Hell, I've been learning this stuff for three years and I'm still not sure I'm entirely qualified. :-) The whole process is just enormously complex and incredibly prone to error.

    I'm not sure what the answer is here -- TCP/IP requires an extraordinary amount of study in order to be used in a 'safe' way. From a security standpoint, I think the protocol may be essentially useless. You CAN get security but it's so difficult as to be impossible for 99.9% of the public.

    I'm struck that maybe it's time to toss out the whole mess and start over -- except in the real world, that NEVER happens. Look at COBOL. :-)
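
The stateless-versus-stateful point in the comment above, as an added Python example that is not part of the thread and not ipchains or OpenBSD code: a flag-only rule and a small connection-tracking filter judge the same constructed packet trace. The addresses, ports, class and function names are assumptions made for the illustration, and the tracker is simplified (no timeouts, sequence checks or UDP).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}
    inbound: bool      # True when arriving on the Internet-facing side


def pkt(src, sport, dst, dport, flags, inbound):
    """Build a packet from a 'SYN+ACK' style flag string."""
    return Packet(src, sport, dst, dport, frozenset(flags.split("+")), inbound)


def stateless_allow(p):
    """Per-packet rule with no memory: allow all outbound traffic and drop
    only inbound connection attempts (SYN set, ACK clear)."""
    if not p.inbound:
        return True
    return not ("SYN" in p.flags and "ACK" not in p.flags)


class StatefulFilter:
    """Allow inbound packets only when they belong to a connection that an
    inside host opened first."""

    def __init__(self):
        # Each entry: (inside_ip, inside_port, outside_ip, outside_port)
        self.conns = set()

    def allow(self, p):
        if not p.inbound:
            key = (p.src, p.sport, p.dst, p.dport)
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.conns.add(key)        # inside host opens a connection
            elif "RST" in p.flags:
                self.conns.discard(key)    # inside host aborts it
            return True
        key = (p.dst, p.dport, p.src, p.sport)
        if key not in self.conns:
            return False                   # no matching outbound connection
        if "RST" in p.flags:
            self.conns.discard(key)        # remote end aborts it
        return True


# Constructed trace: one legitimate web request, then unsolicited packets.
INSIDE, WEB, STRANGER = "192.168.1.10", "203.0.113.5", "198.51.100.7"
TRACE = [
    ("outbound SYN to web server", pkt(INSIDE, 40000, WEB, 80, "SYN", False)),
    ("reply SYN+ACK", pkt(WEB, 80, INSIDE, 40000, "SYN+ACK", True)),
    ("reply data ACK", pkt(WEB, 80, INSIDE, 40000, "ACK", True)),
    ("unsolicited SYN to 139", pkt(STRANGER, 5555, INSIDE, 139, "SYN", True)),
    ("unsolicited ACK to 139", pkt(STRANGER, 5555, INSIDE, 139, "ACK", True)),
    ("unsolicited FIN to 139", pkt(STRANGER, 5555, INSIDE, 139, "FIN", True)),
]


def compare(trace):
    """Return (label, stateless_verdict, stateful_verdict) for each packet."""
    stateful = StatefulFilter()
    return [(label, stateless_allow(p), stateful.allow(p)) for label, p in trace]


if __name__ == "__main__":
    for label, a, b in compare(TRACE):
        print(f"{label:28} stateless={'ALLOW' if a else 'DROP':5} "
              f"stateful={'ALLOW' if b else 'DROP'}")
```

Both filters pass the web replies and drop the bare SYN; only the stateful one drops the unsolicited ACK and FIN, because it can tell they match no connection opened from inside.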

  183. Kind of the opposite of THIS article... by mholve · · Score: 1

    Hmmm, just as I was reading this earlier today in Wired.

  184. Personal firewalls by shalunov · · Score: 1

    The bit on using personal firewalls looks quite different from the point of view of network administrators.

    These things rarely protect their users, since they usually only block closed ports.

    What they do is annoy the admins by sending bogus emails "somebody from your network just sent me a packet". These emails are deliberately huge (megabytes) and include very little useful information.

    I wish people would stop advocating use of this sort of broken software. It's far easier to not run redundant services than to install them anyway.

    Not to mention the fact that these kids have made the firewalls newsgroup completely useless with the childish questions and "expert advice."

  185. Re:It's the gateway, stupid... (not you, state*les by dpilot · · Score: 2

    >About all that would happen that way is a denial-of-service. Default gateway has to be one hop away. A remote attacker can't specify
    >his own IP address as your gateway, he has to specify another machine on your network. So he can shut you down remotely, but
    >that's about all.

    Understood. I was presuming this MITM attack from someone on my cable network. The subnet mask is 255.255.254.0, so I'm potentially sharing it with almost 500 others. Plus a rogue server could come in on a 10. (or other RFC1918) net.

    >Security is a process, not a state. The more secure you think you are, the less secure you tend to be. Andy Grove would love this
    >field -- 'only the paranoid survive' :-)

    I keep seeing, "I got a really tight firewall from linux-firewall-tools," show up out there, and that mindset bothers me, for just your reason. So far firewall rules tend to be less Open Source than other software. I suspect part of the reason is because people are scared to expose their protection. But IMHO the good side is that firewall rules should be a process, not a thing that you trust. Recently rc.firewall V5 came out. I'm looking at it not to use, but to tighten my own ruleset.

    --
    The living have better things to do than to continue hating the dead.
  186. @home really *IS SAFE* to use. by b0z · · Score: 2
    Using the @home service is extremely safe if you take the following into consideration:

    - In flame wars, unlike real wars, noone has ever used ICBM's to assault the person they are pissed off at.
    - In cybersex, unlike real sex, noone can get herpes, aids, crabs, etc.
    - While running around shooting people in a game such as Quake or Unreal, unlike running around shooting people in school or a post office, the worst wound you can get is blistered fingers.

    I can think of other reasons why @home would be considered safe, but it's all about relativity. Sure, @home might not be safe when compared to other ISPs, but they sure are safe compared to playing hot potato with a hand grenade. :o)

    --
    Mas vale cholo, que mal acompañado.
    1. Re:@home really *IS SAFE* to use. by niekze · · Score: 1

      parents might think that kids might see inappropriate movie previews.

      good thing these kids are downloading the whole movie or this country would be in a big heap of moral trouble and crisis ;)

      --


      Chaos, Mayhem, and Destruction: Not
  187. Hope DHCP keeps away from me :( + what security? by Enigma2175 · · Score: 4
    I am on @Home, but in my area they don't force us to use DHCP (yet). In my area, you have an IP address assigned to the MAC address of your modem and you keep the same IP address. Of course, they have DHCP available, but you don't have to use it. They are planning on forcing everyone to use DHCP in the future, so they can have more IP addresses available at any given time. They have a class A, how many damn ip addresses do they need? I use my IP address for a lot of things (network administration from work, web server, etc.) I hope they don't try to make me change it every 2 hours. I imagine it will be awhile, they just barely are getting around to putting the 128 kbps cap on my line :( I guess it was good while it lasted, many markets have had the cap on for quite a while.

    As for security, that is total bunk. DHCP does not stop the 5cr1p7 k1ddi35 from scanning a subnet and attempting to hack whatever open ports they can find. Once they have control of a machine, it is trivial to have it mail them or signal them (have it ping an address, or do a POP mail check, or even an ICMP unreachable packet). There are a million methods to get the new IP address when it changes. DHCP helps nothing.


    Enigma

    --

    Enigma

  188. Score -1, Offtopic [but he started it :-) ] by Nailer · · Score: 1

    Why don't you?

    I'd quote, but pathname is down right now. Damn straight I have read the FHS, and its description of of opt primarily states *optional*. Packages that are self contained [ie, which need their own tree] should live in /usr/local/.

    Either way, `optional' is a pathetic label. Is StarOffice optional? Is KDE optional? I can run a system without grep, is that optional? What about compilers? If you use binary packages, are they optional?

    On Solaris, anything not made by Sun is [usually] considered `optional'. Okay. Apply the same logic to Linux distributions. In that case, Acrobat reader is optional of redhat, but non-optional on Caldera.

    /opt is fucked.

  189. @home have I by heymull · · Score: 1

    Yes, I have @HOME too. Because I use a firewall (free ZoneAlarm) I am relatively safe, in actuality. Intrusion attempts are common, usually daily. That scared me pretty deeply when I first installed ZoneAlarm. Now I'm sanguine. "I can see it coming". It's also obvious from port# and IP that most are "simply" @HOME pings. Trouble is, how does a subscriber KNOW which is which?

    --

    "Many have chosen to follow. They aren't the ones I'm worried about."
  190. Re:"Safe" Win/Mac only, and Firewalling all servic by plague3106 · · Score: 1

    Well the ISP should not be blocking anything, since most claim unlimited internet access. As far as the dopy people that leave sharing on and get burned by it. Fuck them, it's time people learned about their pc. Just as when you use a car you first learn how to properly function and care for it, you should learn to do the same with your pc. I've never once seen a warez site thrown up via SMB. If users are too dumb to turn off file and print sharing, they are probably too dumb to share anything to begin with. I'm not going to be inconvenienced b/c someone doesn't want to learn about their pc, just like i'm not going to be denied access to information b/c some other people can't handle it.

  191. Check out Steve Gibson's Shields Up! by cpeterso · · Score: 2


    Check out Steve Gibson's Shields Up, especially if you run Windows. It will probe your IP address for open ports and NetBIOS crap.

  192. Horsepuckey by Caradoc · · Score: 1

    Of all of the probes I've seen run against the networks with which I'm associated, @Home is far and away the *largest* source of such probes.

    RoadRunner comes in a close second.

    When notified that one of their users was attempting an RPC exploit against one of our machines, an @Home representative said, "I didn't think any of our customers were smart enough to do that."

    I pointed out that it may not have been @Home's customer making the attempt, but that one of their customers' machines may have been "owned" by some pathetic script kiddie - he was shocked.

    I don't think he'd considered the possibility that the entire @Home network is a smurf-cluster (or other "relocated" attack) just waiting to happen...

    --
    Specialization is for insects. - R.A.H.
  193. Re:"Safe" Win/Mac only, and Firewalling all servic by PG+Hammer · · Score: 1

    And that is a bad thing? I hate to tell you this, but most users don't have the slightest concept of what firewalls do, how to install them, or how to set them up! Linux (and most UNIX variants) have included firewall software as part of the basic package, and now similar (and free) firewalls are available for the Win/Mac crowd (example: Zone Alarm). ZA is easily the easiest personal firewall to install and use, but how many broadband users would dare to download it OR install it?

  194. Good. Luckily, I have only public information. by Booker · · Score: 3
    ...[they] should only be concerned if they are storing private information on their PC's

    Oh, gee, that puts my mind at ease... I was really worried that some evil hacker might break in and steal all of my public information. Apparently my fears were unfounded... I only need to be concerned if I have private information on my PC... These fears really are overblown... I mean, who puts private information on their PC, anyway?

    *wipes brow in relief*

    ---

  195. How are static IPs good for the user? by Dwonis · · Score: 1

    Personally, I always want a static IP. I realize that DHCP provides no real protection against cracks.

    What's something that we can push to the general e-populace to make them want static IPs?

    $200 mini-webservers? $100 firewall devices?

    Post your suggestions here.
    --------
    Life is a race condition: your success or failure depends on whether you get the work done on time.

  196. Re:DHCP? Yes. Changing IP? No. by nihilogos · · Score: 2

    I did this too, although can anyone tell me what the hell sunrpc needs to have port 111 open for? Actually, what is sunrpc?

    Is closing off ports enough? I have a nagging feeling that in order to have a reasonably secure box I'm going to need to know a little more about ipchains.

    --
    :wq
  197. It does work with linux! by Anne+Marie · · Score: 2

    AT&T won't support linux, but that's far from saying it won't work at all if you know what to do yourself. Here's one person's experiences with successfully hooking his linux box up to his @Home service.

    --
    -- Anne Marie
  198. @HOME is a bunch of lying idiots... by Oztun · · Score: 1

    I have on average 30 people a week from @home.com IP's scanning my netbios ports. @home actually had the nerve to tell me they are filtering their users from doing this. If you're smart and you have DSL or cable you will setup a firewall like I did. I just had someone tell me last week his computer got erased because someone on napster got mad at him.

    1. Re:@HOME is a bunch of lying idiots... by bwhalen · · Score: 1

      stuff happens when u share your whole drive and not the mp3 folder..

      --
      Where do you want to be, What are you doing to get there.
  199. Re:"Safe" Win/Mac only, and Firewalling all servic by Tassach · · Score: 2

    As a comcast@home customer, I can say for a fact that the NetBIOS ports are definitely filtered and have been for at least the last year or so. I've confirmed this by doing nmap scans of hosts that I knew had open netbios ports and seeing those ports come back as "filtered".

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  200. Re:DHCP? What a laugh by niekze · · Score: 1

    Just hack it once and install a script to update yi.org or dyndns.org or what not whenever the nslookup of the host is different than the current value. duh. thats what i used to reset ipnat on my openbsd box because my cable would drop in and out of signal threshold and i would lose my ip. But these other bot suggestions work too, but this would be easier. You could always have it send 3 ping packets to a certain host at a certain time and just monitor the ipf logs of the targeted host to determine the ip. Any of these ways defeat the stupid:

    "security through obscurity"

    hell, try to hax0r my box. now that i've gotten telocity i have a static ip, hax0r d00dz will try that shit and see that it's not gonna work. they will figure out that i don't have a redhat honey pot and they can move on to the next subnet. but like you said, dhcp didn't change too much with cable. but true security is a myth. you can only hope to reach farther than others in that great quest. apply those root exploit patches from 6 months ago and turn off BIND, apache, sendmail, samba and all that other stuff if you don't use it. There are many resources for securing linux and other OS's. they should offer that information to their windoze subscribers (the windoze info, not linux, since that wouldn't help windoze users too much would it) :)

    --


    Chaos, Mayhem, and Destruction: Not
  201. Re:Cable Modems and Broadband by bwhalen · · Score: 1

    dhcp as a defense is lame. If the ip of a computer changes, which is not that often on this network from what I hear, that is little defense. You come on the net, people will probe you. Once they get in with a trojan horse or sumthing, the numerical value of your ip doesn't mean squat.

    --
    Where do you want to be, What are you doing to get there.
  202. If this is true... by N2UX · · Score: 1

    ... Then why do 80% of the attacks (we get them nightly) come from machines on @home's networks?

    1. Re:If this is true... by photozz · · Score: 2

      Probly ping requests from Excite themselves looking to renew the DHCP lease. send the log in and see what they have to say.

      --


      Dirty Pirate Hooker
    2. Re:If this is true... by bhanafee · · Score: 1

      Not going to help. I actually have sent log files to them. No response whatever.

      BTW, @Home portscans seem to resolve back to machines with names like authorized-scan1.security.home.net, and lately they've been hitting NNTP ports pretty frequently. It seems they're more interested in making sure I don't violate my agreement not to run servers and soak up their upstream bandwidth than they are in actually securing their network.

  203. Re:"Safe" Win/Mac only, and Firewalling all servic by plague3106 · · Score: 1

    Yet they would still want to do that. Why not tell users they should turn it off, and tell them how? Especially since most likely an @home tech guy will be on site..he could do it just as easily. Winxx comes with SMB, not FTP. It's also a little easier to set up and use than FTP...and don't forget that NT is more secure than 9x.

  204. Re:It's true, what goes on "out there" is horrendo by Enigma2175 · · Score: 2

    If you can't differentiate between a ping request and a portscan, maybe you need to read up a little on TCP/IP. Here is a great place to start: The firewall forensics page. It is chock-full of commonly scanned ports (and tasty goodness!).


    Enigma

    --

    Enigma

  205. Worm by e_n_d_o · · Score: 1

    Um ok... sure. Wait till the next Internet worm comes around, taking advantage of some remote r00t exploit in Windows and takes down every wide-open win box permanently connected to the Internet. It's amazing how quick exponential algorithms grow, and if you just have every infected Windows box hack 2 more you've got a million dead billboxes in 20 cycles (yes I'm sure you already knew that). I'm entirely amazed this hasn't happened yet.

    I don't think it's excite's fault though. Broadband is *relatively* safe if you've got a locked down *nix box behind software and hardware firewalls, but it certainly took me a hell of a lot of time and energy to figure out how to do that right, and I'm still a novice when it comes to security. (I couldn't crack a Commodore 64 :-)) But DHCP isn't going to affect a worm that can touch every IP address available.

    Now if only all the Linux distros would start locking down their distros by default so that you can be safe as a Linux novice, I'd really appreciate it. I'd much rather have the inevitable worm target Windows than Linux.

  206. Re:Hope DHCP keeps away from me :( + what security by photozz · · Score: 2

    They have a class A, how many damn ip addresses do they need?

    Well,..when the traffic starts to overload in one network, they can subnet off and keep things at a manageable level. This really cuts into the # of available IP addresses. If they are aiming at millions of customers, a class A gets chewed up pretty quickly, thus DHCP scopes.

    --


    Dirty Pirate Hooker
  207. Re:"Safe" Win/Mac only, and Firewalling all servic by plague3106 · · Score: 1

    OK, it appears that YOU are one of the dopy people who are exporting Windows file sharing to the world.

    If you like, i'll give you my IP and you can see just what i have exported.

    Well, don't be surprised when some kiddie attacks your Win9X box.

    Ya, they can do ALOT of damage getting to my mp3 directory, even had i been exporting it. Even if i were to export it, i'd not be giving just anyone access. My win95 box is VERY secure; i don't have one to break into. The box with the cable modem hook up is linux, and each share can only be accessed by certain users, and from certain IPs. The internet is not in those ranges.

    You've got to realize that people who do enable file sharing over a persistent broadband connection in fact ARE inconveniencing the rest of us. Why do you think @Home got blacklisted? It's because too many of their users had their boxes cracked and turned into spam relays, and @Home didn't do anything to correct the problem.

    Oh, gee silly me thinking it was @Home's mail servers that were open. Or someone incorrectly setting up a mail server. No, they did it ALL with only windows file sharing. Quite a feat i'd imagine. Of course it's possible, but to argue that they use that and that alone to do it is highly unlikely. You'd only probably be in real danger if you share your entire harddrive with full access without a password. Since home networks are still fairly uncommon, i doubt many people would do that. Incidentally, why is it my fault that someone broke into your machine and setup a spam relay? It's partly your fault i'd think but most of the blame rightly remains on the person doing the cracking.

  208. Firewalls for the masses? by Tassach · · Score: 2
    I agree with you that cable modem providers need to do more user education about security. That being said, installing something like Zone Alarm or Norton Internet Security is pretty much asking for a support NIGHTMARE.

    Every clueless luser who installs a personal firewall is going to go batshit that they are being "attacked" 10 times a day. Logging is a Good Thing, but ONLY if you know how to read the fscking logs. I've played with a couple of personal firewall tools for windoze. These kinds of mass market programs need to install with minimal/no logging as the default, to help manage the "chicken little" syndrome. The alternative is to build in AI heuristics that can distinguish between random portscans and a real attack.

    I have a cable modem router. It doesn't do any logging. On the windows box behind the router, I run AtGuard. Ever since the router went up, AtGuard's logs have stayed empty. If an "attack" doesn't get past the router, it doesn't get logged. That's fine with me; I'm not worried about script kiddies who are too dumb to source route through a simple NAT box. If anything DOES get thru and shows up in my AtGuard/ipchains logs, I'm DEFINITELY going to pay attention!

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
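
Several comments in this thread turn on telling a ping from a port scan in firewall logs, and on heuristics that separate background noise from something worth attention. As an added example (not code from any poster or product), the Python below groups dropped-packet entries by source and labels each source by how many distinct ports it touched; the log format, addresses and the five-port threshold are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample in a made-up format (not ZoneAlarm, AtGuard or ipchains output).
SAMPLE_LOG = """\
2000-09-01T02:14:07 DROP proto=ICMP type=8 src=198.51.100.1 dst=203.0.113.20
2000-09-01T02:44:07 DROP proto=ICMP type=8 src=198.51.100.1 dst=203.0.113.20
2000-09-01T03:01:10 DROP proto=TCP src=198.51.100.77 dst=203.0.113.20 dport=21
2000-09-01T03:01:10 DROP proto=TCP src=198.51.100.77 dst=203.0.113.20 dport=23
2000-09-01T03:01:11 DROP proto=TCP src=198.51.100.77 dst=203.0.113.20 dport=25
2000-09-01T03:01:11 DROP proto=TCP src=198.51.100.77 dst=203.0.113.20 dport=80
2000-09-01T03:01:12 DROP proto=TCP src=198.51.100.77 dst=203.0.113.20 dport=111
2000-09-01T03:01:12 DROP proto=TCP src=198.51.100.77 dst=203.0.113.20 dport=139
2000-09-01T04:12:00 DROP proto=UDP src=192.0.2.45 dst=203.0.113.20 dport=27960
2000-09-01T04:12:05 DROP proto=UDP src=192.0.2.45 dst=203.0.113.20 dport=27960
this line is damaged and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP proto=(?P<proto>ICMP|TCP|UDP)"
    r"(?: type=(?P<type>\d+))? src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?$"
)


def parse(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, scan_threshold=5):
    """Label each source address by what it sent.

    'ping only'            - nothing but ICMP echo requests (type 8)
    'single-service probe' - fewer than scan_threshold distinct ports
    'port scan'            - scan_threshold or more distinct ports
    """
    ports = defaultdict(set)   # src -> {(proto, dport), ...}
    pings = defaultdict(int)   # src -> count of echo requests
    for e in events:
        if e["proto"] == "ICMP":
            if e["type"] == "8":
                pings[e["src"]] += 1
        elif e["dport"] is not None:
            ports[e["src"]].add((e["proto"], int(e["dport"])))

    labels = {}
    for src in set(ports) | set(pings):
        distinct = len(ports.get(src, ()))
        if distinct >= scan_threshold:
            labels[src] = "port scan"
        elif distinct > 0:
            labels[src] = "single-service probe"
        else:
            labels[src] = "ping only"
    return labels


if __name__ == "__main__":
    for src, label in sorted(classify_sources(parse(SAMPLE_LOG)).items()):
        print(f"{src:15} {label}")
```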
  209. Firewall by Zerothis · · Score: 1

    The hub router I have, mainly for sharing my cable modem with every computer on my network, has a firewall built-in. Just enter a few numbers, and tada, the firewall is active. Of course, I then have to enter more if for IRC and stuff, but I'm off the subject. If a hub router can have a firewall built-in, why can a broadband modem have a firewall built-in?

  210. Re:Sympatico VS Rogers@Home by linuxbert · · Score: 1

    i get max speed on sympatico all the time..

  211. Trying to get myself fired here... by lanner · · Score: 1

    If I may be so bold as to bash the company for which I am employed. Frontier was purchased by GlobalCrossing awhile back.

    Check out this page as it is on Frontier's ad for DSL. I thought that it was pretty funny.

    http://www.frontierlightninglink.com/fun/fun.shtml#secure

    "Secure

    Cable modems leave your computer vulnerable to others accessing your private files.

    Not so with Frontier LightningLink. Your connection to the internet is dedicated and secure. You can leave your computer on all day with no worries about whether someone is looking at the private files on your personal computer."

    Yea!

  212. Not true. by Al+Wold · · Score: 1

    This is completely untrue. I get at least 3 portscan attacks per week from other home.com hosts alone, not to mention others. I think the idea of the cable modem just attracts a lot of shady l33t d00dz who like to sit around and run portscans all day since they have nothing better to do. I have to say, their service is really going downhill. It's almost to the point that I'd go back to dialup, since there are no other high speed options in my area.

  213. That's not what I said... by NNKK · · Score: 1

    Read it again, I said DHCP refuses to work correctly with linux, not @Home. I use @Home, and am a linux user, but I can't use DHCP, but there's no reason to anyway at the moment.

  214. Re:DHCP? What a laugh by nihilogos · · Score: 1

    And to top this off optus@home actually names your machine on their network (customer id number) so it doesn't make any difference what ip number it has assigned.

    --
    :wq
  215. Reminder by skatalite · · Score: 1

    Note to self: Turn off my firewall, purchase @home access, and use their dhcp/self healing network because they are on top when it comes to security. Oh wait..I said that about time warner...then i got raspberry jammed.

    1. Re:Reminder by photozz · · Score: 2

      Only one man would give me the raspberry.......

      --


      Dirty Pirate Hooker
  216. My firewall kicks ass... by defaultXIX · · Score: 1

    I use at home, if im not around i just un plug the wire, lay it on my desk. Try portscanning me now!!

  217. sunrpc (was Re:DHCP? Yes. Changing IP? No.) by Anonymous Coward · · Score: 1

    sunrpc is Sun's Remote Procedure Call. It forms the basis of many UNIX services, especially NFS (Network File System). However, RPC is extremely dangerous when left exposed to the Internet, which leads to frequent compromise of servers based upon Sun Solaris and Linux. RPC should never be exposed to the Internet. close down NFS, portmap, NIS and anything rpc.* which you aren't using (if you don't know if you need it or not, you don't need it... turn it off!)

  218. DHCP, Safe? by Ghost_5316 · · Score: 1

    I personally have a DHCP server in my house(so more than one person can access the internet at a time) and my computer (which isn't the dhcp server) was hacked, and called 911.. but anyways, if someone can get through DHCP so easily to my computer, then how can it be "safe" ?

  219. Re:DHCP? Yes. Changing IP? No. by Enigma2175 · · Score: 2

    Sunrpc is remote procedure call, which is a VERY DANGEROUS service to leave open. It is used primarily for NFS(Network Failure^H^H^H^H^H^H^ile System)and NIS(Network Information System), which is basically the same as windows file shares. Usually you don't have NFS mounts available by default, but on some systems you might. Yes you should learn about IP chains. Here is a great site that will custom-build you a firewall on the fly. Firewall Forensics is also a great page to find out what port scans are looking for. Be careful, I see quite a few scans for RPC in my logs, if you leave it open, you will be compromised sooner or later.


    Enigma

    --

    Enigma

  220. Plethora of attacks by DuckWing · · Score: 1
    Idiots! after I implemented my firewall ( Edge FirePlug) for my @Home connection, I watched as a whole wave of attacks went through my logs. Most of them were from other @Home users, but some were from as far away as Germany and Australia!

    I wrote an article on it for O'ReillyNet.

    As usual, @Home is full of it and needs to hire people who know what the hell they are doing.

    --
    -- DuckWing
  221. fun @home by linuxbert · · Score: 1

    heheh
    1. walk up to an in-mall demo of the @home service (in Ottawa, Rogers cable)
    2. pull out your trusty floppy, with 1 promiscuous mode packet sniffer
    3. use said program, people will wonder what you're up to, and look over your shoulder
    4. explain to them that what they see is all the traffic on that segment of the @home Network
    5. point out bob749's password as he ftp's to some porn server
    6. tell them "oh yah, it's very secure"

    enjoy the look on rep's face...

  222. Security Vs. Usability. by etymxris · · Score: 1

    A truly safe distribution would be locked under 50 feet of cement and never turned on, lest its data possibly be altered by evil crackers. But I actually want to use my computer, so I care very little about security on my machine. Even maintaining moderate security can take many hours I just don't have, or that I'd rather spend doing something useful, such as creating programs, rather than just protecting the ones I have. People too concerned about security remind me of people too concerned about diet. If you count every ounce you eat, and spend most of your time exercising, you'll be fit and healthy, but you'll only get about 2 hours a day to enjoy it. Me, I enjoy 4 hours a day (besides work) in sloth and laziness. I don't want to become wrapped up in diet so much that I lose sight of the end goal, enjoying life. I don't want to become so wrapped up in security that I lose sight of the end goal, using and enjoying my computer.

  223. Sympatico VS Rogers@Home by linuxbert · · Score: 1

    up here in Ottawa, the cable companies were running ads about download rigor mortis, i.e. stiffening of limbs that occurs while waiting for downloads to complete.

    the local DSL provider started running ads where the family bought the whole neighborhood so they could get fast, secure access.

    heheheehhehe

    1. Re:Sympatico VS Rogers@Home by douper · · Score: 1

      You haven't heard the new ones? I guess they are just mostly on X FM (owned by Rogers)

      - new download rigor mortis one (TV)
      - new one about arcades coming back into style due to slow internet connections over the phone and the Canadian mint releasing a commemorative coin (Radio)
      - new one about how cable is more secure than the phone line (the one I was originally talking about)

      I listen to the radio a lot when I'm driving to school during rush hour =) (Vanier->Carleton U)
      oh well, enough procrastination... back to studying.

    2. Re:Sympatico VS Rogers@Home by linuxbert · · Score: 1

      x fm sux,
      1 owned by teddy boy
      2 play the same damn song 5 times in 6 hours

      oh and ahem, i do Stittsville to Algonquin's Rideau campus daily..
      by bus.
      :)

  224. Everyone blames things on viruses. by Perianwyr+Stormcrow · · Score: 1

    I prefer to blame things on "general fuck-up propensity". I'm usually right, too.

    --Perianwyr Stormcrow

    --

    What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey

  225. Windows 98 security by cameldrv · · Score: 1

    How can a default install of Win98 be remotely "rooted"? I'm sure there are DOS attacks, but without installing a trojan or using an insecure email client such as Outlook, I'm not aware of any common exploits. Care to enlighten me?

    1. Re:Windows 98 security by Jeremi · · Score: 1
      I'm not aware of any common exploits. Care to enlighten me?

      The "elf bowling" attack works surprisingly well.... -Jeremy

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
  226. Re:It's true, what goes on "out there" is horrendo by photozz · · Score: 2

    Well, he said "attack attempts", not specifically portscans. I know I was a little freaked out at getting 30+ alerts on my first day running a firewall, and found out later most of them were just ping requests.

    --


    Dirty Pirate Hooker
  227. Big Brother by wpc4 · · Score: 1

    "...ought to frighten the broadband providers into pushing at least simple firewall software themselves perhaps." To a point this is true, but I don't want Big Brother ISP protecting me from myself either. I get that enough from the government. Though having them supply something like Zonealarm (which is free) wouldn't be too bad. As long as it went no further.

  228. DHCP no defense against Trojans by jones_skeeter · · Score: 1

    We are a small ISP with Network ICE Sentry monitoring one of our backbones. We see regular events from people infected by the Sub7 trojan. You can change your IP address, but you can't hide. (I hear you can get a desktop version of this IDS as well with a personal firewall).

  229. How good is the service? ask the techs... by linuxbert · · Score: 1

    i have a friend who is in tech support at the local @home call center

    he uses the competing DSL from the phone Co.

    most DSL techs i know, use the service they support..
    hmmmmm....

  230. Re:Rogers@Home (AT&T competing) by Enigma2175 · · Score: 1

    Actually, there have been some news reports about AT&T breaking up into 4 different companies. Maybe they are just gearing up for the future :)


    Enigma

    --

    Enigma

  231. Hack Resistant firewall by dawg+of+the+south · · Score: 1

    I was browsing the net the other day and found a great little white paper on how to make a Linux-based firewall out of an old Pentium computer (with the addition of 2 network cards).
    It is a pretty sweet addition for any cable modem or DSL line. It allows the user to use the service with unlimited computers on the inside (well, not more than 253).
    It was a pretty good way to relive my old P75, but most anywhere you can pick up a Pentium 100 for 30 bucks at a garage sale and two 10/100 network cards for 20 bucks each.
    http://www.emacinc.com/white_papers.htm


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    --


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Some people are alive, only because it is against the law to Kill them!
  232. DHCP != security by Platinum+Dragon · · Score: 5

    DHCP just makes you a slightly moving target, and if an attacker is looking for victims, they probably won't restrict their portscans and probes to single addresses, but IP ranges. I occasionally do a sweep of my university's residence network just for yuks, and I've run across a few unsecured boxen, Windows and Linux alike (the guy in Pitman Hall who just installed Debian, this means you!)

    However, there are some simple ways to make your broadband connection a little bit less like swiss cheese:

    1) Disable file sharing and remote login - Running Windows? Take a look for any folder or file with that little hand icon, and un-share them. Even better, just go into Control Panel -> Network and shut it off completely. Don't think passwords on your shares will help you, as a recent bug was discovered in Win9X share-level password protection where a one-byte character string can be used to bypass a protected share should that byte happen to match the first byte of the actual password. If you're on Linux/*BSD, for the love of Bob shut off NFS, ftpd, telnetd, Apache, and the like until you know what you're doing! Can you say "backdoor"? Even experienced admins leave the occasional hole, and default installs aren't often known for being secure (OpenBSD people, stuff it while I make a point for everyone else:).

    2) Don't let anything run automatically - Java and ActiveX in IE and Netscape installing and running automagically? Kill it. Auto-DCC in IRC clients? Un-auto it. Run attachments on preview in Outlook, or run macros in Word documents? You know the drill. Don't let a damn thing run automatically unless you actually know what's taking place. If I ever see LIFE-STAGES.TXT offered to me by DCC again, I'm going to reach through the monitor and shove a virus scanner up the patoot of the victim. The world doesn't need another Melissa or backdoor being passed around just by opening an e-mail in a brain-dead-by-default program.

    3) Check for patches and follow directions - MS didn't tell people to change their Outlook settings while it took them a month to patch the program in the wake of ILOVEYOU because it was fun for everyone. Red Hat isn't releasing megs of updates for Red Hat 7 so you can sit there and kvetch about buggy .0 releases. You don't think the latest macro virus craze can get you? Think again, spam-boy; why do you think Unix/Linux vendors have been going batshit looking for format string holes in their software offerings? The exploits may be merely theoretical, but it's best to close them up before the theoretical becomes practical (with apologies to the L0pht).

    4) Extra steps if you're really careful and/or paranoid - Old 486: $50. Geek on a caffeine high: $5, $0 if s/he's already jacked on coffee. OpenBSD or Slackware burned on a CD: $0. A kickass firewall to confound the kiddiez with the latest 'sploits and nmap: priceless.

    5) Ignore the DSL/cable pissing contest - Nothing to see here, move along...

    I'm glad to say most cable installers where I live have a brain, and hence make sure filesharing is turned off in Win9x when they set up your system. Linux/BSD geeks usually have to take matters into their own hands, but most usually know enough to at least kill nfsd and ftpd if they're not going to be used. (Incidentally, this is also why Red Hat and others need to stop enabling every conceivable service by default.)

    Closing your box off to kiddies is actually pretty easy. However, back-patting fluff like this Excite dropping does way more harm than good by instilling that false sense of security that leads people to think it's OK to let attachments run automatically, or leave all those services running on their new Mandrake box. Hard advice is better than press releases and misrepresenting technologies as security measures.
    -------------

    --

    Someday, you're going to die. Get over it.
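A way to check step 1 of the comment above on a Linux box, as an added example rather than anything posted in the thread: it reads `netstat -tuln` output and lists the services the comment names (plus portmap and NetBIOS file sharing) that listen on a non-loopback address. The sample output and the port table are constructed for illustration.

```python
# Well-known ports of the services the comment says to shut off unless
# needed, plus portmap/sunrpc and the Windows file-sharing port.
RISKY_PORTS = {
    21: "ftpd",
    23: "telnetd",
    80: "httpd (Apache)",
    111: "portmap/sunrpc",
    139: "NetBIOS file sharing",
    2049: "nfsd",
}


def is_loopback(host):
    """True for addresses reachable only from the machine itself."""
    return host.startswith("127.") or host == "::1"


def exposed_services(netstat_output):
    """Return (proto, address, port, service) for risky non-loopback listeners."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, column header or unrelated line
        proto, local = fields[0], fields[3]
        if proto.startswith("tcp") and fields[-1] != "LISTEN":
            continue  # only listening TCP sockets accept new connections
        host, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        port = int(port)
        if port in RISKY_PORTS and not is_loopback(host):
            findings.append((proto, host, port, RISKY_PORTS[port]))
    return findings


# Constructed sample of `netstat -tuln` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.2:23          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
"""

if __name__ == "__main__":
    for proto, host, port, name in exposed_services(SAMPLE_NETSTAT):
        print("%-4s %s:%d  %s is reachable from the network" % (proto, host, port, name))
```

A listener bound to a LAN address such as 192.168.1.2 is still reported, because on a shared cable segment that interface may be reachable by neighbours.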
  233. Re:Hope DHCP keeps away from me :( + what security by cybereye · · Score: 1

    well, according to the ARIN whois, the 24.0.0.0 address space is owned by the entire @home network. Your local @home provider only has a single subnet of that large class A.

    Where I live (Toronto, ON), we still have the option of using static or dynamic addressing. They both provide the same IP address, and with how many times their DHCP server goes on the blink, I am quite happy to use a static IP. In terms of security advantages, since both provide the same IP, I don't get any type of additional security.

    One thing that you pointed out that must be re-mentioned. All of the people that are looking to do damage to your computer, are not after your computer individually. They are after a computer, with weak security, to have some fun with.

    That's my $.02

  234. Safe, HA!!! by hashish · · Score: 1

    I'm using Optus@Home and all someone has to do is break into my computer, get my Optus@home hostname and then they become me. If they abuse my account, I'm the one who gets kicked off!!

    Now if there is no security, how would you stop someone getting this??

  235. Reality by onyxruby · · Score: 1

    6/10/2000 Became a cable modem user. 8/30/2000 Over 5500 unique IP addresses tried to break into my computer, not counting pings. This is a personal account, not hosting anything. There is nothing to attract interest. 'nuff said.

  236. With proper inflection, their words are true by Anne+Marie · · Score: 2

    If a customer operates the computer in a safe manner, there shouldn't be any problem.

    Indeed. Any computer that's sitting with its bare ass out on the net with a static (or even dhcp-assigned) address with all ports open, unnecessary services running, and without a firewall for protection, is just begging to be pillaged.

    It's like sex. Would you have sex without a condom or suitable barrier? You might out of laziness (or the mistaken thought that you're not getting the full experience), but if you do, nine times out of ten, you'll be coming home with an STD. It's the same with firewalls and network security. You might not run one out of laziness, or the mistaken thought the firewall will impede your performance by constraining your movements, slowing down your "bandwidth", or impeding your access to others' ports, but nine times out of ten, you'll be coming home with a cracked box.

    I tell all my lovers, "No glove, no love", and I encourage all of you to tell your sysadmins, "No firewalls, no thigh-or-balls, er, I mean, no service."

    --
    -- Anne Marie
  237. safe from hackers by Sakke · · Score: 1

    well, my local ISP that provides me ADSL told me the same, that I'd be quite safe from hackers etc. if I used "grey" IP and DHCP. But that didn't suit my needs, so here I am. Gladly I have ipchains running and all unnecessary services disabled... at least some security.

    --
    ound the message used repetitively over and over still nothing grows silen
  238. Ford Declares Pinto Safe by vheissu · · Score: 1

    Ford executives today declared the much maligned Pinto to be entirely safe and sound. "If people operate the car in a safe manner, it will be safe," Ford CEO Henry Edsel Ford IV said in a press conference today. The Ford administration cited a lack of customer education, and claimed that "The risk is much greater in the customer's mind than in the real world." "For example, as a basic precaution all other traffic should be avoided, reducing risk of rear end collisions. Reverse gear should never be used, as the risk of colliding into stationary objects is much greater while backing up. As part of the final dealer checkup, we are careful to remove all fuel from the tank. Customers should be advised that they fill the tank at their own risk." Other safety precautions cited by Ford engineers included the car's ability to move quickly and make sharp turns. "Since it is a moving target, it is much harder for no-good-niks to hit. For this reason, we were able to ignore the need for any sort of structural protection."

    --
    /* This post not warrantied for mission critical applications. */
  239. Re:It's true, what goes on "out there" is horrendo by Rusty+Foster · · Score: 2

    These personal firewall systems are really starting to piss me off. Now millions of instant "security experts" can shriek every fucking time they get a ping. At home, you'll know you've been r00ted when mysterious traffic starts showing up on your modem or router. Sure, you've noticed someone scanned you, but WTF do you do after that? Send a complaint to the netblock maintainer? Hah, like they care that someone from their thousands of systems ran a portscan on someone in 24.x.x.x!

    At work, your firewall *should* be good enough. Reporting abuses of your network to the maintainer of that netblock may actually produce some results. You *should* have some qualification (read: you know what you're talking about), be able to speak that person's lingo, and *should* have some well documented log excerpts to show a clear pattern of abuse, not some untraceable and/or forgivable indiscretions.

    That's my $0.02.
    --
    There is no K5 cabal.

    --
    There is no K5 cabal.
    I am not the real rusty.
  240. I walk the streets naked and let anyone fuck me. by Anonymous Coward · · Score: 1

    I walk the streets naked, while blindfolded and let anyone fuck me and probe all my orifices, while using no protection whatsoever. Gee, why do I have all these viruses and diseases?

  241. I use Zonealarm by tarbabyxxxx · · Score: 1

    Hi, I use the free firewall Zonealarm which does a very good job. Everyone must use security software and good security practices on the internet.

    --
    Will the last company to abandon Linux please turn off the lights??!
  242. Why wait until you're finished? by ptbrown · · Score: 2

    Fnord.

    --
    Any sufficiently advanced civilization is indistinguishable from Gods.
  243. Re:"Safe" Win/Mac only, and Firewalling all servic by Nastard · · Score: 1

    As an ex-@home (att) employee, I can tell you that the blocking of ports is, for the most part, a myth. I only dealt with AT&T@Home, so I don't know about the other cable providers, but I can personally attest that no att customer has *any* blocked ports. If there is a service blocking ports, it's because the cable company themselves blocked those ports. Excite@Home has nothing to do with how the MSOs configure their hardware.

    On the issue of security, it's almost funny to hear people talk about how dangerous it is to leave your computer on if you have cable or DSL.
    SpeedGuide.net has a good article about cable/DSL security.

    To sum up the security issue; there is no discernable difference between the security of a cable modem and the security of a 56k, aside from the VLAN (virtual local area network) setup of a cable modem.

    Want to protect yourself? Disable file and print sharing, don't accept files from people you don't know, scan for viruses every so often, and avoid emails with a subject line of "I Love You". It really is that simple, believe it or not.

  244. (-1, Sarcastic) by the+real+jeezus · · Score: 1
    So PacBell is gonna foil those 1337 h4x0rz again by using DHCP. I feel safer already:

    With a dynamic IP address, a computer's "location" on the Internet is periodically changed, thereby...

    Wow. They move you to a different part of the "Information Superhighway" and the l337 ldd33z have to ask for directions. I have DSL through a baby bell I don't want retaliation from, and I have been scanned within minutes of getting my IP from the DHCP god.

    So basically the marketing guy did his job and lied for the reporter. He should get a job working for Bush.

    Do you hate other human beings?

    --

    Ewige Blumenkraft!
  245. If you are on a cable modem, I'd recommend... by wilkinsm · · Score: 2
    ...one of these. Makes me sleep better at night. I actually got the 10/100 5-port switching version because I have a home LAN to protect (and masquerade.)

    Software upgradeable, and _a_lot_ easier to set up than a dedicated Linux box with ipchains.

  246. Safe my ass... by verbatim · · Score: 2

    I believe I am as safe as I need to be. I don't type it in and no one can get it. I type it in, anyone should be able to get it - even if they have to break into my computer to get it. Mind you, I have _some_ protection (eg. a nicely setup firewall).

    If you don't want people to see your porn surfing habits, don't go to porn sites. They don't need to hax0r your computer to create a click-stream of your online-exploits (doubleclick?).

    If you don't want someone to steal your credit card #, call your order in or go to the store. You could also, if you trust it, use encryption. Even if you call in your order, you have to TRUST the other end.

    The BIGGEST thing we cable users face is DOS attacks. Because we are online for long periods of time we often keep the same IP address for the same long time period. This makes it easy for someone to DOS attack us and be very effective. For the record, my cable IP has not changed in 9 months, and only changed once when they swapped my modem for a newer model.

    It's interesting (as a user) to telnet into the firewall and watch the hits go by. I set up a small script to count the number of incoming DOS attacks (including BO, Netbus, WinNuke, Smurf, etc) and the bandwidth they consume and sent the numbers to my ISP. I turned on my internal DUMMY MODE and did not let on what I really knew (I said "a lot of weird stuff is coming thru my pipe"). They LIED and said it was "standard internet traffic" (okay... maybe it's normal to get nearly 1MB/s of DOS attacks 24/7.. I dunno). I called back and told them what I did (firewall, logging, etc) and they didn't believe me at all. I even e-mailed them the logs and they asked me what they were supposed to do with 'em. Jeez. I finally broke down and set the firewall to ignore those packets again, but @Ho.. err.. I mean... my un-named ISP refused to do ANYTHING... They didn't acknowledge the problem, they didn't offer to change my DHCP entry to give me a new IP (as I said before.. I have a non-changing DHCP IP), or help trace the source of the attacks... NOTHING.

    Oh well. I'm paying $40/mo for a service that pisses me right off.. but it's cheaper than DSL in my area so.. pfft.

    Whatever.. nevermind...

    Verbatim

    --
    Price, Quality, Time. Pick none. What, you thought you had a choice?
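The kind of tally described in the comment above, as an added example and not the commenter's script: it counts blocked packets, bytes and distinct sources per probe type, and keeps plain pings separate from port probes. It assumes the firewall logs in the ipchains `-l` kernel format; the sample lines, addresses and port labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: ipchains "-l" kernel log format. For ICMP (PROTO=1) the
# type and code are logged where the source and destination ports go.
LOG_RE = re.compile(
    r"Packet log: \S+ (?P<action>\S+) \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) [\d.]+:(?P<dport>\d+) L=(?P<length>\d+)"
)

# Default ports of services and trojans named in this thread,
# keyed by (IP protocol number, destination port).
LABELS = {
    (6, 111): "sunrpc/portmap",
    (17, 111): "sunrpc/portmap",
    (6, 139): "NetBIOS session (WinNuke target)",
    (6, 1080): "SOCKS proxy",
    (6, 12345): "NetBus",
    (6, 27374): "SubSeven",
    (17, 31337): "Back Orifice",
}
PING = "ICMP echo request"


def classify(proto, sport, dport):
    """Map protocol number and ports to a human-readable probe label."""
    if proto == 1:
        return PING if sport == 8 else "ICMP type %d" % sport
    return LABELS.get((proto, dport), "other (proto %d, port %d)" % (proto, dport))


def summarize(lines):
    """Return {label: {"hits", "bytes", "sources"}} for blocked packets only."""
    summary = defaultdict(lambda: {"hits": 0, "bytes": 0, "sources": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m.group("action") not in ("DENY", "REJECT"):
            continue  # not a packet log line, or the packet was accepted
        label = classify(int(m.group("proto")), int(m.group("sport")),
                         int(m.group("dport")))
        entry = summary[label]
        entry["hits"] += 1
        entry["bytes"] += int(m.group("length"))  # L= is the packet length
        entry["sources"].add(m.group("src"))
    return dict(summary)


def probing_sources(summary):
    """Distinct source addresses, not counting hosts that only pinged."""
    found = set()
    for label, entry in summary.items():
        if label != PING:
            found |= entry["sources"]
    return found


# Constructed sample log using documentation address ranges.
SAMPLE_LOG = """\
Nov  7 02:11:01 fw kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:1044 203.0.113.10:31337 L=47 S=0x00 I=4101 F=0x0000 T=112 (#4)
Nov  7 02:11:09 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:3021 203.0.113.10:12345 L=48 S=0x00 I=4102 F=0x4000 T=112 SYN (#4)
Nov  7 02:13:40 fw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.55:8 203.0.113.10:0 L=84 S=0x00 I=911 F=0x0000 T=240 (#4)
Nov  7 02:13:41 fw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.55:8 203.0.113.10:0 L=84 S=0x00 I=912 F=0x0000 T=240 (#4)
Nov  7 02:20:02 fw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.80:2200 203.0.113.10:111 L=60 S=0x00 I=77 F=0x4000 T=52 SYN (#4)
Nov  7 02:25:17 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.23:4410 203.0.113.10:1080 L=48 S=0x00 I=300 F=0x4000 T=110 SYN (#4)
Nov  7 02:25:18 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.80:2201 203.0.113.10:22 L=60 S=0x00 I=78 F=0x4000 T=52 SYN (#2)
Nov  7 02:30:00 fw kernel: eth0: link up
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for label, e in sorted(report.items(), key=lambda kv: -kv[1]["hits"]):
        print("%-34s hits=%d bytes=%d sources=%d"
              % (label, e["hits"], e["bytes"], len(e["sources"])))
    print("probing sources (pings excluded):", sorted(probing_sources(report)))
```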
  247. Already firewalled (-1 Offtopic) by The+Famous+Brett+Wat · · Score: 1

    The Australian Excite@Home (provided by Cable and Wireless Optus) already has at least one annoying firewall-like feature that has nothing to do with security. They implement so-called "transparent proxying", meaning that all outgoing connections on port 80 go via their proxy box, regardless of your browser's proxy settings. This has had me spitting chips on one occasion when their proxy died. On other occasions it's merely annoying, because you're never quite sure whether it's dishing up data that is actually current.

    --
    proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
  248. Secure? not even close by ninjalex · · Score: 1

    I get 5-10 hits a day from spammers trying to hit port 1080. On a stock win98 system I'd be an unknowing little spam relay. I also get 3-4 scans a day from @home's 'security' boxes looking at port 119. Using a Linux box as a firewall/router helps with most script kiddies, and all the 'security scans,' but if someone really wants, they'll get in. I don't think that's @home's problem. If we put our boxes' security in their hands, there goes what little freedom of use we have now, considering the medieval AUP that is in place. The service would become nothing more than REAL fast WebTV.

    --
    Banned from moderation 01-27-2002. Fuck you too /.!
  249. Re:It's true, what goes on "out there" is horrendo by mrowlands · · Score: 1

    Please define attack. A lot of the "attacks" (approx 3-4 a day) I see are no more or less than pings. OK, they are pings pointed at particular ports where vulnerabilities may lie, but it is still just a ping. Over the last 10 months, only one of these vicious attacks from an evil master cracker has been followed by any activity indicative of more than a rudimentary intelligence. The dangers are vastly overstated, mostly by people who do not know what they are talking about, usually, in my experience, in an attempt to impress people who know even less.