Slashdot Mirror


Excite@Home Claims Broadband 'Safe'

photozz writes: "Ya know it's rare when an article can get me angry, but this has managed. Cable provider Excite@Home claims that their users are 'relatively' free of attack from hackers due to DHCP, and say you should only be concerned if they are storing private information on their PC's. From the article: 'The fear created in consumers' minds is actually greater than the risk that exists,' he said. 'If a customer operates the computer in a safe manner, there shouldn't be any problem.'" Perhaps not surprising that @Home would downplay the risk, but photozz is right -- the fear in broadband customers' minds ought actually be higher, not lower. BackOrifice, zombie attacks etc., ought to frighten the broadband providers into pushing at least simple firewall software themselves perhaps.

23 of 356 comments

  1. DHCP a vulnerability in itself by state*less · · Score: 3

    DHCP is actually a weakness for a well trained hacker. In case you haven't read some of the papers I direct you to:

    http://www.3com.com/technology/tech_net/white_papers/503011.html

    Basically describes how a well trained hacker can act as a DHCP server, thereby giving the victim whatever IP it wants or, worse, give it a DNS server run by the hacker, which opens up all kinds of possibilities (i.e. fake websites, ftp sites, you name it).

    Time is Change.

  2. Re:not to be a bitch... by drsoran · · Score: 3

    I agree. OpenBSD is absolutely beautiful for a cheap home NAT'ing firewall. I found myself one of those nice Siemens Linux terminals (IDT 200MHz Winchip, 64 megs of ram, built in ethernet and SVGA onboard) on an onsale.com auction, popped an old 545 meg hard drive into it and two $15 Realtek PCI ethernet cards (also via onsale) and voila. OpenBSD firewall box complete with onboard third interface for services network. ;-)
    I highly recommend this to even the most bigoted Linux advocates. I was one of them before I tried it. Linux is fine for my desktop box but I'll make damn sure from now on it'll stay behind my OpenBSD firewall on my DSL. :-)

  3. DHCP? What a laugh by joshv · · Score: 3

    DHCP is used as a convenience for the ISP, allowing them to reallocate IP addresses dynamically, but they tend to re-allocate infrequently. My cable modem has given me the same IP address for over 6 months.

    Even if used to re-assign IP addresses on a regular basis DHCP is not a security feature. Your box only needs to be up long enough to be cracked. The fact that your box might not be at the same IP address tomorrow makes it a slightly less attractive target, but I am sure a smart cracker could install something that would allow them to find you at whatever IP address you happen to have.

    -josh

  4. @Home Security Issues by gamorck · · Score: 3

    To put it rather bluntly:

    Personal Computer Security is NOT the responsibility of the ISP. If you acquire broadband service in your home - then you have also acquired with it the inherent responsibility to protect your computer system from the would-be hackers of the internet. Why should it be the ISP's problem? They only provide the connection, not the content. By that same logic it seems rather short sighted to turn around and say they must secure your computer from the content you choose.

    The term "Personal Computer" means just that - a personal computer. But when you place that computer at a permanent address on the internet - you are taking your chances and it is YOUR responsibility to minimize those chances.

    Example: Let's say you buy a new mailbox and leave it sitting on your kitchen table inside your house. Well after a few weeks it becomes apparent that the mailbox is fairly useless without access to the outside world (aka the internet) so you place it on your front lawn and begin to send and receive mail.

    So what happens when some punk kid starts swiping social security checks from mailboxes? Hmmmmmm..... yeah it's illegal but would you even consider blaming the US Postal Service for something that is obviously your problem? (Solution: get a PO Box)

    People need to start taking responsibility. If you have a permanent, fast connection to the internet take the extra time to learn a little about computer security. If you don't want to care about it, or if you can't fathom opening a book and actually finding out just how your computer works, or you are one of those dimwits who actually paid money for an emachine - unplug the network connection NOW.

    Too many people in America are content to simply bitch and moan rather than stand on their own two feet and do something about it. Perhaps you guys can solicit the aid of Al Gore - I'm sure he'll be more than happy to put your computer into his precious little lockbox, right along with trillions of dollars in so called Social Security money you'll never see again.

    In essence - people have confused the term "Internet Service Provider" with "Internet Security Provider" or perhaps in this case even "Internet Safety Provider".

    Gamorck
    "Flame at will"

    --
    I love idealists not because I am one, but because they make life bearable for pragmatists such as myself.
  5. I was cracked by cybersquid · · Score: 3
    As Bender might say, Safe my shiny metal ass.

    I'm an @home user. Before I learned the value of having a firewall (LRP rocks!), I was cracked once (IMAPd) and had my DNS killed (BIND buffer overflow; killed the daemon but didn't get root-kitted).

    Based on my friends logs, an @home customer can expect constant port scans.

    Don't get me wrong - I like the service; people just shouldn't run unsecured systems. (For that matter, nor should you leave the keys in your car. ;-)

    If your O/S is inherently unsecure (like Windows), I would definitely employ a firewall. I use LRP (I like the control), but I know folks having good luck with those cute LinkSys units.

  6. DHCP is for ease of use... by sulli · · Score: 4
    NOT security.

    I work for a major ISP that offers DSL service, and we use DHCP to allocate IP addresses. We do this because it's a pain to type in your IPs, particularly for mobile users, and because it does help allocate IP addresses a bit more efficiently. It's not a protection against someone who scans a pool of IP addresses looking for open shares, as the "911 Worm" did some months ago. Just for IP allocation, that's all.

    --

    sulli
    RTFJ.
  7. Re:DHCP != security by Platinum+Dragon · · Score: 3

    How about adding ALL: ALL to /etc/hosts.deny? Is there a way around that?

    Unfortunately, it also locks yourself out of services you might want, such as lpd or X. Then you have to set some permissions in hosts.allow, and there are ways to spoof even localhost.

    Also install port sentry, soon as someone portscans you they'll be locked out by the time they reach port 20.

    Sooner if it's set up properly. However, a lot of the scans that hit me came from people looking for open Netbus ports. Got the occasional scan looking for something else once in a while, along with the usual Wingate detection from IRC servers and @home scans for open NNTP ports.

    Since when do viruses appear in text files? When I type "vi LIFE-STAGES.TXT", will my computer explode?

    It's a trojan that affects mIRC only. It relies on people accepting the file, usually because they have auto-DCC set to on. Really annoying, even for those of us who actually check what gets sent to us before accepting it.

    In windows, if you share (for example), your mp3 directory, as world readable, is there an exploit?

    Not sure, but it wouldn't surprise me to find out one shared directory can be used as a jumping-off point through the use of an exploit to fool Windows into thinking a remote viewer is, in fact, local. It's the same reason *nix people shut down nfsd; you don't even give potential attackers the opportunity to get a beachhead on your system.

    A healthy dose of paranoia is acceptable, but is it worth reducing usability?

    An ounce of prevention is better than a pound of cure.

    -------------

    --

    Someday, you're going to die. Get over it.
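
Added example, not part of the original thread or of any commenter's post: a simplified threshold detector illustrating the port-scan lockout discussed in the comment above (it is not PortSentry's code or algorithm). The log format, addresses, window and thresholds are constructed assumptions; it also shows why a single probe of one port, such as a NetBus sweep, never trips a per-source port-count threshold.

```python
from collections import defaultdict, deque


def constructed_log():
    """Constructed sample: 'epoch_seconds src_ip dst_port', one refused connection per line."""
    lines = []
    # Sequential scanner walking ports 1..25, two probes per second.
    for port in range(1, 26):
        lines.append(f"{1000 + port // 2} 203.0.113.7 {port}")
    # One probe of a single port (12345, NetBus's default) from another source.
    lines.append("1003 198.51.100.99 12345")
    # Ordinary client retrying the same port ten times.
    for i in range(10):
        lines.append(f"{1000 + i} 198.51.100.20 80")
    # Slow prober: five different ports, one per minute.
    for i, port in enumerate((21, 23, 25, 80, 110)):
        lines.append(f"{1000 + 60 * i} 192.0.2.50 {port}")
    # Stable sort by timestamp keeps each source's own probe order.
    return sorted(lines, key=lambda line: int(line.split()[0]))


def detect_scanners(lines, max_ports=5, window=10):
    """Block a source once it touches `max_ports` distinct ports within `window` seconds.

    Returns {src: {"at_port": port that tripped the block,
                   "time": timestamp of the block,
                   "dropped": later probes that would have been dropped}}.
    """
    recent = defaultdict(deque)  # src -> (time, port) pairs still inside the window
    blocked = {}
    for line in lines:
        ts_s, src, port_s = line.split()
        ts, port = int(ts_s), int(port_s)
        if src in blocked:
            blocked[src]["dropped"] += 1
            continue
        q = recent[src]
        q.append((ts, port))
        # Forget probes older than the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({p for _, p in q}) >= max_ports:
            blocked[src] = {"at_port": port, "time": ts, "dropped": 0}
    return blocked


if __name__ == "__main__":
    log = constructed_log()
    for label, kwargs in (
        ("tight threshold", {}),
        ("block at 20 ports", {"max_ports": 20}),
        ("long window", {"window": 300}),
    ):
        print(label, detect_scanners(log, **kwargs))
```

With the default threshold the sequential scanner is cut off at its fifth port; only the long window catches the one-probe-per-minute source, and the lone port-12345 probe is never flagged under any setting.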
  8. Corrections by Shagg · · Score: 5
    Actually, if you read the article, the majority of it is talking about how INSECURE broadband connections are, and experts were quoted saying that everyone should be running a "personal firewall".

    The DHCP remark was made by a DSL provider, NOT by EXCITE@HOME. The @HOME representative was quoted as saying that their techs take precautions during the installation such as "Disabling file sharing". They also say that people should take more precautions if they have "sensitive information" on their PC, not "private information", and that while Excite@home does not provide such software, they did say that they are willing to help a customer install and set it up to work with their service.

    I'm not much of a fan of @HOME's tech support and security policies either (personally I run an ipchains firewall on my @HOME account), but the original poster made a pretty inaccurate review of the article and painted Excite as being more clueless than they actually were.

    Don't be too quick to jump on the "bash @HOME's security advice" bandwagon based upon the poster's comments. Read the quotes in the article for yourself first, the original poster was way off the mark.

    --
    Unix is user friendly, it's just selective about who its friends are.
  9. Remember a Cracker's Motive by dmccarty · · Score: 4
    Let's remember what a cracker does this for: the thrill of the chase, the bragging rights to a successful crack, and (more maliciously) any rewards from the compromised site.

    Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligible. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)

    Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes. I'm not trying to start a huge flame war here--but the facts speak for themselves. Look at all the rootkits out there. Look at all the successful cracks. Were the servers running Unix and variants thereof? Probably.

    Now I'm not saying that a Unix box can't be properly secured. But the fact remains that more hacker activity is exerted towards cracking Unix and its siblings than Win32 and other OSes--and with good reason: it's easier.

    Interesting discussion invited; flames to /dev/null please.
    --

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  10. Re:Elf Bowling by wirefarm · · Score: 5

    "Because Windows 98 does not by default have lots of services running and doesn't have a good command prompt, it's harder and a less desirable target for crackers..."

    Would that be "Security through unusability"?

    ;-)
    Cheers,
    Jim in Tokyo

    --
    -- My Weblog.
  11. Linux is a perfect firewall/router for @Home! by baudtender · · Score: 3

    Don't listen to the baloney that @Home dishes
    out about incompatibility with Linux. I use
    an old 16-meg RAM 486 box with a floppy booted
    copy of EigerStein/Linux router/firewall:

    http://lrp.steinkuehler.net/

    and it has worked perfectly 24X7 since the day
    it went online last June.

    As a cross-platform software developer, the
    client machines on my LAN include Windows
    98, NT, and 2000, and a Red Hat Linux 6.1
    system. All work great with the Linux router/
    firewall. I usually get around 1100 kilobits
    (~130 kilobytes) per second on the receiving
    bandwidth and you'd never know the router/
    firewall was there.

    The EigerStein package can either dynamically
    assign IP addresses to the client machines,
    or you can hardcode them, depending on your
    needs. Additionally, like with any other
    linux router package, you can pass through
    (or lock out) individual ports if you want
    to use something like Napster on the client
    machines.

    There was very little tweaking of the firewall
    configuration files to get it working with @Home
    and DHCP - the hardest part was figuring out the
    real names of the local mail and news servers -
    when installed, the @Home tech will simply use
    "mail" and "news" as the server names. The
    receipt they give you after the install has all
    the info you need to figure them out.

  12. Better for a newbie by DreamerFi · · Score: 3

    Check out the NetBSD/i386 Firewall Project. Far, far easier for a newbie.

    And yes, 15% of the people who visit that web site do so from the @home domain...

    -John

  13. Motives by _Sprocket_ · · Score: 4
    Let's remember what a cracker does this for: the thrill of the chase, the bragging rights to a successful crack, and (more maliciously) any rewards from the compromised site.

    Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligible. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)

    Different people are motivated by different things. Sure, you're going to have attackers whose interests aren't met by @home customer targets. That doesn't hold for every attacker.

    What's the value of an average user's Windows box?

    Perhaps a script that runs through open shares looking for a default install of financial software and harvesting the user's data. Maybe the script harvests cookie.txt files and scans them for common online bank identifications. Imagine the wealth of information an identity thief could have waiting for them after a day or two running such scripts.

    Maybe the data itself isn't interesting. Instead we have a host with a broadband 24/7 connection. Relatively insecure. Perfect DDoS server host.

    Of course... that's assuming the value is something that normally makes sense. It's great that you mention Quake. Quake cheats are relatively rampant. Why bother playing if you're playing with an artificial advantage - and one that's been "done" before? Yet it happens all the time. In the same line, you have skript kiddies who see themselves as something special if they can poke around, and maybe even delete, some unsuspecting target's files. The fact that it may have been trivial to do so means nothing to them.

    Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes.

    The article opens up with the example of an unknown individual posting messages on target machine's WINDOWS desktops. Apparently enough of a customer base was affected by this "attack" to warrant an FBI investigation.

    It doesn't matter what OS you're using. It doesn't matter if your IP address is constantly moving. Connect a box up to a broadband, persistent connection and it is a target. Being unaware of this is the danger.

  14. Re:DHCP != security by DreamerFi · · Score: 4

    Step 4: visit www.dubbele.com

    I may not be a Geek on a caffeine high, but that firewall is priceless - free, that is :-)

    -John

  15. No thanks by Zagato-sama · · Score: 4

    Well, I'll be the first to say that @home sucks like no tomorrow. I was one of their first beta testers, and had stuck in until half a year ago when I finally couldn't take their ex-taco bell phone support anymore. Having to stay on hold for twenty minutes in order to get transferred to someone who knows what "traceroute" is bites.

    However, one thing @home didn't do is silly things like this. Please, you want an ISP to infringe upon your freedom and dictate what kind of traffic can come in, and can't come out? Hey that's nice and all, but I'd rather have the freedom to set up a firewall for myself, I don't need my ISP to do that for me. For a website who talks about freedom so much, this is a pretty bogus idea.

  16. It's a double-edged sword by petermarks · · Score: 5

    I use the Australian excite@home, and we get probed every day. It's important to warn consumers about the risks - don't turn any services on that you can't control, stay up to date etc.

    What would be worse would be for the broadband provider to put a big filtered firewall in the way so I couldn't use the internet the way I want.

    What might be best is the ability for consumers to choose "safe/protected" mode or "open" mode where we are responsible for our own firewall.

  17. You think that's bad by nihilogos · · Score: 4

    Optus@home (an Australian cable ISP) states in their FAQ that

    Optus@Home is completely secure if you are using a standard operating system like Windows 98.

    I had a good laugh over that one.

    --
    :wq
  18. not to be a bitch... by niekze · · Score: 3

    but this would be a good time to mention

    OpenBSD

    --


    Chaos, Mayhem, and Destruction: Not
  19. Firey balls of broadband by Graymalkin · · Score: 4

    When Skeletor finally kicked He-Man's ass he bestowed upon man broadband. There were those that said of this thing nothing good shall come. These nay-sayers tried to convince people that they were in danger of everything. Broadband won't hurt you. Why don't broadband companies invest a few more dollars (offer to their customers at a discount) good cable or DSL modems that have built-in routers with a bit of security. And completely besides the point, where the fuck are my internet active toys? Why can't I plug my microwave into my router and surf the net on its one line monochrome screen? I need to check my fucking email!

    --
    I'm a loner Dottie, a Rebel.
  20. Hope DHCP keeps away from me :( + what security? by Enigma2175 · · Score: 4
    I am on @Home, but in my area they don't force us to use DHCP (yet). In my area, you have an IP address assigned to the MAC address of your modem and you keep the same IP address. Of course, they have DHCP available, but you don't have to use it. They are planning on forcing everyone to use DHCP in the future, so they can have more IP addresses available at any given time. They have a class A, how many damn IP addresses do they need? I use my IP address for a lot of things (network administration from work, web server, etc.) I hope they don't try to make me change it every 2 hours. I imagine it will be a while, they just barely are getting around to putting the 128 kbps cap on my line :( I guess it was good while it lasted, many markets have had the cap on for quite a while.

    As for security, that is total bunk. DHCP does not stop the 5cr1p7 k1ddi35 from scanning a subnet and attempting to hack whatever open ports they can find. Once they have control of a machine, it is trivial to have it mail them or signal them (have it ping an address, or do a POP mail check, or even an ICMP unreachable packet). There are a million methods to get the new IP address when it changes. DHCP helps nothing.


    Enigma

    --

    Enigma

  21. Good. Luckily, I have only public information. by Booker · · Score: 3
    ...[they] should only be concerned if they are storing private information on their PC's

    Oh, gee, that puts my mind at ease... I was really worried that some evil hacker might break in and steal all of my public information. Apparently my fears were unfounded... I only need to be concerned if I have private information on my PC... These fears really are overblown... I mean, who puts private information on their PC, anyway?

    *wipes brow in relief*

    ---

  22. DHCP != security by Platinum+Dragon · · Score: 5

    DHCP just makes you a slightly moving target, and if an attacker is looking for victims, they probably won't restrict their portscans and probes to single addresses, but IP ranges. I occasionally do a sweep of my university's residence network just for yuks, and I've run across a few unsecured boxen, Windows and Linux alike (the guy in Pitman Hall who just installed Debian, this means you!)

    However, there are some simple ways to make your broadband connection a little bit less like swiss cheese:

    1) Disable file sharing and remote login - Running Windows? Take a look for any folder or file with that little hand icon, and un-share them. Even better, just go into Control Panel -> Network and shut it off completely. Don't think passwords on your shares will help you, as a recent bug was discovered in Win9X share-level password protection where a one-byte character string can be used to bypass a protected share should that byte happen to match the first byte of the actual password. If you're on Linux/*BSD, for the love of Bob shut off NFS, ftpd, telnetd, Apache, and the like until you know what you're doing! Can you say "backdoor"? Even experienced admins leave the occasional hole, and default installs aren't often known for being secure (OpenBSD people, stuff it while I make a point for everyone else:).

    2) Don't let anything run automatically - Java and ActiveX in IE and Netscape installing and running automagically? Kill it. Auto-DCC in IRC clients? Un-auto it. Run attachments on preview in Outlook, or run macros in Word documents? You know the drill. Don't let a damn thing run automatically unless you actually know what's taking place. If I ever see LIFE-STAGES.TXT offered to me by DCC again, I'm going to reach through the monitor and shove a virus scanner up the patoot of the victim. The world doesn't need another Melissa or backdoor being passed around just by opening an e-mail in a brain-dead-by-default program.

    3) Check for patches and follow directions - MS didn't tell people to change their Outlook settings while it took them a month to patch the program in the wake of ILOVEYOU because it was fun for everyone. Red Hat isn't releasing megs of updates for Red Hat 7 so you can sit there and kvetch about buggy .0 releases. You don't think the latest macro virus craze can get you? Think again, spam-boy; why do you think Unix/Linux vendors have been going batshit looking for format string holes in their software offerings? The exploits may be merely theoretical, but it's best to close them up before the theoretical becomes practical (with apologies to the L0pht).

    4) Extra steps if you're really careful and/or paranoid - Old 486: $50. Geek on a caffeine high: $5, $0 if s/he's already jacked on coffee. OpenBSD or Slackware burned on a CD: $0. A kickass firewall to confound the kiddiez with the latest 'sploits and nmap: priceless.

    5) Ignore the DSL/cable pissing contest - Nothing to see here, move along...

    I'm glad to say most cable installers where I live have a brain, and hence make sure filesharing is turned off in Win9x when they set up your system. Linux/BSD geeks usually have to take matters into their own hands, but most usually know enough to at least kill nfsd and ftpd if they're not going to be used. (Incidentally, this is also why Red Hat and others need to stop enabling every conceivable service by default.)

    Closing your box off to kiddies is actually pretty easy. However, back-patting fluff like this Excite dropping does way more harm than good by instilling that false sense of security that leads people to think it's OK to let attachments run automatically, or leave all those services running on their new Mandrake box. Hard advice is better than press releases and misrepresenting technologies as security measures.
    -------------

    --

    Someday, you're going to die. Get over it.
  23. Re: Oh dear... by jihad23 · · Score: 4

    It should be the responsibility of the company supplying the broadband access to supply and configure a firewall as part of the installation, and explain to the users why it is needed.

    Great. You want to handle the tech support calls when your average cable modem using consumer hoses up his $ISP provided firewall software? I thought not.

    Speaking as someone who used to work in broadband at a large ISP, no fscking way would we get involved in end-user security. Our customers were encouraged to read up on security and run firewall software, but we weren't going to give them the software or provide tech support for it.

    You have to draw the line somewhere. If you help them install/configure a firewall, who is held responsible when it's compromised? Whether or not the ISP should be held responsible, that's exactly how the users would see it.


    --
    Turn on, log in, burn out...