Captain Crunch's New Boxes, Part II
micsaund writes: "It looks like the infamous Captain Crunch has been toiling away for 3 years on a firewall now known as the Crunchbox. It runs OpenBSD and is administered via a web-based interface. Steve Wozniak is quoted as saying it's 'next to un-crackable.' Check it out at ShopIP. The Register also has an article on it. As an aside, since the Linux Router Project (LRP) appears to have been sold-out and GnatBox is a tad expensive, is anyone aware of some kind of 'packaged' firewall with a slick interface available for free?" We mentioned Draper's venture into firewalls last year, but there's been some progress since then.
He has the mentality for finding ways around security. Be it with technological gadgets, or otherwise.
It's a matter of not knowing how, but thinking of how it could be attacked. Security isn't just about plugging holes, it's about thinking about new holes that could be used.
Maybe, except he didn't say that it _IS_ uncrackable, only 'next-to-uncrackable'. I realize that some may consider this nitpicking, but it isn't, really. Any non-trivial piece of software has bugs, and Steve Wozniak knows that just as well as any of us. This sort of comment is likely Woz's way of expressing the high degree of confidence he has in the product without making any sort of claim that could very possibly be proven false next week.
File under 'M' for 'Manic ranting'
From the page at iShop.com:
The latest attack signature libraries can be automatically updated from a centralized source of the computer security community.
I am certainly not a security expert, but this seems like a potential weak point. If they can automatically change the rules the firewall uses, then in theory someone else could as well, if they cracked the update protocol.
Does anyone know how they protect these updates so that they can't be intercepted and broken?
Sailing over the event horizon
Maybe a few comments from De Raadt, the OpenBSD guy, regarding the intelligence of using a floppy disk for your firewall are in order. The short and quick: it's a stupid idea. This thread seems to be dominated by the "let's entrust my entire network's security to a $.25 (or cheaper) part that has the highest failure rate of any storage medium ever." This isn't directed at you, servoled, but just a general note for the thread.
No sig is worth reading.
LRP has been superseded by the LEAF project at http://leaf.sourceforge.net. I'm running a current LEAF distro (Oxygen) and it's rock solid. There are quite a few different flavors, depending on your needs and experience level.
From the LEAF site:
Last Oxygen release was about 2 weeks ago.
Karma: Marginal (mostly due to the border around the website)
You know, after reading the entire thing, I think both you and Dick should be taken out and spanked. :)
It's obvious Dick is genetically incapable of responding civilly, and he should be physically prevented from responding to users. There are certain people who seem to revel in the Bastard Operator From Hell stereotype. One suspects he started his own company because if he tried to work for anyone else, they'd fire him, ideally with a cannon.
Having said that, though, it's also clear that you simply weren't willing to take "it's a firewall, and isn't competing with a Linux distribution" for an answer. Dustmite didn't start out irritable--he got that way after explaining the rationale. Then doing it again. Then repeating himself. Over. And over. And over.
Quite frankly, any engineer would have started sounding irritable by the end of that IRC log. He could have handled it better, but honestly, you didn't come across like you were going to accept any "closure" other than a Smoothwall employee saying, "Yes, it's a great idea to put GCC and a web server on our firewall, and we'll get right on it."
It's interesting to hear these things about Smoothwall, though, since I work for a company that makes a box that competes with them. (Incidentally, our box does have a web server on its firewall if you want it. Dustmite is right: it's bad security to do that.)
Name one reason _not_ to use 2.2?
Before you say "ip tables" try and fit that on a floppy.
2.2 kernels are safe, stable, secure, tested, well known, documented, efficient, lightweight, etc. The last known remote exploit was a DoS on 2.2.19 almost a year ago -- and most firewalls wouldn't have included the features that make it possible.
Try OpenBSD. It's rock-solid secure. It'll give you what you want. And, compared to Morrell, Theo de Raadt (sp?) is a model of civility and diplomacy.
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Let's say you have a good product and you want to get it endorsed. Bring it to a business guy, and he'll say: "This box is uncrackable. It's totally secure and cannot be compromised."
Bring the same thing to a well-respected engineer and he might say: "It's darn, near impossible to crack. Hey, nothing is impossible, and there's always a risk, but this product is as good as it gets."
Too bad only the first endorsement would ever help sell the product.
Too big to fail? Does that make me too small to succeed?
Bastille doesn't do NAT, but it's great for firewalling your box.
You dumbass, those are options that you have to manually turn on during the installation.
By default it is set up simply as a firewall/router.
Any distro is only as safe as the services it's running on open ports. duh.
I looked at Clarkconnect, but I refuse to run it.
You looked at what, the package listing on the website?
You obviously didn't "look at" the distro enough to know what you're talking about.
Who in the fuck modded this guy up anyway?