[linux-elitists] telnet weenie frenzy!

Seth David Schoen schoen@loyalty.org
Mon Feb 26 12:39:46 PST 2001


Don Marti writes:

> Attention Linux elitists:
> 
> People are getting to the back of the March issue. Today is a good day
> for "Well _I_ use telnet and I don't get hacked", "Don't u know u can
> telnet BEHIND THE FIRWALL DUMASS!!!" and "I don't like your attitude"
> mail. 

The telnet-behind-the-firewall argument is very weak.  It's a failure
to make a distinction between _private_ network and _trusted_ network.
There are lots of reasons you might not want to trust a private
network.  For one thing, it probably requires trusting every single
local user, including trusting those users not to make an honest mistake
which could expose you to attacks.

Or as the public health slogan said, every time you trust a network,
you're trusting everyone that network has ever... or was that Ken
Thompson?

There are lots of successful attacks on large corporate networks
behind firewalls.  Most of them are never reported in the press
because the victims are afraid of the bad publicity.  However,

	http://www.symantec.com/avcenter/

lists dozens of successful attacks which have repeatedly gotten the
equivalent of root access on workstations at major sites on private
networks.  Oh, they don't choose to phrase it that way?  It's still
true.

If you are the only user on your private network and you trust
yourself, trusting your private network is reasonable.  Or if you have
some other reason to trust all the users and the network security
policies and measures, also fine.  Otherwise (and this covers almost
everybody behind a firewall), you might as well not trust the network.
And that means using ssh instead of telnet.

Don, you might also want to cite things like

http://ecommerce.internet.com/outlook/article/0,1467,7761_504441,00.html

	In a report released by the Computer Security Institute (CSI)
	and the Federal Bureau of Investigation, a survey of over 500
	technical security specialists showed that 44 percent of network
	intrusions are insider jobs performed by unauthorized users and
	not outside.  Consultants put the figure much higher, stating
	that between 70 and 80 percent of their clients' systems had
	been breached in some way by insiders.

etc.

-- 
Seth David Schoen <schoen@loyalty.org>  | And do not say, I will study when I
Temp.  http://www.loyalty.org/~schoen/  | have leisure; for perhaps you will
down:  http://www.loyalty.org/   (CAF)  | not have leisure.  -- Pirke Avot 2:5



More information about the linux-elitists mailing list