[Beowulf] Re: "hobbyists"

Fri Jun 20 05:32:08 PDT 2008

Hi,

I resisted the urge to join in on the nuclear tangent but this one 
proved too much (and we are indirectly back to talking about the 
security of the clusters we look after right?). Besides, we don't have 
any nukes in Ireland.

Perry E. Metzger wrote:
> It is, to some extent, a question of how many people are interested in
> a particular attack vector. Internet Explorer is a major attack vector
> for people who make money at this, so they work hard finding the bugs
> in it, of which there are an apparent endless number. I believe that
> more than 250 days last year, Internet Explorer had a known but as yet
> unpatched vulnerability. That's why the overwhelming majority of
> Windows boxes are zombies, including almost certainly most of yours
> unless you are a really unusual sysadmin.

I'm reading this to mean that you think most Windows boxes on most 
networks are zombies - is that right? As one of my many roles, I babysit 
our company network and I'd love to know how to avoid the scenario 
you're painting - other than the usual stuff of keeping the machines up 
to date, ensuring people don't run the latest .exe they receive in a 
spam and not exposing Windows boxes to the internet. Maybe I should get 
MS certified (joke, joke ;) While suggestions to install Linux on all of 
them are constructive, I'm afraid we can't avoid running some Windows 
boxen on our network.

> If you're smart, you're listening on:
> 
> * DNS, with bind configured to run chrooted and unprivileged
> * sshd running with priv sep
> * ntpd running chrooted and unprived (though not all OSes will allow
>   you to do that.)
> * maybe SMTP via postfix, which runs chrooted and unprived
> * and NOTHING ELSE.
> 
> And if you're really smart, those daemons are further tied down with
> various bondage and discipline equipment like apparmor or SE Linux or
> what have you.

Ouch, it's a never-ending battle isn't it?

I think you're largely right about the level of expertise out there for 
managing networks though - small companies don't pay someone to manage 
their network. Either they have some internal guy who has half a dozen 
other jobs or they outsource it, and unfortunately they'll usually 
outsource it to the cheapest guy ... who's cheap for a reason.

> If you really believe your local net is very good, run a sniffer on it
> for a while -- or talk to someone who's job is to run one.

I'd love to know how anyone with skype running on their network manages 
to see much of anything from the firehose that is a packet trace (and 
our network is small). Again, maybe it's just a question of time.

-stephen

-- 
Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center,
GMIT, Dublin Rd, Galway, Ireland.  +353.91.751262  http://www.aplpi.com
Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)