[Dshield] DShield's Public Goals

josh@theoubliette.net josh at theoubliette.net
Thu Jan 5 19:40:29 GMT 2006

(**note -- when I started writing this note, I intended it to be short and
make a simple point, but soon found myself on my
security-evangelical-soapbox...so delete this mail here if you like and if
you read on...you've been warned.)

in reply to
***begin paste***
> I'm not so sure. Changing the port only works for people trying to
> workaround blocked ports so that they can run a server, right? If 25 is
> blocked outbound (except to their ISP's SMTP), how would the nitwits get
> the spam out? Ultimately, a sender has to be able to connect to 25. What
> am I missing?
***end paste***

Not to put too fine a point on it, but what if I, as a security
professional, know how to run a mail server more securely than my ISP
(less spam, less viruses, RFC-compliant)?  I would like to be able to do
so and not be limited by the fact that they either don't have the time or
knowledge or simply choose not to implement a quality solution with
security first over simplicity.

I simply don't trust my ISP when it comes to security, as it is not in
their cost/pricing model and when they happen to do it, they typically get
something wrong that only gives the illusion of security.  Worse yet, I
might be forced to live with their rotten choice of products to implement
security.  I'm sure many of us will testify to being forced to use an
inferior security product for some reason or another.

When it comes to my home network, thank you, but I'll do my own security
and more often than not, better than nearly all ISPs can.  I think that
many of us would agree that home users are probably what is being
discussed here...those that may not have the knowledge or technical skill
to do the *right thing.*  ...because a large corporation would certainly
not accept having their SMTP traffic forced through the ISP's gateway due
to the ISP's rules on port blocking.

There are choices out there for home users that are becoming more like
ASPs than ISPs, with many services offered to enhance the user's ability
to compute securely, but that is an opt-in thing and certainly not in the
realm of *required* as you are discussing.

In a way the internet (and security of it) is a virtual representation of
the world...what is right and sensible for you, may be completely
contrary to my beliefs (political, religious, security, business, or
other).  When you walk onto the street, do you wear a bullet-proof vest? 
Likely not.  Of course, it certainly could be much safer to do so,
depending on where you live, but it wouldn't save you from getting run
over by a bus.  That is about what I think of port blocking...it might
save you from a bullet aimed directly at you, but it won't save you from
getting run over by a bus.  Only common sense and general awareness are
going to help.

Lastly, to make this meandering post even longer, I see internet security
much like many other addictive problems...as many *12-step programs* will
recommend; the first step to a cure is to admit you have a problem.  What
you are recommending is a cure to a symptom.  That symptom, in and of
itself, is not the problem.  The problem is that people don't believe they
have the disease, insecurity on the internet.  *I'm fine...what would
hackers want with my stuff?*  Those of us that work in the field see the
disease daily and treat our patients as best as we can.  The best security
can often be thwarted by one unaware user.  When you hear one of your
users say "Wow...I didn't realize..."   ...that's the problem, and it's
much bigger than port security.
