linux.debian.user debian-user@lists.debian.org
#1

I saw this on usenet and wonder about the validity of this statement.

'Seriously any system is as secure as the services you export, if you have nothing listening that can do you harm you are secure...'

Disregarding email exploits and exploits through your browser is this true? Assume the hardware is inviolate.
Thoughts?

Mike

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

#2

On Wed, Jun 13, 2007 at 23:08:39 -0700, Mike McClain wrote:
> I saw this on usenet and wonder about the validity of this statement.
>
> 'Seriously any system is as secure as the services you export, if you
> have nothing listening that can do you harm you are secure...'
>
> Disregarding email exploits and exploits through your browser is this
> true? Assume the hardware is inviolate.
> Thoughts?

I'd argue you are secure if you have no services listening on any ports. However, there's always the possibility of problems in the kernel and its networking stack.

/M

--
Magnus Therning (OpenPGP: 0xAB4DFBA4)
magnus@therning.org Jabber: magnus.therning@gmail.com
http://therning.org/magnus

#3

On Wed, Jun 13, 2007 at 11:08:39PM -0700, Mike McClain wrote:
> I saw this on usenet and wonder about the validity of this statement.
>
> 'Seriously any system is as secure as the services you export, if you
> have nothing listening that can do you harm you are secure...'
>
> Disregarding email exploits and exploits through your browser is this
> true? Assume the hardware is inviolate.
> Thoughts?

a port with a listening service is like a locked door with a doorman inside waiting to open it for whoever knocks. If they know the codeword he'll open it for them. So the service (as the doorman) determines how serious the security risk is at the port (door). If there is no service listening at the port, then there is no way to open that port.

Of course, since you are running Debian, there are no windows for things to climb through and open the door from the inside. ![]()

A

#4

Mike McClain wrote in Article <E1HyiVb-0000oC-CZ@playground.mcclains.net> posted to gmane.linux.debian.user:

> I saw this on usenet and wonder about the validity of this statement.
>
> 'Seriously any system is as secure as the services you export, if you
> have nothing listening that can do you harm you are secure...'
>
> Disregarding email exploits and exploits through your browser is this
> true? Assume the hardware is inviolate.

Generally speaking, yes, this is true. Though security isn't a one-stop ordeal or something that you can install and make work. It's a continuing process.

You never want to be running or even have installed anything that doesn't have any practical use on your system. This is doubly true for network enabled software, especially if it binds to a port and listens.

"But I can just install a personal firewall and be safe, right?" I wouldn't trust any user-facing machine to be a firewall, regardless of what the software (usually snake oil[1]) says. Use separate hardware for your firewall, even if it's just an old Linksys router that's had its firmware replaced with DD-WRT[2].

[1] http://samspade.org/d/firewalls.html
[2] http://en.wikipedia.org/wiki/DD-WRT

--
Paul Johnson
Email and IM (XMPP & Google Talk): baloo@ursine.ca
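
An added example, not part of the thread: one way to check what is actually bound and listening, which is the audit the advice above implies. It parses the Linux /proc/net/tcp table layout; the sample rows are constructed, and the address decoding assumes a little-endian host.

```python
import ipaddress

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (little-endian host); not from the thread.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1
   2: 0A01A8C0:0016 0501A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 11003 1
   3: 0A01A8C0:A3F2 2200A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 11004 1
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (ip_address, port); handles tcp and tcp6 rows."""
    hex_ip, hex_port = field.split(":")
    # The kernel prints each 32-bit word in host byte order, so reverse per word.
    raw = b"".join(bytes.fromhex(hex_ip[i:i + 8])[::-1]
                   for i in range(0, len(hex_ip), 8))
    return ipaddress.ip_address(raw), int(hex_port, 16)

def listening_sockets(table):
    """Return [(ip, port, uid, exposure)] for every socket in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_LISTEN:
            continue                             # established/outbound sockets are not listeners
        ip, port = decode_addr(cols[1])
        exposure = "loopback-only" if ip.is_loopback else "network-reachable"
        found.append((str(ip), port, int(cols[7]), exposure))
    return found

if __name__ == "__main__":
    import sys
    # With no argument, audit the constructed sample; otherwise read e.g. /proc/net/tcp.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ip, port, uid, exposure in listening_sockets(text):
        print(f"{ip}:{port} uid={uid} {exposure}")
```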

#5

Andrew Sackville-West wrote in Article <20070614180510.GA16458@localhost.localdomain> posted to gmane.linux.debian.user:

> On Wed, Jun 13, 2007 at 11:08:39PM -0700, Mike McClain wrote:
>> I saw this on usenet and wonder about the validity of this statement.
>>
>> 'Seriously any system is as secure as the services you export, if you
>> have nothing listening that can do you harm you are secure...'
>>
>> Disregarding email exploits and exploits through your browser is this
>> true? Assume the hardware is inviolate.
>> Thoughts?
>
> a port with a listening service is like a locked door with a doorman
> inside waiting to open it for whoever knocks. If they know the
> codeword he'll open it for them.

That's how port-knocking[1] works.

> So the service (as the doorman) determines how serious the security risk
> is at the port (door).

Well, in theory, yes. The problem with this formula is that some services are promiscuous and don't care who they serve to (http, finger, gopher, etc).

> If there is no service listening at the port, then there is no way to open
> that port.

Outbound connections require ports, too!

> Of course, since you are running Debian, there are no windows for
> things to climb through and open the door from the inside. ![]()

Don't say things like that. What you just said there is like a Windows user saying, "Why should I stay patched and run antivirus software? It's not like I use this computer for anything serious..."

--
Paul Johnson
Email and IM (XMPP & Google Talk): baloo@ursine.ca

#6

On Sun, Jul 08, 2007 at 11:05:26AM -0700, Paul Johnson wrote:
> Andrew Sackville-West wrote in Article
> <20070614180510.GA16458@localhost.localdomain> posted to
> gmane.linux.debian.user:
>
> > On Wed, Jun 13, 2007 at 11:08:39PM -0700, Mike McClain wrote:
> >> I saw this on usenet and wonder about the validity of this statement.
> >>
> >> 'Seriously any system is as secure as the services you export, if you
> >> have nothing listening that can do you harm you are secure...'
> >>
> >> Disregarding email exploits and exploits through your browser is this
> >> true? Assume the hardware is inviolate.
> >> Thoughts?
> >
> > a port with a listening service is like a locked door with a doorman
> > inside waiting to open it for whoever knocks. If they know the
> > codeword he'll open it for them.
>
> That's how port-knocking[1] works.

you dropped the [1], but I'll google it.

> > So the service (as the doorman) determines how serious the security risk
> > is at the port (door).
>
> Well, in theory, yes. The problem with this formula is that some services
> are promiscuous and don't care who they serve to (http, finger, gopher,
> etc).

indeed.

> > If there is no service listening at the port, then there is no way to open
> > that port.
>
> Outbound connections require ports, too!

yeah.

> > Of course, since you are running Debian, there are no windows for
> > things to climb through and open the door from the inside. ![]()
^^ ---------------------------------------------------------------^^
>
> Don't say things like that. What you just said there is like a Windows user
> saying, "Why should I stay patched and run antivirus software? It's not
> like I use this computer for anything serious..."

except that it was a joke, and I so indicated. And I haven't drunk the kool-aid, or at least I've pissed it out by now, so I understand that I am only learning, and that's the best I can hope for. And it's not as you describe it.

What you describe is a completely irresponsible computer user who should not be allowed to use a computer because of the damage they are causing to others through their neglect. Whereas, what I said was that, ignoring the joke aspect, by running an inherently more secure system, the user is in a better position than if they were running windows. Granted, it was probably a little sophomoric, and in the right forum would be considered inflammatory, but it was certainly not more than what it was, a joke amongst generally like-minded folks.

A