Rik Van Riel: ======================================================
"A bigger and secure Internet"
this will be a round-table panel discussion, with
Horacio Peña (HoraPe)
Harald Welte (LaForge)
Antonio Verdejo (Antonio)
and myself, Rik van Riel
you can ask us questions at pretty much any time, but in the channel #qc
so people's comments will not make our things scroll off the screen ;)))
today, we will talk about the topic "A bigger and secure Internet"
and we will have some things to say about various topics
HoraPe and Antonio will be talking in Español (I think)
and LaForge and me in English ;)
if you cannot understand something, please ask in #qc ;)
================================================
ok, time for the first topic
(1) crackers, DoS attacks, security ... responsability of crackers, system administrators and software manufacturers
I understand that LaForge and Antonio have something to say about this topic ;)
LaForge: what do you think about this aspect of Internet security ?
Harald Welte: :) ok.
well, i think this is the first (lower) layer of internet security
only if the network infrastructure is able to do some guarantees, upper layers (applications, authentication, etc.) can work
DoS attacks are a serious problem of the current internet
there is no question about that.
The problem is, that this possibility of DoSing services is inherent to the internet's design
so...
well... the internet was designed in a heterogenous way
everybody is allowed to do everything
it's designed for cooperative communication
now after the widespread usage of the intenet
and after the commercialization,
we have the same evil people in the network, as we have them in the real world
people who spam, DoS, etc.
Rik Van Riel: LaForge: indeed, this is a problem
LaForge: but ... is evil on the internet (breaking in, etc) always the same evil as in the real world ?
Harald Welte: look at what happened to the UseNet over the last 5-7 year
Breaking in is a different case.
*riel_ would like a separation between _abuse_ of the network and _security cracks_
Rik Van Riel: but lets see what Antonio has to say about that ...
Harald Welte: the arguments i have presented are mainly related to DoS, which i consider the biggest problem
Rik Van Riel: indeed, DoS is an evil thing, IMHO
Harald Welte: of course it is evil
Antonio Verdejo: bueno, en primer lugar me disculparan si uso el español para hablar, pero el ingles no es mi lengua nativa y la conferencia podria durar dos dias si tengo que decirlo todo (y bien) en ingles :)
dicho esto, y a proposito de lo que harald comentaba sobre la similitud entre internet y la vida real
hay que dejar bien claro que aunque las similitudes pueden llegar a ser evidentes, el tratamiento no puede ser en ningun caso el mismo
para empezar, como apuntaba riel, el "mal" que se puede hacer en internet no siempre es comparable al que se puede hacer en la vida real
aunque tambien es cierto que las "facilidades" de internet para cometer toda clase de actos, digamos, delictivos (y ahora discutiremos sobre que y que no puede ser considerado delito)
son mayores que en la vida real
y la enorme expansion y popularizacion de internet no ayudan, al menos en este caso
sobre la responsabilidad de los usuarios, los administradores de sistemas y los fabricantes de software, nos hablara ahora horacio
Horacio Peña: no seré tan extenso... quería hacer solo un pequeño comentario acerca de la responsabilidad de los fabricantes
en casi todas las licencias de software se lee algo así como "no somos responsables de nada"
lo que va en la dirección contraria a aquella en la que avanza el derecho actualmente (aclaro que no
soy abogado) que es hacia la "responsabilidad objetiva"
donde, por ejemplo, por el hecho de ser el dueño de un auto que pisa a alguien (aunque no haya habido intención
y ni siquiera culpa -se conducía a velocidades normales y respetando todas las normas de transito)
se es responsable por ser dueño de la "cosa peligrosa"
los sistemas de computacion son mucho mas peligrosos que los autos
manejan aviones, trenes, sistemas medicos, etc.
y quienes los hacen dicen no tener responsabilidad alguna.
encima, en un auto podemos ver cómo funciona, revisarlo, etc. En los sistemas de computación esto no es así, dado que normalmente los códigos fuente están ocultos.
*Antonio comentario: tambien es cierto que, en la mayoria de los casos, desaconsejan explicitamente (porque prohibirlo no pueden) el uso de determinados sistemas para el control en aplicaciones criticas...
Rik Van Riel: HoraPe: but ... with open source you can do this too
HoraPe: maybe it would be good to discuss something about "full disclosure" and "open source vs. closed source" in security
lets start with the first one
Horacio Peña: un momento
Ricardo J.CardenesHoraPe: And with cars, planes... You can verify all their mechanical parts, looking for defective ones, etc.
Rik Van Riel: ok, lets put in a question from the audience ...
Horacio Peña: existe una propuesta para que las clausulas de "disclaimer" (donde se liberan de responsabilidades) sean consideradas inválidas en los sistemas
Carlos Cortes Piensan Vds. que es mejor para aumentar la seguridad usar sistemas propietario o sistemas abiertos ???
Horacio Peña: comerciales propietarios, y que sean válidas solo en aquellos que sean de software libre.
Ricardo J.Cardenes carcoco says: What do you think is the better way to raise security? Propietary or Open Systems?
Horacio Peña: (o en aquellos que tengan las fuentes disponibles, y modificables, aunque no permitan la redistribución)
Antonio Verdejo: the answer to this question is easy: open source
Horacio Peña: carcoco, personalmente creo que los sistemas libres son teoricamente mas seguros
Rik Van Riel: Antonio: why ?
Antonio Verdejo: como bien dice horape
Harald Welte: the "open" source alone doesn't bring any advantage
Horacio Peña: ya que permiten esa "revisión" de su funcionamiento
Antonio Verdejo: nadie te garantiza que per se un sistema abierto sea mas seguro que uno propietario
Rik Van Riel: LaForge: exactly
Harald Welte: people have to use this "open" source and read it
Horacio Peña: LaForge: yes, you can see what is in
Harald Welte: and believe me, this doesn't happen enough right now
Horacio Peña: LaForge: eso es por lo que dije "teoricamente"
*LaForge just spent one whole day stepping through the linux-pam source
Antonio Verdejo: pero como se puede ver, con el abierto tienes la posibilidad de auditar el codigo
Harald Welte: ok, theoretically. What you really need is some organized code auditing. Like OpenBSD does
Antonio Verdejo: si no personalmente (no creo que nadie se haya revisado el codigo de, digamos, gnupg) si por una grupo de personas
LaForge: exactly, like openbsd
Harald Welte: yes, exactly
weaah LaForge: Can you explain : In what consist this auditing in OpenBSD? Who makes the audit?
Harald Welte: I'm not a openbsd insider at all, so I don't know too much about the details
*riel_ thinks it would be nice to know HOW exactly openbsd achieves security, or just what the practice of "auditing" is
Harald Welte: but what basically happens, is that there is a small group of extremely good people systematically auditing the code
so this team of specialists systematically reads the code (manually) and thinks about it. I'm not aware of any tools
(not aware of them using any tools)
Rik Van Riel: I also think it's just people reading the source
note that this also happens for OTHER systems
only, often the people who read the source also write exploits
Horacio Peña: they use grep sometimes :-)
Rik Van Riel: and sometimes use them
Harald Welte: yes. and it happens in a non-organized manner
Horacio Peña: as when looking for known to be bad functions (gets, for example)
Rik Van Riel: not the script kiddies (who use ready exploits), but the people writing exploits
I wonder what the panelists think about people writing exploits
Harald Welte: it doesn't help if some non-centralized, unknown people are all by themselves reading part of the code
Rik Van Riel: and using them to "demonstrate security problems"
Harald Welte: ideally you want to make sure that every line is systematically read by skilled people
Rik Van Riel: LaForge: what do you think about security-through-exploits and of the people advocating that way of security ?
Harald Welte: I think those exploits are a good thing.
First, they demonstrate that there is really a prloblem, not only theoretically
Second, it pushes the software authors / vendors into solving the problem fast
but of course, this exploit should be sent to the software authors first, giving them a few days to fix their problems, and then publically released
There is no advantage of immediately releasing an exploit, without giving people the change to fix it before
I don't see where the security advantage should be in this case
Antonio Verdejo: weahh: for example, in theo's words: "we went through our source tree and fixed all the strncpy() errors..."
o sea, errores en programacion que llevan a usar funciones cuyo comportamiento no es conocido al 100%
strncpy(), strncat()...
lo que da lugar a los conocidos "buffer overruns", por ejemplo
Rik Van Riel: well, I have something to argue against the publishing of exploits
I agree it is good to inform the world of security problems
after all, the REALLY dangerous people will know exploits, no matter if they are published
Horacio Peña: oops, eso no era a ti
Harald Welte: yes, but how much do you loose if you give the vendor 2 days to fix his problem.
Rik Van Riel: but ... is it really good to give a ready-to-use exploit to thousands of script kiddies before there is a fix ?
is it really good to bring thousands of system administrators in trouble because you want to show the world that there is a problem ?
*riel_ is also curious what the people in #qc think about this
Rik Van Riel: lets hold a small vote
who in #qc thinks that publishing exploits is bad because it is dangerous for system administrators ?
Harald Welte: i strongly oppose releasing exploits before the authors had enough time to fix
Horacio Peña: I prefer that exploits aren't published before the fix is made
Rik Van Riel: LaForge: I agree with that, but ... what is "enough time" ?
Horacio Peña: but when the authors have had notice and won't acted on it
it depends
Harald Welte: when the authors don't react, it's their problem.
Horacio Peña: sometimes it's needed to publish the exploit so the author wake
Rik Van Riel: but it is also the problem of the users
Harald Welte: "enough time" will depend on the problem
Antonio Verdejo: por ejemplo... un buen comportamiento seria interesarse por el error, y hacer ver que se esta trabajando en ello, como dice LaForge
Harald Welte: if it is a simple buffer overflow / etc., 2 days should be enough in any case
Horacio Peña: they have had the problem when choosed that program :-)
Rik Van Riel: I guess it is good to warn users when the manufacturer does not fix security problems ... ;)
Horacio Peña: yes, and normally the exploits are being used before they get to the public
so there is not a real benefit on hiding them
for too much time
Ricardo J.Cardeneshiding it only make you sure that "someone", "sometime" will discover it, and will use it in an evil way, while your customers are not advised
Antonio Verdejo: you know that "security through obscurity" isn't a good idea
Ricardo J.CardenesIt's only matter of time :)
Rik Van Riel: Antonio: could you explain to us what exactly "security through obscurity" means ?
Antonio Verdejo: of course
la cuestion es
es un sistema con agujeros de seguridad mas seguro si estos no se conocen?
o sea, ocultismo
la traduccion seria algo asi como "seguridad por la via del ocultismo"
de alguna forma, los sistemas propietarios son abanderados de esta filosofia
lo que ocurre es que tarde o temprano, y mas aun sin tener acceso al codigo, esos errores aparecen
como decia ricardo, es solo una cuestion de tiempo
Ricardo J.CardenesSo, some people think that hiding (obscuring) your code will stop potential attackers from knowing about potential errors on their code... But... Don't you think it's only a poor excuse for not publicy showing their failures?
weaah question: Can be considered "ilegal" made public a security bug (not the exploit)?
Rik Van Riel: Ricardo: agreed ... _I_ also think it is a poor excuse
Ricardo J.Cardenes}:)
Rik Van Riel: but
weaah has a good question
maybe it could be illegal in some countries to publish security bugs
Harald Welte: weaah: ia am not a lawyer, but if it could be considered illegal, the legal system of this particular country is horribly broken
Rik Van Riel: with, for example, the DMCA in the USA it is already illegal to do reverse engineering of programs
Ricardo J.CardenesIt may be illegal in countries where "reverse engineering" is illegal
Rik Van Riel: so maybe it is also illegal to publish security bugs
Horacio Peña: isn't DMCA in the USA enough to do that illegal?
Harald Welte: well, the US have all kinds of weird legislation, that's why I never would want to live there.
Antonio Verdejo: weaah: el creo que habria que enfocarlo mas bien en terminos de "etica", no de "legalidad", porque, al fin y al cabo, algo es "ilegal" si va contra la ley
y las leyes, aunque lentamente, son algo cambiante... lo que hace unos años era delito, hoy puede no serlo, al menos de cara a la ley
el problema, pienso, es que internet y todo lo que sucede a su alrededor va demasiado rapido como para que un mastodonte como es el sistema legal le vaya a la zaga
amen el hecho de que la mayoria de los que legislan sobre las "nuevas tecnologias" no suelen tener una vision "desde dentro"
Horacio Peña: un abogado al que conozco (y que si ve las cosas desde dentro) dice que en realidad las nuevas tecnologías
son resultados de otros parametros (de la sociedad), y que por tanto conocociendo esos parámetros
se puede legislar para tecnologías que no existen todavía
por supuesto que si se legisla siguiendo a la tecnología todo será un desastre, porque las leyes llegaran cuando dejen de tener sentido
pero si se legisla hacia el futuro ya no existe ese problema...
Antonio Verdejo: pero horape, yo creo que tampoco es el problema, no se puede legislar sobre tecnologia, asi, tal cual, si no sobre el uso que se le da a esa tecnologia
Horacio Peña: (y si, los legisladores están haciendo desasstres)
Antonio Verdejo: todos los vendedores de, digamos cuchillos, deberian estar en la carcel por esa regla... :)
Horacio Peña: no, y los que agarran una computadora y la usan para matar a alguien a golpes no deben ser considerados
como "delincuentes informaticos"
Horacio Peña: (cosa que sí se da según algunos proyectos de ley)
Rik Van Riel: ===============
ok, lets go back to our original topic
of "security" ;)
we seem to have drifted a bit
I guess we should move on to the next topic of our round table discussion ....
(2) email security ... spammers, open relays, ...
ok, I think we all agree that spamming is bad
but ... do we agree on the actions we take against spam?
is it ok to blacklist an entire server because spam is sent through that machine ?
do spammers really have a "right to free speech" ?
Ricardo J.CardenesIt's a really difficult question.
Rik Van Riel: "free speech" is a nice argument ... but do they have free speech in MY MAILBOX ?
Harald Welte: I am really opposed to this whole spamming thing. If they have a right of speech - ok. But not a right of speech which involves 4 Million people who didn't ask them for speaking.
Ricardo J.CardenesI remember an article from Borja_ (one of UniNET gurus ;-)), published in a newspaper talking about spam.
Horacio Peña: the free speech right doesn't include you talking inside my house
Ricardo J.CardenesHe focused on the economics of spam
Horacio Peña: if i didn't invite you there
Ricardo J.CardenesAnd why spam was bad for the spammed
Because spam == wasted bandwidth
Rik Van Riel: not for the spammer
Ricardo J.CardenesExactly
Rik Van Riel: it is not their money, and they make money
Ricardo J.CardenesThey get lots for nothing
Rik Van Riel: so the bandwidth is used perfectly for them ;)
Ricardo J.CardenesThey spend little money for a ton of advertised people
Rik Van Riel: so I guess we all agree spam is bad
BUT ... how can we fight the spam ?
what are acceptable methods for fighting spam ?
one method of distributing spam, for example, is using "open relays"
Harald Welte: apart from closing open relays I think there is not much you can do
Ricardo J.CardenesI think it's difficult to fight agains spam with today's e-mail technology
Rik Van Riel: those are mail servers on the internet which allow anybody to send email to everybody
so spammers use those machines, which are configured wrong
there are a few lists of such open relays
Antonio Verdejo: Ricardo: no necesariamente...
Rik Van Riel: see www.orbl.org and orbz.gst-group.co.uk, for example
Ricardo J.CardenesAntonio: Well... I know :-)
Horacio Peña: i disagree that open relays are bad configured machines
Antonio Verdejo: riel_ but, in fact, they are a list of spammers too
Rik Van Riel: and some people configure their machines to refuse mail from ANY MACHINE which COULD SEND spam
Horacio Peña: in the good times open relays were a good thing
Rik Van Riel: Antonio: many of those machines have never sent spam
it is a very effective method of reducing spam
Harald Welte: horape: i agree with you
Rik Van Riel: ... but, is it a good method ?
Antonio Verdejo: bueno, como decimos en españa, a veces pagan justos por pecadores...
Harald Welte: look at Usenet, how spam is handled there
Rik Van Riel: LaForge: could you explain to us why you think it is bad to block mail from open relays ?
Harald Welte: in Usenet, you cannot handle it at all. There is no way of closing open relays
Ricardo J.CardenesAntonio: DUL is including entire pools of dial-up IPs only because "they can be used to..."
Harald Welte: I mean, I agree that in the old times open relays were good
Antonio Verdejo: Ricardo: i'm not saying dul is the perfect solution
Harald Welte: and theoretically they are still a good thing, from a technical point of view
open relays really fit in the cooperative spirit of the early internet
but as i said in the beginning, unfortunately now everybody has internet access, and you have the evil people of the real world in the net
so how do you want to solve this problem?
a) create an alternative, small tunnel-based net for educational people
Antonio Verdejo: Ricardo: but see it in a minor scale, that is, sysadmins making our own "black list"
Harald Welte: b) have cryptographic authentiation everywhere
c) ?
having a small 'new' net (like 6bone / mbone / ...) on top of the net would restore some of the original spirit
however, you exclude a lot of people :)
Ricardo J.CardenesBut with the time, the small new net will grow :-)
And spammers will go into the new net :-)
Harald Welte: cryptographic authentication everywhere has the problem that there will be no anonymity in the network anymore (not even considering the problems of the global PKI, etc)
ricardo: yes, and it would be a ever-ongoing on loop
Ricardo J.Cardenes:)
giantux que significa "DUL"?
Rik Van Riel: ok, let me give a quick overview of the various "spam block" lists
Harald Welte: ricardo: But still I think it is a viable solution
Rik Van Riel: the most famous one is RBL
the Realtime Blackhole List
this list contains sites which are known spammers
they sent lots of spam and are blacklisted by a lot of people
the goal of the list is to force people to stop spamming
a second list is DUL, the Dial Up List ... this list can be used to block dial-up users from sending email directly, forcing them to go through their ISP's mail server
this means the ISP (provider) has better control over spammers
a third kind of list is RSS, ORBS, ORBL, ORB UK, etc...
these lists list "open relays"
mail servers which can be abused by spammers to send email for free
many people use these lists to block email from every suspect host
even if the host has never sent spam before
this is bad because you can block a lot of good email, but it is good because you can block spam BEFORE it happens
so we have RBL (blackhole of known spammers)
DUL (prevent spam from dialup lines)
ORBS, RSS, ORBL and ORB UK (block email from machines which can be used to send spam)
weaah riel_ : what do you think that a lot of sysadmins don't use RBLs?
Rik Van Riel: I think everybody should CHOOSE if they want to use RBL and other anti-spam lists or not
personally I use RBL, RSS and the ORBS variants
but not DUL, for example
the lists just give me the information I need to protect my servers
what you do with your servers is your business
"spammers have the right to free speech, but I have the right to choose from where I receive email and from where I do not receive email"
Horacio Peña: lo que haces con tus servers no es asunto tuyo... sino de tus usuarios
el uso de estas listas para filtrar correo normalmente lo deciden los ISP
con lo que estos filtran qué correo puede o no aceptar sus usuarios
(e incluso emitir, en los casos en que bloqueen los envíos directos de mail)
Esto vuelve a los ISPs responsables de los correos que llegan a sus usuarios (tanto
porque pueden filtrar correo legitimo, como porque implicitamente se estan
responsabilizando de que el correo que dejan pasar es legitimo y pueden ser
responsables en caso de dejar pasar spam)
Por esto, ha de tenerse mucho cuidado al implementarlo. De todos modos, es mi
opinión que los equipos que operan como "open relay" no están mal configurados, y
que son útiles para internet
dado que permiten diagnosticar problemas (de la misma manera que ahora se ha puesto
de moda no permitir que los servidores de dns respondan a consultas hechas por quienes
no son clientes, bloqueando otro de los métodos de diagnostico de la red)
Antonio Verdejo: pienso que la idea de ese tipo de listas no es mala, pero un control mas "personalizado" a nivel de proveedor (isp) o incluso de administrador de sistema, confeccionando una lista propia, puede ser mas efectivo, a la par que menos problematico con la regla del "justos por pecadores" (dial-up users, etc...)
en mi caso, es lo que uso... una minilista de "spammers" que en algun momento han mandado a usuarios de mi servidor correo no solicitado
Horacio Peña: Antonio, avisa cuando termines que quiero retrucar :-)
Antonio Verdejo: es un metodo mas "granular" y permite un filtrado mas selectivo...
horape, retruca :)
Horacio Peña: el problema que tienen estas listas "caseras" es que son mas lentas
esto es, cuando un sistema corrige sus problemas y deja de generar spam
las listas como la RBL se enteran en seguida
mientras que aquellas hechas manualmente pueden no enterarse nunca
(normalmente quienes dejan de generar spam han sido avisados de que figuran
en la RBL, pero no en las listas "caseras" y por tanto avisan de los
Rik Van Riel: HoraPe: one problem
Horacio Peña: cambios a la RBL, pero no a los administradores que los han filtrado motu propio)
Rik Van Riel: HoraPe: if we have the spammers in RBL, but we do not block open relays ... the spammers can STILL send out spam
HoraPe: I agree that open relays can be useful for debugging, but the potential for abuse by spammers is too big, IMHO
Horacio Peña: i was comparing the "big list" approach against the "homegrown one"
Antonio Verdejo: tienes razon en parte, pero a eso es a lo que me referia con "granularidad": al menos en mi caso suelo generar las listas en base a direcciones concretas, casi nunca denegando a dominios o host especificos
Horacio Peña: ah, you're talking about the old issue
yes, i understand that, the real world is ugly and so we have to close the relays
but they were very useful
(now there is the idea that an open relay is by itself bad, it's bad just because the spammers abuse them)
Rik Van Riel: they are also bad for the people who own them
an open relay can be VERY expensive to have
Horacio Peña: yes, when spammers abuse them, but not when they're used well
Rik Van Riel: you have to pay the bandwidth, your own email can get very slow, your company can get cut off by the ISP, etc...
because of this I support the lists which block open relays BEFORE they send out spam
Horacio Peña: Open relays aren't practical now, but aren't bad by themselves, that's what i'm trying to say.
I do too.
I use ORBS.
Rik Van Riel: not only for myself, to make sure that spam is blocked before I get it, but also to encourage the administrator to fix their problem
Antonio Verdejo: HoraPe: bajo ese punto de vista, una maquina "crakcers wellcome" no es mala de por si...
Rik Van Riel: ORBS no longer exists ...
Ricardo J.CardenesAntonio: }:)
Horacio Peña: but i remember with nostalgy the "good old times" when i could debug if my new server was working by going thru the MIT mail servers
Rik Van Riel: but http://www.orbl.org and http://orbz.gst-group.co.uk have good alternatives
Horacio Peña: I used ORBS...
Antonio Verdejo: HoraPe: la seguridad es una cuestion sobre todo de "compromiso"
Maria Jesus Coma a question.... no podrian los genios de la informática, inventar algo "diferente" a lo que hay, para evitar el spam?
Horacio Peña: Antonio, no, no una maquina "crakcers wellcome", pero sí los sistemas con usuario guest
de la misma manera que son tan útiles los looking glasses (esencialmente, routers con usuario guest)
poder "ver la red" desde otra ubicación es muy bueno, los open relay permitian hacer eso en cierto modo
Antonio Verdejo: no deja de ser lo mismo, una cuestion historica la del usuario guest... otra cosa es el uso que se haga de ella (o de el)
de lo que hay que ser consciente es que, por mas que nos pese, la "edad dorada" de internet llego a su fin con el advenimiento de los oportunistas que no han visto en ella mas que otra herramienta de hacer dinero
Maria Jesus ComaI disagree !
Antonio Verdejo: explain it
Horacio Peña: no estoy hablando de el historico usuario guest, sino de aquellos sistemas que lo tienen intencionalmente
para permitir usar la red desde otro lugar
Maria Jesus Comala edad dorada de internet llega a partir de ahora, cuando millones de personas interconectadas, van a hacer posible la "aldea global"
Antonio Verdejo: no me referia a eso MJesus
si no a los tiempos en los que no tenias que estar dedicando la mayor parte de tu jornada a mantener tus sistemas a salvo de indeseables
Maria Jesus Coma:)) ahora no ?
Antonio Verdejo: si, de un tiempo a esta parte...
Rik Van Riel: -------------------------------------------
ok, time to close up the discussion with some final words from the participarts
first, LaForge will give us some advice on network security
Harald Welte: well, obviously there is no solution for network security on the internet. And ther will not be network security unless we want to give up one or more of the basic principles of the network
As long as the internet is centralized and there is no regulation authority, we will have to live with a little bit of chaos in the network
as long as the internet is not centralized and there is no authority, that is :)
and yes, this will further hurt commercial users of the network
but we have to remember those people, whose business is based on the internet, that it is not their internet, but everybodies network,
and nobody will ever guarantee any public internet security.
Rik Van Riel: LaForge: thank you
Harald Welte: We have to make the best out of this situation, but there is no solution.
*riel_ will now tell a little bit about host (server, client) security
Rik Van Riel: I agree with LaForge ... basically the internet is like the Wild West(tm) ;)
it is not a safe place, even behind firewalls you are not safe
this means you have to keep your machine at home safe
and, of course, your servers
I guess the most important thing to do is update your software on a regular basis
every few days, or every week, you should read the news
and if there is a security bug, update your software
another strategy is to not run software you do not need, mostly on servers
if there is a bug in, for example, SAMBA and you are not running samba, there is no problem
but if you are running it but not using it, you are at risk ... for no benefit
so the advices I give to people on the internet:
1) keep your software up to date with security fixes
2) do not run software you do not need on your server, it only increases security risks
========================
ok, now Antonio will tell us something about email security ;)
Antonio Verdejo: mi consejo es sencillo
usad siempre que podais (o que vuestro destinatario pueda)
herramientas de cifrado
gnupg a poder ser, y pgp si no os queda mas remedio
y si por alguna razon vuestros destinatarios no las usan, instadlos a hacerlo :)
eso es todo
para terminar, me voy a permitir el lujo de citar una frase
que me parece genial, a proposito del tema que tratamos aqui,
es de Gene Spafford y dice asi:
"El unico sistema autenticamente seguro es el que esta desconectado, desenchufado, y empaquetado en un recipiente hermetico de titanio, guardado en un bunker de hormigon, rodeado de gas nervioso y custodiado por guardias muy bien armados y magnificamente pagados. E incluso asi, yo no me jugaria la vida por el..."
ahora si, that's all...
ahora si, that's all...
Rik Van Riel: ok, than you Antonio
Rik Van Riel: as the last speaker, HoraPe will tell us something about security in general
Horacio Peña: Esa frase es citada por todos quienes se dedican a la seguridad informática,
seguida normalmente por un "ese es el estado ideal, pero como unos molestos llamados
usuarios necesitan que las cosas funcionen no podemos lograrlo" y tras esto recomiendan
sacar todo lo que se pueda.
Riel ha dicho "another strategy is to not run software you do not need"
y es una sugerencia muy buena, pero hay que tener cuidado de no sacar más
de lo permitido.
El objetivo no debe ser "sacar todo lo que se pueda" sino "permitir todo lo que haga
falta, y luego sacar el resto" Las redes y los sistemas están hechos para ser usados
mas que para ser seguros. Un sistema seguro, pero desconectado dentro de un
bunker, no sirve de nada.
Es así que en los años que he trabajado en seguridad he llegado a la conclusión
antagónica a la sabiduría establecida que propone la paranoia y quitar todo lo
que se pueda.
Por esto, recomiendo que cuando deban trabajar sobre la seguridad de un sistema recuerden que el
sistema debe ser usado y que debe atenderse a que pueda usarse primero que a que
sea seguro.
Esto es todo, gracias por su atención.
Antonio Verdejo: parafraseando a laforge, nadie puede garantizar un buen funcionamiento de internet :)
Rik Van Riel: ===============================================
OK, I would like to thank H(oraPe), LaForge and Antonio for their participation in this round table
and I would like to thank everybody else for their time