On Mon, 27 Oct 2003 kenw@kmsi.net wrote:
I said "low hanging fruit". I didn't say "top-to-bottom security analysis".
If I fixed every computer on the Internet today, tomorrow Microsoft would sell 17,000 new insecure installs of Windows. Low-hanging fruit would be to get Microsoft to change its defaults. Then instead tomorrow, there would be 17,000 new "secure" installs of Windows.
Does NOBODY remember that thread?
I remember it well. I also remember ISPs removing the filters after a few hours/days due to customer complaints because the applications they wanted to use across the Internet stopped working. Why shouldn't people be able to use NETBIOS, or Telnet or FTP or any other insecure protocol across the Internet? The security problems aren't due to the packets crossing the Internet. The security problems happen when the packets reach an insecure end-host. It is possible to use NETBIOS securely across the Internet withOUT a VPN. I wouldn't recommend it, but I don't understand why ISPs should prohibit the use of any particular 16-bit port number in a TCP/UDP header.
And if all ISPs were doing all these thing (as you try to imply) we'd all be a lot better off, wouldn't we?
And are you implying ISPs aren't doing anything?
So, am I advocating bad measures?
Naive measures.