Full Disclosure mailing list archives
Re: SQL Slammer - lessons learned (fwd)
From: Steffen Dettmer <steffen () dett de>
Date: Mon, 10 Feb 2003 00:53:26 +0100
* yossarian wrote on Sun, Feb 09, 2003 at 19:52 +0100:
> My question - must my ISP know all types of traffic legit to me, in order to service me?
I don't think they can. Maybe they can serve AOL customers without any requirements except high color depth, but for people that work with the net, they cannot.
> can not set up a FW that suits me 100%, since it has other companies / customers with different needs on the same local loop.
Yep, and the same applies to standard software. Usually I expect my software to be highly customizable, I want to define what key does what action, but many people just consume solutions suited for different requirements in some strange way. Well, so let them do, but they let me do my business. And so I don't expect government or anybody to get too deep into my business. In Germany, it's now illegal to serve sex pages in the afternoon I heard, but despite the fact that this is technically impossible I don't see a valid reason for it. And if someone thinks about some "whitelists", this is also impossible, since I also feel free to apply strong cryptography wherever I want - I do nothing illegal, but I still may be interested in keeping my love letters private.
> So even if my ISP were to block most of the dangerous traffic, I still would need a FW, since it cannot block all.
Well, a packet filter helps nothing, so the ISPs need content filters. And content filters don't work for me as long as there is a single false positive.
> And since an ISP must make profit, having them doing MY firewall would probably be a lot more expensive than if I do it myself.
Well, I don't think that this is necessarily true, at least if it concerns non-professional non-security people. You are able to do it in a short time, but most users are not educated to deploy usable security I think. So having experts for security isn't bad in my opinion, but it's me, the user, that has to do the specification. I work a little in this business, and when I start to promise I protect anybody against anything, I'm lying, even with best-made firewalling. All we do is risk management. So when requiring impossible things, the ISPs would have the problem: they cannot do it technically, no one will pay for it, so no one should require it.

oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html