[RC5] Security risks?

Peter Cordes peter at llama.nslug.ns.ca
Wed Jan 17 19:54:31 EST 2001


On Wed, Jan 17, 2001 at 07:53:47PM +0000, Andreas D. Landmark wrote:
> At 16.01.2001 14:02, you wrote:
> >I've just had this mail from our IT manager:
> >
> >"Due to the increased risk of network intrusion faced by us on a daily
> >basis, it has been decided not to permit applications like distributed
> >network computing to run on our network.
> >It opens a permanent connection to the internet.  This is unacceptable."
> >
> >I've been running dnet here for over a year with the co-operation of my
> >colleagues and the knowledge of some management. We're currently
> >processing around 2000 giganodes on OGR each day.
> >
> >He also refers to ICQ and Napster as possible risks and I know others
> >use them here.
> >
> >Is he overreacting? Can anyone provide me with an argument to persuade
> >him otherwise? I don't know enough about network technicalities to
> >dispute what he says.
> >
> >Steve
> 
> AFAIK there haven't been any serious security risks with d.net clients, and
> considering the client only connects, and doesn't accept connections, I can't
> see what security risks he's talking about.
> BUT the d.net policy clearly states that you need the approval of the system
> owner/admin/whatever to run the client, so if he says no, he says no...
> 
> You could try to persuade him to join d.net instead, or at least get him to
> set up a keyproxy, that way he could control the "permanent connections
> to the internet" (which isn't true, the perprox or client only connects when
> the buffers are empty/full or you tell it to, which hardly can be regarded as
> permanent?).
> 
> Talk to your IT Manager and ask him if he can set up a keyproxy where he
> can secure it as he pleases, that way he'll have a bit of control, just the
> way we paranoid admins like it...

 Tell your "security expert" <smirk> that dnetc's activity is the same as
what a web browser does when it submits form data and downloads the new HTML
page. It is no more dangerous than having a program that occasionally
submits a search string to topclick.com and saves the results.

 If they really really want to run a port filter to block traffic on certain
remote port numbers, you'll still be able to use dnetc as long as you can
browse the web.  dnetc can talk to keyservers on port 80, or even operate
through an http proxy, if necessary.  If you need a password for the proxy,
dnetc stores it encrypted in the config file.  (Obviously you shouldn't let
anybody have the encrypted version, since it is a symmetric cipher and the
key is in the dnetc program, which anyone can get!  It is better than
nothing, since the password isn't actually displayed on the screen when you
edit the file, so passers-by will have a hard time unless they can remember
a long string of letters and numbers in their heads.)

-- 
#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter at llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
--
To unsubscribe, send 'unsubscribe rc5' to majordomo at lists.distributed.net
rc5-digest subscribers replace rc5 with rc5-digest
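The caveat in the reply above, that a proxy password "encrypted" with a symmetric key shipped inside the program is only protection against someone glancing at the config file, can be shown concretely. The following is an added illustration and is not dnetc's own code or cipher; the key constant, the keystream construction and the sample password are all made up here to stand in for a key baked into a binary.

```python
"""Toy illustration of why a config-file secret protected by a key that ships
inside the program is obfuscation, not confidentiality.  Not dnetc's scheme."""
import hashlib

# Hypothetical key standing in for one embedded in the program's binary.
# Anyone who has the program can extract it, so it is not a real secret.
PROGRAM_KEY = b"toy-key-baked-into-the-binary"


def _keystream(key: bytes, n: int) -> bytes:
    # Deterministic keystream: SHA-256(key || counter) blocks, truncated to n.
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def store_password(password: str, key: bytes = PROGRAM_KEY) -> str:
    # What the config file would hold: password XOR keystream, hex-encoded.
    # The hex looks like noise to a passer-by, which is the only thing it buys.
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data)))).hex()


def recover_password(stored: str, key: bytes = PROGRAM_KEY) -> str:
    # The attacker's step: with the key lifted from the program, the stored
    # value reverses trivially.  This is the same operation the program itself
    # must perform to use the password, which is exactly the problem.
    data = bytes.fromhex(stored)
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data)))).decode()


def is_hidden_from_glance(stored: str, password: str) -> bool:
    # The shoulder-surfing property: the plaintext does not appear in the file
    # and the stored string is just hex digits of twice the password's length.
    return password not in stored and len(stored) == 2 * len(password)


if __name__ == "__main__":
    sample = "s3cret-proxy-pw"  # constructed sample, not a real credential
    blob = store_password(sample)
    print("config holds :", blob)
    print("recovered    :", recover_password(blob))
```

Run stand-alone it prints the hex blob and then the original password, recovered using nothing but the constant every copy of the program carries; that is the whole point of the reply's warning about not letting anyone have the encrypted version.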