
Ubuntu 6.06 criticisms from a programmer

Started by CBFalconer October 14, 2006
On Tue, 17 Oct 2006 09:04:03 -0500, Don Seglio wrote:

> Forced by law? Isn't that a bit extreme and intrusive,
Nope. NAT firewalls are mundane technology nowadays. If there were a law requiring them in all devices, mass-production would lead to inexpensive chipsets. I would be very surprised if it added more than $10 to the final cost. That's pretty cheap for the amount of protection it provides. I'd pay a whole lot more than that to have a NAT firewall built into my laptop so I didn't have to carry an extra box around.
> do you think that the government can protect a fool from itself?
I worked in R&D for 25 years. IMNSHO, "RTFM!" is usually just a way to blame the user for the designers' own failure to meet the needs of his target audience.
On 2006-10-17, arachnid <none@goawayspammers.com> wrote:

> I worked in R&D for 25 years. IMNSHO, "RTFM!" is usually just a way to
> blame the user for the designers' own failure to meet the needs of his
> target audience.
Since you were in R&D, what do you know of real world manufacturing? First of all, anything actually requiring a manual has customers, the proper term for "target audience", and they are finally determined by the constraints of costs and marketability. Second, end users are not the only "customers". There is also support/maintenance to consider, though they seldom are. Third, and by no means last, documentation is never written with the customer in mind. That's primarily the realm of legal with an over-the-shoulder peek by marketing and middle management. Any relevance to the actual use of the product is strictly coincidental. There are "manuals" written for support. These are much more relevant. Consequently, it pays for the end user to get his hands on a service manual, if possible.

nb

On Mon, 16 Oct 2006, arachnid wrote:

> On Mon, 16 Oct 2006 19:26:59 +0100, Steve at fivetrees wrote:
>
>> And I agree re a hardware firewall, for all the reasons mentioned, and a few
>> more. To be clear, this will usually take the form of a NATing router, i.e.
>> it separates two networks (the Internet and the LAN), and provides
>> controlled traffic between the two. With this setup, it's the router that's
>> online, not the clients. It will block unsolicited traffic - i.e. anything
>> other than what you ask for. Properly set up, the benefits in terms of
>> security of a router mean you're pretty safe from direct attack - whether
>> with Linux, OpenBSD, or Windows.
>
> NAT firewalls should be required by law to be built into any consumer
> device that's designed for connecting a computer to the Internet.
You use the term "NAT firewall", but in fact, there is no such thing. There are routers that include both NAT and firewall capabilities, but it is important to understand that NAT is not a firewall. So, looking at the 2 components:

firewall: universally a good idea for security assuming that it is properly configured. Stateful firewalls provide excellent security against many threats.

NAT: unfortunately, NAT has some negative side effects. It breaks some end-to-end security, forcing ugly hacks such as NAT-T. It is quite possible that with IPv6, NAT will be much less prevalent.

Also, there are different types of NAT (symmetric, asymmetric). Some break other protocols such as SIP, requiring other ugly hacks such as proxies.
"David Brown" <david@westcontrol.removethisbit.com> wrote in message 
news:4534ebf4$0$8095$8404b019@news.wineasy.se...
> Don Seglio wrote:
>> Forced by law? Isn't that a bit extreme and intrusive, do you think that
>> the government can protect a fool from itself? These are the same kind
>> of people that respond to Spam to get them to stop and are bewildered by
>> the increase in Spam, feel free to educate them, but leave government out
>> of it. The only thing government is good at is to force you to pay ever
>> increasing taxes, so they can have more money to waste.
>>
>
> You can't force people to use sensible behaviour on the internet (well,
> you could introduce a "drivers license", but that would be a bit much). So
> you can't force people to use a firewall. But it's not unreasonable to
> require ISPs to supply a firewall with every broadband connection (as I
> said, they could easily make a half-decent one on their side of the
> connection). Remember, every time somebody connects an unprotected
> Windows machine to the net, it costs you and me time and money through
> increased spam, viruses, worms, attack bots, and other nasties. And
> every time an ISP offers a customer a broadband connection without a
> firewall, they are acting irresponsibly - the average customer does not
> know anything more than the ISP tells them, and will suffer the
> consequences. The only thing that stops ISPs giving out firewalls is the
> cost, which would put them at a disadvantage compared to their
> competitors. Regulations requiring firewalls to be provided would keep
> the playing field even.
Just to put this in perspective a little, I now run greylisting as a first-line defence against spam. (See Wikipedia for details.) It basically separates real mailservers from p0wned Windows machines. Since I turned this on, my (and my clients') spam has reduced by around 99.8%. This probably means that most spam is down to trojans/worms, i.e. insecure Windows machines connected directly to the interweb.

I'm with David. NAT'ed firewalling should be a legal requirement. Period.

Steve
http://www.fivetrees.com
"notbob" <notbob@nothome.com> wrote in message 
news:DPKdncjg-pYeu6jYnZ2dnUVZ_rudnZ2d@comcast.com...
> On 2006-10-17, arachnid <none@goawayspammers.com> wrote:
>
>> I worked in R&D for 25 years. IMNSHO, "RTFM!" is usually just a way to
>> blame the user for the designers' own failure to meet the needs of his
>> target audience.
>
> Since you were in R&D, what do you know of real world manufacturing?
> First of all, anything actually requiring a manual has customers, the
> proper term for "target audience", and are finally determined by the
> constraints of costs and marketability. Second, end users are not the
> only "customers". There is also support/maintenance to consider,
> though they seldom are. Third, and by no means last, documentation is
> never written with the customer in mind. That's primarily the realm
> of legal with an over-the-shoulder peek by marketing and middle
> management. Any relevance to the actual use of the product is
> strictly coincidental. There are "manuals" written for support. These
> are much more relevant. Consequently, it pays for the end user to get
> his hands on a service manual, if possible.
wtf?

Steve
http://www.fivetrees.com
"Whoever" <nobody@devnull.none> wrote in message 
news:Pine.LNX.4.64.0610171357350.19817@localhost.localdomain...
>> NAT firewalls should be required by law to be built into any consumer
>> device that's designed for connecting a computer to the Internet.
>
> You use the term "NAT firewall", but in fact, there is no such thing.
> There are routers that include both NAT and firewall capabilities, but it
> is important to understand that NAT is not a firewall. So, looking at the
> 2 components:
>
> firewall: universally a good idea for security assuming that it is
> properly configured. Stateful firewalls provide excellent security against
> many threats.
>
> NAT: unfortunately, NAT has some negative side effects. It breaks some
> end-to-end security, forcing ugly hacks such as NAT-T. It is quite
> possible that with IPv6, NAT will be much less prevalent.
>
> Also, there are different types of NAT (symmetric, asymmetric). Some break
> other protocols such as SIP, requiring other ugly hacks such as proxies.
Huh? NAT == network address translation. IOW, providing a controlled connection between two networks. If you can control the connection (e.g. OpenBSD's pf packet filter), what's missing?

Steve
http://www.fivetrees.com
On 2006-10-17, Steve at fivetrees <steve@NOSPAMTAfivetrees.com> wrote:
> wtf?
nice summary. ;)

nb
"notbob" <notbob@nothome.com> wrote in message 
news:mbKdnTYDm6gPy6jYnZ2dnUVZ_tWdnZ2d@comcast.com...
> On 2006-10-17, Steve at fivetrees <steve@NOSPAMTAfivetrees.com> wrote:
>> wtf?
>
> nice summary. ;)
:)

Steve
http://www.fivetrees.com
CBFalconer <cbfalconer@yahoo.com> wrote:

> Hadron Quark wrote:
>> CBFalconer <cbfalconer@yahoo.com> writes:
>>
>> *snip*
>>
>> Don't forget the resources at:
>>
>> http://www.linux-on-laptops.com/ibm.html
>>
>> And apologies if this is the second time I have posted this link -
>> nntp server issues.
>>
>> Interestingly enough I ordered a Thinkpad X30 on Friday and hope
>> to get it tomorrow :) Thinkpads are great pieces of HW. And at the
>> price for yesterday's bosses' throwaways they are wonderfully cheap
>> bits of HW for running a Linux distro.
>
> Thanks for that link - will check it next time on line. I am
> starting to lean towards keeping this machine (a T30). My two
> major problems remain:
>
> 1. Suppressing the touchpad sensitivity.
> 2. (later) getting the modem internet link alive.
Maybe you'll find some information on <http://www.thinkwiki.org/>

Florian
--
<http://www.florian-diesch.de/>
In comp.arch.embedded Steve at fivetrees <steve@nospamtafivetrees.com> wrote:
> NAT == network address translation. IOW, providing a controlled connection
> between two networks.
No. NAT is an evil hack which was invented to preserve IP address space by allowing hosts on a privately addressed unroutable network to speak to the outside world of public routable IP addresses via a single public IP address. For the most part this has the effect that you can make connections outward bound but not inward bound, which is why people confuse it with a firewall (as most firewalls will be set up to prevent inward connections). Most things sold as "firewalls" for PCs are actually application policy tools or crude intrusion detection systems rather than firewalls.
> If you can control the connection (e.g. OpenBSD's pf packet filter), what's
> missing?
An understanding of how IP works?

-p
--
"Unix is user friendly, it's just picky about who its friends are." - Anonymous
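Whoever's point that NAT is not a firewall, and -p's point that NAT only appears to block inbound traffic because no mapping exists, as an added Python simulation (not code from anyone in this thread). It assumes RFC 5737 documentation addresses and simplifies the NAT types Whoever mentions to a full-cone mapping versus an address-restricted one: once a LAN host has opened an outbound connection, a full-cone NAT forwards packets from any Internet host to that mapped port, so the "protection" is only the absence of a mapping, not a policy.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "192.0.2.1"  # assumed public address of the NAT box (RFC 5737)


@dataclass
class Nat:
    """Toy NAT with a mapping table; no firewall policy of any kind."""
    full_cone: bool
    table: dict = field(default_factory=dict)   # (lan_ip, lan_port) -> public port
    peers: dict = field(default_factory=dict)   # public port -> set of (ip, port) contacted
    next_port: int = 40000

    def outbound(self, src, dst):
        """LAN host src sends to Internet host dst; create/refresh the mapping."""
        if src not in self.table:
            self.table[src] = self.next_port
            self.next_port += 1
        pub = self.table[src]
        self.peers.setdefault(pub, set()).add(dst)
        return (PUBLIC_IP, pub), dst          # packet as seen on the Internet side

    def inbound(self, src, dst):
        """Internet host src sends to dst; return LAN destination or None if dropped."""
        if dst[0] != PUBLIC_IP:
            return None
        lan = next((k for k, v in self.table.items() if v == dst[1]), None)
        if lan is None:
            return None   # no mapping: dropped, which is what gets mistaken for a firewall
        if not self.full_cone and src not in self.peers[dst[1]]:
            return None   # address-restricted: only hosts the LAN side already contacted
        return lan        # full-cone: anyone on the Internet can reach a mapped port


def demo():
    """Compare both NAT types for a reply, an unrelated host, and an unmapped port."""
    results = {}
    for name, cone in (("full_cone", True), ("restricted", False)):
        nat = Nat(full_cone=cone)
        nat.outbound(("192.168.1.10", 5000), ("203.0.113.5", 80))  # constructed traffic
        pub_port = nat.table[("192.168.1.10", 5000)]
        results[name] = {
            "reply": nat.inbound(("203.0.113.5", 80), (PUBLIC_IP, pub_port)),
            "stranger_mapped": nat.inbound(("198.51.100.7", 4444), (PUBLIC_IP, pub_port)),
            "stranger_unmapped": nat.inbound(("198.51.100.7", 4444), (PUBLIC_IP, 22)),
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The unmapped-port case is dropped by both variants, which is the only "protection" NAT gives; a stateful packet filter such as pf decides the same case by explicit policy rather than by accident of the address-space hack.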
