Mailinglist Archive: opensuse (4446 mails)

Re: [opensuse] Re: don't set Reply-to!! (was NO PERSONAL REPLIES...)
  • From: Joachim Schrod <jschrod@xxxxxxx>
  • Date: Fri, 8 Dec 2006 12:21:31 +0100
  • Message-id: <17785.19131.197920.231157@xxxxxxxxxxxxx>
>>>>> "JE" == Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx> writes:

JE> On Dec 8 2006 02:04, Joachim Schrod wrote:
>>
>> To quote Jon Postel in RFC 761, the TCP definition from January 1980,
>> the last two lines on page 12:
>>
>> be conservative in what you do, be liberal in what you accept from
>> others.
>>
>> Words to keep in mind, they served us well in more than 25 years --
>> RIP Jon Postel.

JE> You know where this RFC attitude brought us - Web browsers accepting
JE> broken HTML, resulting in sloppy non-standard pages that display in
JE> less than average of the browsers.

And, so what? It made the Internet usable for millions of users. And,
for the record, I think that's a Good Thing(tm). I'm against that
elitism that would have prevented my mother, aged 71, from being able to
learn sending emails and surfing the Net three years ago when she
retired. She will never understand that there's a difference between a
Web browser and a Mail client, that's completely blurred to her, it's
all `that Internet thingy' -- but so what? Who cares, as long as she
can communicate with her relatives?

JE> Especially when it comes to
JE> security, e.g. firewalls, it's better to turn the RFC quote:

JE> Be conservative in what you accept and be
JE> liberal in what you do.
JE> [http://jengelh.hopto.org/p/jen_ipfw/TECH.txt]

I have worked for more than 10 years as CEO of a security consulting
company, I have worked on the Internet since 1992 and have been a member of
several IETF working groups, and I have planned the connection of
whole countries to the Internet. From my experience, I can only say:
To use that sentence in the context of firewalls is not sensible, and
seems to be made tongue-in-cheek without thinking it through.

Be liberal in what you do?

E.g., allowing broken IP packets to leave one's network?
E.g., with spoofed source IP addresses?
E.g., allowing outgoing IRC packets for all systems?
Or any other outgoing connections that do not conform to business
and usage rules? Like, you know, those connections that enable bot
networks in the first place because they allow them to be controlled
from the outside.
If more institutions, people, and operating system default
installations implemented egress filtering, we would have far
fewer security problems in the first place.

And you tell me that my attitude brings us bad HTML pages?
Your attitude helps to build bot networks and hackers.

You can guess yourself what I think is worse.

Joachim

PS: Please reply to the list. I don't consider this a private
discussion.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod@xxxxxxx
Roedermark, Germany
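
An added example, not part of the original mail: the egress checks the message lists (broken packets, spoofed source addresses, IRC open to all systems, connections outside the usage rules) written as a default-deny audit over outbound flow records. The prefixes, permitted host, port lists and flow records are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed site policy (hypothetical values; documentation prefixes from RFC 5737).
INTERNAL_NETS = [ip_network("192.0.2.0/24")]
IRC_ALLOWED = {ip_address("192.0.2.10")}        # the only host permitted to use IRC
IRC_PORTS = set(range(6660, 6670)) | {6697}     # conventional IRC ports, plain and TLS
ALLOWED_PORTS = {"tcp": {25, 80, 443}, "udp": {53, 123}}

def egress_verdict(flow):
    """Return (action, reason) for one outbound flow record (a dict)."""
    src = ip_address(flow["src"])
    # Broken packets: an IPv4 header is at least 5 32-bit words long.
    if flow.get("ihl", 5) < 5:
        return ("drop", "malformed-header")
    # Spoofed sources: only addresses we actually own may leave the network.
    if not any(src in net for net in INTERNAL_NETS):
        return ("drop", "spoofed-source")
    # IRC: allowed for named hosts only, not for all systems.
    if flow["proto"] == "tcp" and flow["dport"] in IRC_PORTS:
        if src in IRC_ALLOWED:
            return ("allow", "irc-permitted-host")
        return ("drop", "irc-not-permitted")
    # Everything else: default deny unless the usage rules list the port.
    if flow["dport"] in ALLOWED_PORTS.get(flow["proto"], set()):
        return ("allow", "policy-port")
    return ("drop", "default-deny")

def audit(flows):
    """Return the (flow, reason) pairs that the policy would have dropped."""
    return [(f, reason) for f in flows
            for action, reason in [egress_verdict(f)] if action == "drop"]

# Constructed sample flow records, not taken from any real capture.
SAMPLE_FLOWS = [
    {"src": "192.0.2.25", "proto": "tcp", "dport": 443},
    {"src": "198.51.100.7", "proto": "tcp", "dport": 80},     # source not ours
    {"src": "192.0.2.31", "proto": "tcp", "dport": 6667},     # IRC from a desktop
    {"src": "192.0.2.10", "proto": "tcp", "dport": 6667},     # permitted IRC host
    {"src": "192.0.2.40", "proto": "tcp", "dport": 31337},    # no rule for this port
    {"src": "192.0.2.41", "proto": "udp", "dport": 53, "ihl": 4},  # truncated header
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DROP {flow['src']} -> {flow['proto']}/{flow['dport']}: {reason}")
```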