On Wed, 3 Feb 1999, Robert Ward wrote:

> We designed this box with being able to access the CLI or HTTP interface
> from the WAN in mind. This feature allows for remote management and
> troubleshooting of the WebRamp, and has proved to be an essential tool to our
> support department. If security is a concern, change the Administrative
> password on your WebRamp, and do so frequently.

IMHO, when you ship someone a preconfigured machine of some kind, and they
don't express any particular interest or knowledge about the possibilities of
that machine being controlled remotely, the default should be for that machine
not to be controllable remotely -- not for anyone in the world to be able to
control that machine remotely.

> 2) This is true for every M3/M3t/M3i/300 user who is not using Visible
> Computers or telnet Local Servers. I would approximate this number to be in
> the 90% or higher range. The number of customers who have actively tried to
> disable incoming telnet sessions that we are aware of is much lower than 1%.

This is probably a good rule of thumb. 99% or more of the people out there
won't even think about security. It's a betrayal, a fraud, an injustice to put
backdoors into your products by default, then give people the ability to turn
them off -- knowing that more than 99% of them will never use it.

Imagine getting a new car. Like more than 99% of car owners, you don't read the
owner's manual. After six months, the car's brakes stop working in traffic; it
kills your wife and kids, along with the occupants of several dozen other cars
of the same model in that city block. You call the manufacturer to complain.

"Didn't you read the manual?" they say. "On page 66, it explains that the car
is rigged to disable the brakes when it receives a particular radio signal, but
you can turn it off with a switch inside the glove compartment. It's not our
fault if terrorists use this feature to blow up buildings, and if you didn't
bother to read the manual. We put it in to help our mechanics when the brake
pedals get stuck."

> 3) There are workarounds readily available.

. . . which, as you point out, more than 99% of your customers don't even know
about, and therefore more than 99% of your customers are wide open.

I hope you get your irresponsible sorry asses hauled into court for this, you
pathetic slimeballs.

-- 
<kragenat_private>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
Computers are the tools of the devil. It is as simple as that. There is no
monotheism strong enough that it cannot be shaken by Unix or any Microsoft
product. The devil is real. He lives inside C programs.  -- philgat_private
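The practical check a WebRamp owner (or anyone with a router that ships with management enabled on the WAN side) would want after reading this thread is whether the CLI and web interface actually answer from the Internet. The script below is an added example, not part of the original post or of WebRamp's own software; it assumes only what the thread states, namely that the CLI is reached by telnet (TCP 23) and the web interface by HTTP (TCP 80), and it makes no attempt to log in. Run it from a host outside your network against your public address; the placeholder target 192.0.2.1 is an RFC 5737 documentation address chosen here, not one from the post.

```python
"""Probe a device's management ports from the caller's vantage point.

Added example, not the original post's or WebRamp's code. The only
device-specific facts used are the two services named in the thread:
telnet (CLI) on TCP 23 and HTTP (web interface) on TCP 80. An "OPEN"
result from a host on the Internet means the management interface is
reachable from the WAN and only the admin password stands in the way.
"""
import socket
import sys

# Ports named in the thread: telnet for the CLI, HTTP for the web interface.
MANAGEMENT_PORTS = {23: "telnet (CLI)", 80: "http (web interface)"}


def probe_port(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes, else False.

    A completed connect is enough: it proves the service is listening and
    reachable through whatever filtering sits between here and the device.
    Nothing is sent, so this does not touch the login prompt.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        # Refused, filtered (timeout), unreachable or name-resolution failure
        # all mean "not reachable from here"; the caller decides what to do.
        return False


def exposed_services(host, ports=MANAGEMENT_PORTS, timeout=3.0):
    """Map each port in `ports` to True (reachable) or False for `host`."""
    return {port: probe_port(host, port, timeout) for port in ports}


def report(host, results, ports=MANAGEMENT_PORTS):
    """Render probe results as one line per port; returned, not printed."""
    lines = []
    for port, is_open in sorted(results.items()):
        name = ports.get(port, "tcp/%d" % port)
        state = "OPEN  - management reachable from here" if is_open else "closed"
        lines.append("%s:%d %s: %s" % (host, port, name, state))
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder target (RFC 5737 documentation range), not from the post.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(report(target, exposed_services(target)))
```

Run it twice: once from the LAN, where both ports answering is expected, and once from outside (a shell account elsewhere, a dial-up, a friend's connection). If the outside run also reports OPEN, the device is in the default state the thread describes, and disabling WAN management, not just rotating the password, is the fix; a strong password only raises the cost of the attack the open port invites.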
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:32:38 PDT