[285] in Coldmud discussion meeting

root meeting help first first in chain previous in chain previous next next in chain last in chain last

Re: ports

daemon@ATHENA.MIT.EDU (Fri May 20 13:59:01 1994 )

Date: Fri, 20 May 1994 10:46:57 -0700
From: rayn@q.crossaccess.com (Ray Nawara jr.)
To: coldstuff@MIT.EDU
In-Reply-To: <m0q4X00-0004JFC@glacier> (message from Greg Hudson on Fri, 20 May 1994 12:00:35 -0400)

>> Well, this is just me being paranoid, but a portmapper type thing is
>> a hackers dream come true... the less randome people know about the
>> system the more secure it is.

> Security through obscurity is no security at all.  It's quite easy to
> write a program to connect to all ports on a system, at any rate.

Umm, I wasnt suggesting that obsurity be the only form of security,
but why make things easier on people. its rather standard on secure
systems to block that kind of thing (portscans). But as I said, in
this case, I'm just being overly (although perhaps still rightly so)
paranoid. With standard ports, you could do things like only accept to
the mail port from the trusted mail port, etc, but when we're dealing
with above 1k its not really an issue anyways, as most of this stuff
can be forged. Therefore the security needs to be in how what the port
is used for is trusted (i.e. it shouldnt be trusted at all.)

> Forge IP addresses?  Difficult to do with TCP connections beyond the
> first few packets, unless it's from a site that's down.

Well, actually my comment was in reference to names, not ip's, but
althought its difficult, its not impossible.

>> another thing about portmappers. The general sun style portmapper
>> for rpc is a problem with secrutiy because it can be tricked...

> This is completely irrelevant; what you've said is about a
> particular implementation of a service with the name "portmapper"
> whose functionality has very little to do with what Lynx is
> proposing.

If you read the whole paragraph, I said that it was irrelevant. I was
explaining my previous objections ;)