2009/7/24 Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx>:
> Colin Walters wrote:
>> If for
>> example I enable desktop sharing before leaving work, then head to the
>> airport, and log on there to WiFi, you really don't want the desktop
>> sharing still enabled. Nor likely do you want sshd.
>
> – Internal tech support, Randy Hacker speaking.
> – Hi Randy, Joe Salesman here. I'm at the airport. Something's wrong with my
> laptop. The screen just goes black when I try to start Open Office Impress. It
> worked fine yesterday. If I can't get it to work before I get to the customer's
> site I won't be able to show the presentation.
> – OK Joe, I'll SSH into your laptop and look at the logs. What's your current
> IP address?

In this case, when the firewall is re-enabled, it would be enabled to whatever
the system administrator has configured it to do. In other words, if they added
an explicit passthrough for port 22, that would continue to work.

> Joe might have file sharing enabled to share his documents with his colleagues
> in his own company, but just because Joe wants to let people see the
> presentation, that doesn't mean he wants anyone who might be connected to the
> customer's network to read all his documents.

Hmm? How would they be able to read all his documents?

> In one known attack against the concept of trusted networks, an attacker
> configures his laptop to present itself as a WiFi access point and broadcast a
> large number of strategically chosen SSIDs. Then he sits down in a public
> place and waits for unsuspecting laptops to recognize the SSID of their home
> network and connect automatically.

I believe NetworkManager's connection list is based on the pair of MAC address
+ SSID, not just SSID. Now yes, of course someone could discover the MAC and
SSID of a particular access point at a company, then when a mobile worker goes
to a coffee shop, fake being that network. But at this point we're getting into
very targeted attacks.

And I would argue that accepting this is a valid tradeoff versus the even more
serious problem of people who disable the firewall to get things to work and
then never re-enable it.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
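As an added example, not part of this message or the thread: a shell check, on the point about NetworkManager matching a profile by access-point MAC plus SSID, that reports saved Wi-Fi profiles set to auto-connect with no BSSID (the access point's MAC) pinned, so they would join any access point advertising the SSID. It assumes nmcli's `-t`, `-f` and `-g` options and the property names `802-11-wireless.ssid`, `802-11-wireless.bssid` and `connection.autoconnect`; when nmcli is not installed it runs on a constructed sample instead.

```shell
#!/bin/sh
# Added example, not from the thread: list NetworkManager Wi-Fi profiles that
# auto-connect on SSID alone (no BSSID pinned).
# Record format, one profile per line: NAME|SSID|BSSID|AUTOCONNECT

# Constructed sample standing in for a laptop's saved profiles.
SAMPLE_PROFILES='corp-wifi|CorpNet|AA:BB:CC:DD:EE:01|yes
home|HomeNet||yes
airport-guest|FreeAirportWiFi||no
lab|LabNet||yes'

# Print the NAME of every record that auto-connects and has an empty BSSID.
# $1: newline-separated NAME|SSID|BSSID|AUTOCONNECT records
unpinned_autoconnect() {
    printf '%s\n' "$1" | awk -F'|' '$3 == "" && $4 == "yes" { print $1 }'
}

# Build the same records from a live NetworkManager (requires nmcli).
collect_profiles() {
    # terse output: NAME:TYPE per line; Wi-Fi profiles have TYPE 802-11-wireless
    nmcli -t -f NAME,TYPE connection show | while IFS=: read -r name type; do
        [ "$type" = "802-11-wireless" ] || continue
        # -g prints one requested property value per line; join them with '|'
        props=$(nmcli -g 802-11-wireless.ssid,802-11-wireless.bssid,connection.autoconnect \
            connection show "$name" | paste -sd'|' -)
        printf '%s|%s\n' "$name" "$props"
    done
}

if command -v nmcli >/dev/null 2>&1; then
    unpinned_autoconnect "$(collect_profiles)"
else
    unpinned_autoconnect "$SAMPLE_PROFILES"
fi
```

Pinning a profile to its access point is done with `nmcli connection modify NAME 802-11-wireless.bssid AA:BB:CC:DD:EE:01`, after which it no longer appears in this report.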