Re: RFE: FireKit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2009/7/24 Björn Persson <bjorn@xxxxxxxxxxxxxxxxxxxx>:
> Colin Walters wrote:
>> If for
>> example I enable desktop sharing before leaving work, then head to the
>> airport, and log on there to WiFi, you really don't want the desktop
>> sharing still enabled.  Nor likely do you want sshd.
>
>  – Internal tech support, Randy Hacker speaking.
>  – Hi Randy, Joe Salesman here. I'm at the airport. Something's wrong with my
> laptop. The screen just goes black when I try to start Open Office Impress. It
> worked fine yesterday. If I can't get it to work before I get to the customer's
> site I won't be able to show the presentation.
>  – OK Joe, I'll SSH into your laptop and look at the logs. What's your current
> IP address?

In this case, when the firewall is re-enabled, it would be enabled to
whatever the system administrator has configured it to do.  In other
words if they added an explicit passthrough for port 22, that would
continue to work.

> Joe might have file sharing enabled to share his documents with his colleagues
> in his own company, but just because Joe wants to let people see the
> presentation, that doesn't mean he wants anyone who might be connected to the
> customer's network to read all his documents.

Hmm?  How would they be able to read all his documents?

> In one known attack against the concept of trusted networks, an attacker
> configures his laptop to present itself as a WiFi access point and broadcast a
> large number of strategically chosen SSIDs. Then he sits down in a public
> place and waits for unsuspecting laptops to recognize the SSID of their home
> network and connect automatically.

I believe NetworkManager's connection list is based on the pair of MAC
address + SSID, not just SSID.

Now yes, of course someone could discover the MAC and SSID of a
particular access point at a company, then when a mobile worker goes
to a coffee shop, fake being that network.  But at this point we're
getting into very targeted attacks.  And I would argue that accepting
this is a valid tradeoff versus the even more serious problem of
people who disable the firewall to get things to work and then never
re-enable it.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux