On Tue, Apr 15, 2014 at 10:00 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
> On 15.04.2014 18:51, Andrew Lutomirski wrote:
>> On Tue, Apr 15, 2014 at 9:44 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>>
>>> On 15.04.2014 17:40, Andrew Lutomirski wrote:
>>>> On Tue, Apr 15, 2014 at 7:42 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>>>
>>>> How about having an API where things like DLNA can simply
>>>> not run until you're connected to your home network?
>>>
>>> you can prove that this will always happen the right way?
>>> you can implement software *for sure* knowing the fact
>>> what my home network is? if you can do that you get rich!
>>
>> Does the firewall really help?
>
> yes, because there is no single port reachable after the
> installation and you can at least install security updates
> released after the GA of the current Fedora setup until
> you have a port open

This is true even without the firewall. I'd argue that one of the Workstation release requirements should be that a default installation opens no ports to the outside world.

>> Your already-known-to-be-malicious television can mess with
>> ARP or DHCP, intercept an HTTP request, and CSRF the crap
>> running on your computer.
>
> my television can do a CSRF?

If you browse to a page served by your television, it can certainly send you a CSRF payload. Whether or not it works depends on whether any services running on your box are vulnerable.

> my television can send me a mail and click on a link there?

Probably. But it can certainly hijack any HTTP request you send and replace the contents.

>
> don't talk about things which are *obviously* out of your business
> http://en.wikipedia.org/wiki/Cross-site_request_forgery
>
> and no my television can do nothing because my television is blocked
> on any incoming port on my computer - guess by what: the firewall

Which doesn't matter *at all*, because it's attacking your *outgoing* traffic.

If you have a firewall between your television and the rest of your network, you win. But Fedora can't help you with that, no matter what its default policy is.

--Andy
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
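
One way to check the proposed requirement that a default installation opens no ports to the outside world, as an added example that is not part of the original message or of Fedora's tooling. It assumes the column layout printed by `ss -H -tuln`; the sample lines are constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the format printed by `ss -H -tuln` (not from the thread).
# UDP 1900 is SSDP, the discovery protocol used by DLNA/UPnP services.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1900      0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      5              [::1]:631          [::]:*
tcp   LISTEN 0      4096               *:9090            *:*
udp   UNCONN 0      0     [fe80::1%eth0]:546          [::]:*
"""


def split_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and %interface scope
    return host, port


def is_loopback_only(host):
    """True if the bind address is reachable only from the local machine."""
    if host == "*":  # dual-stack wildcard: every interface
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output):
    """Return (proto, host, port) for each socket bound beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6:
            continue  # blank or malformed line
        host, port = split_local(cols[4])
        if not is_loopback_only(host):
            exposed.append((cols[0], host, port))
    return exposed


if __name__ == "__main__":
    for proto, host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{proto:4} {host}:{port} is bound beyond loopback")
```

An empty result covers inbound exposure only; it says nothing about a device on the same network tampering with outgoing HTTP requests, which is the other half of the argument in the message.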