On Wed, Dec 29, 2010 at 04:20:58AM -0500, Omega -1911 wrote:

> > Well, let's see. My system sits behind a firewall. No external services
> > are advertised to the internet. All internal addresses are non-routable.
> > I do not use or have any wifi. The system sits in my home office. I use
> > a Debian Linux system and practice very safe computing. I often
> > investigate little-known sites before surfing to them, and never accept
> > temptations to click on ads. In fact, I have my /etc/hosts file set up
> > to block the vast majority of ad servers (I see a fraction of the ads
> > most people see). I never download content of questionable origin, nor
> > accept it from others without investigating it first. I have a root kit
> > detector installed, which I periodically use. I'm the only person who
> > uses this computer. No one who enters this space is more knowledgeable
> > than I am about computers (= not capable of hacking a computer).
>
> Hi Paul - I am interested in knowing how you prevent intrusion with
> your firewall when it is a known fact that post 9/11 companies that
> develop such leave ports open for "Big Brother" as required. Remember
> "Green Lantern", "Carnivore" and the like are roaming around and used
> by various agencies. Even though a firewall reports that the ports are
> blocked, they aren't.

Carnivore was an email sniffing program. I can't find a reference to "Green Lantern" as it relates to computer hacking. As for the "well known fact" that companies leave ports open for the government, it must be well known to people other than me. Such claims are sometimes true, sometimes specious. I'd have to see real evidence first. (Don't get me wrong-- I wouldn't be surprised.) And ports which show blocked but aren't? How does that work? Do routers use some sort of "port knocking" scheme?

Beyond all this, the context you're citing is the government snooping on me.
The government could seize my computer and have the NSA break my best encryption in probably minutes flat. And they'd have... what? My password to Amazon.com? My password to the Javascript mailing list? Seriously?

If the government wants my stuff, they can sit an NSA van outside my house and read the E-M vibrations off my windows or somesuch. I'm really not concerned for two reasons: 1) If they want my stuff, they can get it any time without my permission; 2) There's not a blessed thing I can do about it; 3) There isn't anything they'd be very interested in, trust me. I rather doubt they're going to snag my credit card numbers and charge a bunch of stuff at Walmart.

Also, I have it from people who know much more about network security than I do that penetrating a LAN like mine (which is pretty standard) is nearly or completely impossible *unless* a user on the inside does something stupid.

>
> Limiting surfing to only trusted sites does limit vulnerability, but
> for the last couple of years, Google, Yahoo, Fbook, Youtube are
> compromised by hackers installing "Antivirus 2009", "Antivirus 2010",
> etc. viruses.

Antivirus 2009 and 2010 are generally not harmful when it comes to snagging user information. That's not what they're meant to do. They are scareware designed to get you to buy software from the company to clean fake virus infections. If Yahoo and the like have their servers compromised because of this software, then they're running Windows on internet servers, which is a bone-headed move anyway. Moreover, if the admins for these servers see warnings because of this, then they should do research before simply believing what some software tells them about their servers. (Although, considering the tech knowledge of a lot of Windows server admins, anything is possible.)

And, as I mentioned, I run Linux. If I saw some silly virus warning about my computer, I'd laugh.
It's not unheard of, but generally you'd have to do something stupid to get infected with a virus under Linux. After laughing, I'd run a rootkit check. And yawn.

>
> With a long list of sites improperly setting cookies, passwords and
> usernames are easily compromised when a person visits other sites.
> Most importantly, how do you verify that the Internet Service
> provider has not been compromised? Using SSL to pass passwords is
> still not 100 percent safe as people may think because the real
> problem lies in what and where the web site stores your information on
> the server.

How do I know my ISP isn't compromised? Well, how the hell would *anyone* know that? You wouldn't. It's completely within the realm of possibility that my ISP would open, decrypt and read every packet I send through them. Like the government, I doubt my ISP is going to snag my credit card numbers and start charging things at Walmart. Can you imagine the PR debacle if a respected major national ISP/telephone company was caught grabbing sensitive user information and using it for nefarious purposes? And can you imagine what their rates with Mastercard and Visa would go to if such breaches were found in their infrastructure? I deal with credit card companies all the time. They have quite strict rules in place to ensure the data my customers give me is not compromised. And if I violate those rules, well, Mastercard and Visa don't actually *need* my business.

Of course, any major corporation can have its data sucked and have to inform its customers that they've been compromised. It's happened before. And if that happens, you do what you can by changing your passwords with that company and looking for errant charges on your credit card statements.

We typically *trust* large ISPs and the government not to do anything untoward with whatever information they get from us. When I give my pet sitter the key to my house and go on vacation, I trust him not to rob me blind while I'm away.
Perhaps that trust is at times misplaced, but we have no choice if we wish to be on the internet. Connectedness means you have to trust *somebody*. Meanwhile, you remain just paranoid enough to be careful and double-check things.

I don't mean to be boastful about my "safeness" from hacking. I'm by no means an expert on security, and most people on this list probably know more than I do about it. But I've been in this game since the CP/M days, and I've loosely followed the trade press in that time. I know what the typical computer user is like, and they're generally a security breach waiting to happen. My computing habits are pristine by comparison. Moreover, I'm much more highly *aware* of security as an issue than most people who operate computers, which puts me 100% ahead of most computer users.

I'm sure I'm not *impervious* to hacking or breaches. But the chances are very slim in my case. Yes, it could happen. And if it does, I'll just have to pick up the pieces and figure out where I went wrong. But until then, I feel pretty safe.

Paul

--
Paul M. Foster
http://noferblatz.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php