[Beowulf] Re: "hobbyists"
smulcahy at aplpi.com
Fri Jun 20 05:32:08 PDT 2008
I resisted the urge to join in on the nuclear tangent but this one
proved too much (and we are indirectly back to talking about the
security of the clusters we look after right?). Besides, we don't have
any nukes in Ireland.
Perry E. Metzger wrote:
> It is, to some extent, a question of how many people are interested in
> a particular attack vector. Internet Explorer is a major attack vector
> for people who make money at this, so they work hard finding the bugs
> in it, of which there are an apparent endless number. I believe that
> more than 250 days last year, Internet Explorer had a known but as yet
> unpatched vulnerability. That's why the overwhelming majority of
> Windows boxes are zombies, including almost certainly most of yours
> unless you are a really unusual sysadmin.
I'm reading this to mean that you think most Windows boxes on most
networks are zombies - is that right? As one of my many roles, I babysit
our company network and I'd love to know how to avoid the scenario
you're painting - other than the usual stuff of keeping the machines up
to date, ensuring people don't run the latest .exe they receive in a
spam and not exposing Windows boxes to the internet. Maybe I should get
MS certified (joke, joke ;) While suggestions to install Linux on all of
them are constructive, I'm afraid we can't avoid running some Windows
boxen on our network.
> If you're smart, you're listening on:
> * DNS, with bind configured to run chrooted and unprivileged
> * sshd running with priv sep
> * ntpd running chrooted and unprived (though not all OSes will allow
> you to do that.)
> * maybe SMTP via postfix, which runs chrooted and unprived
> * and NOTHING ELSE.
> And if you're really smart, those daemons are further tied down with
> various bondage and discipline equipment like apparmor or SE Linux or
> what have you.
Ouch, it's a never-ending battle isn't it?
I think you're largely right about the level of expertise out there for
managing networks though - small companies don't pay someone to manage
their network. Either they have some internal guy who has half a dozen
other jobs or they outsource it, and unfortunately they'll usually
outsource it to the cheapest guy ... who's cheap for a reason.
> If you really believe your local net is very good, run a sniffer on it
> for a while -- or talk to someone who's job is to run one.
I'd love to know how anyone with skype running on their network manages
to see much of anything from the firehose that is a packet trace (and
our network is small). Again, maybe it's just a question of time.
Stephen Mulcahy, Applepie Solutions Ltd., Innovation in Business Center,
GMIT, Dublin Rd, Galway, Ireland. +353.91.751262 http://www.aplpi.com
Registered in Ireland, no. 289353 (5 Woodlands Avenue, Renmore, Galway)
More information about the Beowulf