Quote:
Originally Posted by Penthux
For how long do you basically think this "bloody great big hole" will be a security risk, exactly? And be precise...
Wow. Dude. That was harsh.
Not even kewl for the other readers who might not grasp the gravity of what he said, and which you categorically dismissed based upon your 20ms gaping hole (repeating every ten minutes with regularity too).
I think that's *precise* enough, yet perhaps only for the hardware you're running on. The *Gaping Hole* might exist for much longer durations on other people's machines.
Gazl is absolutely, and unequivocally correct.
Your cronjob, when coupled with the way in which your firewall script inits, creates a "...bloody great big hole".
It's not a tiny hole - it is a "bloody great big hole", meaning,
The machine is wide open like a high schooler first timing on vodka and orange juice.
Now, how significant is that? Like Gazl indicated, probably not that big a deal for a casual surfer at an Internet Cafe.
But the facts are that they hand out awards at Black Hat events for pw3n'ing NASA and NIST boxes. 20ms is... Oh, about 1/12th the distance of the round trip between an earth station and a geostationary satellite - Not very far at all for someone with an army of irc war bots that control thousands of machines.
Are you going to simply dismiss, because it is not the most likely scenario, that all the Dark Lords of Hacking in Europe aren't actually getting together at this very moment for a "hacking adopters of Penthux's firewall killing cronjob conference"?
Such would not be wise. Indeed, maybe even foolish to assume it would never happen.
You might as well just pop your mail from 110 or better yet, why not use telnet on 23 to admin all your boxes - because it's really not that **Likely** that someone would think that anyone could be stupid enough to manage forward facing hosts with shells from telnet sessions on the open internet!
Okay, now that I have your arrogantly begrudging attention, let's talk about a couple of other things. First, of course I didn't have much concern for the complete lack of firewall whatsoever for X period of time when someone runs your cronjob (Yes, that does indeed meet the definition of a "bloody great big hole").
My concern, in contrast to that which Gazl focused on, was the issue with whacking the stats - the complete reset. I thought that was just... Well, I won't say anything overtly negative, and although it might just be me, but I tend to like looking at live data.
You only succeeded in pointing one thing out of any relevance here: That people who powerpost several times a day might miss the mark when it comes to the conveyance of their message.
After all, they're going pretty fast. I can recall a few occasions where Gazl (myself, and many others too) made a post to help someone, and when I looked at it noted, "Oh, that's not really the problem, he missed it because he didn't take enough time to really see what the OP was saying" - even then, I will note that he (or whomever else powerposted) usually had some tidbit that I said, "Now that's pretty kewl, and even though it doesn't pertain directly to the matter at hand, I'm adding that to my arsenal of tools for later!".
It's a real shame you missed that opportunity Penthux. It truly is.
You see, what you could have taken his constructive criticism to task on was in soliciting other kewl ideas for what your cronjob was hastily attempting to accomplish - thereby improving even more, an already sweet little ditty you've whupped out.
Things like, how 'bout writing to a PID file and then... (Yah, don't even go there dude, we already know that's not ideal). Or the use of cgroups - a very elegant solution that I use myself in place of some of those other methods.
But no. You flamed someone trying to offer you support, and most all of the posts to this thread since have been a bit soured as a result of your condescension.
@Gazl: I've actually got a bone to pick with you too here.
When a firewall is completely OFF, we call that a "bloody great big hole".
Why would you, for the sake of civility with an ungrateful and arrogant scripter, risk the potential security of those less aware than you, by retracting a true statement, and further, saying it wasn't so, when it was?
Shame on you too (but only a little bit)
Next time, please, just offer your condolences and move on - because you were right to point that out (It doesn't even matter how insignificant the time slice was), and retracting what you said was more a disservice to n00bs than a service to the decorum of the forums.
Just my
here, but still, someone taking offense at the way in which you bring up a point is no reason to retract a valid point.
I hope that helps, And I hope you don't take my post too personally either Penthux - That's just my way of offering constructive criticism for your lack of social skills
Kindest regards,
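As an added example, not Penthux's script or any code posted in this thread: the "bloody great big hole" the post describes is the window between a firewall script flushing its rules and re-adding them. It goes away if the cron job hands the complete ruleset to iptables-restore, which replaces the table in a single commit so the old rules stay active until the new ones are in place. The script below assumes a Linux host using iptables; the addresses, the SSH port, the ADMIN_NET and APPLY_FIREWALL variables and any paths mentioned are placeholders chosen for illustration.

```sh
#!/bin/sh
# Added example, not code from the thread or from Penthux's cronjob.
# Replaces an iptables ruleset atomically so the host is never left
# without rules between a flush and the re-add of its rules.
# Assumes Linux with iptables-restore; addresses, ports and the
# ADMIN_NET / APPLY_FIREWALL variables are placeholders (assumptions).
set -eu

# Emit the whole filter table in iptables-save format. Giving the complete
# table to iptables-restore lets it be swapped in as one operation instead
# of the flush-then-add sequence a typical init script performs.
build_ruleset() {
    admin_net="${1:-192.0.2.0/24}"  # RFC 5737 documentation range (placeholder)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s ${admin_net} --dport 22 -j ACCEPT
COMMIT
EOF
}

# Refuse a ruleset that would leave INPUT open or that has been truncated.
# Returns 0 only when INPUT defaults to DROP and the table ends in COMMIT.
check_ruleset() {
    printf '%s\n' "$1" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$1" | tail -n 1 | grep -q '^COMMIT$' || return 1
    return 0
}

# Load the ruleset. "iptables-restore --test" parses and builds the table
# without committing it, so a syntax error aborts before anything changes;
# the real restore then replaces the table in one commit.
apply_ruleset() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if iptables-restore --test "$tmp" && iptables-restore "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# From cron, run as root with APPLY_FIREWALL=1. Without it the script only
# builds and checks the ruleset, which keeps it safe to run anywhere.
if [ "${APPLY_FIREWALL:-0}" = 1 ]; then
    rules=$(build_ruleset "${ADMIN_NET:-192.0.2.0/24}")
    check_ruleset "$rules" || { echo "refusing to load an unsafe ruleset" >&2; exit 1; }
    apply_ruleset "$rules"
fi
```

A crontab entry such as `*/10 * * * * APPLY_FIREWALL=1 /usr/local/sbin/fw-reload.sh` (hypothetical path) re-asserts the rules every ten minutes with no moment in which the box is unfiltered. Note that a fresh restore still zeroes the packet counters, which is the stats reset the post also objects to; if the cron job only needs to re-assert an unchanged ruleset, `iptables-save -c | iptables-restore -c` does that while preserving the live counters. On nftables hosts the same no-gap property comes from `nft -f` with `flush ruleset` at the top of the file, since nft applies the whole file as one transaction.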