1995-10-12 - Re: NYT on Internet Flaws

Header Data

From: “Philip J. Nesser” <pjnesser@rocket.com>
To: jsw@netscape.com
Message Hash: cfca9f2a4ba9739940048270a65033fd6b45c4ec59c8293ddcf398ed995612db
Message ID: <199510120001.RAA17707@oac1.rocket.com>
Reply To: <307C4D2F.150B@netscape.com>
UTC Datetime: 1995-10-12 00:03:05 UTC
Raw Date: Wed, 11 Oct 95 17:03:05 PDT

Raw message

From: "Philip J. Nesser" <pjnesser@rocket.com>
Date: Wed, 11 Oct 95 17:03:05 PDT
To: jsw@netscape.com
Subject: Re: NYT on Internet Flaws
In-Reply-To: <307C4D2F.150B@netscape.com>
Message-ID: <199510120001.RAA17707@oac1.rocket.com>
MIME-Version: 1.0
Content-Type: text/plain


>From: Jeff Weinstein <jsw@netscape.com>
>Date: Wed, 11 Oct 1995 16:03:11 -0700

>Patrick Horgan wrote:
>> 
>> > From: "K. M. Ellis" <kelli@zeus.towson.edu>
>> >
>> > This one is _really ripe_ for a response to the editor.  Ideas?
>> >
>> > We could start something off-list if there are several interested in
>> > co-authoring.
>> >
>> I'd love to see something in there about most commercial sites being behind
>> firewalls without nfs access across the firewall.  This greatly reduces the
>> risk from the nfs problems.  If you get your binary via nfs from a trusted
>> host inaccessible from the internet, then if you have this problem management
>> can handle it as an employee problem;)  There are ways to make secure
>> firewalls, it's fairly well understood.  Sometimes people point to things
>> like the hack Mitnick did last Christmas, but his attack took advantage of
>> a couple of things a security expert shouldn't have allowed, first and
>> foremost two machines were accessible from the internet, and one of them
>> trusted root logins from the other without a password:(

>  It might also be worth noting that people accessing the net
>via an ISP from home do not typically use NFS either.

>	--Jeff

It might be even better to note that the amount of NFS traffic that passes
outside of a given local network/geographical area is small. NFS does
reasonably poorly from a performance perspective over WAN connections in
general so most organizations don't use it for more than local area use.
WUarchive allowed it for a while but it was infinitely slow compared to
ftp.  I suspect that a protocol analysis of a major interchange point
(MAE's, NAP's, etc) would show NFS traffic at far less than 1% of the
total.  

The NFS threat should be delegated to that class of problems which are
characterized as locally insecure, which can be easily exploited by a
malicious user (internal or external who has broken in), locally useful,
something which can be made better (Kerberos version for example), but
generally isn't for ease of use.

--->  Phil


(BTW my 'mount ftp.netscape.com:/pub /mnt' command failed for some reason,
can you look into it :-)
