Adam Ierymenko [LibreList] Re: [redecentralize] snow: a new distributed secure virtual network 2014-07-04 12:02:36
I sort of hate the infosec profession... it's full of cargo cult thinking by people who don't *really* understand the mechanics of what's going on on a network. I worked infosec for a bit and never saw one single real world threat that the firewall really did anything to protect us from. All the malware I saw came in via HTTP "pull", e-mail, and file sync.

The only real-world threat the firewall still does anything to protect us from is the threat of a worm exploiting a true remote hole in a common local service. That threat could be mitigated if OSes did a better job running services in isolation... just kill the offending infected service container, and the system is left untouched. That threat could also be mitigated by smart firewalls that can respond selectively to attacks without just blanket-blocking everything.

Unfortunately the cargo cultists think the blanket-block-all firewall is (a) necessary and (b) effective and will shriek and scream bloody murder if you suggest dispensing with it.

On Jul 4, 2014, at 11:09 AM, Joakim Stai <joakimstai@gmail.com> wrote:

The FAQ was a great read, cool project overall :)

Amen to what Adam said.

On Fri, Jul 4, 2014 at 8:06 PM, Adam Ierymenko <adam.ierymenko@zerotier.com> wrote:

A: Please remain calm. Each device being addressable from one another is the way the Internet was designed to work and is the way IPv6 works, so this is something you will want to adjust to rather than resist. You will likely want to employ some kind of endpoint firewall, e.g. iptables on Linux. It is possible to identify traffic from snow based on the IP address range your device uses for it.


Thank you. The firewall is an obsolete and ineffective security hack that needs to die. Apps and OSes should be secure. OSes should implement app and service isolation properly. Authentication should be done with crypto.

On Jul 4, 2014, at 10:59 AM, David Geib <trustiosity.zrm@gmail.com> wrote:

I released a development version of a new piece of software today that may be of interest to this list. If anyone is willing to try it and provide comments or bug reports it would be appreciated.
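The FAQ answer quoted above suggests an endpoint firewall and identifying snow traffic by the address range the device uses for it. The following is an added example, not code from this thread or from the snow project: it generates an nftables ruleset that admits only chosen TCP services from the snow range and logs and drops everything else arriving on the snow interface. The interface name snow0 and the range 203.0.113.0/24 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the snow project): an endpoint
# firewall for a host on a snow network. Interface name and address range
# are placeholders; substitute the values your snow instance actually uses.
SNOW_IF="${SNOW_IF:-snow0}"                 # assumed interface name
SNOW_RANGE="${SNOW_RANGE:-203.0.113.0/24}"  # placeholder, not snow's real range

# family_for RANGE: print "ip6" for an IPv6 prefix, "ip" otherwise.
family_for() {
    case "$1" in *:*) echo ip6 ;; *) echo ip ;; esac
}

# snow_ruleset PORT... : print an nftables ruleset that lets existing flows
# and the listed TCP ports in from the snow range, and logs and drops
# everything else on the snow interface. With no ports, no new inbound
# connections from peers are accepted at all.
snow_ruleset() {
    fam=$(family_for "$SNOW_RANGE")
    ports=$(printf '%s,' "$@"); ports="${ports%,}"
    printf 'table inet snow_endpoint {\n'
    printf '    chain input {\n'
    printf '        type filter hook input priority 0; policy accept;\n'
    printf '        iifname "%s" %s saddr %s ct state established,related accept\n' \
        "$SNOW_IF" "$fam" "$SNOW_RANGE"
    if [ -n "$ports" ]; then
        printf '        iifname "%s" %s saddr %s tcp dport { %s } ct state new accept\n' \
            "$SNOW_IF" "$fam" "$SNOW_RANGE" "$ports"
    fi
    printf '        iifname "%s" log prefix "snow-drop: " drop\n' "$SNOW_IF"
    printf '    }\n}\n'
}

# apply_snow_ruleset PORT... : load the generated ruleset (requires root).
apply_snow_ruleset() {
    snow_ruleset "$@" | nft -f -
}

# Preview without applying: allow only SSH and HTTPS from snow peers.
[ "${SNOW_DRY_RUN:-1}" = 1 ] && snow_ruleset 22 443
```

Packets on the snow interface that do not come from the configured range fall through to the final log-and-drop rule, so the log prefix doubles as a cheap detection signal for unexpected sources.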