
Redecentralize

Adam Ierymenko [LibreList] Re: [redecentralize] snow: a new distributed secure virtual network 2014-07-04 12:31:33
But firewall! But security! But... umm... yeah.

(1) I call what you describe "everything protocols" -- SSH for example can basically do everything. As a result of the firewall cargo cult we are in an arms race with ourselves to defeat our own security measures. We block things, then design protocols to get around that, then block those, rinse and repeat. It's so unbelievably dumb.

(2) Yup.

(3) Maybe infosec companies encourage this kind of thing to sell more complex and expensive products? Nah... probably just stupidity.

Nuke the infosec profession and start over.

On Jul 4, 2014, at 12:27 PM, David Geib <trustiosity.zrm@gmail.com> wrote:

> Unfortunately the cargo cultists think the blanket-block-all firewall is (a) necessary and (b) effective and will shriek and scream bloody murder if you suggest dispensing with it.

The thing that amazes me about it is nobody seems to think about the consequences.
1) Enterprise blocks everything at the firewall.
Result: Employees come up with hacky work-arounds that impair security just so they can do their jobs, like using some unauthenticated proxy or VPN server run by some anonymous third party.
2) App developers respond to everything but port 80 and 443 being blocked by running their non-HTTP app over those ports and unnecessarily using a central server to connect two endpoints.
Result: Central server becomes a single point of compromise for millions of users' communications.
3) Enterprise starts using DPI to actually verify that something on port 80 is HTTP to block the people running other apps on it.
Result: All the apps start actually using HTTP, now your messaging app is vulnerable to XSRF for no good reason. Meanwhile they add kitchen sink support to the HTTP protocol in order to support all of this, increasing the attack surface dramatically. Meanwhile in order to do DPI against HTTPS the enterprise has had to install CA certs on all the endpoints and establish a proxy server that actually has the CA private key on it *and* has all the traffic going through it, which gives one target an attacker can compromise and use to compromise all the communications in your entire organization.

No part of this can be considered a security improvement.

On Fri, Jul 4, 2014 at 3:02 PM, Adam Ierymenko <adam.ierymenko@zerotier.com> wrote:
I sort of hate the infosec profession... it's full of cargo cult thinking by people who don't *really* understand the mechanics of what's going on on a network. I worked infosec for a bit and never saw one single real world threat that the firewall really did anything to protect us from. All the malware I saw came in via HTTP "pull", e-mail, and file sync.

The only real-world threat the firewall still does anything to protect us from is the threat of a worm exploiting a true remote hole in a common local service. That threat could be mitigated if OSes did a better job running services in isolation... just kill the offending infected service container, and the system is left untouched. That threat could also be mitigated by smart firewalls that can respond selectively to attacks without just blanket-blocking everything.

Unfortunately the cargo cultists think the blanket-block-all firewall is (a) necessary and (b) effective and will shriek and scream bloody murder if you suggest dispensing with it.

On Jul 4, 2014, at 11:09 AM, Joakim Stai <joakimstai@gmail.com> wrote:

The FAQ was a great read, cool project overall :)

Amen to what Adam said.


On Fri, Jul 4, 2014 at 8:06 PM, Adam Ierymenko <adam.ierymenko@zerotier.com> wrote:

Q: OMFG THE NAT IS THE FIREWALL YOU BROKE IT THE FIREWALL!!1
A: Please remain calm. Each device being addressable from one another is the way the Internet was designed to work and is the way IPv6 works, so this is something you will want to adjust to rather than resist. You will likely want to employ some kind of endpoint firewall, e.g. iptables on Linux. It is possible to identify traffic from snow based on the IP address range your device uses for it.

Hah!

Thank you. The firewall is an obsolete and ineffective security hack that needs to die. Apps and OSes should be secure. OSes should implement app and service isolation properly. Authentication should be done with crypto.

On Jul 4, 2014, at 10:59 AM, David Geib <trustiosity.zrm@gmail.com> wrote:

I released a development version of a new piece of software today that may be of interest to this list. If anyone is willing to try it and provide comments or bug reports it would be appreciated.
https://github.com/zrm/snow