also sprach Jor-el <jorel@trillian.megadodo.umb> [2002.01.04.1600 +0100]: > I dont know how prevalent this is on other Debian lists, but in > debian-user atleast, quite a few folks, when asking for help with their > networking, post details on their real ip-addresses, hostnames and > sometimes even the way their network is setup. I would think that this is > not a wise thing to do, as it makes it easier for an attacker. in 99% of the cases, i don't have to be a world-class hacker to map out the poster's network. i'd start from the mail headers and work my way further. it's not that difficult and NAT is *not* a security measure. in any case, i humbly believe that the topology and everything else (even firewall rules) should be available to anyone (upon request maybe), and that the entire setup is only secure, if it can still stand against attacks. security by obscurity is nice, but the basis has to be solid and done before you can add obscurity... > What is the best way to warn folks about this practice? One > thought that occurred to me is to write up an entry in the FAQ (is there > such a thing around) and link to it along with the unsubscribe message > that is part of every post sent out by Debian lists. Is there a better > way? I am willing to do the writeup for the FAQ if the person maintaining > the FAQ puts it in, and someone takes care of the mailing list message. i think it's not going to be so effective. people usually post ifconfig outputs (and others), and don't even bother to go through the individual lines. either lists.debian.org runs list mail through a filter, or you just let them be... most have dynamic IPs anyway, and if you have a static IP and you post that IP you either need a hit in the face to learn, or you have a bullet-proof system already. why not warn people of dDoS attacks and leaving their "servers" on their DSL line permanently while not even knowing how to spell "security"... discovering an IP address is very trivial. for instance, you are xx.28.71.21. -- martin; (greetings from the heart of the sun.) \____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck scintillation is not always identification for an auric substance.
Attachment:
pgpflJvdCN6a2.pgp
Description: PGP signature