[lug] TSIG overflow

charles at lunarmedia.net charles at lunarmedia.net
Thu Mar 1 04:56:14 MST 2001

On Wed, 28 Feb 2001, Sean Reifschneider wrote:

> If they aren't capable of securing their Linux machine even to the
> point of using a respectable password, you'd better start offering
> them services to make sure that they *ARE* covered if you don't want
> them to leave.  For example, our hosting includes the option of us
> doing security upgrades at no cost -- all of our clients have taken
> advantage of that.
> Are they using telnet to access the machine?  The easiest thing to do
> is show them that when they do that, it's fairly trivial to watch the
> traffic.  You *ARE* running a switched network to help cut down on
> such sniffing as well, aren't you?

	i would rather not turn this thread into a basics of colocation
	discussion. suffice it to say that we do indeed offer our
	staff to customers as a resource for configuring and securing
	their hosts. we offer each client their own broadcast domain as
	well as each individual machine its own collision domain. we
	offer a selection of acls to be applied to the group's default
	gateway interface, the minimum of which blocks rfc1918 space and
	spoofed packets in and outbound. we allow the customers to
	subscribe to a newsletter the company puts out listing the newest
	exploits, the patches to fix them and where they can be found to
	download. in the end however, it is ultimately the choice of the
	customer on how to handle their individual configurations.

	the integrity of my company is the last thing that should be
	questioned. it is very easy to write off a difficult client as
	not worth the effort or too troublesome to deal with. our
	philosophy is that as long as they have put their faith and
	money into our network, its not an unreasonable request to see
	exactly what happened when a machine is compromised and to give
	them more than just text as resolve that it can be prevented
	from occurring again.

	with all due respect, i would prefer to stay with my initial
	question rather than stray into company policy. i understand the
	skepticism of anyone being asked 'where can i find this exploit?'
	and knew the risk of heat i would recieve for doing so.
	but i would prefer to hear no response than one that addresses
	the company's approach to clientele. moreoever, if the
	conversation is inappropriate for the list, i'd encourage the
	moderator to please advise me. i'm not trying to rock the boat
	or to start ill feelings between list members. i'm just trying
	to find a resolution for my task at hand.


More information about the LUG mailing list