RE: [fw-wiz] A little paranoia for the weekend...

From: Ben Nagy (ben_at_iagu.net)
Date: 07/30/03

  • Next message: Dave Piscitello: "[fw-wiz] PhD programs"
    To: "'Joseph Steinberg'" <Joseph@whale-com.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 30 Jul 2003 11:54:14 +0200
    
    

    > -----Original Message-----
    > From: firewall-wizards-admin@honor.icsalabs.com
    > [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
    > Of Joseph Steinberg
    [...]
    >
    > Web-based remote access (SSL VPN etc.) can be secure if implemented
    > properly.

    Not on an unsecured public terminal they can't. This is just an illustration
    of the classic motif - If bad people have unrestricted physical access to a
    PC then you can't trust it anymore. End of story. Even with pixie dust.

    > The incident mentioned in the article referenced below
    > illustrates why you
    > need a "virtual shredder" that wipes all of the footprints
    > from an access
    > device as part of any SSL VPN implementation.

    I don't mind the odd bit of vendorism slipping in (hey I might need to do it
    myself one day), but this is a touch too much for me.

    The features listed in your brochurelink are nice. I like them, they're
    useful (assuming they work as advertised >;).

    The direct implication that they would have ameliorated this attack in ANY
    way is wrong, and I find it almost deceptive. I don't like that at _all_.

    If you can tell me how your product would have stopped the keylogger from
    capturing all of the user credentials (and other information) as they were
    entered at the keyboard (at a much lower level than the web browser, and one
    that the browser has no access to) then I will shut my mouth. If not... well
    maybe it's not me that should.

    There are a lot of people in vendorspace who post here. The well respected
    ones don't always hide their allegiance but they take care in certain areas:

    1. IF they talk about their own stuff, they don't overstate what the
    products do, and they don't make hand-waving marketing comments

    2. They often answer general questions that they happen to have insight
    into, without plugging anything

    3. They don't give the impression that they are just here to plug their kit
    whenever it seems to fit

    It ain't my place to tell you what you can and can't post, or to define the
    One True List Etiquette According to Ben. What I can say, though, is that if
    this stuff annoys me enough to post a rant then it's a safe bet that it does
    the same thing for a couple of thousand other readers (not a big
    percentage), and maybe that doesn't reflect so well on your company and
    solutions.

    ben

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

