From mboxrd@z Thu Jan 1 00:00:00 1970
From: Robert White
Subject: Re: Hairpin NAT - possible without packet marking?
Date: Tue, 4 Jul 2017 10:21:15 +0000
Message-ID:
References: <1363a246-966e-59fc-7d5a-efaf12aa6b51@dynator.no> <4c60ba2e-3e52-f55d-96e1-699c7821940d@pobox.com> <6773e78c-f0e6-508d-0a72-d5880705756d@pobox.com> <1402388a-fb32-d7af-bc3a-6f25b8a2f47a@pobox.com> <20170704030739.3746d533@playground>
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Return-path:
In-Reply-To: <20170704030739.3746d533@playground>
Content-Language: en-CA
Sender: netfilter-owner@vger.kernel.org
List-ID:
Content-Type: text/plain; charset="us-ascii"
To: "Neal P. Murphy"
Cc: "netfilter@vger.kernel.org"

On 07/04/2017 07:07 AM, Neal P. Murphy wrote:
> On Tue, 04 Jul 2017 07:48:36 +0200
> K wrote:
>
>> What do all the locks in the world help when you invite the burglar in for tea? In other words: most IT departments have the incoming traffic pinned down as you described, but a single executable disguised as a clip of a cute kitty, downloaded and executed by any employee is what nowadays forms the real threat.
>
> And that's why I maintain that SSL/TLS is one of the worst things that could've happened to The Internet: our peripheral firewalls are powerless to prevent malware from traversing conns encrypted with SSL/TLS.

Well, communism would be the perfect form of government if no humans were involved... but humans are involved. Humans are the weak point in any system. Imagining you can fix human stupidity by just tightening the screws a little tighter is just fairy dust and unicorn farts.

The easiest way to breach a network is to drop thumb drives, cdroms, and urls in the parking lot. Banning encryption isn't going to save a single thing. Make passwords too onerous and they get written on post-it notes. Ban usb drives and people plug in media players. Ban all USB and people will fax shit. Technology cannot fix human engineering.

So you build the system to be hard enough for remote nonsense to be easy, and then lose the superman complex. Think you can stop things using a ban on TLS? I scoff at you. I'll rot-13 the virus and send it with instructions. I'll shar that puppy and send it with instructions. Hell, I'll just send instructions in plain text and _someone_ in your office will be stupid enough to do _all_ the work.

Heck, for all your talk I'd bet money that you've never done a full system restore drill on your computers at home or at the office, and at least half of your data isn't even backed up at all, let alone off-site.

A system too onerous to use _will_ be subverted. Every time. Period. The only way to keep a computer safe is to turn it off, unplug it, and shred it. So you need to concentrate on doing the best things to stop the most damage.

For all that a virus scanner can stop a virus, maybe, if it's already been told about the virus, the most pernicious encoding of a bad idea is a well-phrased meme handed to a neophyte. You can't fix stupid and you can't solve security through draconian technological intervention.