RFE: FireKit

Björn Persson bjorn at xn--rombobjrn-67a.se
Fri Jul 24 18:01:14 UTC 2009


Colin Walters wrote:
> 2009/7/24 Björn Persson <bjorn at xn--rombobjrn-67a.se>:
> > Colin Walters wrote:
> >> If for
> >> example I enable desktop sharing before leaving work, then head to the
> >> airport, and log on there to WiFi, you really don't want the desktop
> >> sharing still enabled.  Nor likely do you want sshd.
> >
> >  – Internal tech support, Randy Hacker speaking.
> >  – Hi Randy, Joe Salesman here. I'm at the airport. Something's wrong
> > with my laptop. The screen just goes black when I try to start Open
> > Office Impress. It worked fine yesterday. If I can't get it to work
> > before I get to the customer's site I won't be able to show the
> > presentation.
> >  – OK Joe, I'll SSH into your laptop and look at the logs. What's your
> > current IP address?
>
> In this case, when the firewall is re-enabled, it would be enabled to
> whatever the system administrator has configured it to do.  In other
> words if they added an explicit passthrough for port 22, that would
> continue to work.

Fair enough. Just don't assume that nobody would want SSH at an airport.

> > Joe might have file sharing enabled to share his documents with his
> > colleagues in his own company, but just because Joe wants to let people
> > see the presentation, that doesn't mean he wants anyone who might be
> > connected to the customer's network to read all his documents.
>
> Hmm?  How would they be able to read all his documents?

Isn't that one thing that the so-called firewall is supposed to prevent? Surely
Vino isn't the only thing you want to block when the network is considered
untrusted?

> > In one known attack against the concept of trusted networks, an attacker
> > configures his laptop to present itself as a WiFi access point and
> > broadcast a large number of strategically chosen SSIDs. Then he sits down
> > in a public place and waits for unsuspecting laptops to recognize the
> > SSID of their home network and connect automatically.
>
> I believe NetworkManager's connection list is based on the pair of MAC
> address + SSID, not just SSID.

So in a large building with many access points you have to add each access 
point to the connection list individually?

The attack I read about was of course primarily targeted at Windows. Perhaps 
Windows looks only at the SSID. Still, I wonder how long it would take to loop 
through the MAC address ranges of all the big manufacturers of access points.

Björn Persson
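
As an added illustration (not part of the thread, and not NetworkManager's actual code) of the two matching policies argued over above, the model below shows which beacons a client would auto-join when profiles match on SSID alone versus SSID plus a set of pinned access-point MACs, and flags profiles that are never pinned. Profile and beacon data are constructed; the `bssids` pin set and the policy flag are assumptions of this model, not NetworkManager settings.

```python
# Added example: models SSID-only vs SSID+BSSID profile matching.
# All profiles and beacons below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Profile:
    ssid: str
    autoconnect: bool = True
    # Lower-case MACs of access points this profile is allowed to join.
    # A building with many APs simply lists each one here; empty = SSID-only.
    bssids: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str

def matches(profile, beacon, require_bssid):
    """True if a client holding this profile would auto-join the beacon.
    require_bssid=False models SSID-only matching; True models SSID+MAC
    matching, where a profile with no pinned MACs never auto-joins."""
    if not profile.autoconnect or profile.ssid != beacon.ssid:
        return False
    if not require_bssid:
        return True
    return beacon.bssid.lower() in profile.bssids

def auto_join_candidates(profiles, beacons, require_bssid):
    """Sorted BSSIDs the client would auto-join under the given policy."""
    return sorted({b.bssid for p in profiles for b in beacons
                   if matches(p, b, require_bssid)})

def unpinned_autoconnect_profiles(profiles):
    """Audit helper: profiles that would auto-connect on SSID alone."""
    return [p.ssid for p in profiles if p.autoconnect and not p.bssids]

PROFILES = [
    Profile("CorpNet", bssids=frozenset({"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"})),
    Profile("HomeWifi"),                   # saved once, never pinned to an AP
    Profile("OldHotel", autoconnect=False),
]
BEACONS = [
    Beacon("CorpNet", "00:11:22:AA:BB:02"),  # a listed office AP
    Beacon("CorpNet", "de:ad:be:ef:00:01"),  # same SSID, unknown AP
    Beacon("HomeWifi", "de:ad:be:ef:00:02"),
    Beacon("OldHotel", "de:ad:be:ef:00:03"),
]

if __name__ == "__main__":
    print("SSID-only  :", auto_join_candidates(PROFILES, BEACONS, False))
    print("SSID+BSSID :", auto_join_candidates(PROFILES, BEACONS, True))
    print("unpinned   :", unpinned_autoconnect_profiles(PROFILES))
```

Under SSID-only matching the unknown "CorpNet" and "HomeWifi" beacons are both joined; with pinning only the listed office AP is, and the audit helper points at the profile that still needs a pin.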
