Firewall security: Problems with simple Samba file share 3608

Peter T. Breuer

It's quite tiresome that you keep pretending that this has not been answered multiple times. Whack-a-mole again.. keys can be obtained from stolen usb sticks, backup tapes, careless emails.. as noted at apparently (someone named ptb left a comment; I buttume that was you), but you still choose to pretend otherwise.

Once again you ignore the conditions as presented. Another whack-a-mole strawman.

You can read keys directly from a backup.. nothing more is needed.

Thank you. I'll order it.

Whack-a-mole: this has already been dealt with. There are ways to steal keys that do not involve anything a firewall can protect from. Some of them are things that a good security policy would surely prohibit (safety of backups, for example) but that says nothing about the value of the firewall. This is an attempt at misdirection; sleight of hand for the casual reader.

Peter, do I really have to go back through nearly 200 posts and prove to you that these things have been answered? How painful for both of us - but that's why I put up each of your objections has been "whacked down" there.

If I did take the time to pull your "moles", it would make quite a list..

Again, you are pretending that an entirely different condition exists than that posited. It's easy to construct situations where a firewall is of no value, but that does not change the fact the it is valuable for the conditions stated.

Another whack-a-mole strawman. The stated objective of the firewall is merely to block unknown ip's. No analogy exists to your jewel sensing buttault rifle.

Those are the conditions. Rather simple to understand.

Go back and review, Peter. You wanted to pretend that they needed to have had access to the machine to steal its keys. I immediately suggested theft or loss of usb sticks, backups, etc. The record is here..

Oh, again with the "this is what I say ssh is for". Whack. Whack.

A hammer's normal use is for inserting nails, but it can be a fine way to open walnuts, too. We use tools for whatever we find them useful for: the history of mankind is full of inventing new uses for old devices.

Nor is the concept of restricting services to specific hosts alien to ssh, as has already been pointed out to you - from the same man page you quote. You didn't bother to comment much the last time that was pointed out..

Again, you conveniently forget the conditions we are protecting against: stolen keys, accidental misconfiguration, or fall-back to default configuration due to software flaw. Whack. Whack. How many more times must we see this particular mole?

Peter, Peter, Peter. We keep stating the disagreements, but you never address those. Instead, you keep coming back with the same pile of straw, only rotating the hat he's wearing between a selected set. You pretend that the keys can only be stolen by physical access. That nonsense is dispensed with and the pile of grbutt pops up again wearing the "the probability is too negligible to bother with". We point out that the probability includes conditions that you keep ignoring and that the cost of the protection is nearly zero while the potential cost of not doing this is quite high, and bang! up pops the strawman again but with the "there are no zero day exploit" hat. We knock that down, and by gum, there's the "physical access" hat again. Whack-a-mole, whack-a-mole, whack-a-mole.

The conditions are stated at

If you post again with an argument that is already addressed there, kindly make sure to do so against the conditions stated. Don't pretend part of it doesn't exist.. you have to come up with something new if you want to keep playing at this silliness.

-- Tony Lawrence