Dr. Michael J. Chudobiak wrote:
> On 10/09/2009 02:55 PM, gilpel@xxxxxxxxxx wrote:
>> Paul wrote:
>>
>>> If you have adequate security, your ISP should have no better access to
>>> your system/data than any other nefarious twerp on de intertubes. Actually
>>> even if you don't have security, your ISP has no better (or worse) access
>>> than the twerp.
>>
>> Then, I'm afraid Fedora's security is not as tight as it's supposed to be.
>> See my answer to Phil Meyer.
>
> I would say that Paul's response is not correct.
>
> Since the ISP is directly in the route of your data they can intercept
> it and manipulate it.
>
> ISPs, for example, may cache popular web sites, or deliberately
> disrupt BitTorrent transmissions at certain hours to reduce bandwidth
> requirements. This sort of management is probably common, and not
> generally malicious.
>
> ISPs could in theory run something like Wireshark to read your
> unencrypted email. (Or they can slurp it all up and send it to the
> NSA... read about the famous "secret room" lawsuits for more...) Since
> they are in the routing path, they could conceivably even rewrite your
> email.
>
> A malicious employee at an ISP could launch any number of
> man-in-the-middle (MITM) attacks. It is not difficult to set up an SSL
> MITM attack that will intercept and falsify SSL certificates - causing
> an obscure warning in your browser that most people will just ignore.
> (This is an issue at wireless cafes).
>
> The average "nefarious twerp on de intertubes" would not be able to do
> these particular things.
>
> Anyway, it is unlikely that your ISP is messing with you (has such a
> case ever been reported?), but it is technically possible.
>
> - Mike

Anyone can intercept and manipulate your data at any point along its route to or from the destination. The ISP happens to be the nearest point to you which can do this. The ISP's uplink (i.e.: the ISP's ISP) can also do this, right on up the line to the national carrier.
Anyone on any network segment along the line could also manage this if the routers were inadequately protected from mischief, and most are not protected at all. It wasn't long ago that a serious flaw in Cisco's IOS threatened 60% of the Internet's infrastructure, as any script kiddie could run the tools spread around on the cracking boards which would break into and reprogram them almost effortlessly.

I work at a smaller ISP, and we are being extremely careful about our use of diagnostic tools like wireshark, ntop, nmap, snort, etc. so that we don't get into trouble.

If you suspect that your ISP is doing something, you should get in touch with the cybercrime division of your local law enforcement agency, or go to whatever level you deem appropriate. At some level you will find someone experienced and knowledgeable enough to determine what is happening and possibly who is actually doing it, as it may not even be the ISP.

As for Fedora's security (which is not the subject of the original post), it is as secure as you make it, and certainly better than that other big-name OS. If you install it with SELinux and the netfilter/iptables firewall enabled, you've already won half the battle. You can find information about netfilter at iptablesrocks.org, and there is also ebtables for layer 2 protection.

For maximum security, you can start with the Centre for Internet Security's benchmark scripts to lock down many things that are not done by default on most *NIX distros, which includes Fedora, RHEL, Ubuntu, Debian and just about every other one you can name except for OpenBSD. Install OpenPGP and (if you use Thunderbird) enigmail and learn how to use it well. Then trawl a few security sites and see what else you can pick up. Just remember that Linux is a do-it-yourself OS primarily, so if you want it to be paranoia-level secure, you have to be willing to put in a little effort.

Cheers,
--
Paul

--
fedora-list mailing list