Re: Can ISPs be trusted?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dr. Michael J. Chudobiak wrote:
> On 10/09/2009 02:55 PM, gilpel@xxxxxxxxxx wrote:
>> Paul wrote:
>>
>>> If you have adequate security, your ISP should have no better access to
>>> your system/data than any other nefarious twerp on de intertubes.
>>> Actually
>>> even if you don't have security, your ISP has no better (or worse)
>>> access
>>> than the twerp.
>>
>> Then, I'm afraid Fedora's security is not as tight as it's supposed
>> to be.
>> See my answer to Phil Meyer.
>
> I would say that Paul's response is not correct.
>
> Since the ISP is directly in the route of your data they can intercept
> it and manipulate it.
>
> ISPs, for example, may cache popular web sites, or deliberately
> disrupt BitTorrent transmissions at certain hours to reduce bandwidth
> requirements. This sort of management is probably common, and not
> generally malicious.
>
> ISPs could in theory run something like Wireshark to read your
> unencrypted email. (Or they can slurp it all up and send it to the
> NSA... read about the famous "secret room" lawsuits for more...) Since
> they are in the routing path, they could conceivably even rewrite your
> email.
>
> A malicious employee at an ISP could launch any number of
> man-in-the-middle (MITM) attacks. It is not difficult to set up a SSL
> MITM attack that will intercept and falsify SSL certificates - causing
> an obscure warning in your browser that most people will just ignore.
> (This is an issue at wireless cafes).
>
> The average "nefarious twerp on de intertubes" would not be able to do
> these particular things.
>
> Anyway, it is unlikely that your ISP is messing with you (has such a
> case ever been reported?), but it is technically possible.
>
> - Mike
>
Anyone can intercept and manipulate your data at any point along its
route to or from the destination. The ISP happens to be the nearest
point to you which can do this. The ISP's uplink (i.e.: the ISP's ISP)
can also do this, right on up the line to the national carrier. Anyone
on any network segment along the line could also manage this if the
routers were inadequately protected from mischief, and most are not
protected at all. It wasn't long ago that a serious flaw in Cisco's IOS
threatened 60% of the Internet's infrastructure, as any script kiddie
could run the tools spread around on the cracking boards which would
break into and reprogram them almost effortlessly.

I work at a smaller ISP, and we are being extremely careful about our
use of diagnostic tools like wireshark, ntop, nmap, snort, etc. so that
we don't get into trouble. If you suspect that your ISP is doing
something, you should get in touch with the cybercrime division of your
local law enforcement agency, or go to whatever level you deem
appropriate. At some level you will find someone experienced and
knowledgeable enough to determine what is happening and possibly who is
actually doing it, as it may not even be the ISP.

As for Fedora's security (which is not the subject of the original
post), it is as secure as you make it, and certainly better than that
other big-name OS. If you install it with SELinux and the
netfilter/iptables firewall enabled, you've already won half the battle.
You can find information about netfilter at iptablesrocks.org, and there
is also ebtables for layer 2 protection. For maximum security, you can
start with the Centre for Internet Security's benchmark scripts to lock
down many things that are not done by default on most *NIX distros,
which includes Fedora, RHEL, Ubuntu, Debian and just about every other
one you can name except for OpenBSD. Install OpenPGP and (if you use
Thunderbird) enigmail and learn how to use it well. Then trawl a few
security sites and see what else you can pick up. Just remember that
Linux is a do-it-yourself OS primarily, so if you want it to be
paranoia-level secure, you have to be willing to put in a little effort.

Cheers,


--


Paul


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux