[App_rpt-users] toy throwing time?
Stephen - K1LNX
k1lnx at k1lnx.net
Mon Sep 12 20:46:50 UTC 2016
>
> I realize keepng up with the Asterisk code base is a lot to ask, but for
> one thing it buys you is security. While it is certainly true that
> "improvements" do introduce new security holes, a more mature and current
> Asterisk is more likely to have fewer security holes.
>
> Since many nodes face the public internet, it would certainly be
> catastrophic if a black hat were to have the ability to knock any public
> facing AllStar node in the world off the air by exploiting a previously
> undisclosed vulnerability. Combining such an exploit with a router exploit
> to get to private networks of nodes is a real possibility, and there are
> LOTS of people around the world, including some big players, that invest
> heavily in having such a toolset ready for when it would benefit them.
>
> Having what is essentially a static code base makes it easier for those
> folks. I know that sounds rather paranoid, but just sayin....
>
I don't refute that. Security is a real threat and something that everyone
should keep fingers on, but I really have to ask myself, if I was so
concerned about something being attacked why is it on the internet in the
first place? If my box were to get owned, I most likely would discover it
in a timely manner and take corrective action anyhow, which would probably
involve me laughing at it, wiping the drive, and restoring my configs from
backup. This is pure hobby to me, not a mission critical production system.
It's no excuse to have any insecure software or protocols running on any
platform whatsoever, but I know of no single product in existence that has
ever been made 100% bullet proof and secure out of the box, so that leads
me to wonder what the real threat vector is here besides the "what if"
factor. Believe me, as a security conscious guy who locks down his own
servers and gear, I totally get it, but I view app_rpt in a different light
because it's only existence in life for me is to control a repeater and
provide network connectivity to other nodes.
All in all, I like things where they are now, and if progress can be made
on a newer platform, great, but otherwise the work others have done to this
point on it has been phenomenal and I am in 100% support and appreciative
of it.
73
Stephen
K1LNX
On Mon, Sep 12, 2016 at 1:04 PM, Willem Schreuder <willem at prinmath.com>
wrote:
> On Mon, 12 Sep 2016, Stephen - K1LNX wrote:
>
> What exactly does it gain for us?
>>
>
> I realize keepng up with the Asterisk code base is a lot to ask, but for
> one thing it buys you is security. While it is certainly true that
> "improvements" do introduce new security holes, a more mature and current
> Asterisk is more likely to have fewer security holes.
>
> Since many nodes face the public internet, it would certainly be
> catastrophic if a black hat were to have the ability to knock any public
> facing AllStar node in the world off the air by exploiting a previously
> undisclosed vulnerability. Combining such an exploit with a router exploit
> to get to private networks of nodes is a real possibility, and there are
> LOTS of people around the world, including some big players, that invest
> heavily in having such a toolset ready for when it would benefit them.
>
> Having what is essentially a static code base makes it easier for those
> folks. I know that sounds rather paranoid, but just sayin....
>
> 73 -Willem AC0KQ
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.keekles.org/pipermail/app_rpt-users/attachments/20160912/202d7656/attachment.html>
More information about the App_rpt-users
mailing list