From owner-freebsd-questions@FreeBSD.ORG Mon Jun 22 15:36:13 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C23311065673 for ; Mon, 22 Jun 2009 15:36:13 +0000 (UTC) (envelope-from wmoran@potentialtech.com) Received: from mail.potentialtech.com (internet.potentialtech.com [66.167.251.6]) by mx1.freebsd.org (Postfix) with ESMTP id 6D17D8FC1A for ; Mon, 22 Jun 2009 15:36:13 +0000 (UTC) (envelope-from wmoran@potentialtech.com) Received: from vanquish.ws.pitbpa0.priv.collaborativefusion.com (pr40.pitbpa0.pub.collaborativefusion.com [206.210.89.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.potentialtech.com (Postfix) with ESMTPSA id 5857FEBC0A; Mon, 22 Jun 2009 11:36:12 -0400 (EDT) Date: Mon, 22 Jun 2009 11:36:10 -0400 From: Bill Moran To: "Gary Gatten" Message-Id: <20090622113610.422cab85.wmoran@potentialtech.com> In-Reply-To: <70C0964126D66F458E688618E1CD008A0793F062@WADPEXV0.waddell.com> References: <20090619111234.6883afd2@gom> <20090619143935.6c28be98.wmoran@potentialtech.com> <20090619183535.006433d1@gom> <20090622085952.9ef38eab.wmoran@potentialtech.com> <70C0964126D66F458E688618E1CD008A0793F062@WADPEXV0.waddell.com> X-Mailer: Sylpheed 2.6.0 (GTK+ 2.14.7; i386-portbld-freebsd7.1) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: freebsd-questions@freebsd.org, prad Subject: Re: backdoor threat X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Jun 2009 15:36:14 -0000 In response to "Gary Gatten" : > OK - this thread is scaring me. Anything that involves a "backdoor" > threat is very concerning - I keep looking over my shoulder to make sure > no one is sneaking up on me! My job here is done ... In my experience, most people don't take the steps necessary to really secure their systems. But it's all a tradeoff. If I'm running an online banking site, then I'm going to go all out to ensure that all the required steps are made to secure the system, otherwise I'm not going to stay in business very long. But if I'm selling ringtones over the internet, or running a site for flash games that makes money off banner ads, how diligent should I be? I mean, if someone breaks in, how much do I lose? I'm not storing anyone's credit card numbers, so I just have to deal with a couple days of downtime while I fix the server. And chances are nobody is going to break into my system anyway, since I don't have anything worth stealing. Of course, the flaw in that reasoning is that while you may not care, the rest of the internet is getting bombed by the botnet that you've joined by your carelessness. The counter-argument to that is that you can't afford what it would cost to _really_ secure a system like that. And it's not justified if the information isn't sensitive anyway. So, yes. Keep looking over your shoulder. _Someone_ is sneaking up on you. -- Bill Moran http://www.potentialtech.com http://people.collaborativefusion.com/~wmoran/