Is there any point to full host names in /etc/hosts ? - Networking


Thread: Is there any point to full host names in /etc/hosts ?

  1. Re: Is there any point to full host names in /etc/hosts ?

    On Tue, 06 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article ,
    Stefan Monnier wrote:

    >> You're adding another chance for spoofing, unless you are able to
    >> verify that the host claiming to be 'foo.example.com' really is.

    >
    >AFAIK dnsmasq will always add its domain name to those names, so if
    >the host requests "foo" he'll get for example "foo.home".


    I don't use dnsmasq, either as a DNS or DHCP server, but that appears
    to be the function of the '-s' option.

    >I'm not even sure if "foo.example.com" would be accepted (and turned
    >into foo.example.com.home) or just rejected, but in any case it
    >doesn't seem like a big security risk.


    I was assuming this was 'example.com' - but what do you do if the
    host that _should_ be 'bar.example.com' comes up claiming to be
    'foo.example.com'? Bear in mind that a lot of network cards will
    accept a '/sbin/ifconfig hw ether 01:02:03:04:05:06 eth0' command,
    and thus you can't trust the MAC address. If you are using a switched
    network, and the switch remembers which MAC/IP is on which port, it
    might cause problems, but few people hard-code their switches.

    >> Very true. It was never designed for that function. But don't
    >> forget that this was also the era of the Berkeley 'r' commands, and
    >> the network authentication based on hostnames.

    >
    >I believe this is unfair to DHCP: this is a protocol for LANs, not for
    >the Internet...


    I really haven't met anyone using 'r' commands over the Internet yet,
    but RFC2827 and RFC3704 (plus a minimum of common sense on the part
    of who-ever set up the local network) should eliminate that problem.

    >a very different context. And it's not clear to me what a safer
    >system could look like anyway.


    Context is very important. Where I work, computers are not moving
    around, and we have an adequate number of IP addresses (no need for
    DHCP), and very few of our users have elevated privileges (makes a
    number of tricks harder to pull off). The networks are monitored, and
    punishment for malefactors is harsh. The "average" home user is
    in a different realm, lacking technical skills to configure their
    computer on the cable/DSL/telephone/what-ever connection their ISP
    provides. Much of the security depends on the way the ISP has things
    tightened down, but the results are the same - not much _local_
    spoofing. The problem occurs outside of these situations.

    As for a "safer" system, how about RFC3118 (possibly including
    RFC4030 if the local network needs this)?

    3118 Authentication for DHCP Messages. R. Droms, W. Arbaugh, Eds..
    June 2001. (Format: TXT=35536 bytes) (Status: PROPOSED STANDARD)

    4030 The Authentication Suboption for the Dynamic Host Configuration
    Protocol (DHCP) Relay Agent Option. M. Stapp, T. Lemon. March 2005.
    (Format: TXT=34332 bytes) (Status: PROPOSED STANDARD)

    I have no need for either, so have no experience to say whether or not
    this is the solution. Certainly a word search in the man page of
    dnsmasq fails to turn up a case-insensitive hit for 'authe'.

    Old guy
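
The concern in the post above, a host that should be 'bar' coming up claiming to be 'foo', can at least be detected after the fact. The following is an added example, not code from any poster in this thread: it checks lease lines in the layout dnsmasq writes to its lease file against a pinned name-to-MAC inventory. The inventory, the sample leases and the function names are assumptions; since a MAC can be changed, as the post notes, a match proves nothing and only mismatches and duplicate claims are reported.

```python
"""Flag DHCP hostname claims that disagree with a pinned inventory."""

# Constructed sample: lease lines in the layout dnsmasq writes to its lease
# file, "<expiry> <mac> <ip> <hostname> <client-id>"; "*" means "not supplied".
SAMPLE_LEASES = """\
1194480000 00:16:3e:aa:00:01 192.168.1.10 foo 01:00:16:3e:aa:00:01
1194480100 00:16:3e:aa:00:02 192.168.1.11 bar 01:00:16:3e:aa:00:02
1194480200 00:16:3e:aa:00:99 192.168.1.57 foo *
1194480300 00:16:3e:aa:00:03 192.168.1.12 * *
1194480400 00:16:3e:aa:00:04 192.168.1.13 mail.example.com *
"""

# Hypothetical inventory (an assumption of this example): expected MAC per name.
PINNED = {
    "foo": "00:16:3e:aa:00:01",
    "bar": "00:16:3e:aa:00:02",
}


def parse_leases(text):
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _expiry, mac, ip, name = fields[:4]
        leases.append({
            "mac": mac.lower(),
            "ip": ip,
            "name": None if name == "*" else name.lower().rstrip("."),
        })
    return leases


def audit(leases, pinned):
    """Return (kind, name, detail) findings: per lease first, then per name."""
    findings = []
    claimants = {}  # short name -> set of MACs that claimed it
    for lease in leases:
        name, mac = lease["name"], lease["mac"]
        if name is None:
            continue
        where = f"{mac} at {lease['ip']}"
        # A client-supplied name with dots is a claim to a full host name.
        if "." in name:
            findings.append(("fqdn-claim", name, where))
        short = name.split(".", 1)[0]
        expected = pinned.get(short)
        if expected is not None and expected.lower() != mac:
            findings.append(("pinned-mismatch", short, f"{where}, expected {expected}"))
        claimants.setdefault(short, set()).add(mac)
    # The same name claimed from more than one MAC in the same lease set.
    for short, macs in sorted(claimants.items()):
        if len(macs) > 1:
            findings.append(("duplicate-claim", short, ", ".join(sorted(macs))))
    return findings


if __name__ == "__main__":
    for kind, name, detail in audit(parse_leases(SAMPLE_LEASES), PINNED):
        print(f"{kind:16} {name:20} {detail}")
```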

  2. Re: Is there any point to full host names in /etc/hosts ?

    On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <4731f293$0$3218$8404b019@news.wineasy.se>, David Brown wrote:

    >Moe Trin wrote:


    >> I don't use dnsmasq, but I suspect you want to look at the -A option.

    >
    >It's the -H option (or --addn-hosts, which I use in the conf file). I
    >don't see any -A option.


    -A, --address=/<domain>/[domain/]<ipaddr>
    Specify an IP address to return for any host in the given
    domains. Queries in the domains are never forwarded and always
    replied to with the specified IP address which may be IPv4 or
    IPv6. To give both IPv4 and IPv6 addresses for a domain, use
    repeated -A flags. Note that /etc/hosts and DHCP leases override
    this for individual names. A common use of this is to redirect
    the entire doubleclick.net domain to some friendly local web
    server to avoid banner ads. The domain specification works in the
    same was as for --server, with the additional facility that /#/
    matches any domain. Thus --address=/#/1.2.3.4 will always return
    1.2.3.4 for any query not answered from /etc/hosts or DHCP and
    not sent to an upstream nameserver by a more specific --server
    directive.

    At least that's what it says on the man page I have ;-)

    >> You may need to be careful if you are grabbing updates for windoze
    >> systems, as they frequently use a network bandwidth provider such as
    >> akamai to do the actual delivery. There are other applications in
    >> addition to those used by windoze that MAY use a bandwidth provider.

    >
    >Yes, it's important to be careful to avoid blocking useful domains that
    >also host adverts. On the other hand, windows updates often cause more
    >harm than good, so blocking them might be a good plan!


    I've had reports from my users who have run into this problem with their
    home installations. It's usually overly aggressive filtering/blocking on
    their part. I dunno about windoze - I stopped using that in 1992.

    >I didn't see the -A option you mention, but the -H option loads a whole
    >file, and it's possible to use it many times (thus the downloaded file
    >would be in addition to the dns / dhcp server's own /etc/hosts and
    >another list I have for local machines).


    Above - The man page I have is about 900 lines long, and the -A option
    is about line 250.

    >While I've used lynx a few times, I really don't think there are many
    >others in my company who would be happy with it! I've bullied them all
    >into using Firefox or Opera, and threatened them with wire cutters (for
    >their network cables, of course) if they ever use IE, but there's a
    >limit to my authority :-(


    Well, you could always set up a local proxy server (and block outbound
    access to port 80 from all but that server) and configure it to abuse the
    users who try to connect using IE... but you may not win many friends by
    doing so ;-)

    Old guy

  3. Re: Is there any point to full host names in /etc/hosts ?

    Moe Trin wrote:
    > On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    > article <4731f293$0$3218$8404b019@news.wineasy.se>, David Brown wrote:
    >
    >> Moe Trin wrote:

    >
    >>> I don't use dnsmasq, but I suspect you want to look at the -A option.

    >> It's the -H option (or --addn-hosts, which I use in the conf file). I
    >> don't see any -A option.

    >
    > -A, --address=/<domain>/[domain/]<ipaddr>
    > Specify an IP address to return for any host in the given
    > domains. Queries in the domains are never forwarded and always
    > replied to with the specified IP address which may be IPv4 or
    > IPv6. To give both IPv4 and IPv6 addresses for a domain, use
    > repeated -A flags. Note that /etc/hosts and DHCP leases override
    > this for individual names. A common use of this is to redirect
    > the entire doubleclick.net domain to some friendly local web
    > server to avoid banner ads. The domain specification works in the
    > same was as for --server, with the additional facility that /#/
    > matches any domain. Thus --address=/#/1.2.3.4 will always return
    > 1.2.3.4 for any query not answered from /etc/hosts or DHCP and
    > not sent to an upstream nameserver by a more specific --server
    > directive.
    >
    > At least that's what it says on the man page I have ;-)
    >


    I don't know how I missed that before, but the option is in my man page now!

    As far as I can see, the -H option works like a file full of -A lines,
    and is thus more convenient for me.

    >>> You may need to be careful if you are grabbing updates for windoze
    >>> systems, as they frequently use a network bandwidth provider such as
    >>> akamai to do the actual delivery. There are other applications in
    >>> addition to those used by windoze that MAY use a bandwidth provider.

    >> Yes, it's important to be careful to avoid blocking useful domains that
    >> also host adverts. On the other hand, windows updates often cause more
    >> harm than good, so blocking them might be a good plan!

    >
    > I've had reports from my users who have run into this problem with their
    > home installations. It's usually overly aggressive filtering/blocking on
    > their part. I dunno about windoze - I stopped using that in 1992.
    >
    >> I didn't see the -A option you mention, but the -H option loads a whole
    >> file, and it's possible to use it many times (thus the downloaded file
    >> would be in addition to the dns / dhcp server's own /etc/hosts and
    >> another list I have for local machines).

    >
    > Above - The man page I have is about 900 lines long, and the -A option
    > is about line 250.
    >
    >> While I've used lynx a few times, I really don't think there are many
    >> others in my company who would be happy with it! I've bullied them all
    >> into using Firefox or Opera, and threatened them with wire cutters (for
    >> their network cables, of course) if they ever use IE, but there's a
    >> limit to my authority :-(

    >
    > Well, you could always set up a local proxy server (and block outbound
    > access to port 80 from all but that server) and configure it to abuse the
    > users who try to connect using IE... but you may not win many friends by
    > doing so ;-)
    >


    I intend to set up a proxy server sometime (I'm going to test out squid
    with clamd virus scanning, at least for web-based email sites which
    bypass the normal email scanner). I'll log access by IE rather than
    block it (as the IT man, I have few enough friends...)

    mvh.,

    David


    > Old guy


  4. Re: Is there any point to full host names in /etc/hosts ?

    Rikishi 42 wrote:
    > On 2007-11-05, Send wrote:
    >> Rikishi 42 wrote:
    >>> On 2007-11-03, Send wrote:
    >>>> Rikishi 42 wrote:
    >>>>> This is the situation: a friend and I both use a broadband router with a few
    >>>>> machines behind them, at our respective homes. We each picked a name for our
    >>>>> 'domain'. His is fictional. Mine also exists on the net, but with only the
    >>>>> www and ftp of rikishi42.net defined in the DNS, not my home machines.
    >>>>>
    >>>> stealing - Using someone else's domain name is unethical. Bottom line
    >>>> "IT'S NOT YOURS"
    >>> Yes it is. Read the headers...

    >> Are You trolling? Read Your own post. You said & I Quote
    >> "Mine also exists on the net"

    >
    > Exactly. So where is the stealing? It's *mine*.



    Saying "His is fictional. Mine also exists on the net" implies you
    borrowed it; "also exists on the net" does not infer that you purchased
    and registered the domain.


    >
    >>>> 192.168.xxx.xxx addresses are private network addresses and usually not
    >>>> forwarded upstream by a router. Can you imagine what would happen if
    >>>> everyone using the same addresses allowed all their network traffic to
    >>>> reach the www. There would be mass collisions. Not to mention that your
    >>>> private network is no longer "private".
    >>>>
    >>>> Be forewarned of the security implications
    >>> Are you on medication? Or did you just miss the original post?

    >> What You have trouble reading ... The original is Quoted DUA

    >
    > We are not putting the 192.168.x.x addresses in any DNS, nor using them through
    > the Internet.
    > I use it, between my machines.
    > He uses it between his machines.


    You Said "He's added 2 of my PC's in the /etc/hosts of his laptop, for
    use when he visits and connects it to my LAN."


    Again, "visits and connects it to my LAN" is not saying he is physically
    in your home connecting wires to your router. He could just as easily
    be visiting and connecting to your LAN via the internet.


    > He's added 2 of my machines into his laptop's /etc/hosts, so he can use it
    > when he's visiting me, and connects to my LAN. From my home, in my home.
    >
    > Never is that non-routable range used on the Net, for $DEITY's sake.
    >
    >>>>> My guess is that, upon finding that rikishi42.net exists, there is an
    >>>>> attempt to get the address from the DNS, skipping hosts all together.
    >>>>>
    >>>>> But do I presume correctly, or is there more to it?
    >>>>>
    >>>> Why bother with all this ? Do it right. Just use the name & IP address
    >>>> that has been assigned to you by your ISP. If you are assigned a
    >>>> dynamic (IP address changes from time to time) which they normally are
    >>>> then use a FREE service like DynDns and have your own "REAL" domain ...

    >
    > And just how many IPs do you get from your ISP? I get 2, and that's just not
    > enough. Hence the use of a broadband router.
    >
    >>>> they have several domain you can pick from other than dyndns.org. There
    >>>> are programs you can run that will update the Dyndns listing
    >>>> automatically when your ISP changes your IP address.

    > Since they aren't used on the Net, there is no point in DynDNS.
    >
    >>>> Dns lookup Work ... Other friends anywhere can reach your machine and you
    >>>> will NOT be blocked by upstream routers.
    >>> You *are* stoned out of your mind, aren't you. :-)
    >>>
    >>>
    >>> Please, please read the original post, and grep it.

    >> You asked for the help

    > Yep, and I appreciate all help I've gotten. I'll be examining my friends
    > nsswitch config, first.
    >
    > You had misunderstood the question so much, it amazed not only me, but
    > others as well. If you want to understand, please read the original post,
    > and _all_ the answers people posted. But I already suggested that, and you
    > didn't bother, did you? :-)


    I suggest you spend less time Sleeping in "ENGLISH Class"
    State it more Precisely! so it's not unclear


    >
    >> .. Go play with your dolls somewhere OFF Usenet
    >> INTERNET

    > Usenet INTERNET ? Weird.
    >
    >


  5. Re: Is there any point to full host names in /etc/hosts ?

    On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <473236ae$0$3209$8404b019@news.wineasy.se>, David Brown wrote:

    >Moe Trin wrote:


    >> At least that's what it says on the man page I have ;-)

    >
    >I don't know how I missed that before, but the option is in my man
    >page now!


    I just grabbed the page off the 'net, as it's not installed on any of
    the systems here. The source appears to be
    http://www.thekelleys.org.uk/dnsmasq...smasq-man.html.

    >As far as I can see, the -H option works like a file full of -A lines,
    >and is thus more convenient for me.


    That's one way to do it. Our DNS servers are updated via a dumb script
    that uses a file very much like the hosts file as a source, but it also
    creates the separate forward and reverse zones, and then kicks the
    primary name server to update things. We don't have external IPs in
    the zone files as we aren't authoritative for them.

    >> Well, you could always set up a local proxy server (and block
    >> outbound access to port 80 from all but that server) and configure
    >> it to abuse the users who try to connect using IE... but you may not
    >> win many friends by doing so ;-)

    >
    >I intend to set up a proxy server sometime (I'm going to test out
    >squid with clamd virus scanning, at least for web-based email sites
    >which bypass the normal email scanner).


    Why do you need web-based email sites? Doesn't your company run its
    own mail system? Here, both Security and HR would be going ballistic
    if our users even tried accessing those sites, never mind attempting
    to do business through them. Company policy prohibits personal use of
    computers or network, which is why we've got "Employee Association"
    owned computers in the break areas and they're on a separate network
    completely isolated from the company.

    >I'll log access by IE rather than block it (as the IT man, I have few
    >enough friends...)


    You have friends... Wow. ;-) Seriously, I'm lucky here as
    we don't use windoze at this facility - it's limited mainly to the
    corporate and the regional sales offices which are on different subnets
    thankfully. We also don't allow visiting computers. That eliminates a
    lot of network problems.

    Old guy
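
A sketch of the kind of script described in the post above, turning a hosts-style file into forward and reverse zone records and leaving out names or addresses the server is not authoritative for. This is an added example, not the poster's script: the function name, the sample file, the domain `example.com` and the network `192.168.1.0/24` are all assumptions, and kicking the name server is left out.

```python
"""Build forward (A/AAAA) and reverse (PTR) records from a hosts-style file."""
import ipaddress

# Constructed sample input in /etc/hosts layout: address, canonical name, aliases.
SAMPLE_HOSTS = """\
# constructed sample
192.168.1.10   foo.example.com foo
192.168.1.11   bar.example.com bar   # trailing comment
192.168.1.12   printer
10.9.8.7       build.example.com
192.168.1.20   www.example.org
not-an-ip      junk.example.com
"""


def build_zones(hosts_text, domain, network):
    """Return (forward, reverse, skipped) for entries inside domain and network.

    skipped holds (line_number, reason) so dropped entries can be reviewed
    rather than vanishing silently.
    """
    net = ipaddress.ip_network(network)
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    forward, reverse, skipped = [], [], []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            skipped.append((lineno, "bad address"))
            continue
        if len(fields) < 2:
            skipped.append((lineno, "no name"))
            continue
        # The first name on the line is canonical; a bare name is qualified
        # with the local domain.
        first = fields[1].lower().rstrip(".")
        canonical = first if "." in first else first + suffix
        if canonical != domain and not canonical.endswith(suffix):
            skipped.append((lineno, "outside domain"))
            continue
        if addr not in net:
            skipped.append((lineno, "outside network"))
            continue
        rtype = "A" if addr.version == 4 else "AAAA"
        forward.append(f"{canonical}. IN {rtype} {addr}")
        reverse.append(f"{addr.reverse_pointer}. IN PTR {canonical}.")
    return forward, reverse, skipped


if __name__ == "__main__":
    fwd, rev, skip = build_zones(SAMPLE_HOSTS, "example.com", "192.168.1.0/24")
    print("\n".join(fwd))
    print("\n".join(rev))
    for lineno, reason in skip:
        print(f"; skipped line {lineno}: {reason}")
```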

  6. Re: Is there any point to full host names in /etc/hosts ?

    Moe Trin wrote:
    > On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    > article <473236ae$0$3209$8404b019@news.wineasy.se>, David Brown wrote:
    >
    >> Moe Trin wrote:

    >
    >>> At least that's what it says on the man page I have ;-)

    >> I don't know how I missed that before, but the option is in my man
    >> page now!

    >
    > I just grabbed the page off the 'net, as it's not installed on any of
    > the systems here. The source appears to be
    > http://www.thekelleys.org.uk/dnsmasq...smasq-man.html.
    >
    >> As far as I can see, the -H option works like a file full of -A lines,
    >> and is thus more convenient for me.

    >
    > That's one way to do it. Our DNS servers are updated via a dumb script
    > that uses a file very much like the hosts file as a source, but it also
    > creates the separate forward and reverse zones, and then kicks the
    > primary name server to update things. We don't have external IPs in
    > the zone files as we aren't authoritative for them.
    >
    >>> Well, you could always set up a local proxy server (and block
    >>> outbound access to port 80 from all but that server) and configure
    >>> it to abuse the users who try to connect using IE... but you may not
    >>> win many friends by doing so ;-)

    >> I intend to set up a proxy server sometime (I'm going to test out
    >> squid with clamd virus scanning, at least for web-based email sites
    >> which bypass the normal email scanner).

    >
    > Why do you need web-based email sites? Doesn't your company run its
    > own mail system? Here, both Security and HR would be going ballistic
    > if our users even tried accessing those sites, never mind attempting
    > to do business through them. Company policy prohibits personal use of
    > computers or network, which is why we've got "Employee Association"
    > owned computers in the break areas and they're on a separate network
    > completely isolated from the company.
    >


    You are in a much bigger company than ours, and with much stricter
    rules. There's always a certain amount of tradeoff between security and
    functionality and flexibility (the most secure computers have no network
    access of any kind, for example) - the trick is getting the maximum
    realistic security while still providing the functionality and
    flexibility you want for the users. Given the size of our company, and
    the openness and freedom we like to have, together with the technical
    abilities of the users (they are at least fairly competent, and have no
    problem following rules and guidelines), we have a rather different
    view. People are free to use browsers as they want, as long as they are
    responsible. Using non-IE browsers means they have to work harder to
    get malware onto their machines - having a virus scanner in the path
    would make it even harder.

    >> I'll log access by IE rather than block it (as the IT man, I have few
    >> enough friends...)

    >
    > You have friends... Wow. ;-) Seriously, I'm lucky here as
    > we don't use windoze at this facility - it's limited mainly to the
    > corporate and the regional sales offices which are on different subnets
    > thankfully. We also don't allow visiting computers. That eliminates a
    > lot of network problems.
    >


    We have a wireless network for visiting computers, or other "unsafe"
    machines (such as laptops that may be used off-site).

    > Old guy


  7. Re: Is there any point to full host names in /etc/hosts ?

    On Thu, 08 Nov 2007 09:27:28 +0100, David Brown rearranged some electrons
    to say:

    >
    > You are in a much bigger company than ours, and with much stricter
    > rules. There's always a certain amount of tradeoff between security and
    > functionality and flexibility (the most secure computers have no network
    > access of any kind, for example) - the trick is getting the maximum
    > realistic security while still providing the functionality and
    > flexibility you want for the users. Given the size of our company, and
    > the openness and freedom we like to have, together with the technical
    > abilities of the users (they are at least fairly competent, and have no
    > problem following rules and guidelines), we have a rather different
    > view. People are free to use browsers as they want, as long as they are
    > responsible. Using non-IE browsers means they have to work harder to
    > get malware onto their machines - having a virus scanner in the path
    > would make it even harder.
    >


    Big or small, every company needs to worry about liability. So, what if
    one of your 'responsible' employees downloads some 'objectionable'
    material? If someone happens to see it, you're opening your company up
    for a harassment lawsuit. Sad to say, but it happens....


  8. Re: Is there any point to full host names in /etc/hosts ?

    On Thu, 08 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <4732c5f2$0$27838$8404b019@news.wineasy.se>, David Brown wrote:

    >Moe Trin wrote:


    >> Why do you need web-based email sites? Doesn't your company run its
    >> own mail system? Here, both Security and HR would be going ballistic
    >> if our users even tried accessing those sites, never mind attempting
    >> to do business through them. Company policy prohibits personal use of
    >> computers or network, which is why we've got "Employee Association"
    >> owned computers in the break areas and they're on a separate network
    >> completely isolated from the company.

    >
    >You are in a much bigger company than ours, and with much stricter
    >rules. There's always a certain amount of tradeoff between security
    >and functionality and flexibility (the most secure computers have no
    >network access of any kind, for example) - the trick is getting the
    >maximum realistic security while still providing the functionality and
    >flexibility you want for the users.


    I was thinking you were using web-based email sites for business.
    That doesn't give the right impression to customers.

    For _personal_ use, that is a decision the company management has to
    make. Yes, there is the obvious abuse situation (I visited a
    supplier recently, and noted one system in a technician's office that
    was displaying current stock exchange tickers - hardly an appropriate
    use).

    >Given the size of our company, and the openness and freedom we like
    >to have, together with the technical abilities of the users (they are
    >at least fairly competent, and have no problem following rules and
    >guidelines), we have a rather different view. People are free to use
    >browsers as they want, as long as they are responsible.


    There is also a difference in the legal climate. In the USA, the mere
    hint of anything sexual _can_ bring on lawsuits - with the federal and
    state governments being interested parties. Most company legal staffs
    recommend a zero-tolerance on the part of management, just to avoid
    those legal problems.

    >Using non-IE browsers means they have to work harder to get malware
    >onto their machines - having a virus scanner in the path would make
    >it even harder.


    The employee association systems in break areas are all running the
    same basic Linux install as used locally. The employees are familiar
    with it and have no problems. The systems are set so that users can
    not save anything (the user's home directory is read-only) and there
    is no removable media. You can _read_ your personal mail, but you
    can't save it locally. This eliminates a LOT of problems.

    >We have a wireless network for visiting computers, or other "unsafe"
    >machines (such as laptops that may be used off-site).


    We're an R&D facility, so visiting computers are simply not allowed.
    Company systems that may come or go get a clean install each time.
    Sales people who visit either lock up the computers in lockers in
    the lobby, or use them only in the lobby. We don't even get usable
    cell-phone or radio/TV broadcast coverage in the buildings - which is
    a mixed joy.

    Paranoid? Who, us???

    Old guy

  9. Re: Is there any point to full host names in /etc/hosts ?

    Moe Trin wrote:
    > On Thu, 08 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    > article <4732c5f2$0$27838$8404b019@news.wineasy.se>, David Brown wrote:
    >
    >> Moe Trin wrote:

    >
    >>> Why do you need web-based email sites? Doesn't your company run its
    >>> own mail system? Here, both Security and HR would be going ballistic
    >>> if our users even tried accessing those sites, never mind attempting
    >>> to do business through them. Company policy prohibits personal use of
    >>> computers or network, which is why we've got "Employee Association"
    >>> owned computers in the break areas and they're on a separate network
    >>> completely isolated from the company.

    >> You are in a much bigger company than ours, and with much stricter
    >> rules. There's always a certain amount of tradeoff between security
    >> and functionality and flexibility (the most secure computers have no
    >> network access of any kind, for example) - the trick is getting the
    >> maximum realistic security while still providing the functionality and
    >> flexibility you want for the users.

    >
    > I was thinking you were using web-based email sites for business.
    > That doesn't give the right impression to customers.
    >


    I absolutely agree - it's hard to take professionals seriously if they
    have gmail or hotmail email accounts (at least, for professionals in a
    technical area).

    > For _personal_ use, that is a decision the company management has to
    > make. Yes, there is the obvious abuse situation (I visited a
    > supplier recently, and noted one system in a technician's office that
    > was displaying current stock exchange tickers - hardly an appropriate
    > use).
    >


    Yes, that's a matter for administration. I don't make the law, I only
    enforce it.


    >> Given the size of our company, and the openness and freedom we like
    >> to have, together with the technical abilities of the users (they are
    >> at least fairly competent, and have no problem following rules and
    >> guidelines), we have a rather different view. People are free to use
    >> browsers as they want, as long as they are responsible.

    >
    > There is also a difference in the legal climate. In the USA, the mere
    > hint of anything sexual _can_ bring on lawsuits - with the federal and
    > state governments being interested parties. Most company legal staffs
    > recommend a zero-tolerance on the part of management, just to avoid
    > those legal problems.
    >


    Here in Norway, there is not nearly the same sort of issues, and
    therefore there is no need for IT to worry about it.

    >> Using non-IE browsers means they have to work harder to get malware
    >> onto their machines - having a virus scanner in the path would make
    >> it even harder.

    >
    > The employee association systems in break areas are all running the
    > same basic Linux install as used locally. The employees are familiar
    > with it and have no problems. The systems are set so that users can
    > not save anything (the user's home directory is read-only) and there
    > is no removable media. You can _read_ your personal mail, but you
    > can't save it locally. This eliminates a LOT of problems.
    >


    When you need a more controlled system (effectively treating the users
    as the general public), that makes a lot of sense. I know everyone in
    our company, so it's a very different scale.

    >> We have a wireless network for visiting computers, or other "unsafe"
    >> machines (such as laptops that may be used off-site).

    >
    > We're an R&D facility, so visiting computers are simply not allowed.
    > Company systems that may come or go get a clean install each time.
    > Sales people who visit either lock up the computers in lockers in
    > the lobby, or use them only in the lobby. We don't even get usable
    > cell-phone or radio/TV broadcast coverage in the buildings - which is
    > a mixed joy.
    >
    > Paranoid? Who, us???
    >


    Just because you're paranoid, does not mean they're not out to get you.

    mvh.,

    David


    > Old guy


  10. Re: Is there any point to full host names in /etc/hosts ?

    On Sun, 11 Nov 2007 23:06:02 +0100, David Brown rearranged some electrons
    to say:

    > You make it sound as though there are gangs
    > of crackers working round the clock on ways to break into my networks,
    > using a combination of essentially unrelated client and server attacks.


    And you think there aren't?

  11. Re: Is there any point to full host names in /etc/hosts ?

    On Sun, 11 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
    article <47377e7c$0$3208$8404b019@news.wineasy.se>, David Brown wrote:

    >Moe Trin wrote:


    >> For _personal_ use, that is a decision the company management has to
    >> make. Yes, there is the obvious abuse situation (I visited a
    >> supplier recently, and noted one system in a technician's office that
    >> was displaying current stock exchange tickers - hardly an appropriate
    >> use).

    >
    >Yes, that's a matter for administration. I don't make the law, I only
    >enforce it.


    While to a minor extent, it's a "bandwidth" and "what are we paying
    you for" issue, there may be security issues as well. Our users do
    not have the permission to install software, so that issue is slightly
    reduced. Still, one has to be careful. I note that Bugtraq is reporting
    a Macintosh (OSX - but not sure which release) trojan - some pr0n site
    that gets the user to install a plugin to see the pictures better or
    something.

    >> In the USA, the mere hint of anything sexual _can_ bring on lawsuits
    >> - with the federal and state governments being interested parties.


    >Here in Norway, there is not nearly the same sort of issues, and
    >therefore there is no need for IT to worry about it.


    Lawsuits are an all-too-common problem here. Even if the company wins
    in court, the plaintiff is rarely able to reimburse the wasted legal
    costs (lawyers are not cheap). It's a threat we live with.

    [employee association systems for "personal" use]

    >> This eliminates a LOT of problems.

    >
    >When you need a more controlled system (effectively treating the users
    >as the general public), that makes a lot of sense. I know everyone in
    >our company, so it's a very different scale.


    It keeps the company out of the individual's personal business. It's
    also self-policing, as the employees themselves make sure the systems
    aren't abused.

    >> Paranoid? Who, us???

    >
    >Just because you're paranoid, does not mean they're not out to get you.


    "When they _are_ out to get you, always check your paperwork."

    Old guy
