I take greater care to make my Linux systems secure than windwoes systems. Why? I don't care about the windwoes systems. Toss them in the trash, blow on a new build, reconnect and wait for the next disaster.<br><br>My Linux systems provide a toolset that is not available on any windwoes system and that toolset can wreak havoc on the entire Internet. So I keep that toolset as locked down as I can make it.<br>
<br>The only way to really secure a windwoes system is to remove the power cord and weld the hard drive motor so it won't spin. Barring that, put the OS on a replaceable drive with an offline spare in storage. User files are stored on a Samba system that is scanned hourly. A bugged windwoes system gets the new drive, and the old drive is wiped and rebuilt to support remote user data.<br>
<br>Or run Linux and windwoes in a VM only. Once installed and fully patched, take a VM snapshot. Keep user data on the Linux system via a shared folder. When windwoes gets screwed, restore from the snapshot.<br><br><div class="gmail_quote">
On Tue, Jan 22, 2013 at 2:43 PM, Brian MacLeod <span dir="ltr"><<a href="mailto:nym.bnm@gmail.com" target="_blank">nym.bnm@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA256<br>
<br>
</div><div class="im">On 1/22/13 1:38 PM, Ron Frazier (ALE) wrote:<br>
> The TOS at most institutions forbid guest access to wired ports.<br>
> But, we won't mention that. I don't know about this specific<br>
> institution.<br>
<br>
<br>
</div>It is forbidden to connect a network device to such ports. If it were<br>
policy to forbid any guest access to wired ports, then that connection<br>
would not be there. What they should do is wall that off behind the<br>
same security as the wireless, but that's an operational choice by<br>
Emory and it's not going to change here. I know at Tech and at my<br>
previous institution (Georgia Gwinnett), all publicly exposed network<br>
ports were either dead or secured/throttled as the wireless was.<br>
<div class="im"><br>
<br>
<br>
> Un natted connections sound a bit disturbing. I would think the<br>
> whole institution would be running on a giant nat. Even so, I<br>
> think a Windows machine should be OK as long as the OS firewall<br>
> was running.<br>
<br>
<br>
</div>I can't even begin to state how wrong this is. The vulnerabilities<br>
(even with OS firewall on) are far too great to allow this type of<br>
connection. But honestly, a lot of this part of the discussion would<br>
be moot if the wired connection provided was secured as above.<br>
<br>
Just because I have a box running linux, I take great caution<br>
connecting to such networks because who knows what will come at my box<br>
as soon as I connect.<br>
<div class="im"><br>
<br>
<br>
> Re VPN, I was running hotspotvpn on Windows the other night at the<br>
> meeting on the wireless. I was using HTTP protocol as far as what<br>
> the menu says. I assume it was using SSL on 443. I think it runs<br>
> OpenVPN under the covers.<br>
<br>
<br>
<br>
</div>Right...so...same result...<br>
<br>
bnm<br>
<br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)<br>
<div class="im">Comment: Using GnuPG with Thunderbird - <a href="http://www.enigmail.net/" target="_blank">http://www.enigmail.net/</a><br>
<br>
</div>
<div class="HOEnZb"><div class="h5">-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>James P. Kinney III<br><br>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
</i></i></i></i>