
Bug reports: information or spam?

Posted Apr 15, 2012 0:07 UTC (Sun) by dlang (subscriber, #313)
In reply to: Bug reports: information or spam? by josh
Parent article: Bug reports: information or spam?

The networks where e-mail is blocked are not likely to allow SSH tunnels, VPNs, or Tor connections out either.

We also aren't talking about making all programs that communicate talk multiple protocols, we are talking about a specific use-case, submitting bug reports. By definition, when you are submitting a bug report, something is broken. As such, you should support multiple ways to submit the bug so that you can work around whatever is broken.

Also, the networks in question are only "broken" if you think that every computer in existence should be able to talk freely to every other computer in existence. This model of reality disappeared (if it ever really existed) decades ago. Security and Access restrictions are not only just the reality, they are very desirable in many cases.



Bug reports: information or spam?

Posted Apr 15, 2012 1:11 UTC (Sun) by josh (subscriber, #17465)

> The networks where e-mail is blocked are not likely to allow SSH tunnels, VPNs, or Tor connections out either.

What makes a network that only allows outbound HTTP different than a network that only allows some obscure protocol outbound, or a network that allows no outbound access at all? Should reportbug support DNS-based transmission to get through networks that block HTTP?

> Also, the networks in question are only "broken" if you think that every computer in existence should be able to talk freely to every other computer in existence. This model of reality disappeared (if it ever really existed) decades ago. Security and Access restrictions are not only just the reality, they are very desirable in many cases.

Disallowing inbound access makes sense for security. Disallowing outbound access (with the *possible* exception of port 25 on networks with a pile of infected spam-sending systems that can't just be kicked off the network) makes a network broken.

Bug reports: information or spam?

Posted Apr 15, 2012 1:41 UTC (Sun) by dlang (subscriber, #313)

>> The networks where e-mail is blocked are not likely to allow SSH tunnels, VPNs, or Tor connections out either.

> What makes a network that only allows outbound HTTP different than a network that only allows some obscure protocol outbound, or a network that allows no outbound access at all? Should reportbug support DNS-based transmission to get through networks that block HTTP?

No, you should not implement DNS-based transmission, ping-based transmission, or other weird new protocols.

But for a bug reporting tool, you should support the common data communication protocols.

> Disallowing inbound access makes sense for security. Disallowing outbound access (with the *possible* exception of port 25 on networks with a pile of infected spam-sending systems that can't just be kicked off the network) makes a network broken.

Here I (and most security people) just disagree with you. It all depends on the purpose of the network; if the network is not intended to talk to the Internet, creating the ability for it to talk directly to the Internet is a bad idea.

Bug reports: information or spam?

Posted Apr 15, 2012 3:31 UTC (Sun) by josh (subscriber, #17465)

> But for a bug reporting tool, you should support the common data communication protocols.

SMTP is pretty common. :)

(Note, by the way, that I'm not attempting to argue against the implementation of HTTP for other reasons; I just think "because there are networks that block SMTP" doesn't seem like a good enough reason.)

> Here I (and most security people) just disagree with you. It all depends on the purpose of the network; if the network is not intended to talk to the Internet, creating the ability for it to talk directly to the Internet is a bad idea.

On the contrary, I agree that air-gapped networks potentially make sense. If you want a restricted network with *no* outbound access, by all means have one. And if your network should not provide access to the Internet, don't try to report bugs from that network. :)

But don't create a network that allows *some* traffic out without allowing *all* traffic out; any sufficiently creative and annoyed developer who just wants to get work done will find a way to turn whatever traffic you do allow through into a real Internet connection, as will anyone trying to get malicious activity through.

Bug reports: information or spam?

Posted Apr 15, 2012 3:54 UTC (Sun) by dlang (subscriber, #313)

Security isn't the practice of preventing all possible activities (turning the computer off and sealing it in a Faraday cage will do that); it's a matter of managing risk and slowing down the attacker long enough to catch and stop them.

A network that can do some things, but not all things, is a very reasonable and very common situation.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds