Sam Ruby perfectly summarizes my thoughts on desktop web servers. But before you read that, read “posting to radio.weblogs.com without using Radio 8?”, a discussion forum on radio.userland.com. Kevin Altis (who originated the thread) pointed me to it, which prompted me to write “Multiple Radio installations”, which prompted the following email exchange:

From: Dave Winer
To: Mark Pilgrim
Subject: Interesting
Date: Fri, 22 Mar 2002 13:02:56 -0800

Please explain why Movable Type is less likely to get hacked than Radio.

Dave

From: Mark Pilgrim
To: Dave Winer
Subject: Re: Interesting
Date: Fri, 22 Mar 2002 16:27:51 -0500

Sorry if this wasn’t clear. It’s not Radio that will get hacked, it’s the computer that is running Radio. A default Windows 98 installation with a cable modem, visible on the Internet as a “full peer” (i.e. not firewalled or otherwise protected), will be found and hacked within minutes by automated script-kiddie-level scans. Not because it’s running a server of any kind, but because Windows clients are by default so insecure that they should never be visible on the public Internet.

Movable Type could certainly have its own bugs (like Radio or any other product), but the server it’s installed on is presumably professionally managed and running an operating system that is designed to withstand the public internet.

Cheers.

-Mark

From: Dave Winer
To: Mark Pilgrim
Subject: Re: Interesting
Date: Fri, 22 Mar 2002 13:31:03 -0800

That’s what the glass palace guys used to say about people and PCs.

Dave

From: Dave Winer
To: Mark Pilgrim
Subject: Re: Interesting
Date: Fri, 22 Mar 2002 13:38:53 -0800

There’s a problem with your story. No one is going to push back saying “I run such a system, and have for years, and have never been hacked.”

Dave

From: Mark Pilgrim
To: Dave Winer
Subject: Re: Interesting
Date: Fri, 22 Mar 2002 16:56:21 -0500

Anyone who says that probably has been hacked, they just don’t know it. If someone doesn’t know enough to install a simple firewall (ZoneAlarm is free and works on all versions of Windows), then they don’t know enough to realize they’ve been hacked and are being used as a zombie for distributed denial-of-service attacks, spreading spam, spreading Code-Red-like worms, or whatever.

And what about the problem of Radio violating the ISP’s terms of service? My RoadRunner cable modem TOS explicitly forbids me to connect the cable modem to any computer acting as a public server of any kind. Doesn’t Radio (in remote admin mode) qualify?

http://twcnc.com/road_runner/terms.htm

-Mark

From: Dave Winer
To: Mark Pilgrim
Subject: Re: Interesting
Date: Fri, 22 Mar 2002 20:04:05 -0800

Mark, you got it totally right, people need firewalls, and ZoneAlarm is a big seller.

About terms of service, fine, that may be a problem for anyone who wants to remote access their desktop through HTTP.

BTW, about people being hacked and not knowing it, do you have any evidence that any Radio user has been hacked?

Dave

From: Mark Pilgrim
To: Dave Winer
Subject: Re: Interesting
Date: Sat, 23 Mar 2002 00:03:38 -0500

No. All the Radio users I know run Radio behind firewalls — which works wonderfully. I don’t know anyone who remotely administers Radio. But I *do* know someone (my girlfriend) who got hacked within days of getting her cable modem. (We learned very quickly about firewalls.)

That’s the main point here: full peers (especially in the hands of uninformed users) are inherently dangerous. The only way Radio fits in is that the only way to use it fully in two places at once is to turn one of those places into a server. As I’ve suggested on my weblog and in other private email today, if what you want is a server, use Manila at Weblogger (or some other server-side solution). I believe that’s what Kevin (who originally started the discussion thread) is going to do.

-Mark

Now then, as I was saying, Sam Ruby perfectly summarizes my thoughts on desktop web servers. They’re great for the user sitting at the desktop. But desktops should not be visible on the public internet, because being visible on the public internet is dangerous. Publicly-visible desktops running servers are doubly dangerous. This is not Radio-specific advice; in fact, Radio has an excellent security record (as far as I know), and its default configuration (no Remote Access) is the most secure option. But other programs have not fared as well. AOL Instant Messenger had an exploitable hole, but AOL got lucky and was able to work around it on the server side. IIS had an exploitable hole which caused thousands of cable/DSL subscribers to unwittingly propagate Code Red at high speeds. And Userland has shown poor turnaround time patching security holes in their other products.

I strongly urge everyone (including Radio users) to run personal firewall software such as ZoneAlarm, and to take the time to research how to set up your home network securely. I run ZoneAlarm on my own laptop; when I run AmphetaDesk, I allow it to be a server, but only for the local network (a very narrow IP range defined in my ZoneAlarm configuration), not for the public internet. If I ran Radio, I would set it up exactly the same way. And I take these precautions even though my entire home network sits behind a hardware firewall that blocks all incoming traffic, period. If I absolutely, positively could not live without remote Radio access, I would set up Radio to always authenticate, set up a secure tunnel (so my Radio username and password were not sent in clear text), and set up my firewall to forward all traffic on port 5335 to my Radio computer. If that sounds beyond the scope of your expertise, don’t turn on Radio’s Remote Access features.
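The “server, but only for the local network” rule above can also be enforced inside a desktop server itself, as a second layer behind the firewall. This is an added example, not code from Radio, AmphetaDesk or ZoneAlarm; the address ranges, the bind address and the class names are assumptions chosen for illustration.

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumptions for illustration: a narrow home-LAN range and a loopback bind.
ALLOWED_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),     # the desktop itself
    ipaddress.ip_network("192.168.1.0/28"),  # constructed LAN range (.0 to .15)
]
BIND_ADDR = "127.0.0.1"  # use the machine's LAN address to serve the LAN
PORT = 5335              # the Radio port named in the post


def client_allowed(addr, allowed=ALLOWED_NETS):
    """Return True only if the peer address lies inside an allowed range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # unparseable peer address: refuse
    # An IPv4-mapped IPv6 peer (::ffff:a.b.c.d) is judged by its IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in allowed)


class LanOnlyServer(ThreadingHTTPServer):
    """HTTP server that drops connections from outside the allowed ranges."""

    def verify_request(self, request, client_address):
        # socketserver calls this before the handler runs; returning False
        # closes the connection without handing it to the handler.
        return client_allowed(client_address[0])


class Hello(BaseHTTPRequestHandler):
    def do_GET(self):
        body = b"desktop server: local clients only\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to one specific interface, never 0.0.0.0, and filter peers as well.
    LanOnlyServer((BIND_ADDR, PORT), Hello).serve_forever()
```
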

Bottom line: desktops can be servers, but they should not be public servers, because desktops should not be public at all. Unfortunately, the only way to fully utilize Radio from two different desktops is by turning one of those desktops into a public server. Don’t do that. Running a public server is hard, and it doesn’t magically get easier just because the server comes with a friendly installer and a checkbox that says “check here to activate extra super-cool features”. Use whatever software you want, but use it responsibly, or don’t use it at all.

§


© 2001-8 Mark Pilgrim