Insecurity and the Internet

As I mentioned before, I recently started playing with a Slim Devices Squeezebox and the SlimServer software that goes with it.

I’m hugely impressed with this, not least because it’s written in platform-neutral Perl and thus just worked out of the box on my IRIX64 Octane. (The IRIX O2 I’m running it from now took a little hacking, but that’s Perl’s fault rather than Slim Devices’.)

However, getting to the point, it does unwittingly reveal one of the limitations of the internet: the lack of a security focus on many sites. For example, SlimServer and the Squeezebox have the ability to play streams from Live365. This initially confused me because the site design causes Privoxy to kill the section of the page where you sign up and log in, and then because, once I’d signed up (and had to jump through hoops to avoid also signing up for spam, by which point I was starting to doubt whether the service was worth it), I still couldn’t play streams. On trying, the Squeezebox would just hang for a while.
As with most network-related random hangs, this proved to be a firewall issue, and reducing the SPI firewall in my Intertex IX66 router (possibly my favorite piece of hardware ever!) to “Low” fixed the problem, at the cost of accepting all internet traffic and performing no outbound filtering.

The Live365 Wiki (not the help forum; you have to sign up even to view this*) has the following entry for firewall settings:
Our broadcasts run on many ports ranging from 4000 – 32000.

We would like to run on port 80, but since we have tens of thousands of broadcasts, we need more ports.

Oh, well that’s okay then… so long as you’d like to implement a more sensible streaming policy, it’s fine to require 28,000 ports to be opened just to listen to music. Someone sell these people a load-balancer.
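As an added illustration (not part of the original post, and nothing to do with Live365’s or Slim Devices’ own software), here is what the router’s “Low” setting amounts to in iptables terms beside a rule set that opens the quoted 4000–32000 range only towards the streaming hosts rather than to the whole internet. The destination range 198.51.100.0/24 is a placeholder from the documentation address space and is an assumption, not Live365’s real addresses; substitute whatever your player actually connects to. The audit function flags a rule set that either default-allows traffic or opens the port range without a destination restriction.

```shell
#!/bin/sh
# Constructed example: scope the outbound "hole" a streaming service asks
# for, instead of dropping the whole SPI firewall to "Low".
# Nothing here is applied; the functions print iptables commands for review.

LIVE365_PORTS="4000:32000"                      # range quoted from the Live365 wiki
LIVE365_DST="${LIVE365_DST:-198.51.100.0/24}"   # ASSUMPTION: placeholder, not a real Live365 range

# Equivalent of the router's "Low" setting: everything in, everything out,
# no outbound filtering at all.
weak_rules() {
    cat <<EOF
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
EOF
}

# Tighter rule set: default-deny both ways, stateful return traffic only,
# DNS and HTTP out, and the streaming port range only towards the named
# destination. Anything else outbound is logged and dropped by policy.
scoped_rules() {
    dst="${1:-$LIVE365_DST}"
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -d $dst --dport $LIVE365_PORTS -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "OUT-DROP "
EOF
}

# Audit a rule set read from stdin. Returns non-zero if traffic is
# default-allowed in either direction, or if the streaming port range is
# opened without a -d (destination) restriction.
audit_rules() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *"-P INPUT ACCEPT"*|*"-P OUTPUT ACCEPT"*)
                echo "FAIL: default-allow policy: $line"
                rc=1 ;;
            *"--dport $LIVE365_PORTS"*)
                case "$line" in
                    *" -d "*) ;;   # scoped to a destination: acceptable
                    *) echo "FAIL: $LIVE365_PORTS open to any host: $line"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Stand-alone run: show both rule sets and the audit verdict for each.
echo "== weak (router 'Low') =="; weak_rules
weak_rules | audit_rules || echo "weak rules rejected"
echo "== scoped =="; scoped_rules
scoped_rules | audit_rules && echo "scoped rules accepted"
```

To apply the scoped set on a Linux box doing the filtering, pipe `scoped_rules` into `sh` as root after replacing the placeholder destination; on a router such as the IX66 the same idea is a per-rule outbound allow towards the streaming hosts rather than a global drop in inspection level. The point the audit makes explicit is that “28,000 ports” is only an enormous hole if it is opened to every address on the internet.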
* This seems to be a growing trend nowadays, and it’s one of the few things I consider unforgivable on a website. There’s no reason to prevent people from having read-only access to a forum, other than wanting to sell the information collected during sign-up to advertisers…

How can the average man in the street* possibly be expected to protect himself from Internet attacks, and from becoming part of a botnet, if reputable sites routinely require enormous holes to be blown in firewalls for access to their services? If the industry can’t take security vulnerabilities seriously and build sites and services which are secure by design (on the client as well as the server end), is it any wonder we’re in the mess we now find ourselves in?
* Is there a gender-neutral form of this phrase? 😀

As regards Live365, I did find Radio Panic (with what looks like a DNA-inspired logo ;)) which seems to have a really good playlist. But will I listen very often when I have to disable my firewall first?