On Tuesday, August 27, 2019 5:05:57 PM MST Chris Murphy wrote:
On Tue, Aug 27, 2019 at 5:24 PM John Harris
<johnmh(a)splentity.com> wrote:
>
>
> On Tuesday, August 27, 2019 8:23:01 AM MST Chris Murphy wrote:
> > Windows is enable by default with two "zones" or "policies"
(I can't
> > even tell from their own UI what to call this), one for private
> > networks, and another for guest/public networks.
>
>
>
> I don't have a mac, so I can't confirm this, but Apple suggests that
> there's
nothing bound to listen by default.
There are no services enabled by default either. No ssh, no file
sharing, no VNC, no printer sharing, etc. macOS does have Bonjour
(mDNS) enabled by default, and while it's not self announcing, it is
listening for other device/services that are.
That's similar to Workstation.
> If that's the case, and I imagine it's
> difficult to run real software on Mac which might bind stuff (because of
> those
"app" things they've got, I presume), that might be a
legitimate
> thing for Macs. We're not Apple, and we're not rolling
out MacOS. I
> personally believe that's a horrible idea for Mac systems as well, even
> if they don't bind anything by default, which we do.
Difficult to run real software ... I don't understand what that means
or how it manifests. I run all kinds of real software on macOS and it
works fine.
> This sounds like a misunderstanding as to what firewalls, and the various
> types of firewalls, are. By default, Fedora uses firewalld, which is not
> an application firewall, which is what you've described. "I dunno if
> this network is trustworthy! Do you know if it's trustworthy?!" is a
> legitimate decision for the end user or sysadmin to make. It is not "a
> buck passing interface", the Fedora install has no possible way to know.
> The end user or sysadmin would.
That actually isn't clear at all. And I am the end user and sysadmin.
I'm at home, I have my own AP, but none of the equipment is under my
direct control, it's centrally managed by a company I don't even pay.
So, is it trustworthy? Maybe. Maybe not. I have no practical way of
knowing without digging into Fedora Security spin and learning a bunch
of things I don't presently know - which for sure sounds really
fascinating, and I like that this spin exists, but there are only so
many hours in the day!
Workstation ships with sshd enabled by default, unless something has changed.
Regardless, on Workstation, user programs can certainly easily bind ports,
which, with the GNOME spin's firewall configuration, are open to the world at
this point.
What does the Fedora Security lab have to do with anything? Are you interested
in pentesting?
--
John M. Harris, Jr. <johnmh(a)splentity.com>
Splentity
https://splentity.com/