I have to take serious issue with this recurring meatspace analogy in which a computer (system?, LAN? phone? pda? web-server? fancy refrigerator?) is like a person's private residence. This metaphor seems to me perfectly applicable to a PC in one's livingroom which is only intermittantly connected to the internet. But when you connect a device to the internet, especially when the connection is permenant, doubly so when it is registered in dns, that device becomes part of the internet. So to my mind, running httpd on such a device is much more than installing a door or a window in the side of your house; to my mind it's much more like rolling out a red carpet and hiring a barker to attract passers by.

At home, I run my wireless access point as an open node in a gesture of neighborliness. I could have called it "B-myGuest" or something, but otherwise, the 802.11 protocol provides no mechanism for explicitly inviting people (or machines) to make use of it. I have to rely on people's assumption and recognition that the absence of a lock is an implicit invitation.

This is generally true of any SERVICE you OFFER on a device you have made part of the cloud of such offers by connecting it to the internet.

I think a much better analogy would be to say that a device connected to the internet is like a card table at a bazzar, and that if you set up your table at the bazzar, make a picher of lemonade, set out a stack of paper cups, put up signs saying "Open All Hours" and "Help Yourself", then pour youself a cup and walk away, you ought not then be allowed to come back hours later and subpoena the surveilance video from the ATM across the street in order to learn the identities of the people you're accusing of stealing your lemonade.



[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/463/34885#34885