[VaporWare] adding PSAD to Kindles

[knc1]

I added the [VaporWare] tag to the title before someone else raised the point.

The BBB (Block Big Brother) firewall is the predecessor of a more sophisticated firewall for protecting the Kindles from network intrusions.

The BBB firewall may be all that the majority of users need and/or want.
But for others - the future will be kWall (Kindle Firewall), which (**should**) share the BBB firewall structure.

The question to be discussed in this thread, is if an automatic, dynamic, intrusion detection system should be included with either of the firewalls (BBB or kWall) for the Kindles.

The PSAD (Port Scan Attack Detector) is described here:
http://cipherdyne.org/psad/

(And since I worked on that project in its early days, this is not as much 'vaporware' as it might at first seem.)

[twobob]

"You must spread some Reputation around before giving it to knc1 again."

Unless I do it myself.

Assumption: Safety > inconvenience

Likely end user inconvenience: minimal to none.

PSAD space additions
Initial setup efforts
any usage learning curve or maintenance requirements
additional space overheads

This pathetically inconsequential list would comprise the only inconveniences I can think of at present, no doubt a troll could bring more food.

Compared to that let's consider the
Advantages:

Although PSAD may be a corner case for the average "live on the bookshelf/bedside" Kindle, there will be those who need this and don't know it or need this and don't have it.

In all three cases I see no ACTUAL downside. Other than the "I don't think I need it" people seeing it as wasted time. Well... Horse to water and all that.

Conclusion:

Thus I would utterly recommend ANY well thought-through piece of intrusion detection/prevention and or "security enhancement" software/configuration from a long-time track-record proven industry professional.

It's a no-brainer.

Solid thoughts and work! Shiny things abound!

[knc1]

At the moment, Kindles have a "closed door" policy towards NEW, incoming packets.
But as soon as we start changing that by allowing incoming service connections - -
Then the world will start trying to take advantage of that 'hole' in the firewall.

So I know I am preaching to the choir in the case of anyone who has run a computer service on the 'net.
But for those other folks, who don't know that they need it . . . .

For those who only have e-books on their Kindle, they might not mind if the world borrows a copy.
But for those who have PRIVATE information on their Kindle, this is a serious consideration.

[twobob]

TBH for the VAST majority of people. That "closed door" is a Good Thing™.

Since the proxy protects the 3g and a home router generally at least prevents casual browsing of the average open port DMZ side again - in the main - people are inherently protected, by their own design or that of prescient "others" involved in the decision making process; the process that ultimately governed the overall "fabric" in which the less knowledgeable user would just use their device "As-is".

The same level of protection can't be said of an "out-and-about" kindle. Once one starts to punch holes and then wanders in with the madding crowd at a shared Café or some such... all bets are off and you better known your onions - or know someone who already did that work for you.

"Ways the hurt the Kindle", shall I count the ways? No. Of course it can be done.

Can the Kindle be abused and attacked "Yes, but your home windows laptop is WAY more at-risk"

Should one consider using this? Honestly? I will be once the dust settles on a solid config. Why wouldn't you?

Thanks.

[knc1]

The current USBnetworking policy, as recommended in the README_FIRST.txt file and supported in the scripting, is too use only pub-key authentication over Wifi.

Ah, but guess what is the most popular port in the world to attack:
(ssh == port 22, telnet == port 23):
https://isc.sans.edu/top10.html

And port 21 (ftp) gets at least an honorable mention.

(Click the port numbers in that summary report for details.)