Date:      Tue, 6 Nov 2001 04:56:50 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Anthony Atkielski" <anthony@atkielski.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject:   RE: Lockdown of FreeBSD machine directly on Net
Message-ID:  <004d01c166c2$8063d780$1401a8c0@tedm.placo.com>
In-Reply-To: <001401c166a9$9b976120$0a00000a@atkielski.com>

>-----Original Message-----
>From: Anthony Atkielski [mailto:anthony@atkielski.com]
>Sent: Tuesday, November 06, 2001 1:59 AM
>To: Ted Mittelstaedt; FreeBSD Questions
>Subject: Re: Lockdown of FreeBSD machine directly on Net
>
>
>Ted writes:
>
>> I don't care how much money you throw at a security
>> crack, what counts is the persistence.
>
>In the world of IT, it is possible to apply perfect solutions to security
>holes.  In other words, it is possible to build perfectly secure systems.
>It's expensive and requires people who are truly dedicated to making a
>system secure, but it is quite possible.

I'm not arguing that, although all the security people are going to jump
down your throat because such a statement isn't true.  But I'll leave it
to them to explain that; I'm sure that they will.

>And systems secured in this way cannot be cracked by any amount of
>persistence.
>

Only as long as they remain completely static.  Assume for the sake of
argument that you start out with a perfectly secure system.  Well, if that
system contains any human component in it at all, you're screwed.  Humans are
unpredictable, and even when you have them checking each other there's always
the possibility of collusion.  Conditions change and people change, and
overall people make mistakes.

The most secure system is only as good as its weakest link, and humans are
pretty weak links.

>Example:  Telnet passwords.  To log in with Telnet, you must provide the
>password of the account you wish to log into.  No password, no access.  No
>amount of persistence will force Telnet to let you in without the correct
>password.  This protocol is thus completely secure.
>

There's a number of problems here.  For starters, Telnet is both an application
program and a protocol.  You're not making it clear which you're talking about.
The protocol itself may be perfectly secure, but what matters when you're talking
about server security is not the protocol, it's how it's implemented.  If that
is done wrong then the server is screwed.

>> And this is something that money can't buy, and it's
>> something that amateur crackers can get, if they are
>> self-disciplined.
>
>It is useless to them.  I suppose it dissipates their nervous energy, but
>unless they find someone who is running a system in an insecure way, they
>are wasting their time.
>

You are not going to find anyone that will guarantee that the most secure
system will never in its lifetime ever be run in an insecure manner.  The
cracker knows they may not succeed, ever.  But they also know that the chance
exists that even the most secure system will be run in an insecure manner at
some point.

>> You simply cannot buy that kind of persistence
>> for any amount of money.
>
>Sure you can.  The criminals who steal cellphones are persistent because it
>_pays_ to be persistent; they aren't doing it for fun.
>

But they also are not subject to the cost-benefit reasoning, because it's real
easy to show that it takes less effort to get a job and earn money the way
you're supposed to than by eking out a living stealing cell phones.  If they
were subject to the cost-benefit line of reasoning they would give up shortly
after starting their career stealing cell phones.  It's precisely because they
are willing to ignore the obvious - that they are working harder to steal cell
phones than by just getting a job - that they succeed in stealing them.

>> You can't get that kind of dedication from a professional,
>> it simply isn't there.
>
>Anyone who steals things in order to make a living for himself is a
>professional.
>

Sorry, but this isn't true.  A professional earns money.  Stealing is not
earning money.  Stealing is not "making a living".  Check your dictionary
definitions please.

>> It only comes from those 1-in-1000 amateurs, like
>> your "script kiddies"
>
>There must be a lot of amateurs in the world, if only one in a thousand has
>the persistence to steal your cellphone, and yet dozens of them pass your car
>each night.
>

The percentages are much different for petty criminals and computer theft.
There are a lot fewer fanatical crackers out there than persistent common
thieves.

>
>> I mean, it's laughable to think that the professional
>> crackers are really any good - if they were then the
>> US Government would have killed bin Laden years ago.
>
>Why?  No cracking is necessary in bin Laden's case, since he generally has
>not used much in the way of security to begin with (at least from an IT
>standpoint).
>

Cracking is necessary because his minions have been documented to regularly
use encrypted communication, a lot of it on the Internet.  If you're going to
assassinate someone you must know where that person is going to be at some
point in the future.  Therefore you must tap into the communications
infrastructure of the people that support bin Laden, so that when they plan
future locations for him to be at, you can set up the hit.

Of course, today the situation is too far gone because the support network for
the guy has all gone to ground and the reports are that they are shuttling him
around constantly.

>
>> someone screwed up and they were right there at
>> the hole, exploiting it.
>
>What hole?  They didn't compromise any security system that I'm aware of.
>

:-)  True because you can't call that piss-poor excuse for airport security
we have a "security system" :-)

>
>> If that system has a fanatic who has devoted his life
>> to gunning it, then at that time, the system will be
>> cracked, simple as that.  It doesn't take a million
>> dollars.  All it takes is persistence.
>
>So you reformat the disks and restore from a backup, and you're back in
>business, and your fanatic can spend another twenty years trying to
>compromise the system for a few hours again.
>

Unless of course, his compromise kills you.  Or perhaps the computer he breaks
into goes haywire and takes out the medical network in the hospital it's in.
No problem.

>
>> Anyway, the moral to be learned here is that the second
>> you start going down the "cost benefit" reasoning when
>> it comes to security, you're wasting your time.
>
>On the contrary, it's the correct way to manage a system.  For example, if it
>costs more to secure a system against intrusion than it does to just restore
>from backup if an intrusion occurs, then you can afford to be a little more
>casual about security, and if someone breaks in, well, you just restore
>everything and you're back in business.
>

Yes, this applies exactly to the airlines.  After all, all the airlines lost
when the 2 planes were flown into the WTC is 2 planes, and about 2.5 million
dollars X number of passengers.  (2.5 is the figure that the airlines used
on a per-person dollar figure when calculating how much they have to pay out
to survivors of passengers killed in a plane crash.)  That couldn't have been
much more than, say, half a billion?  And all covered by their insurance
anyway.

At least - that's the reasoning they used for not beefing up security.  Funny
how it turned out to NOT WORK when put to the test.

So what the hell if you run a computer on the Internet that's broken into by
spammers that use it to pump 2-3 million e-mail messages out to hosts on
the Internet?  It's only going to cost you a few hours of time to restore from
backup.  Fuck everyone else and all their hundreds of hours and thousands of
dollars of blown productivity and network time cleaning up after the spew.
It's not your time, so they can shove it up their ass.

I think your attitude towards security is a great one.  We should all see more
of it on the Internet.

>
>What's wrong with hiring minimum-wage security scanners?  All they need is
>persistence, not competence ... right?
>

There's been some news articles published recently that mention studies that
show a direct correlation between how well paid the security scanners are and
how much stuff they catch.  The better paid ones catch more things.


Ted Mittelstaedt                                       tedm@toybox.placo.com
Author of:                           The FreeBSD Corporate Networker's Guide
Book website:                          http://www.freebsd-corp-net-guide.com



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message



