From: "Deepak Jain" <deepak@ai.net>
To: "Erik Trulsson", "Anthony Atkielski"
Cc: "Ted Mittelstaedt", "FreeBSD Questions"
Subject: RE: Lockdown of FreeBSD machine directly on Net
Date: Tue, 6 Nov 2001 14:09:40 -0500
In-Reply-To: <20011106180650.A72863@student.uu.se>

Especially in the case of telnet -- For years telnetd was considered secure enough to be open to the world, and then all of a sudden it wasn't. No matter how secure you think your design is, there is no ability to predict/detect new holes that may appear in existing, stable applications. I don't have any doubt that the telnetd code was audited numerous times by numerous experts and still the bug wasn't recognized.

The most secure machine is the least useful machine. Conversely, the most useful machine is often the least secure.

IF you don't want your machine's data compromised, unplug it from everything, bury it in a vault in the desert somewhere and never go back for it.
Deepak Jain
AiNET

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG [mailto:owner-freebsd-questions@FreeBSD.ORG] On Behalf Of Erik Trulsson
Sent: Tuesday, November 06, 2001 12:07 PM
To: Anthony Atkielski
Cc: Ted Mittelstaedt; FreeBSD Questions
Subject: Re: Lockdown of FreeBSD machine directly on Net

On Tue, Nov 06, 2001 at 10:58:35AM +0100, Anthony Atkielski wrote:
> Ted writes:
>
> > I don't care how much money you throw at a security
> > crack, what counts is the persistence.
>
> In the world of IT, it is possible to apply perfect solutions to security holes.
> In other words, it is possible to build perfectly secure systems. It's
> expensive and requires people who are truly dedicated to making a system secure,
> but it is quite possible. And systems secured in this way cannot be cracked by
> any amount of persistence.

Not so. There is no such thing as 100% security. It is possible to build systems that are extremely secure, such that to make them even more secure would cost more than it is worth, and such that to crack them would require huge amounts of resources (time, money, people and/or hardware), but they can be cracked.

> Example: Telnet passwords. To log in with Telnet, you must provide the
> password of the account you wish to log into. No password, no access. No
> amount of persistence will force Telnet to let you in without the correct
> password. This protocol is thus completely secure.

This is a case where persistence is exactly what is needed to crack the system. One simply tries every possible password until one succeeds. Such an attack will of course take a very long time to execute, and any competent sysadmin should notice it fairly quickly if he/she checks the logfiles. Yes, you still need the correct password to get in, but what the attack does is to find it.
--
Erik Trulsson
ertr1013@student.uu.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
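Erik's point that a password-guessing run against telnet shows up in the logfiles, illustrated with an added example that is not part of this thread: a small Python check over constructed syslog lines in the style of FreeBSD login(1)'s "N LOGIN FAILURE(S) FROM host" message (the exact wording, the sample lines, the hosts and the thresholds are assumptions) that flags a source whose failures cluster inside a short window rather than trickling in.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. The message format is modelled on what login(1)
# records after a failed telnet session, but adjust LINE_RE to your own logs.
SAMPLE_LOG = """\
Nov  6 14:01:02 blood login: 3 LOGIN FAILURES FROM 203.0.113.5
Nov  6 14:01:20 blood login: 3 LOGIN FAILURES FROM 203.0.113.5
Nov  6 14:01:41 blood login: 3 LOGIN FAILURES FROM 203.0.113.5
Nov  6 14:02:03 blood login: 3 LOGIN FAILURES FROM 203.0.113.5
Nov  6 14:30:00 blood login: 1 LOGIN FAILURE FROM 198.51.100.7
Nov  6 14:45:10 blood login: 2 LOGIN FAILURES FROM 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login: "
    r"(?P<n>\d+) LOGIN FAILURES? FROM (?P<host>\S+)$"
)


def parse_failures(text, year=2001):
    """Yield (timestamp, failure_count, host) for each failure line.
    syslog omits the year, so the caller supplies it."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse "Nov  6" to "Nov 6"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, int(m["n"]), m["host"]


def flag_guessing(text, threshold=10, window_s=120):
    """Return {host: total_failures} for every source that accumulates
    at least `threshold` failures inside any `window_s`-second window.
    A sliding window over the sorted events keeps this linear per host."""
    by_host = defaultdict(list)
    for ts, n, host in parse_failures(text):
        by_host[host].append((ts, n))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        start, in_window = 0, 0
        for ts, n in events:
            in_window += n
            while (ts - events[start][0]).total_seconds() > window_s:
                in_window -= events[start][1]  # drop events that aged out
                start += 1
            if in_window >= threshold:
                flagged[host] = sum(c for _, c in events)
                break
    return flagged
```

With the defaults, 203.0.113.5 (12 failures in about a minute) is flagged and 198.51.100.7 (3 failures over fifteen minutes) is not; lowering the threshold or widening the window trades false positives for earlier detection.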