Date: Tue, 29 May 2001 16:38:44 -0700 (PDT) From: Matt Dillon <dillon@earth.backplane.com> To: Robert Withrow <witr@rwwa.com> Cc: Seth <seth@psychotic.aberrant.org>, Vivek Khera <khera@kcilink.com>, stable@FreeBSD.ORG Subject: Re: adding "noschg" to ssh and friends Message-ID: <200105292338.f4TNciU32058@earth.backplane.com> References: <200105292324.TAA73334@ns1.rwwa.com>
next in thread | previous in thread | raw e-mail | index | archive | help
:
:
:dillon@earth.backplane.com said:
::- Putting on my security hat... no. All you are doing is forcing
::- the hacker to use some more obscure and possibly less detectable way
::- to compromise the machine. So, in fact, you could be making the
::- problem *worse*.
:
:Maybe your security hat needs cleaning? The whole game is played by raising
:the cost of hacking. Using your theory, we should eliminate all passwords.
:*Then* we'd be pretty sure no hacker would trouble himself by using any
:obscure hacking methods. (Of course, that would be like windows, wouldn't
:it?)
No, I didn't say that at all. Using my theory, you don't eliminate all
passwords, you move them off the machine (e.g. move to NIS or something)
so if a hacker breaks into your multi-user box with a compromised password,
he has no way to get the *REST* of the passwords (crypted or not) and
break them offline. So moving the passwords off the machine (or removing
them) accomplishes something real.
Setting schg on a file does not. You think this would slow a hacker
down? You think it's raising the bar? It might raise the bar a millimeter
or so if the hacker is even more stupid then your typical script kiddie.
Otherwise, no.
A prudent sysad implements security features that actually have a
reasonable effect. Setting schg on a file doesn't. It might give
you a false piece of mind, but it will have no positive effect and
almost certainly have a major negative one.
At BEST we monitored hackers all the time. Do you want to know what
they did when they got frustrated? 'rm -rf /' is what they did...
fortunately, at BEST, the only times they did that was when they
couldn't break root so all they did was wipe the user's account. Once
a hacker breaks root, all you can do is mitigate the damage... but
before you can mitigate it, you have to *detect* that your machine
has actually been compromised. The easiest way to detect 98% of
compromised machines is to locate modified binaries or new suid
binaries. Take that away and you've just blown 98% of the effectiveness
of your security system.
-Matt
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200105292338.f4TNciU32058>