Date: Tue, 6 Nov 2001 01:10:05 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Anthony Atkielski" <anthony@atkielski.com>, <questions@FreeBSD.ORG>
Subject: RE: Lockdown of FreeBSD machine directly on Net
Message-ID: <000201c166a2$d2ed80c0$1401a8c0@tedm.placo.com>
In-Reply-To: <00cc01c165f5$824a8800$0a00000a@atkielski.com>

>-----Original Message-----
>From: Anthony Atkielski [mailto:anthony@atkielski.com]
>Sent: Monday, November 05, 2001 4:29 AM
>To: Ted Mittelstaedt; questions@FreeBSD.ORG
>Subject: Re: Lockdown of FreeBSD machine directly on Net
>
>
>Ted writes:
>
>> ... you're making a mistake if you assume that
>> crackers all operate off a cost-benefit basis.
>
>The ones with the resources to crack seriously secure systems don't have
>much choice but to consider cost vs. benefit, as such resources are quite
>expensive, and even the richest organization cannot afford to allocate
>them with no regard to potential benefits. There may be kiddie crackers
>out there willing to dedicate all their time and energy to breaking into
>an arbitrary system, but they don't have the hardware necessary to, say,
>factor an RSA modulus, so they'll never get very far.
>

I don't care how much money you throw at a security crack, what counts
is the persistence. And this is something that money can't buy, and it's
something that amateur crackers can get, if they are self-disciplined.

For example, recently my cell phone was stolen out of my car - I left it
in the car overnight while it was parked in my driveway. Well, I happen
to own a house in a city area where there's a lot of petty theft and so
I'm well aware of the problem and so I can count on the fingers of one
finger the number of times I've left the phone overnight in the car over
the past 5 years. But, the fact is that the one time in some 2000 days
that I forget and leave the phone in the car, it gets stolen.

There is only ONE POSSIBLE way that this can happen. Simply put, this is
that EVERY SINGLE NIGHT FOR THE PAST 5 YEARS there has been some petty
criminal that has walked by my house at 2 am and peeked in the car,
looking for something to steal. In fact, most likely there's a number of
petty criminals that look EVERY NIGHT.

You simply cannot buy that kind of persistence for any amount of money.
The only way that it comes is if the person doing the breaking and
entering is totally dedicated to breaking and entering, and thinks about
it and works on it every single waking hour and day of his life. You
can't get that kind of dedication from a professional, it simply isn't
there. It only comes from those 1-in-1000 amateurs, like your "script
kiddies".

The crackers that an organization has to really fear aren't the
governmentally funded professionals that have million dollar budgets,
like you're implying. Those can easily be offput by a cost-benefit kind
of defense. I mean, it's laughable to think that the professional
crackers are really any good - if they were then the US Government would
have killed bin Laden years ago. Anyone can see this.

The crackers that an organization really has to fear are those
one-in-one thousand amateur "script kiddies" that get a bug up their
assholes and spend their lifetime attempting to gun you. Those are the
folks that simply will try attempt after attempt, no matter how futile
it is, for years and years and years and years, every single day and
every single hour of their lives. Ultimately they will get you because
normal people cannot be 100% vigilant all the time, and one day the
target is going to make a mistake, and when that happens the fanatic
cracker is going to be right there and make his kill.

Look at the people that blew up the twin towers. They were ordinary
people. They didn't have million dollar budgets. What they did have was
fanatical persistence over a period of almost a generation. Two decades
ago they got a bug up their butts to blow up the WTC. They first tried
it with a bomb in the basement. That failed but they simply didn't give
up. Instead they just kept working at the problem, for years and years
and years until eventually someone screwed up and they were right there
at the hole, exploiting it.

>> Sometimes people decide to be assholes and
>> attempt to gun you just because they are
>> assholes, and they don't care how long it
>> takes or how much trouble it takes to do it,
>> or what happens to themselves while doing it.
>
>For the same reason (namely, an antisocial behavioral pattern), they
>usually never have access to the tools needed to break into really
>secure systems.
>

But that's assuming that those "really secure systems" stay really
secure forever, and that's just simply an invalid assumption. All
systems wear out and get replaced. Software all gets upgraded. People
quit and are replaced by new inexperienced hires that don't completely
understand protocols. People get in a hurry and skip security steps.
Interiors get redecorated with new carpets and someone blocks open a
door. Things _always_ change and people _always_ make mistakes.

Ultimately during one of those changes someone is going to screw up and
create a hole, even if it's for only a day. If that system has a fanatic
who has devoted his life to gunning it, then at that time, the system
will be cracked, simple as that. It doesn't take a million dollars. All
it takes is persistence.

>You could compare it to many other domains, such as drag racing or
>something.

Well, as I used to drag race as a hobby this should be interesting...

>While some hotheaded young males may be willing to devote their lives to
>building the ultimate dragster, their tempers and instability and
>generally dysfunctional personalities prevent them from ever earning or
>gaining access to the resources required to actually build the ultimate
>dragster. Instead they spend their lives tinkering with whatever pieces
>of junk they can collect for nothing or for whatever meager funds they
>manage to acquire. Such people are more of a nuisance than a serious
>threat.
>

Well, for starters the drag racing community is set up to keep those
people from ever getting anywhere for good reason.
It's extremely dangerous to get in a drag racer, even ET bracket racing,
when the fellow in the next car to you has a temper and is unstable.
Races with people like that have been known to end halfway down the
track in a collision caused by one car veering into the other.

I've been in lots of ET pits where one of the racers saw something in
another car that he didn't like and 15 minutes later there's a group of
officials surrounding the car and putting the driver off the track.
You're wasting your time if you think that they are going to let you
bring a piece of junk with shit falling off it onto a drag track.
Hotheaded young males with tempers and dysfunctional personalities can't
spend their lives tinkering with junk they collect for nothing because
they are shortly banned from all the tracks in the area.

But, on the other hand I have seen racers consistently win drag races,
at least ET brackets, with meager funds. Once again, what's required is
persistence. ET races are won by the most consistent racers, and if a
fellow has meager funds and wants to win drag races, all that is
necessary for him to do is show up every week at the track during racing
season, for 5-10 years. At the end of that he will have had so much
practice that he can easily be consistent enough to win. Indeed, the
reason that I stopped racing wasn't the money at all, it was simply that
once I realized what kind of a time commitment it would take to be any
good at it, I felt like I was wasting my time to only show up once a
month or so.

Anyway, the moral to be learned here is that the second you start going
down the "cost benefit" reasoning when it comes to security, you're
wasting your time. It's the same logic that the airlines used when they
ran out and hired all those security scanners at minimum wage, and the
results are no different than if they simply didn't bother having
security scanners at all.

Ted Mittelstaedt tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message