
[cobalt-security] RE: 'On my Soap Box'



> Did I not say that 'security through obscurity' was a bad thing?
> And that being paranoid was the way to do things?
> Sorry Mark, I fail to see what your argument is here. You've 
> basically agreed with exactly what I said in the first place!

No I haven't.

You claimed that little to no intelligence was needed to root
an online server (assuming basic skill levels for admins). This
is just not true. In fact the opposite is true - there is such
a wealth of information available that admins have no excuse
for having bad security. To be a good hacker/cracker (choose
your media buzzword) the attacker has to have a level of skill
and knowledge that exceeds that of the admin.

Example:

A vulnerability is documented on Bugtraq. I update the software
mentioned, with a patch or fresh install of latest version. Problem
solved. 

An attacker sees the same mail on Bugtraq and tries it on a few
machines to see what he can get with a little effort. Not only
is it likely that the exploit code will have been gutted and
cease to actually work, but the attacker would need an equal
skill level as the original coder to fix it. 

What I'm trying to point out is that protecting a server is
fall-off-my-chair-laughing easy. However to be a remotely good
attacker, it takes time, skill, intellect and a few drops of
luck. 

Do you see where we disagree now?