
Re: [cobalt-security] RE: 'On my Soap Box'



On Tue, Mar 06, 2001 at 03:08:27PM +0000, Mark Anderson wrote:
> > Did I not say that 'security through obscurity' was a bad thing?
> > And that being paranoid was the way to do things?
> > Sorry Mark, I fail to see what your argument is here. You've 
> > basically agreed with exactly what I said in the first place!
> 
> No I haven't.
> 
> You claimed that little to no intelligence was needed to root
> an online server (assuming basic skill levels for admins). This
> is just not true. In fact the opposite is true - there is such
> a wealth of information available that admins have no excuse
> for having bad security. To be a good hacker/cracker (choose
> your media buzzword) the attacker has to have a level of skill
> and knowledge that exceeds that of the admin. 
> 
> Example:
> 
> A vulnerability is documented on Bugtraq. I update the software
> mentioned, with a patch or fresh install of latest version. Problem
> solved. 
> 
...and of course, as we all know, bugs and exploits only work once published
on Bugtraq. Because exploits have to be approved by the Bugtraq team before
crackers can use them.


> An attacker sees the same mail on Bugtraq and tries it on a few
> machines to see what he can get with a little effort. Not only
> is it likely that the exploit code will have been gutted and
> cease to actually work, but the attacker would need an equal
> skill level as the original coder to fix it. 
> 
True, in a fashion. If one reads Bugtraq and the like regularly and is
quick on installing the new (S)RPMs, one is fairly secure from script
kiddies and the like. But it's *not* an "I read Bugtraq, I'm invincible"
world out there.

> What I'm trying to point out is that protecting a server is
> fall-off-my-chair-laughing easy. However to be a remotely good
> attacker, it takes time, skill, intellect and a few drops of
> luck. 
> 
...as I said, keeping script kiddies out isn't that hard. Keeping someone
out who really wants to get your server is. 


> Do you see where we disagree now ?

Do you see what a foolish show you're putting on? You're claiming that it's
*easy* to secure a server and keep it that way. It isn't. The only secure
server (as has been said often, but obviously not often enough) is a box w/o
any means to access it. I may be stressing the point, but you're just
talking about "1337 5(r1p7 |<1dd135", and even with them you may be too
slow one day.

Regards,

Felix

-- 
-----------------------------------------------
    Felix Schüren, e-mail: fs@xxxxxxxxxxxxx
     Leitung Technik/Systemadministration

ONE-2-ONE Advertising + Telecommunications GmbH
Theodor-Heuss-Str. 92-100, 51149 Koeln, Germany
Telefon (01805) 6632-66 Telefax (01805) 6632-33
info@xxxxxxxxxxxxx     http://www.one-2-one.net
Geschaeftsfuehrer:Mike Behrendt,HRB 28495 Koeln