
Re: [cobalt-security] RE: 'On my Soap Box'



On Tue, 6 Mar 2001, Mark Anderson wrote:

> In fact the opposite is true - there is such
> a wealth of information available that admins have no excuse
> for having bad security. To be a good hacker/cracker (choose
> your media buzzword)

There is a difference between the widely accepted definition of 'hacker'
and that of 'cracker', you know.

> the attacker has to have a level of skill
> and knowledge that exceeds that of the admin.

There are other issues to take into account though.  For example, after
the bind problems came to light, it took Cobalt 3(?) days to get upgraded
.pkg files out (please note I'm not having a go at Cobalt here).  During
those three days, many RaQs and Qubes all over the net remained
vulnerable.  More knowledgeable(?) admins had compiled their own
replacements the minute they heard about the problem, but many admins
don't know how to wield a "./configure ; make install".  I think that this
problem is more widespread on Cobalt machines, as they're sold on a 'you
can administer it all through this web interface' basis.  I know of a lot
of people who got a harsh lesson in reality during those days, either by
getting their machines compromised, or by being forced to learn admin
tasks they hadn't originally thought they'd need.

> An attacker sees the same mail on Bugtraq and tries it on a few
> machines to see what he can get with a little effort. Not only
> is it likely that the exploit code will have been gutted and
> cease to actually work, but the attacker would need an equal
> skill level as the original coder to fix it.

I'd say that that depends on how badly the code's been gutted ... but
aside from that, I don't think that most script kiddies are in the habit
of collecting code from bugtraq.  They let someone else do the hard work
(be it writing the exploit or correcting kludged code) then they just
point and root.

> What I'm trying to point out is that protecting a server is
> fall-off-my-chair-laughing easy. However to be a remotely good
> attacker, it takes time, skill, intellect and a few drops of
> luck.

I take issue with that point in its entirety.  For a start, not all bugs
get posted to BugTraq straight away .. how can you patch against bugs
you're unaware of?  Even given that you know that a vulnerability exists
and needs patching, it's only easy to you because you're familiar with
Linux.  As I think everyone on this list should be painfully aware, it
can take no skill at all to be an effective cracker.  Kits such as Ramen,
which are self-propagating, are a case in point.

The bottom line that it all comes down to is (and this is quoted from a
source I don't remember) that the admin has to be lucky all the time, the
cracker only once.

To take a better known quote to finish .. "Your confidence is your
weakness".

John