hi ya john

On Wed, 26 Jun 2002, John Galt wrote:
> On Wed, 26 Jun 2002, Alvin Oga wrote:
> >
> >if an attacker got in ... as a user .... game over... they got in ???
> >     - question is what damage can they do as "user" ...
> 
> that's what happened--the EPIC hole gave user.  monkey.org (Dug Song) was 
> using standard security practice at that point, it's just for 
> convenience's sake, the user had a few things screened, including a 
> rootshell, probably because of the traditional Conventional Wisdom of not 
> permitting any remote logins of root.  I find this kind of ironic in 
> another sense, as Dug Song is the author of a Man in the Middle tool that 
> works against older SSHes....

think some folks are "better" targets ( or rather a more visible target )
than relatively anonymous machines at home on dsl or att cable ??? 

> >if an attacker get in the same way as root...  game is really over...
> >as they now have complete control of your machine..
> >     - i prefer to disallow root logins... 
> >
> >( assumption in the above is that they can get in thru an existing
> >( vulnerability .. either as root or a user ..
> > 
> >-- patch the original vulnerability .... fix it first ...
> >     worry about the "follow-me around folks" later ...
> >     ( like those in the van outside your home/office listening
> >     ( to the wireless connections...

humm .. bad choice of words ... lots of places to "fix vulnerabilities"
not just "patching" apps...

> This "wisdom" is where things start to fall flat.  The only successful 
> security approach is layered--don't run unnecessary services, patch things 
> immediately, use strong authentication wherever possible, and maintain 
> strict separation of privileges via ACLs, capabilities, or other methods.

yupp.. more the merrier ... wish i could play more with different
stuff for experimenting and watching what happens 
  
> other layers can include external things like IPSEC, switched networks, 
> firewalls, and such.  The most obvious rule here is don't rely on any one 
> layer.  Your above statement really relies on the patch vulnerabilities 
> layer, which means you violated the obvious rule.

wasn't meant to violate the "obvious rule"...but yes... more things and
more layers... more bends.. more curves.. more traps the merrier  ..
which requires more time too and more $$ too ...

        i like to split all that up into...per their budget...
        - 5 minute security precautions..
        - 5 hr security precautions.. good enuff for most ...
        - 5 days security precautions.. better for most ...
        - 5 weeks ... hummm...type slow and explain a lot to them ?? 
        - but no matter which ...its always ongoing...

job security !! until you lose one big battle with one good [cr/h]acker...

have fun
alvin
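As an added example (not from the thread), a small Python checker for the "disallow root logins" layer Alvin mentions. It assumes current OpenSSH semantics (first value of a keyword wins; every directive after a `Match` line is scoped to that block; `PermitRootLogin` defaults to `prohibit-password`) and runs against a constructed sample config, not a real host's.

```python
"""Audit an sshd_config for the 'no remote root login' layer.

Assumptions (current OpenSSH): for each keyword the FIRST value seen wins,
and every directive after a 'Match' line belongs to that block until the
next 'Match', so a PermitRootLogin placed after a Match block is silently
scoped to it.  PermitRootLogin is assumed to default to prohibit-password.
"""

DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"   # assumed server default

# Constructed sample config for the demo; not taken from any real machine.
SAMPLE_CONFIG = """\
Port 22
PasswordAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin yes
PermitRootLogin no     # looks global, but is scoped to the Match block above
"""

def parse_sshd_config(text):
    """Return (global_settings, match_blocks) using first-value-wins rules."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {"criteria": value, "settings": {}}
            blocks.append(current)
            continue
        target = global_cfg if current is None else current["settings"]
        target.setdefault(key, value)             # first occurrence wins
    return global_cfg, blocks

def audit_root_login(text):
    """Return findings as strings; an empty list means root login is disallowed."""
    global_cfg, blocks = parse_sshd_config(text)
    findings = []
    prl = global_cfg.get("permitrootlogin", DEFAULT_PERMIT_ROOT_LOGIN).lower()
    if prl != "no":
        findings.append(f"global PermitRootLogin is '{prl}', expected 'no'")
    for block in blocks:
        bprl = block["settings"].get("permitrootlogin")
        if bprl and bprl.lower() != "no":
            findings.append(f"Match {block['criteria']} re-enables root login ({bprl})")
    return findings

if __name__ == "__main__":
    for finding in audit_root_login(SAMPLE_CONFIG):
        print(finding)
```

The sample shows the trap the checker exists for: the `PermitRootLogin no` line only applies inside the `Match` block, so the global default still permits key-based root login and the block explicitly re-enables it.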


