On Fri, May 25, 2001 at 01:19:45PM -0700, Eric Robinson wrote:

> So I stand at least partially corrected. I should not have advised Nontakorn
> Roongphornchai to eschew reformatting his hard drive without qualifying
> myself thusly: If you think your server may have suffered effects beyond the
> ones analysts associate with the "fuck USA" attack, or you simply cannot
> afford to take the chance, then by all means, rebuild from scratch.

You're still looking at this from the wrong angle.

You're saying, "Unless you know the attack was more than the one
outlined in the CERT advisory, patch and replace the affected files."
In other words, you are *assuming* you know the extent of the
compromise.

We're saying, "Unless you know the attack was *nothing more* than the
one outlined in the CERT advisory, rebuild from scratch."  In other
words, we are stating that we do *not* know the extent of the
compromise.

Your point of view relies on an unproven assumption, and the amount of
work required to prove that assumption is great -- greater than the
amount of work involved in wiping and starting from scratch.

You are advising someone to trust an altered system when they do not
know (even if they suspect with good cause) the extent of the
alterations.  This borders on the willfully negligent.

-- 
Devin L. Ganger <[EMAIL PROTECTED]>
find / -name *base* -exec chown us:us {} \;
su -c someone 'export UP_US=thebomb'
for f in great justice ; do sed -e 's/zig//g' < $f ; done
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
