--- Nick Borisov <[EMAIL PROTECTED]> wrote:
> [...] Allowing an intruder to deal with your
> system even one extra minute may lead to tremendous losses depending
> [...]
> :-)

OK.. Let's see, if I understood this right:

1 minute <-could be-> 1 tremendous loss
50 minutes <-could be-> 50 tremendous losses

But what if a system just contains 5 tremendous chunks of secrets? Then it would not matter if we catch the attacker after 50 minutes or after 51 minutes... Even if we had a preparation time (before the loss starts) of 10 minutes (e.g. to install an evil kernel)...

According to my experience, attackers are not caught so quickly (and how should one do it? If the software is bad, then every connection could be evil; and of course even unusual connections (e.g. IP was never seen before or very high traffic to a single IP) could be good).

I know personally of a case where somebody (mis(?))configured an NFS service (maybe it was a honey-pot, or so?), so that everyone had read/write access as _root_. It was possible to transfer about 20MB of data over about one hour from a single IP that was never seen there before... The carrier of the system was a research centre (that works for several departments of the federal GERM government) with its own specially trained network/security administrators and a little nuclear power plant...

-Arne

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security