I have now had time to read up on all of the posts that I have been to
busy to read for the last week or so. So, it is now time for me to open
my big mouth:
Paul Lussier wrote:
>
> In a message dated: Wed, 21 Jun 2000 12:09:20 EDT
> "Jerry Feldman" said:
>
> >There are a bunch of very good issues raised. In an engineering
> >environment, the engineer frequently needs to test on his/her own
> >system. Many times there is a need for the engineer to have thew ability
> >reconfigure the system as necessary without bothering the system
> >admin people. Outside of this environment, there is usually no need for
> >users to have special priviledges. The issue should be "if you modify a
> >system, you must take responsibility for that".
Two points here:
1) No, engineers do *NOT* "need to".. Engineers *WANT* to. Testing is a
lab function. Therefore, the box that they are testing on should be in a
lab that is not connected to the rest of the network. There is a big
difference. So far, all of the people who are saying that root needs to
be shared have proven themselves wrong. Jerry and Bob have both stated
that it would be "an inconvenience to not have root". Well, if you can
say that it is an inconvenience, then that means you already know that
it can be done, you just don't want to spend the time or the effort to
do it.
If an engineer develops something, stores it on a system that is then
compromised, and the product is stolen by a competitor and patented,
then what has the engineer done? The engineer has been completely
unproductive. They have not developed a thing, they haven't improved
time-to-market, and they have not shown any reason to be employed. But
what they will do when they find out: Blame the sysadmin for not
securing the network. Been there, seen it happen. When personal
convenience overrides the security of the company, it's time to sell out
the stock options and move on to a new company.
2) Personal responsibility is a really nice theory in this day and age.
However, since the box they are testing on is connected to the CAT5, the
CAT5 is connected to switch, the switch is connected to the router, and
the router is connected to the firewall, then that engineer that is
arrogant enough to demand root needs to take responsibility for
EVERYTHING that that system affects. When they misconfigure a system and
cause a data storm and bring down the network for an entire company,
THEY need to fix it. When the system is misconfigured and causes an IP
conflict with the webserver and their company loses web-presence, THEY
can fix it... Basically, it's nice to say that the engineer will be
responsible for fixing the box that they break, but how about everything
else that they break because of it. Neither the world nor the network,
begins and ends at the corners of an engineers desk.
>
> Kevin Mitnick supposedly caused DEC (supposedly) huge monetary damages. He
> would not have been able to do so had the network been properly secured. Now,
> I'm not maintaining that some engineer requiring root access is to blame, but
> I am trying to show an example of how easily networks are compromised.
>
Actually, I will say that an engineer *WANTING* root WAS to blame in the
Mitnick case. Kevin Mitnick's forte was not cracking, but rather, social
engineering. He would call a company (such as DEC, Motorola, Sun, etc.)
and pose as an engineer working off site. He would ask for the root
password to a server, router, or whatever because he needed to fix
something. Since it was common practice in these companies to give out
the root password, they didn't think twice about giving it to him. It
wasn't good cracking that got him in, it was poor security.
> Also, I find it interesting that an individuals personal needs seem to always
> over-ride the greated good of the company. Does no one ever think about
> what's more important in the long run anymore? Do people just not care?
> I'm really curious about this. In a day and age when our personal privacy is
> constantly being invaded and stripped away, I find it amazing that people are
> more concerned with things that inconvenience them than what is the "right"
> thing to do for everyone or how can they change the way they do things to make
> they're life a little more secure.
Again with the needs thing. It is actually very basic: people want what
they want, when they want it, and they like to think that they are
important enough to demand and get it. Engineers, managers, Vice
Presidents, etc. Security is something they pay someone else to worry
about. It's a marketing thing. They want to be able to tell customers
that they are secure so they will be trusted. "It's good PR to tell
people that you are secure, but in practice, it just get's in the way"
(a quote from a senior vice president in company that shall remain
nameless).
> DEC (or Compaq) I'm sure is like any other company out there, where
> time-to-market is the most important thing above all else. However, what
> would have happened had Sun gotten a hold of the plans for Alpha early on and
> copied the designs? Would that have cost as much as securing the network
> environment?
Time to market is great. But again, what happens when you go to market
only to find another company has patented your product? But the
engineers will take responsibility for that. REALLY they will ;-)
> Or, on a personal note, how would any of you feel knowing that anyone in the
> entire company could read all your e-mail, incoming and outgoing, access all
> the files in your home directories without you knowing about it? Do you keep
> any personal information on you system you'd rather others not know about?
> Anyone have a Palm Pilot they sync with their system at work? It's simple for
> root to access those files, copy them somewhere else and install them on
> another pilot elsewhere. Hope you don't store any banking information on your
> pilot, or social security numbers. :)
Well, maybe Paul hopes that you don't keep social security numbers,
credit card info, or baking info on your computer, but the crackers hope
you do ;-)
> Hmm, not using ssh? tcpdump or ethereal on any Linux laptop is great for
> accessing passwords across the network.
Again, been there, done it. It's amazing how many people still use the
month and year as their password. Which is another point of security
contention. People complain that they don't want an 8 character password
that expires in 30 days and locks them out after 3 bad attempts because
it's inconvenient. Well, passwords in general are inconvenient. So,
since the argument is that not having root is inconvenient, therefore we
should give everyone root, I suppose we should do away with passwords
all together. Authentication is such a pesky waste of time.
> I'm not trying to be the BOFH, rather, I'm trying to point out that security
> does matter. Even if the likelihood of someone maliciously attacking your
> internal network may seem slim, there are those who are untrustworthy, and you
> never know who they are.
The chances may seem slim, but I will go on record as saying that the
chances are pretty good that your network will get cracked. Especially
since the majority of corporate espionage comes from the inside. Also,
just because no one defaced your website, it doesn't mean that you
haven't already been compromised. A good cracker won't make any noise.
They will simply ciphen money, information, or data out of the company
without a sound.
> By the way, we as sysadmins have a job to do too. And let me tell you,
> securing a network is a major P.I.T.A, and a huge inconvenience too, but we do
> it because it's the right thing to do and because we care more about the
> greater good than our own personal inconvenience.
Well, I've only had the title of "SysAdmin" for a few months now. Before
that I was a security analyst for a large financial company. It was my
job to make sure that our systems and networks were secure. And, just
let me say that it is no simple task to explain to a high-ranking
company officer why it is NOT ok to give out his password. Security
isn't easy. It's not even fun most of the time. Generally, the majority
of time is spent attempting to explain why something is for the good of
the company and the protection of the user. It's sort of like trying to
explain to a 3 year old why they can't drive the car.
Just my Loud Mouth Opinion,
Kenny
--
Kenny Lussier
Systems Administrator
Mission Critical Linux
***********************************************************
It is by Caffeine alone that I set my mind in motion-
It is by the beans of Java, that my thoughts acquire speed-
The hands acquire shakes; the shakes become a warning-
It is by Caffeine alone that I set my mind in motion..."
***********************************************************
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
