Well Kathee, I don't normally join in on non-technical discussions, and my one-liner response was not intended to provide a podium for your extensive opinions. But, given that you began the discussion, debate rules allow me another response.

First of all, to the issue of my comment being "unfair". Perhaps so, here's why: To me the term "script kiddie" doesn't mean someone who won't try to get answers on their own. I think of a script kiddie as a less-technical hacker/cracker. Someone who can use tools to exploit a system, but may not understand how the tool works and cannot write or create such a tool. I guess my definition is wrong. But in the context of Nessus scanning through a firewall, I read your comment to suggest that I was helping someone find compromisable systems for the purpose of exploitation. Hence my response that security through obscurity is the wrong approach.

That said, as has already been mentioned, there are plenty of good reasons why people post questions that they might eventually answer through other means. I don't judge someone harshly for asking a question, however simple. In fact, I applaud anyone who looks to their peers or superiors instead of unproductively spinning their wheels.

Meanwhile, you are just off-base for criticizing a correct answer to a posted question. Would this list be better off with more questions going unanswered? I think not. I don't know how long you've been a member of the list, but I did check the archives and it seems going back to Sept 1 you have not posted before. For someone so resourceful and talented, it's a shame your first (or rare) posts are of trivial content. Perhaps in the future you can contribute to the greater good of the list rather than the greater noise level.

I apologize to the rest of the list for also enhancing the noise level with this post. Other than to answer direct questions, or correct misstated facts, I won't be responding on-list to further debate on this topic.

Carl

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of kathee
Sent: Saturday, October 12, 2002 4:30 PM
To: [EMAIL PROTECTED]
Subject: Security by obscurity (was RE: How do you run nessus against a network you can't ping?)
Hello,

Actually this is an unfair statement (from your email below). I have learned everything I know about security (and nessus) by playing. I never once asked how to compile or run a test. I learned by examining everything there was to know about how it worked. There is enough online and built-in help to provide this.

I have *never* been *for* security-by-obscurity, I simply disagree with script-kiddies and people who claim they are security people and yet can not read online help. Or worse, they try to run a tool like nessus and really don't understand how to work with TCP/IP and networking in general. They simply want to be the first at their "school" to break into something.

I have met and worked with "wanna-be" security people. They want everything provided to them on a silver platter. If it is not as clear as black and white, then they go no further and assume it does not work. They don't want to know HOW something works (the mind of a hacker is that we want to know HOW it all works), they want someone else to do the work and they then use the tool for whatever.

A simple example -- for lots of $$ you can purchase a lock-pick gun, which can pick many types of locks with a simple (not quite that easy, but ...) pull of a trigger. However, a real pro, who uses a tension bar and an actual pick set is more of an artist and can open almost anything. They know when to walk away (Medeco locks for example) or when to try another technique (break a window). Someone with a "gun" however, just keeps trying until someone tells them that they are doing it wrong and shows them how to do it. They have learned nothing.

Or better yet, when I was 13 years old, I took my father's stereo apart because I "wanted to know where the sound came from..." Rather than getting mad, he simply said, "It better work when you put it back together." and left me to do so. I learned that "learning" (figuring it out) was more than half the fun!!! And yes it did work when I put it back together.

Security by obscurity is bad, but so is "spoon feeding". Learn for the sake of learning -- gather knowledge and improve yourself. If you run into a brick wall, try and chisel through it before asking someone else to do it for you.

Oh well... just my opinion and I am sure I will be blasted for it, for one simple reason -- it goes against what the script-kiddies believe. They use the "security by obscurity" as a smoke screen to blame us, instead of themselves...

ciao
Kat

On Sat, 2002-10-12 at 12:57, Carl Houseman wrote:
> Why do we cling to security through obscurity?? *sigh*
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of kathee
> Sent: Saturday, October 12, 2002 12:55 AM
> To: [EMAIL PROTECTED]
> Subject: RE: How do you run nessus against a network you can't ping?
>
>
> Why do we teach people how to be "script kiddies"?? *sigh*
>
>
> On Fri, 2002-10-11 at 15:00, Carl Houseman wrote:
> > Under "Ping the remote host", configure TCP Ping with the ports that are open to hosts inside the firewall.
> >
> > Carl
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Friday, October 11, 2002 12:49 PM
> > To: [EMAIL PROTECTED]
> > Subject: How do you run nessus against a network you can't ping?
> >
> >
> > The default configuration for nessus fails against
> > networks with firewalls that do not admit inbound
> > pings. We learned this last night.
> >
> > Is there a way around this?
> -
> [EMAIL PROTECTED]: general discussions about Nessus.
> * To unsubscribe, send a mail to [EMAIL PROTECTED] with
> "unsubscribe nessus" in the body.
-
[EMAIL PROTECTED]: general discussions about Nessus.
* To unsubscribe, send a mail to [EMAIL PROTECTED] with "unsubscribe nessus" in the body.
