[plug] Trade [flame alert]

Christian christian at global.net.au
Tue Feb 29 09:34:03 WST 2000


I'm sorry if I offended you but there was nothing personal about my
criticisms.  I disagree with the technique you suggest because I believe
it is ineffective and even sometimes dangerous so I was critical of this
approach but nothing personal was intended.

Jeremy Malcolm wrote:
> > Wow, what a deal...  How can anyone resist an offer like that?  We/I get
> 
> Well excuse me, I thought this was a Linux user group mailing list,
> where we can all ask from and offer help to each other, without people
> criticizing us for not paying a professional to do the job.  Obviously
> I was incorrect.

I'm not criticising you for not paying a professional.  I'm merely
saying that your "hack challenge" will not tell you anything useful
about the security of your system.  My suggestion then was to either try
and break in yourself (Solution 1: if you don't want to spend any money
on it) or to pay for a professional to do a proper audit for you
(Solution 2: if you have money to spend on security).

> Mike wrote:
> 
> > > Easy on the sarcasm there Christian. I didn't see him asking for a
> > > professional like you. Plenty of kids with off-the-shelf hacking tools
> > > would enjoy the challenge. Or at least the chance to play with the tools
> > > risk-free and/or ethically. Let's assume Jeremy isn't expecting
> > > experts, eh?
> 
> Exactly, I thought someone might appreciate my efforts to check their
> system's security in exchange for doing the same to mine, and I don't
> know what basis Christian thinks he has for implying that I would be
> slacker than they would.

There are several reasons why I would suggest that your reciprocal
efforts might be less effective than that of those who might attack your
systems.  Firstly there's the purely practical issue that if, say, three
people on this list try to penetrate your system then you would either
have to spend three times their individual efforts in attacking their
systems, or, more likely, each person would get 1/3 of the effort in
return which makes it a poor proposition.  Secondly (and this is the
entire point that I was trying to make), how on earth can we know how
much serious effort has gone into the attack?  And how can we even begin
to estimate its value?  The fact is, we cannot so there is very little
value there.

> Christian wrote:
> 
> > Then what is he asking for?  What is the value of that?  Why doesn't he
> > go and get these tools himself and test them out?
> 
> I have.  But I know my own passwords.  The first thing I would do if I
> was trying to hack into someone else's system would be to guess or
> sniff their passwords.

Would it?  To sniff the passwords you would need to a) compromise a
machine on the same physical network or b) compromise a router somewhere
between where someone logs into your systems remotely using a plaintext
password exchange (e.g., telnet).  If you successfully achieved (a) then
you would pretty much have been successful in the whole exercise.  If
you've already achieved (b) then I worry about you.  If you just wanted
to guess passwords remotely then, of what value is that?  If the
passwords are THAT bad then I shudder to think what the state of the
rest of the system is like and, if they are, then you could find that
out for yourself by running crack or john over your system!!! (Sound
familiar?  See what I wrote in my original email quoted above...)

Incidentally this confirms my earlier suspicion that there would be
little value in your reciprocal penetration attempt.

> > you have absolutely no idea how "thorough"
> > they are going to be and, if they were to compromise the system, how do
> > you know that they would tell you?
> 
> Logs will tell me how thorough they are.  If they were not very
> thorough, I would still thank them for trying, I wouldn't whinge about
> not getting "value" for the "exchange".  As for knowing that they
> would tell me if they succeeded, as indicated above, I had wrongly
> assumed that there was still some spirit of mutual cooperation on
> this list that used to be traditional within the Linux community.
> Sorry for maintaining such an outdated attitude.

Logs *may* tell you how thorough they are in *some* ways but you get
roughly the same information from the regular attacks you
get each day.  How satisfying is that?  There is certainly a spirit of
mutual cooperation in the Linux community (why else would I bother
replying to your email and pointing out the flaws in your intended
approach?) but in the security community things often work a little
differently.

> > Furthermore, what protection would
> > you have against someone who took up the offer, thoroughly compromised
> > the system and stole/damaged sensitive data?  After all, you invited
> > them to break into your system...  (This is just an aside, not my real
> > point since I'm not a lawyer and I think Jeremy is.)
> 
> Well I'd only have myself to blame.  But there is nothing stopping
> anyone anywhere from trying to hack into my system, *without* my
> permission (in fact I do get numerous hacking attempts every day, and
> I haven't been compromised yet).  If they seek my permission to begin
> with, I can probably assume they would have the basic decency to
> follow my ground rules.  If they don't, over 90% of the data on my
> system is mine so I'm happy to live with the risk.

You haven't been compromised yet [that you know about].  As for basic
decency, you're right that on this list that's probably a reasonably
safe assumption.  Should you give your offer to the wider world (which
could easily happen even just by posting to this list) then the
assumption flies out the window.  But, as I said, this is not really my
main point.

> > If you want to have *some* sort of guarantee of the security of your
> > system then hire a professional to do a proper security audit of it.
> 
> > Informal challenges for people to try and break in will almost certainly
> > tell you nothing about how secure you are.
> 
> I don't make enough money from it to start employing professionals
> (it's basically just a hobby, not my day-job unlike you).  Am I to be
> criticised for trying to trade security tips with another hobbyist
> without offering cash?  Next are you going to start criticising people
> on this list for being cheapskates by using a free operating system,
> instead of shelling out money for Solaris (or, for that matter,
> Windows NT)?

Actually, most of the security community exists by freely trading
information with other members so there is certainly no grounds for
criticism there.  However, you're not trading security tips at all. 
You're offering a challenge for someone to break into your system.  It
is generally well recognised that this approach won't be very successful
since the serious security people will ignore it (and devote their time
to more constructive, and sometimes profitable, pursuits) and only the
kiddies will bite which, in the end, gives you no guarantees about the
security of your system and severely limits the effectiveness of the
exercise.  I wouldn't criticise you for not wanting to spend money --
that's a concept I'm very familiar with! :-)  So, in this case, see
Solution 1 above.  Your comment about free operating systems is
obviously completely misguided since Linux is free in the speech sense
and only partially so in the beer sense: free software is not about the
absence of cost.

> PS. Offer stands, likewise with the secondary DNS trade.

What sort of link is the machine on?  What networks are immediately
upstream of it?  What are its uptime stats like?  How powerful is the
machine?

Regards,

Christian.
