[plug] Trade [flame alert]
Christian
christian at global.net.au
Tue Feb 29 13:44:24 WST 2000
"Anthony J. Breeds-Taurima" wrote:
> On Tue, 29 Feb 2000, Christian wrote:
> > Even if you pretend to be someone else, what admin is going to install
> > an arbitrary program received by email from a stranger? The attack
> > won't work.
>
> I've tried to stay out of this BUT .... What you should have said is "The
> attack won't work with a Sys Admin that's doing his/her job properly".
I wouldn't say "properly". Just to a reasonable standard -- the bare
minimum standard for which I would ever consider hiring somebody.
> Jeremy never said he'd forge the email to be from a stranger .... he could
> send you an email from Oliver for instance.
Even when your friends send you email, you don't automatically install
what they send you. Admins certainly don't, even bad ones.
> I know, from experience, that people try it. If Jeremy is going to be
> exhaustive in his efforts to break into your machine then, by definition, he
> should try all possible routes of system breach ... and this one is valid.
It's valid but it's one of the poorer options IMHO.
> > No admin in his right mind would use the same password. This attack is
> > useless in the current context.
>
> being exhaustive again .... and people do .... I know someone that uses the
> same password for root on all their boxes, user accounts (on their own boxes),
> web based email (hotmail) and accounts on machines that they have NO control
> over.
Notice I said, "in his right mind". ;-)
(Also, obviously this is a case of he/she...)
> I'm CERTAINLY not advocating this behaviour BUT Jeremy is merely checking
> possibilities. He never said this was his only form of "hack".
He said it was the first way he'd try and, to me, it feels like a last
resort.
> Right, that's just my point of view. Both of you are making valid points, you're
> just taking it on from different levels. That's exactly WHY Jeremy wanted
> someone else to have a go at his box .... the way EVERYONE thinks is different
> and those differences will have different results.
Despite differing points of view, if Jeremy tried attacking his own
machine he'd probably gain a lot more useful insights than asking other
people to. This point is still accurate.
Regards,
Christian.