[plug] Fw: I am so sorry!Your hosts was hacked!

Simon Scott simon.scott at flexiplan.com
Mon Apr 9 15:14:48 WST 2001








	On Mon, Apr 09, 2001 at 10:22:45AM +0800, Simon Scott wrote:
	>> 	Given enough time, any machine on the net could be compromised.
	>
	>In theory, but if you make the machine as secure as you can then,
	>assuming you're competent, the machine will very likely remain safe when
	>a) it has nothing of particular value, b) there are other easier
	>targets.

	Sure, if you are competent. I would hazard a guess that a large
fraction of sysadmins are not. Esp. with Linux's huge explosion in
popularity, I know several people building Linux servers for net usage who
barely know how to switch the box on. RedHat default is just fine, thank you.

	How does anyone know if my machine 'has nothing of particular value'
on it, before it is compromised? And there *are* easier targets. There
always will be. Thousands of them. My machine is insignificant (and probably
well secured) in comparison.


	>> 	Just how many machines do these people need? How likely is it that
	>> if your box is compromised that it would be used for anything at all?
	>
	>When you're after zombies for DDoS attacks?  As many as you can lay your
	>hands on.

	Agreed. I agree with you that hackers need as many machines as they
can compromise. But my point is, the internet is now almost an infinite pool
of badly configured machines. If they want 1000 servers they will get 1000
servers, whether mine is included or not. So why waste my time when no
matter what I do someone else's lack of experience is gonna result in DDOS
attacks anyway?

	>> 	I retain my stance of 10 years ago - if it's important, it shouldn't
	>> be on the net. There is no guarantee of security, and if nothing sensitive
	>> is on the net then it doesn't matter if my box is compromised or not. Why do
	>> NASA have anything on the net that may be sensitive? You are NEVER going to
	>> be 100% secure. Someone will ALWAYS be able to compromise your box. So why
	>> play the game?
	>
	>This is a really stupid attitude.  Are you trying to tell all the
	>business people on this list (and throughout the rest of the world in
	>general) that their businesses either a) aren't important or b)
	>shouldn't be on the Internet?  Businesses today *need* to be connected
	>to the Internet.  They *need* to have machines holding sensitive,
	>business-critical data online.  They *need* some security.  And they
	>don't need irresponsible people who can't be bothered looking after
	>their machines.

	Yes, that is exactly what I'm saying. If you have 'business critical'
data connected to the internet, you are a fool. It will be compromised. This
is how people's CC details get stolen. It shouldn't happen. Anyone with half
a brain can set up a server so that no sensitive data is accessible. I'm not
saying you can't do business on the net, but do not expect that you can whack
whatever you like on the server, set up IPCHAINS, and go to sleep. My point
is THIS IS WHAT PEOPLE DO. They are fools. The data is there for the taking.
I don't see how the security on my p100 makes them any more vulnerable,
especially when you consider my point above, in that the hackers will ALWAYS
have an almost infinite source of badly configured machines as a source for
DDOS.

	Tell everyone else to spend the time securing my CC data ($1800 last
time I was ripped off) and maybe I'll sit down and worry a bit more about my
server.

	And no, businesses do not *need* to be on the internet. That's a lie
told to know-nothing techno-wannabes when you try to screw them for money
to set up their e-commerce, b2b, buzzword-of-the-minute server for them.
What did they do before the internet? They *want* to be on the net, yes. But
this is mostly due to the apparent lack of ethics displayed by most
consultants, whereby they do not explain the inherent risks or probable low
return-on-investment to potential clients. People think they'll be the next
Amazon as soon as they whack a half-arsed webpage up. It just doesn't happen.
Modelling already shows that the internet might not be the wave of the
future as far as commerce is concerned. Internet buying is already levelling
off.


	>> 	So why should I care about my little p100 sitting on an adsl link?
	>
	>Matt has already explained why you should but you chose to put your head
	>in the sand.  You demonstrate the classic antisocial irresponsible
	>attitude that plagues our society.  Why should I bother securing my
	>machine?  There's no important data on them anyway. Why shouldn't I keep
	>my guns in unlocked cabinets?  I'm not going to shoot myself by
	>accident.  Why shouldn't I drink and drive...?

	Almost a nice point, until reality sets in and you must realise that
nothing that happens online is going to cause the death of anyone. It's all
just bots whizzing around the globe. "Argh, I didn't secure my server, now my
wife is dead". I'm socially responsible enough to say I don't own guns and I
don't drink. And if perchance someone's life-support system is connected to
the internet, well, they wouldn't be around long enough for me to say 'I told
you so'.

	This isn't real life, people. It's the internet. Go for a walk and
breathe.


	>Quite honestly, I wouldn't feel any pity for a second if your machine
	>was broken into and then used in something serious.  A zombie flooding
	>Amazon.com and costing them hundreds of thousands of US$'s in revenue,
	>for example.  I wonder what legal implications your public
	>acknowledgement that you don't feel any responsibility to society to
	>secure your machines would have when they sue you for negligence.

	See points above. It would happen whether my machine was as secure
as Fort Knox or wide open... somewhere they would get the machines, and
they always will be able to. Why kill myself to *attempt* to remove 1
machine from their pool of millions? Does this make me negligent? If 99% of
servers are run by fools like me, what is the standard by which negligence
is measured? This is akin to a religious zealot telling me I'm going to hell
cos I don't live their way. I don't buy it.

	This is the environment in which they must do business online. It
sucks, but that's the way it is. Kids will be kids. If they lose money due to
DDOS, don't do business on the internet. I'm sure the positives outweigh the
negatives for them :) If a business has critical data on their firewall and
it is compromised and stolen, don't come crying to me. I don't even have my
resume on a machine tied to the internet.

	If your entire business plan is based on internet commerce, I'll
cash my shares now, thank you.

	Computer Security 101 - How do you secure a machine on the internet?
Answer: Remove it from the internet, put it in a bunker with armed military
personnel, turn it off, and cross your fingers there is no nuclear attack.

	Having said all this, I *have* some form of IPCHAINS based
firewalling, which basically blocks all ports 0-1024 unless I really need it
open. But I don't have the time nor the inclination to scan the errata lists
daily for possible sources of compromise. I'm too busy with other stuff. My
firewall may be broken, I may be open to attack, but it's a risk I can live
with.

	And don't worry, I wouldn't feel any pity for me either. It takes me
30 mins to rebuild my machine. It's better than days on end trying to evade
14 year olds with too much damn time on their hands.







