Date: Mon, 9 Apr 2001 10:35:39 +0800 (WST)
From: Travis Read
To: plug@plug.linux.org.au
Subject: Re: [plug] Fw: I am so sorry!Your hosts was hacked!

Correct me if I'm wrong: if you use ipchains and block all external direct connections to your gateway, then chances are you're safe?

Trav

On Mon, 9 Apr 2001, Simon Scott wrote:

> Given enough time, any machine on the net could be compromised.
>
> Just how many machines do these people need? How likely is it that if your box is compromised that it would be used for anything at all?
>
> It's a game for most hackers, just to see if they can... the result of compromising your box is that they move on and try to compromise the next.
> Mostly they do no damage, and if they do, it is a simple case of ghosting your 'known-good' root image, restoring /home from tape and upgrading the offending service. Then sit around waiting for the next hole to be found.
>
> And if they were really serious about using your box, would they alert you to the fact that it's been compromised? Most people's reaction would be to drop the box off the breeze and reinstall with something newer. What does this achieve? They lose access, until they compromise it next time. Hell, I'm at work most of the day and some days I don't even go downstairs to use my boxen. My server could be compromised and used in a DOS attack in between me being there. Does that make me liable? If I spend 24x7 trying to maintain security and my box is still used for something sinister, am I still liable? Is my liability level a direct relation to the versions of stuff I had installed at the time?
>
> I get 3-4 attacks on my machine a week, mostly an obvious buffer overflow attempt on identd or some other service.
>
> I retain my stance of 10 years ago - if it's important, it shouldn't be on the net. There is no guarantee of security, and if nothing sensitive is on the net then it doesn't matter if my box is compromised or not. Why do NASA have anything on the net that may be sensitive? You are NEVER going to be 100% secure. Someone will ALWAYS be able to compromise your box. So why play the game?
>
> To me it is a bigger social issue of why these 14 yr olds have nothing else to do with their time. One benefit I suppose is that they probably get good training in unix/networking along the way. The bad side-effect is that most people have an irrational over-reaction about securing the magnetic bits on their harddrives. People are wasting their lives staring at errata sites waiting for some security issue or another, trying to stay ahead of the competition.
> SOOO much time is wasted that would be better used constructively. So I refuse.
>
> Most people today, even experienced admins, don't have a clue about security. Especially in MS circles, security is sold as a product (Firewall XYZ) but in reality it is a long and hard process of trying to keep up-to-date. And even then there are no guarantees. I would hazard a guess that most sites on the net are run by some buffoon without a clue, and are just waiting to be compromised.
>
> So why should I care about my little p100 sitting on an adsl link?
>
> > From: Matt Kemner on 09-04-2001 09:54 AM
> > To: plug@plug.linux.org.au
> > Subject: Re: [plug] Fw: I am so sorry!Your hosts was hacked!
> >
> > On Mon, 9 Apr 2001, Simon Scott wrote:
> >
> > > Ask yourself 1 question..... do you really care?
> >
> > Simon, you had better care.
> > The main reason for someone wanting to crack your box, no matter how pitiful it is, is to use it as a launchpad to either break into somewhere else, or flood someone else's network (Denial of Service).
> >
> > You are responsible for anything that comes from a machine that is supposed to be under your control, so it is you that will be talking to the authorities if it happens.
> >
> > Just a few days ago I got a notice from one of my suppliers saying that someone on IP address such and such at such and such time attempted to crack one of NASA's sites, and would I be so kind as to terminate the customer's account immediately, but to keep their details and await to be contacted by the appropriate authorities.
> > As it was, I happen to know said customer really well, and I knew there was no chance of them being responsible - and I also knew they were using a very old version of RedHat on their gateway (not installed by me) and that the chances are very high it was broken into and used by someone else - and my supplier was happy with my assurance that said machine would be taken off-line immediately and formatted/installed an up-to-date version of Linux before being put back online.
> >
> > If I hadn't known the customer that well, they would have found themselves without Internet access and with a whole lot of explaining to do.
> >
> > Anyway, sorry for the rant, don't take it too personally, I'm just concerned that so many people are blasé about the whole security thing when it should be a top priority for everyone.
> >
> > - Matt

-- 
Kind regards,
Travis Read
iiNet Senior Support | Ph +61 8 9214 2222 Fx +61 8 9214 2211
travisr@corporate.iinet.net.au | 250 St Georges Terrace, Perth WA 6000
" there is a war going on, it's not about who has the most bullets, it's about who controls the information " - SNEAKERS
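An added example, not part of the thread: the "block all external direct connections" gateway Travis asks about would be an ipchains default-deny input chain, and rules given the `-l` flag record each denied packet in syslog as the kernel's "Packet log:" line. This Python script (mine, not from any list member) tallies blocked inbound TCP connection attempts per source and destination port from such lines, so the owner of a small gateway can see the kind of probes Simon describes (for example against identd on port 113); the log lines are constructed samples in the format documented in the ipchains HOWTO.

```python
import re
from collections import Counter

# Kernel "Packet log:" line format as documented in the ipchains HOWTO:
# chain target iface PROTO= src:port dst:port L= S= I= F= T= [flags] [(#rule)]
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=\d+ S=\S+ I=\d+ F=\S+ T=\d+(?P<trailer>.*)$"
)

# Constructed sample syslog lines for this example (not real logs).
SAMPLE_LOG = """\
Apr  9 02:14:11 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.23:3921 192.0.2.10:113 L=60 S=0x00 I=48211 F=0x4000 T=51 SYN (#3)
Apr  9 02:14:12 gw kernel: Packet log: input DENY ppp0 PROTO=6 198.51.100.23:3922 192.0.2.10:113 L=60 S=0x00 I=48212 F=0x4000 T=51 SYN (#3)
Apr  9 02:20:40 gw kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.9:1044 192.0.2.10:21 L=60 S=0x00 I=11 F=0x4000 T=240 SYN (#3)
Apr  9 02:21:01 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 192.168.1.5:1025 192.0.2.10:53 L=34 S=0x00 I=18 F=0x0000 T=64 (#1)
Apr  9 02:30:05 gw kernel: eth0: link up
"""

def parse_packet_log(text):
    """One dict per ipchains log line; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PACKET_LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("proto", "sport", "dport"):
            rec[key] = int(rec[key])
        # TCP flag names (SYN, ACK, ...) appear after the T= field.
        rec["syn"] = "SYN" in rec.pop("trailer").split()
        entries.append(rec)
    return entries

def denied_connection_attempts(text):
    """Count DENYed inbound TCP SYNs per (source address, destination port).

    A run of hits on one port from one source (e.g. identd on 113) is a probe
    the default-deny gateway blocked but still left evidence of.
    """
    attempts = Counter()
    for rec in parse_packet_log(text):
        if rec["chain"] == "input" and rec["target"] == "DENY" \
                and rec["proto"] == 6 and rec["syn"]:
            attempts[(rec["src"], rec["dport"])] += 1
    return attempts
```

Feed it `/var/log/messages` from the gateway and the counter's `most_common()` lists which sources keep hitting which closed ports; an accepted packet or a non-SYN segment never counts.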