Date:      Tue, 6 Nov 2001 10:58:35 +0100
From:      "Anthony Atkielski" <anthony@atkielski.com>
To:        "Ted Mittelstaedt" <tedm@toybox.placo.com>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject:   Re: Lockdown of FreeBSD machine directly on Net
Message-ID:  <001401c166a9$9b976120$0a00000a@atkielski.com>
References:  <000201c166a2$d2ed80c0$1401a8c0@tedm.placo.com>

Ted writes:

> I don't care how much money you throw at a security
> crack, what counts is the persistence.

In the world of IT, it is possible to apply perfect solutions to security holes.
In other words, it is possible to build perfectly secure systems.  It's
expensive and requires people who are truly dedicated to making a system secure,
but it is quite possible.  And systems secured in this way cannot be cracked by
any amount of persistence.

Example:  Telnet passwords.  To log in with Telnet, you must provide the
password of the account you wish to log into.  No password, no access.  No
amount of persistence will force Telnet to let you in without the correct
password.  This protocol is thus completely secure.

> And this is something that money can't buy, and it's
> something that amateur crackers can get, if they are
> self-disciplined.

It is useless to them.  I suppose it dissipates their nervous energy, but unless
they find someone who is running a system in an insecure way, they are wasting
their time.

> You simply cannot buy that kind of persistence
> for any amount of money.

Sure you can.  The criminals who steal cellphones are persistent because it
_pays_ to be persistent; they aren't doing it for fun.

> You can't get that kind of dedication from a professional,
> it simply isn't there.

Anyone who steals things in order to make a living for himself is a
professional.

> It only comes from those 1-in-1000 amateurs, like
> your "script kiddies"

There must be a lot of amateurs in the world, if only one in a thousand has the
persistence to steal your cellphone, and yet dozens of them pass your car each
night.

> The crackers that an organization has to really
> fear aren't the governmentally funded professionals
> that have million dollar budgets, like you're implying.

Most people have no reason to _fear_ the government.  I was just pointing out
that it is very expensive to secure a system against an opponent with the
resources of a government.  It's much easier to defend against the kiddies.

> I mean, it's laughable to think that the professional
> crackers are really any good - if they were then the
> US Government would have killed bin Laden years ago.

Why?  No cracking is necessary in bin Laden's case, since he generally has not
used much in the way of security to begin with (at least from an IT standpoint).

> The crackers that an organization really has to fear
> are those one-in-one thousand amateur "script kiddies"
> that get a bug up their assholes and spend their lifetime
> attempting to gun you.

They are no more common or dangerous than serial murderers.

> Those are the folks that simply will try attempt after
> attempt, no matter how futile it is, for years and
> years and years and years, every single day and every
> single hour of their lives.

As long as it's futile, who cares?

> Ultimately they will get you because normal people cannot
> be 100% vigilant all the time, and one day the target is
> going to make a mistake, and when that happens the fanatic
> cracker is going to be right there and make his kill.

You don't have to be 100% vigilant; you only have to be more vigilant than your
opponent.  And even the most obsessed kiddie isn't going to have any miraculous
powers; you can secure your system against him ... if you really want to.

> someone screwed up and they were right there at
> the hole, exploiting it.

What hole?  They didn't compromise any security system that I'm aware of.

> But that's assuming that those "really secure systems"
> stay really secure forever ...

It will, if you have competent people running it.

> All systems wear out and get replaced.  Software all
> gets upgraded.

That doesn't make the systems insecure.

> People quit and are replaced by new inexperienced hires
> that don't completely understand protocols.

Hire experienced people.

> People get in a hurry and skip security steps.

Hire people that don't get in a hurry and don't skip security steps.

> Things _always_ change and people _always_ make mistakes.

Including the script kiddies.  All you have to do is be smarter than they are
... which isn't saying much ... and you're safe.

> If that system has a fanatic who has devoted his life
> to gunning it, then at that time, the system will be
> cracked, simple as that.  It doesn't take a million
> dollars.  All it takes is persistence.

So you reformat the disks and restore from a backup, and you're back in
business, and your fanatic can spend another twenty years trying to compromise
the system for a few hours again.

> Well, for starters the drag racing community is set
> up to keep those people from ever getting anywhere
> for good reason.

So?  You've just spent a great deal of text telling me how persistence is all
that is required.  If persistence is all you need to break into a computer
system, then it's all you need to drag race, no matter how dangerous or
unqualified you are.  The drag-racing community is no more adept at security
than the IT community.

> It's extremely dangerous to get in a drag racer ...

It's extremely dangerous to break into a classified computer system, too, but
some people try it, anyway.

> You're wasting your time if you think that they are
> going to let you bring a piece of junk with
> shit falling off it onto a drag track.

Why?  All I need is persistence ... right?

You are contradicting yourself in your post.  Persistence works when you want it
to, but is useless when you don't want it to.  It cannot be both ways, so which
is it?

> Hotheaded young males with tempers and dysfunctional
> personalities can't spend their lives tinkering with
> junk they collect for nothing because they are shortly
> banned from all the tracks in the area.

That's what happens when they spend their time trying to compromise computer
systems, too.

> Anyway, the moral to be learned here is that the second
> you start going down the "cost benefit" reasoning when
> it comes to security, you're wasting your time.

On the contrary, it's the correct way to manage a system.  For example, if it
costs more to secure a system against intrusion than it does to just restore
from backup if an intrusion occurs, then you can afford to be a little more
casual about security, and if someone breaks in, well, you just restore
everything and you're back in business.

> It's the same logic that the airlines used when they
> ran out and hired all those security scanners at
> minimum wage, and the results are no different than
> if they simply didn't bother having security scanners
> at all.

What's wrong with hiring minimum-wage security scanners?  All they need is
persistence, not competence ... right?

