Date: Tue, 29 May 2001 16:38:44 -0700 (PDT)
From: Matt Dillon
Message-Id: <200105292338.f4TNciU32058@earth.backplane.com>
To: Robert Withrow
Cc: Seth, Vivek Khera, stable@FreeBSD.ORG
Subject: Re: adding "noschg" to ssh and friends
References: <200105292324.TAA73334@ns1.rwwa.com>

:dillon@earth.backplane.com said:
::- Putting on my security hat... no. All you are doing is forcing
::- the hacker to use some more obscure and possibly less detectable way
::- to compromise the machine. So, in fact, you could be making the
::- problem *worse*.
:
:Maybe your security hat needs cleaning? The whole game is played by raising
:the cost of hacking. Using your theory, we should eliminate all passwords.
:*Then* we'd be pretty sure no hacker would trouble himself by using any
:obscure hacking methods. (Of course, that would be like windows, wouldn't
:it?)

No, I didn't say that at all. Using my theory, you don't eliminate all passwords, you move them off the machine (e.g. move to NIS or something) so if a hacker breaks into your multi-user box with a compromised password, he has no way to get the *REST* of the passwords (crypted or not) and break them offline. So moving the passwords off the machine (or removing them) accomplishes something real. Setting schg on a file does not.

You think this would slow a hacker down? You think it's raising the bar? It might raise the bar a millimeter or so if the hacker is even more stupid than your typical script kiddie. Otherwise, no.

A prudent sysad implements security features that actually have a reasonable effect. Setting schg on a file doesn't. It might give you a false peace of mind, but it will have no positive effect and almost certainly have a major negative one.

At BEST we monitored hackers all the time. Do you want to know what they did when they got frustrated? 'rm -rf /' is what they did... fortunately, at BEST, the only times they did that was when they couldn't break root so all they did was wipe the user's account.

Once a hacker breaks root, all you can do is mitigate the damage... but before you can mitigate it, you have to *detect* that your machine has actually been compromised. The easiest way to detect 98% of compromised machines is to locate modified binaries or new suid binaries. Take that away and you've just blown 98% of the effectiveness of your security system.

-Matt
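
The detection signal the message relies on (modified binaries and new suid binaries), shown as an added example that is not part of the original message: a baseline comparison over a directory tree. The function names and the JSON baseline file are assumptions of this example, and it assumes the baseline is kept where an intruder on the box cannot rewrite it.

```python
import hashlib
import os
import stat


def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, permission bits)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[os.path.relpath(path, root)] = (digest, stat.S_IMODE(st.st_mode))
    return snap


def is_suid(mode):
    """True when the setuid or setgid bit is set in the permission bits."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def compare(baseline, current):
    """Return sorted (finding, path) tuples: changed content, new or newly suid files."""
    findings = []
    for path, (digest, mode) in current.items():
        old = baseline.get(path)
        if old is None:
            findings.append(("new-suid" if is_suid(mode) else "new-file", path))
            continue
        if digest != old[0]:
            findings.append(("modified", path))
        if is_suid(mode) and not is_suid(old[1]):
            findings.append(("became-suid", path))
    findings += [("missing", p) for p in baseline if p not in current]
    return sorted(findings)


if __name__ == "__main__":
    import json
    import sys
    # Hypothetical CLI: "snapshot DIR > baseline.json" or "check DIR baseline.json"
    if sys.argv[1] == "snapshot":
        json.dump(snapshot(sys.argv[2]), sys.stdout)
    else:
        with open(sys.argv[3]) as fh:
            for finding in compare(json.load(fh), snapshot(sys.argv[2])):
                print(*finding)
```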