| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: booger at unixclan.net (security snot) Subject: Is Marty Lying? I just finished reading Phrack 62's article on Sneeze, and some of the threads here concerning the matter, and I must admit that I am bothered by some of the responses. There is nothing I hate quite as much as vendors who lie to their customers, except perhaps vendors that are too stupid to realize what really happened. I guess Marty assumes that anyone dumb enough to buy the hype of signature-based IDS and to think products like Snort/OpenSnort have any value as a security mechanism, is going to be too stupid to think independantly to arrive to a conclusion to what most likely did happen with the Snort.org compromise. First, if you look at the output from 'w' (I read a great article by BMcW talking about the unix command 'w' being run on the ever-secure cvs.openbsd.org by a malicious intruder, thanks Brian!), you'll notice that users from the hacked box were logging in to www.sourcefire.com, and some nameservers. The compromise must definately have been limited to that single machine! No intruder would be smart enough to log authentication credentials on one hacked machine to get to anther! Second, Marty speaks about the machine being "removed" from the rest of their network so if it gets compromised, it doesn't actually affect the Snort/Sourcefire network's security. Yet being proactively secure, and assuming that a machine si going to get compromised, then logging into your corporate network from that machine doesn't seem like a very intelligent practice now, does it? Security is policy based, and these dopes can't understand that. Some good questions are: 1) If the intrusion were limited to a single "shellbox" then why did they need to audit the code in CVS to see if it was backdoored? 2) If the Snort developers cannot configure Snort to detect attacks on their own networks, why are you hiring Sourcefire to install said mechanisms on your network to protect you? 3) Why the fuck do people still thing signature-based IDS is worthwhile? Get a clue, everyone. Marty - I look forward to your reply here; we'll follow up with a critique of your incoherent coding practices.l - snot, the one and only infosec mucas ----------------------------------------------------------- "Whitehat by day, booger at night - I'm the security snot." - CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ - -----------------------------------------------------------
Powered by blists - more mailing lists