Message-ID: <000c01c35ac9$e233d580$c5e0803e@martin>
From: memoxyde at monet.no (martin scherer)
Subject: SV: Re: Reacting to a server compromise
Don't get me wrong, I _just_ joined this list, and I'm nothing of a security expert... I'm just someone who tries to learn this stuff by watching others...

But come on, seriously... You expect someone to cave in on a public list like this, even though you can "tear apart what little bit of technical knowledge he might have"? We all know that isn't going to happen...

So I suggest (note: _suggest_... I have no authority here, thank god) you settle this outside the mailing list, because flaming each other in here, where no one is about to cave in anytime soon, is pointless.

Then again, I'm just a newbie, with absolutely no clue about what 70% of the discussions going on in here are about. So start the flaming.
-m
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On behalf of security snot
Sent: 4 August 2003 20:48
To: Ron DuFresne
Cc: Richard Stevens; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Re: Reacting to a server compromise
Tina Bird isn't much of a security expert, she's a belly dancer. What she likes to do is read generated logs (i.e. syslog and whatnot) and pretend that leaves sufficient information for a reliable audit trail.

Ron, I've been asked by the moderators of this list to stop engaging you in conversation, but I can't help myself - please shut the fuck up you no skilled, self promoting moron. You don't even understand how worthless any of Tina Bird's "contributions" to security have been; because she's a name you're familiar with, you assume she must be worthwhile.

I try to read this list objectively and I frequently take the time to assist users offlist to better understand certain matters. You, however, contribute absolutely nothing, in any way, and I'm tired of you posting to this list like you're some sort of authority.

You can take your years of experience in "home network security" (admittedly installing Zonealarm-type products and nothing more advanced) and go look for attention somewhere else.

I expect you'll respond to this message with some insult about how I'm a "child" that needs to respect those "elders in the community" (such as you'd like to imply yourself being), and some other weak rhetoric. Keep in mind that you've pissed me off enough that I'll be more than happy to tear apart what little bit of technical knowledge you might have and shame you publicly, here and in any other forum that I see fit.

So please, respond with some sort of insult to me, or some plea to Len to remove me from this list - there are a lot of people who would love to see how the Great Ron DuFresne of gForce Pakistan holds up to the booger Challenge.
-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------
On Mon, 4 Aug 2003, Ron DuFresne wrote:
>
> I believe the way to go to store a drive from a system is to make a dd copy to a new drive, remove the drive itself, and store it following proper chain of evidence procedures, and do any forensics on the new drive. Now, if that's enough, perhaps not; in some instances the machine itself might need to be stored in a full chain of evidence process also.
>
> Tina Bird's site might offer some info on this; she has popped up in many of these threads to clarify issues of such on the various lists as some of us have pondered without knowledge. Tina, you have any words on this to offer up?
>
> Thanks,
>
> Ron DuFresne
>
> On Mon, 4 Aug 2003, Richard Stevens wrote:
>
> > I'd be interested to know if a ghost image (or even hardware systems like image-master) carries over deleted files to the new image? As these can usually be undeleted easily enough.
> >
> > anyone know?
> >
> > I'd guess the safest way is just to keep the original drive, but if it's a nice big expensive scsi raid set I'd guess this probably isn't practical.
> >
> > -----Original Message-----
> > From: Alexandre Dulaunoy [mailto:alexandre.dulaunoy@....be]
> > Sent: 03 August 2003 20:01
> > To: devnull@...imus.com.au
> > Cc: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] Re: Reacting to a server compromise
> >
> >
> > On 03/Aug/03 12:33 +1000, devnull@...imus.com.au wrote:
> > > On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
> > >
> > > > If this happens again, I would probably make a copy of the hard drive, or at the very least the log files since they can be entered as evidence of a hacked box.
> > >
> > > Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc. using standard hardware is completely inadmissible in court, as it is impossible to make one without possibly compromising the integrity of the evidence. The police etc. use specialised hardware for making such copies, which ensures that the disk can't have been altered.
> >
> > Getting evidence by reading (via any software or hardware solution) may compromise the integrity of the evidence. I would like to know the difference between, for example, a (s)dd and the specialised hardware that you talk about? Do you have any references?
> >
> > Preserving the scene integrity is really difficult. You have to minimize the intrusion to the scene. On computer hardware it is really difficult... Using a hardware device that doesn't change the scene too much is difficult... (think of a compromised disk firmware).
> >
> > And the worst, sometimes we see something that doesn't exist at all. Forensic analysis is the land of illusion...
> >
> > just my .02 EUR.
> >
> > adulau
> >
> > --
> > -- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
> > -- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
> > -- "Knowledge can create problems, it is not through ignorance
> > -- that we can solve them" Isaac Asimov
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
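The "dd copy, then do the forensics on the copy" workflow Ron describes, as an added shell example that is not code from any poster in this thread. It assumes POSIX sh with GNU or BSD dd, mktemp, grep -a and sha256sum (or shasum); the sample "disk", the custody log format and the function names (image_disk, verify_image) are constructed here.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread: the "dd copy then
# do forensics on the copy" workflow, with hashes recorded on both sides
# so the image can later be shown to match what was acquired.
# Assumes POSIX sh with dd, mktemp, grep -a and sha256sum (or shasum).

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_disk SRC DST LOG: sector-level copy of SRC into DST; both hashes go
# into LOG with a UTC timestamp. Returns 0 only when the hashes agree.
image_disk() {
    # noerror,sync: a bad sector is NUL-padded instead of truncating the image.
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$1"); dst_hash=$(hash_file "$2")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source %s %s\n' "$stamp" "$1" "$src_hash" >>"$3"
    printf '%s image %s %s\n' "$stamp" "$2" "$dst_hash" >>"$3"
    [ "$src_hash" = "$dst_hash" ]
}

# verify_image IMG LOG: rehash IMG and compare with the value recorded at
# acquisition time. Returns 0 if the image is unchanged.
verify_image() {
    recorded=$(grep -F " image $1 " "$2" | tail -n 1 | awk '{print $4}')
    [ -n "$recorded" ] && [ "$(hash_file "$1")" = "$recorded" ]
}

# Constructed 2 KiB "disk": sector 1 still holds bytes from a deleted
# file, which a raw copy keeps but a file-level backup would drop.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf 'DELETED_FILE_DATA' | dd of="$1" bs=1 seek=600 conv=notrunc 2>/dev/null
}

demo() {
    wd=$(mktemp -d)
    make_sample_disk "$wd/evidence.raw"
    if image_disk "$wd/evidence.raw" "$wd/evidence.img" "$wd/custody.log"; then
        echo "hashes match; residual sectors in image: $(grep -a -c DELETED_FILE_DATA "$wd/evidence.img")"
    fi
    cat "$wd/custody.log"; rm -rf "$wd"
}
demo
```

Because dd copies every sector, the string planted in the deleted region survives in the image (the answer to Richard's question for raw imaging); a changed byte in the image makes verify_image fail against the recorded hash.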