Message-ID: <BB95477B.6A06%dhoelzer@cyber-defense.org>
From: dhoelzer at cyber-defense.org (David Hoelzer)
Subject: Is Marty Lying?
Dude... Reading your inane posts helps me to better understand why you feel
that sticking an "A+" cert in your signature will make us think you have a
clue.
On 9/22/03 10:04 AM, "security snot" <booger@...xclan.net> wrote:
> I just finished reading Phrack 62's article on Sneeze, and some of the
> threads here concerning the matter, and I must admit that I am bothered by
> some of the responses. There is nothing I hate quite as much as vendors
> who lie to their customers, except perhaps vendors that are too stupid to
> realize what really happened. I guess Marty assumes that anyone dumb
> enough to buy the hype of signature-based IDS and to think products like
> Snort/OpenSnort have any value as a security mechanism, is going to be too
> stupid to think independently and arrive at a conclusion as to what most
> likely did happen with the Snort.org compromise.
>
> First, if you look at the output from 'w' (I read a great article by BMcW
> talking about the unix command 'w' being run on the ever-secure
> cvs.openbsd.org by a malicious intruder, thanks Brian!), you'll notice
> that users from the hacked box were logging in to www.sourcefire.com, and
> some nameservers. The compromise must definitely have been limited to
> that single machine! No intruder would be smart enough to log
> authentication credentials on one hacked machine to get to another!
>
> Second, Marty speaks about the machine being "removed" from the rest of
> their network so if it gets compromised, it doesn't actually affect the
> Snort/Sourcefire network's security. Yet if you are being proactively
> secure, and assuming that a machine is going to get compromised, then
> logging into your corporate network from that machine doesn't seem like a very
> intelligent practice now, does it? Security is policy based, and these
> dopes can't understand that.
>
> Some good questions are:
> 1) If the intrusion were limited to a single "shellbox" then why did they
> need to audit the code in CVS to see if it was backdoored?
>
> 2) If the Snort developers cannot configure Snort to detect attacks on
> their own networks, why are you hiring Sourcefire to install said
> mechanisms on your network to protect you?
>
> 3) Why the fuck do people still think signature-based IDS is worthwhile?
>
> Get a clue, everyone.
>
>
> Marty - I look forward to your reply here; we'll follow up with a critique
> of your incoherent coding practices.
>
> - snot, the one and only infosec mucus
>
> -----------------------------------------------------------
> "Whitehat by day, booger at night - I'm the security snot."
> - CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
> -----------------------------------------------------------
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
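The quoted post's one concrete point is that a "removed" shellbox is not isolated if people log in from it to other hosts, because anything typed on a compromised machine (passwords, forwarded agent sockets) is available to the intruder. The check a responder would want after such an incident is the inverse of reading `w` on the hacked box: go to the other hosts' sshd logs and list every successful login whose source was the shellbox, so those accounts can be rotated and those hosts reviewed. The following is an added example, not code from the thread or from Snort/Sourcefire. The shellbox address, hostnames and log lines are constructed for the example; only the sshd "Accepted ... for USER from SRC port N" message format is real.

```python
import re
from dataclasses import dataclass

# Hypothetical address of the quarantined "shellbox" (constructed for this example).
SHELLBOX = "192.0.2.10"

# Constructed sshd auth log lines as they would appear on the destination hosts.
# Hostnames and addresses are examples, not values from the original thread.
SAMPLE_AUTH_LOG = """\
Sep 22 10:01:12 www sshd[4123]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
Sep 22 10:03:44 ns1 sshd[2210]: Accepted publickey for bob from 198.51.100.7 port 40111 ssh2
Sep 22 10:05:09 ns1 sshd[2233]: Accepted password for bob from 192.0.2.10 port 51030 ssh2
Sep 22 10:06:51 www sshd[4150]: Failed password for root from 203.0.113.9 port 60001 ssh2
Sep 22 10:07:30 www sshd[4160]: Accepted publickey for carol from 192.0.2.10 port 51044 ssh2
"""

# Matches the standard OpenSSH "Accepted <method> for <user> from <src> port <n>" record,
# preceded by the classic syslog timestamp, hostname and "sshd[pid]:" prefix.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Hop:
    """One successful SSH login: who, how, from which source, onto which host."""
    ts: str
    user: str
    method: str
    src: str
    dest: str


def parse_accepted(log_text):
    """Extract every successful login from syslog-style sshd output (failures are ignored)."""
    hops = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m:
            hops.append(Hop(m["ts"], m["user"], m["method"], m["src"], m["host"]))
    return hops


def hops_from(log_text, untrusted_src):
    """Successful logins whose source address is the compromised host, in log order."""
    return [h for h in parse_accepted(log_text) if h.src == untrusted_src]


def exposed_accounts(log_text, untrusted_src):
    """Map each account that authenticated via the untrusted host to the hosts it reached.

    A password login from a compromised box means the secret itself was typed on that box
    and must be treated as captured. A publickey login does not leak the key, but if the
    agent was forwarded, the intruder could use it for as long as the session stayed open,
    so those destinations still need review.
    """
    result = {}
    for h in hops_from(log_text, untrusted_src):
        result.setdefault(h.user, set()).add(h.dest)
    return result


if __name__ == "__main__":
    for hop in hops_from(SAMPLE_AUTH_LOG, SHELLBOX):
        print(f"{hop.ts} {hop.user}@{hop.dest} via {hop.method} from {hop.src}")
    print("accounts to rotate / hosts to review:", exposed_accounts(SAMPLE_AUTH_LOG, SHELLBOX))
```

In practice the input is the concatenated auth logs of every host the shellbox could reach (or a central syslog feed); the `Failed password` line in the sample shows that only successful logins are counted, since it is the successes that indicate a credential actually crossed the compromised machine.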