lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1989F6F0D512A7428593D724A81986F0239143@waprdms01.gsm1900.org>
From: Michael.Schmidt at T-Mobile.com (Schmidt, Michael R.)
Subject: Calcuating Loss

-----Original Message-----
From: Michael Gargiullo [mailto:mgargiullo@...pdrive.net]
Sent: Wednesday, May 12, 2004 10:53 AM
To: Schmidt, Michael R.
Cc: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Calcuating Loss

On Wed, 2004-05-12 at 11:56, Schmidt, Michael R. wrote:
> Well one of the biggest issues that allows people to remain anonymous is DHCP. 
I Disagree. That's traceable, ask the RIAA or MPAA.
Those idiots should have burned their hard drives that would be hard to trace.  Content saved to hard drives can almost always be rebuilt.


> If everyone on the internet was required to get a static IP address, or to log which IP they were using - using a secure technology then everyone could be tracked, sure a few "super" hackers could still manage to escape detection I am sure, but there is nothing that is the equivalent of a drivers license on the internet.
The Internet is just that, the inter-connection of different networks.
Each network is owned by someone. If you happen to run a network of 5
computer's and have an internet connection, your network is part of the
internet.
Yes, I own my home network.  My children are allowed to get on the Internet.  Just found a bunch of malware on my sons computer.  His privileges have been revoked.  But you can't fire your kids.  You can however educate them.  What I found was that even though he had been "educated" (Don't click pop ups - even ones that say they are going to help you), he was clicking every freaking thing that popped up.  Now don't get me wrong, he is a brilliant kid, a tad unmotivated, but he was unwittingly allowing malware to be installed on his computer.  Now I have pop up blockers installed on his computer.  But he can still turn them off.  Users can be stupid, even when they share our own DNA

>
> Sure there would still be criminals using stolen credentials, but IPs are handed out based on location or where you dialed in from.

Ip addresses are handed out from your ISP.  Once your network is large
enough, you can ask for your own block of IP addresses that your
upstream provider (Internet Provider) will route and announce for you.
I have a static IP.


>  Dialing in can be traced using caller ID, wireless by IP and base station proximity, so just like today, people would have a alibi for the time and place the criminal used their identity.
Why, are you actively online 24/7 ? So for the 5 minutes you spend in
the restroom, I can pull up outside, grab a signal from your AP, and
launch the next Bagel.zzz worm, then leave before your back at your
desk. I used your internet connection to launch it... Your alibi... you
were in the restroom, it couldn't be your fault.  Please. you want to
stop this mess... protect your own network.
You could.  So far my wireless connection is only wep protected, but I will add radius authentication next, and it is in the dmz

>
> What we need is something that you have to log into (securely) or your DHCP is revoked immediately.

I'll break this down into two parts.  A DHCP address is not revokable.
If your dhcp server gives out 24 hour leases, 12 hours from now, the
computer will check in with the dhcp server.  You may have some luck
then revoking the IP.
With current technology. You could also actively block it at the router when it was discovered to be an invalid user.  I do know a bit about technology.  Every time someone tells me I cant do something or that something cant be done I know it will be only a short bit of time till it is.


>   And of course static IPs are well, static and since they are routed, routes can be logged and therefore trackable.

All IP addresses are routable (Maybe not on the internet), it's how the
client gets the IP address that you've commented on.  Set good policies
on your firewall, and have a lot of storage space for log files.
>
> So again it is anonymity that causes most of the grief. 
Not entirely.
That's why hackers hide - its anonymous
If the walked into a starbucks and announced that they were actively logging all wireless network activity how long do you think people would stay logged on or allow them to log said activity


> If all code had to be signed, then you'd know who wrote it, and running unsigned code would be your own stupid fault.

Are you Steve Ballmer?  Are you talking about Palladium?

So if I write a 5 line perl / C++ / vbs script for some system
administration task, you'd have me spend $$ to have the code signed (By
a recognized CA, like SSL certs) to be able to run and share it.  Ah and
if I just ask people to trust my code and run it...  we're back at
square one.
No, What I said was if you run unprotected code it is your fault.  Not mine, not the computer manufacturers, not mircosofts, not lindows, not redhats, not scos, not freebsd, not anyone but your own.


Do you remember when it wasn't safe to "Trust all content from
Microsoft" yet it was signed by them.

>
> If you replace a part on some new cars with a non-manufacturers part, you void the warranty.

Not always, check your warranty
I said some


>  But when you run unsigned downloaded for free or sent through email code on your dell, who do you call and expect to fix it when it stops working?
you do the same thing you do when your car breaks down, take it to
someone who can fix it, and pay them to do it.  There's a whole market
based on this principal.
Of course, but most people call the manufacturer because their computer didn't cost them 20 - 50k and they don't want to *pay* to have it fixed

>   The end user is the moron, we require no test to get on the internet and yet we let more people anonymously sign on the net everyday.

Again, let *darwinism take it's course, and protect yourself.
But in the real world when someone breaks into my house I can protect myself with whatever means I deem necessary.  In cyberspace it is a damn near impossibility.  In real life it is a quick trip to "bubbas gun shop" a seven-day wait and I have my protection.  In the real world locks work good enough for me to hear the break in and get bubba.  In the real world no one is going to enlist 5000 cars (or more) to all be remotely controlled to crash into my house or business.  But in cyberspace it isn't that hard to create a robot army ready to deny service to any entity I like.


*Where I work you get 1 shot. you get infected the first time, you get a
warning, after that you get a fine. The way our network is setup, a user
has to work at it to get infected.
Again I cant fire my children, and again, I have a simple 7 computer network, and this is turning into a full time job.

Maybe it is simply the job of the ISP to block all traffic on all ports except what the end user needs, as new needs arise, the end user calls in and gets those port unblocked.


<snip>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ