Message-ID: <20040710010823.GA7928@comcast.net>
From: st3ng4h at comcast.net (st3ng4h)
Subject: No shell => secure?

On Fri, Jul 09, 2004 at 10:41:59PM +0200, Matthias Benkmann wrote:
> Since everybody seems to insist on misunderstanding me
[snip]

I think people are understanding you perfectly well. Your approach
and your reasoning are the main cause of friction, because they are 
both somewhat flawed and lack perspective. The assumption you hold 
that 'I have no enemies, therefore I needn't worry about any attacks
that require modification or extra effort to compromise my system' 
is, sorry to say, naive, and ideas of putting /bin/sh in goofy 
places and dealing with the implications of doing so, in order to 
guard against a tiny subset of possible attacks, are 
counterproductive.

Regardless of whether you want to believe it or not, what you 
propose is security through obscurity (or, breaking the system 
outright), and if it is your first or only line of defense, you're
caught with your pants down when the first skilled attacker 
becomes interested in your system. What's more, the improvement in 
security is infinitesimal in relation to the amount of effort 
required to get it working properly, or at all.

If you really want to go through the horrendous contortions
necessary to get it working, your ideas can be effective in 
deterring automated attacks and the most dimwitted/lazy of 
attackers. But if these threats are the only ones you are willing 
to take into consideration in securing your system, you're in 
trouble.

> So I have one example to back up my claim. Now it's your turn. Give me a
> worm that my scheme would not have protected me against. That's all you
> need to do to convince me. Easy, isn't it? No need to give me lengthy
> lectures. Just give me one URL. If you can't do that, don't bother
> replying. You're wasting your time, because you're telling me things I
> already know.

I know this game; it's called "Waste Everyone's Time".

Why should anyone play it when your attitude conveys that you will
refuse to understand why your idea is half-baked to begin with,
even if they showed you evidence to the contrary?

st3ng4h
