Re: Is Marty Lying?

[daniel uriah clemens <daniel_clemens () autism birmingham-infragard org>]

Dear security snot,

> I just finished reading Phrack 62's article on Sneeze, and some of the
> threads here concerning the matter, and I must admit that I am bothered by
> some of the responses.  There is nothing I hate quite as much as vendors
> who lie to their customers, except perhaps vendors that are too stupid to
> realize what really happened.  I guess Marty assumes that anyone dumb
> enough to buy the hype of signature-based IDS and to think products like
> Snort/OpenSnort have any value as a security mechanism, is going to be too
> stupid to think independantly to arrive to a conclusion to what most
> likely did happen with the Snort.org compromise.


Could you possibly direct everyone on this list to a good alternative or a
better solution to the problem you can so clearly see!

Please provide solutions following your self righteous claims instead of
just making statements.

> First, if you look at the output from 'w' (I read a great article by BMcW
> talking about the unix command 'w' being run on the ever-secure
> cvs.openbsd.org by a malicious intruder, thanks Brian!), you'll notice
> that users from the hacked box were logging in to www.sourcefire.com, and
> some nameservers.  The compromise must definately have been limited to
> that single machine!  No intruder would be smart enough to log
> authentication credentials on one hacked machine to get to anther!

Once again, if you could provide us with some hard cold facts on this,
this is simply hear-say.

> Second, Marty speaks about the machine being "removed" from the rest of
> their network so if it gets compromised, it doesn't actually affect the
> Snort/Sourcefire network's security.  Yet being proactively secure, and
> assuming that a machine si going to get compromised, then logging into
> your corporate network from that machine doesn't seem like a very
> intelligent practice now, does it?  Security is policy based, and these
> dopes can't understand that.

Hrm. , yet they write ids policies for most of the world?


> Some good questions are:
> 1) If the intrusion were limited to a single "shellbox" then why did they
> need to audit the code in CVS to see if it was backdoored?


Good question, but why not audit everything after one box is compromised?

> 2) If the Snort developers cannot configure Snort to detect attacks on
> their own networks, why are you hiring Sourcefire to install said
> mechanisms on your network to protect you?
>
> 3) Why the fuck do people still thing signature-based IDS is worthwhile?

Give us another solution. Are you saying anomoly based ids signatures are
_worthwhile_?

Either way, whatever ids solution you end up turning to it will in the end
look for some sort of pattern and or hueristic. Every security product
looks for some type of signature. Please tell us what we are all missing
by looking for clues and drawing up strange hueristics for certain types
of activity.

> Get a clue, everyone.

Give solutions instead of self righteous statements filled with not
content.

> Marty - I look forward to your reply here; we'll follow up with a critique
> of your incoherent coding practices.l

-Daniel Uriah Clemens

Esse quam videra
     (to be, rather than to appear)
                     -Moments of Sorrow are Moments of Sobriety
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html