Full Disclosure mailing list archives
Re: No shell => secure?
From: st3ng4h <st3ng4h () comcast net>
Date: Fri, 9 Jul 2004 20:08:23 -0500
On Fri, Jul 09, 2004 at 10:41:59PM +0200, Matthias Benkmann wrote:
Since everybody seems to insist on misunderstanding me
[snip] I think people are understanding you perfectly well. Your approach and your reasoning is the main cause of friction, because they are both somewhat flawed and lack perspective. The assumption you hold that 'I have no enemies, therefore I needn't worry about any attacks that require modification or extra effort to compromise my system' is, sorry to say, naive, and ideas of putting /bin/sh in goofy places and dealing with the implications of doing so, in order to guard against a tiny subset of possible attacks, is counterproductive. Regardless of whether you want to believe it or not, what you propose is security through obscurity (or, breaking the system outright), and if it is your first or only line of defense, you're caught with your pants down when the first skilled attacker becomes interested in your system. What's more, the improvement in security is infinitesimal in relation to the amount of effort required to get it working properly, or at all. If you really want to go through the horrendous contortions necessary to get it working, your ideas can be effective in deterring automated attacks and the most dimwitted/lazy of attackers. But if these threats are the only ones you are willing to take into consideration in securing your system, you're in trouble.
So I have one example to back up my claim. Now it's your turn. Give me a worm that my scheme would not have protected me against. That's all you need to do to convince me. Easy, isn't it? No need to give me lengthy lectures. Just give me one URL. If you can't do that, don't bother replying. You're wasting your time, because you're telling me things I already know.
I know this game, it's called "Waste Everyone's Time". Why should anyone play it when your attitude conveys that you will refuse to understand why your idea is half-baked to begin with, even if they showed you evidence to the contrary? st3ng4h _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: No shell => secure?, (continued)
- Re: No shell => secure? Ron DuFresne (Jul 09)
- Re: No shell => secure? Barry Fitzgerald (Jul 09)
- Re: No shell => secure? Vincent Archer (Jul 12)
- Re: No shell => secure? daniel uriah clemens (Jul 09)
- Re: No shell => secure? Nick FitzGerald (Jul 09)
- Re: No shell => secure? Ron DuFresne (Jul 09)
- Re: No shell => secure? Valdis . Kletnieks (Jul 09)
- Re: No shell => secure? Matthias Benkmann (Jul 09)
- Re: No shell => secure? Valdis . Kletnieks (Jul 09)
- Re: No shell => secure? hax (Jul 09)
- Re: No shell => secure? st3ng4h (Jul 09)
- Re: No shell => secure? hax (Jul 09)
- Re: No shell => secure? Matthias Benkmann (Jul 09)
- Re: No shell => secure? Kurt Seifried (Jul 09)
- Re: No shell => secure? Seth Alan Woolley (Jul 12)
- Re: No shell => secure? Wall, Kevin (Jul 09)
- Re: No shell => secure? Martin Fallon (Jul 09)
- RE: No shell => secure? Deckard, Jason (Jul 09)
- Re: No shell => secure? John Creegan (Jul 12)