Full Disclosure mailing list archives

Re: Is Marty Lying?


From: Valdis.Kletnieks () vt edu
Date: Mon, 22 Sep 2003 11:30:50 -0400

On Mon, 22 Sep 2003 07:04:04 PDT, security snot <booger () unixclan net>  said:

> 1) If the intrusion were limited to a single "shellbox" then why did they
> need to audit the code in CVS to see if it was backdoored?

Would you rather they just said "Oh, since we *KNOW* the intrusion was
only on one shellbox we won't bother looking at anything else?"

It's through things like audits and system integrity checks that you establish
that in fact, the intrusion did appear to be limited to one box.

> 2) If the Snort developers cannot configure Snort to detect attacks on
> their own networks, why are you hiring Sourcefire to install said
> mechanisms on your network to protect you?

Snort is only designed to catch certain things.  As far as I can tell, at the
time of the intrusion, said attack wasn't recognized as being in the problem
space.

Maybe they're hiring Sourcefire because they recognize that even though neither
the people nor the product is perfect, having Sourcefire do it for them is still a better
bet than trying to get it right themselves.

The mechanic I take my car to isn't perfect, he admits it.  Had to take my car
back once because a bolt didn't get tightened down right.  On the other hand, I
still take my car to that shop, because it's (a) reasonably priced and (b) the guy
has a better chance of rebuilding the carburetor on an '87 Tercel than I do.

> 3) Why the fuck do people still think signature-based IDS is worthwhile?

Just because a signature-based IDS doesn't catch 100% of anything doesn't
mean it's not worthwhile.

Why the fuck do people still think police are worthwhile, they only catch 95% of
the criminals?

Why the fuck do people still think having an independent accounting firm look
over the books is worthwhile, they only find the embezzlers 95% of the time?
