Disqus - Latest Comments for jonessm

Re: Challenged

jonessm — Thu, 14 Aug 2008 11:29:11 -0000

Where the FUCK did wishful thinking enter into this discussion? Did
you read a God-damned thing anyone else wrote here?
You can't HOPE that somebody who breaks in only does X, instead of X,
Y, and Z. Explain what the hell you were thinking and how this
applies to security. I'll be kind, even the loosest interpretation
of the word "security" will do. Or, PISS OFF.

Re: Challenged

jonessm — Sat, 09 Aug 2008 16:28:05 -0000

>On corporate networks it doesn't really make a difference what
system there is to keep data in and bad guys out.
I agree, but I don't see where this is going. I'm not necessarily
saying that *nix or MS security is wrong, just that it all tends to
fall apart as you scale out.

>There's also not really something like "a regular user's account on
a server"
There are though, most admins log in with one. The original point I
was trying to make was just that a compromised user account can be a
very big deal. There seems to be some myth that a Linux virus can
only rm -rf ~, and flash "nyah nyah nyah" on the screen. As you seem
to imply, corporate networks are very complex and hard to keep track
of, a malicious program anywhere in it could end up being a huge
ordeal. Even a bugged account on a home system could be huge. Very
few people pay close enough attention to the depths of their
filesystems to notice anything was wrong. Why break in, destroy
everything and leave? Why break in, steal everything and leave? Why
leave or ever give away your presence at all? "I'll only lose my
home dir" is bogus, that's what I'm saying.

>A 4000-employee with a dozen locations (a rather small corporation)
can easily have 50 servers spread over the globe.
I would imagine VERY many more than 50. Security is hard :\

Re: Challenged

jonessm — Fri, 08 Aug 2008 12:25:10 -0000

What are we talking about, personal f'ing desktops? And then you're
going to make assumptions about all the other pathetic Linux desktop
users in the world?
Sure, _you_ can lock down any one machine like Fort Knox, can you do
that to a whole network? How many users do you suppose do this,
taking into consideration the level of difficulty and inconveniences
it poses?
/etc/password, WTF dude, who doesn't use centralized authentication
today?

Look dude, this isn't exactly the direction I wanted this to go. I'm
a UNIX admin on a smallish/medium sized network.
We all know that with a lot of elbow grease you can build little
secure silos out of ANY OS, it just doesn't scale, and isn't very
practical.

>>This could only occur with social engineering and a great way to
make enemies out of someone.
LOL, I'm sure con artists, and criminals give a flying piss what
society thinks of them.

Going back to my original point, "IF I'm infected, then I'll only
lose my home directory" is BS. - Just as short sighted as "If
someone breaks into my home I'll just lose some stuff"
"I COULD build a high tech, super secure castle of a PC" is BS. - I
COULD also put up an electric fence, razor wire, and moat full of
alligators around my house. I could be a big asshole and say
everyone else should to do it too. This is a very impractical way of
improving national security.
"Social engineering doesn't count" is TOTAL BS. - Think VERY hard
how differently all your whole system could behave if social
engineering wasn't considered a serious attack vector. Internet
security is still largely built on trust, part of implementing good
security is eliminating any blind trust. How about enforcing SSL
certs or any method of preventing forged email delivery? Were those
implemented just on a whim?

We can do better, just need to wake up and think real hard about
TODAY's security.
... or go back to what, ~20 year old models that our current security
is based on... big, trusted, centralized systems in large
universities, corporations and government?

Re: Challenged

jonessm — Fri, 08 Aug 2008 11:37:07 -0000

You're thinking too small. On a corporate network, there is probably
nothing of value inside a regular user's account on a *nix server (a
samba server might be different story). Maybe your shell history
file to help figure out the rest of the network. Compromise the
server, and the attacker could hide his tracks and snoop on ALL
admins that pass through. Don't know about you, but one infiltrated
corporate network is worth a whole lot more than some dolt's PC.
What are you going to do? Look for credit card info, try guessing
the CVV? Hope to find some moron who's kept all of his social,
account numbers, PINs in cleartext on his PC? Sell _one_ dude's
info? OK, I think you can see how a corporate network would be worth
more.

Lets all stop pretending the the wonderful design of UNIX's fortress-
like security means squat on today's distributed systems with our
current security practices.

Also... if someone has taken control of your system, they can
perpetually steal your data and anyone else's on that machine at the
very least, how in the hell does what you say make any sense?

Re: Challenged

jonessm — Thu, 07 Aug 2008 13:28:31 -0000

You freetards act like having your user account compromised is guaranteed to be easily detectable and obvious. BS!

This goes for Windows, Linux, and most UNIX systems... if your user account is compromised, you probably will not notice, and backups wont save you. On a Windows machine, something could have been started at login, taking advantage of any network wide privileges you may have. On UNIX-like systems, your profile might be modified to add a path to your home directory, which includes trojaned binaries. How long until something you execute with elevated privileges calls one of those in turn?

Claiming that the design of UNIX somehow saves you on modern Linux desktops & servers is utter BULLSHIT.
The superior design you talk of might have been worth something back in the days of big multi-user systems, with full privileges being obtained solely through logging in as a separate user, root.
Linux fanbois take heed, if your user account is capable of elevating privileges, you had better treat your home dir, and anything you can touch as if it was root's. This should account for 99.9% of user accounts on any modern system, including most servers. Might as well take a piss on UNIX fundamentals while your at it.