[Courses] [Security] Inside Attacks

Raven, corporate courtesan raven at oneeyedcrow.net
Tue Mar 26 18:38:51 EST 2002


Heya --

Quoth jennyw (Mon, Mar 25, 2002 at 07:14:59PM -0800):
> Wow, great story about TDW. I can't believe their security people
> responded so slowly!

	That sort of approach is fairly common -- there are whole
communities online that share "ins" like that among each other.  The
problem with doing things like this is that sometimes the company
(stupidly, in my opinion, but hey) decides to sue the person warning
them about the hole rather than fixing it.

	<opinion-filled rant>  I completely fail to see the point of
this.  After all, the person who found the hole didn't have to notify
the company.  Most of them won't.  If someone wrote me with a "hey, look
at this" about my company, I'd be really grateful that I was made aware
of the problem (and then, really paranoid about how long it had been
there without me knowing).  You bet I'd be using Tripwire or something
to check the integrity of my data.  But I think killing the messenger is
self-defeating -- who's going to tell you about your problems then?  No
matter how good one sysadmin is, you can't find every hole or notice
every problem.  I think that a responsible method of disclosure should
be encouraged and rewarded, not punished. </opinion-filled rant>
 
> There are ways to secure a machine that people have physical access to
> even without a physical lock.  For one thing, it really depends on what
> you're trying to secure. If your goal is to keep information secret, then you
> can use encryption. They can do damage to your system, but your files
> would still be safe. You can also have a BIOS password in addition to a
> screensaver. Of course, someone could remove the disk and stick it in
> another machine, but it'd be a real hassle for them to do that. There
> are probably other ways ... but hopefully you trust the people who have
> physical access to your computer!

	It depends on the usage.  For my home system, mostly.  For a
work system, t'ain't necessarily so.  There are lots of people that have
access to a co-location facility that you don't necessarily know or
trust.  It depends on how important it is to keep that data secured.
I'm sure the military has all sorts of physical security measures in
place -- biometrics, etc. to even get to the servers.

	Anyone had any experience with any of the encrypted filesystems?
That's another thing I keep meaning to eventually play with on a dev
box, and just haven't found the time for yet.

Cheers,
Raven
 
"Incoming packet over rabbit. SYN."
"Incoming packet over duck. quACK!"
  -- me and Tiff, flinging stuffed animals and tech humor
