From: Adrian Tymes (wingcat@pacbell.net)
Date: Fri May 23 2003 - 00:49:49 MDT
--- Harvey Newstrom <mail@HarveyNewstrom.com> wrote:
> Really, these methods are trivial to anybody who
> wants to learn them. Only
> people unfamiliar with this stuff doubt it exists.
Actually, I've heard about every single method you
listed. And I've built systems that guard against
'em.
(CGI scripts that *don't* validate input? My sysadmin
would have my job if I let one of those onto our
system, regardless of whether or not anyone's
exploited
it yet. And he checks.)
I will grant, those vulnerabilities exist in far more
places than most people realize. The problem is, the
vulnerabilities almost always turn up in trivial
systems: *unclassified* military systems (like a
public
Web server), *small* ecommerce systems (that haven't
processed more than a few $millions yet, and often
tend
to get exploited and their owners sued out of
existence before they grow large if their owners don't
take security seriously), et cetera and so forth.
This
is a function of the fact that, if it's on the public
'Net, it will be found and attacked eventually. Those
systems that survive are the ones that were and remain
secure. Natural selection in action. (That there are
still vulnerabilites stems in part from the perceived
lack of benefit for paying for proper security, among
the corporate managers who would have to budget for
it.)
To counter the meme that all systems are vulnerable,
how about this test: there is an Excel spreadsheet on
the desktop of the Windows computer I am typing this
email at. Try to break in and tell me what the
spreadsheet describes before Monday, 5/26/2003,
without
gaining physical access to the machine. Of course I
have a firewall and so on; the real kicker is that I
intend to leave my computer powered down this weekend
while I attend some real world functions.
Unfair? No, that's reality: anything that truly
matters tends to be secure. If you want a "fair"
challenge, go ahead and deface one of my Web sites
(http://www.wingedcat.org/)...and note how little that
really affects me. This is about the extent of the
damage that most cyberattacks really do. (Granted,
some - like those that steal CC numbers - actually do
a
modest amount of financial damage. But not that
much.)
To date, of the systems that I have personally
secured,
only one is known to have been compromised - by
myself,
at the request of those I built the system for when
they lost the admin password. (Fortunately, they only
wanted network security, not physical security, and I
had physical access when recovering the password.)
This archive was generated by hypermail 2.1.5 : Fri May 23 2003 - 01:00:55 MDT