...it's easier to know how to break into a system/box/whatever, than it is to learn exactly what happened and take measures to prevent it.
Sure, some items are fairly obvious, but I'm willing to wager that there are a lot of exploits that even dedicated security officials aren't aware of, simply because the exploit was found and put to use, but never reported.
As it applies to 9/11, I'm fairly certain that OBL and his boys are more willing to shell out the cash for the folks who can find undiscovered vulns than for scripters who get their rocks off by passing around " 'sploits".
Given this, I doubt there is too awful much one can learn about securing the network completely against future attacks.
To paraphrase Gene Spafford when he talked about the idea of hiring hackers as security experts, an arsonist isn't necessarily well-qualified to be on a fire department.
An arsonist just pours some gas and lights a match. That's more like what a script kiddie does. They just throw some exploits at random machines and try to install subseven. Obviously they don't know jack about security. A skilled hacker is more like an experienced thief. They use complex techniques to avoid detection, make surgical strikes at predetermined targets, and learn about their targets' security measures to more effectively neutralize them. Those people make good security experts.
One real security problem is that the complexity of attacks is increased, but the difficulty of launching them has decreased. The more skilled hackers create scripts or point-and-click tools, and the script kiddies can use them without having to know much about what they're doing. One book had a transcript of a conversation from an irc hacking channel, and some of the "hackers" seemed to be lacking in basic knowledge. For example, one of them wasn't too sure how to mount a second hard drive in Linux.
It's usually to encourage people to patch their systems or to make it easier on themselves to use the exploits. If there are 4 blackhats who know how to break into my system and there never will be others, I'm not too likely to care. If there are 6,302,466 script kiddies who know how to break into my system, more are on the way, and they are choosing systems at random, I'm going to be frickin scared and patch my system as soon as possible.
Also, if I'm a blackhat, and I'm ticked off at some message board o
It's hard to swallow the idea that blackhats are only concerned about encouraging admins to patch their systems. It's like vandalizing someone's property and then claiming that you were only trying to motivate them to improve their security. I mean, how heartwarming.
As far as the message board exploit, sure, most people would prefer the path of least resistance. However, not everyone has the skill to write customized exploits - it sounds like most script kiddies don't. The prepackaged scripts and blac
I guess you're right about blackhats' altruism, so scratch that argument. However, I think most blackhats make the simple exploits for their own use and publish them to gain notoriety. What's the point of writing a brilliant piece of code if nobody knows it? Besides, maybe someone else will find a problem with it and fix it, and it'll work even better! Yay!
I'm doubting that it would be the folks who've been caught cheating, but I've been wrong before. It sounds like the Nevada Gaming Commission regulates gaming employees. http://gaming.nv.gov/
<corleone name='michael'>Senator, you can have my answer now if you like. My offer is this: nothing. Not even the fee for the gaming license, which I'd appreciate if you would put up personally.</corleone>
Oh, I wasn't denying that Vegas (at least at one time) had a mob presence. :) I just meant that the Gaming Commission apparently excluded the two-bit operators who'd been caught cheating (which I thought might correspond to the script kiddies).
"Sure, some items are fairly obvious, but I'm willing to wager that there are a lot of exploits that even dedicated security officials aren't aware of, simply because the exploit was found and put to use, but never reported."
These have a name. They are called 0 day exploits. This sort of thing is what the Mozilla Foundation is trying to prevent with their bounty program: Find a bug, and instead of saving it for later you get enough money for your new video card for Doom 3. Easy choice. Other systems of tr
Yep, they're zero-day exploits, but I was thinking of folks who, instead of holding it in their back pocket, offer the use of that vulnerability for sale... and for a lot more cash than the MSRP of a new video card.
In Mozilla's case, it would be possible to track an exploit and write your own patch, thanks to F/OSS.
Open source brings up another point - how can an agency prepare for an attack, even knowing how they'll get attacked, if the OS/proggie vendor hasn't a patch out for it yet...
Open source brings up another point - how can an agency prepare for an attack, even knowing how they'll get attacked, if the OS/proggie vendor hasn't a patch out for it yet...
It depends on the vulnerability, now, doesn't it? For example, if you knew about a problem with a particular library that, for example, handled PNG files, and you were using any software whether open or closed with no patch in the foreseeable future, you can do things like have your web proxies drop PNG images.
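Added example, not part of the original comment or of any real proxy product: a sketch of the stopgap described above, written as a hypothetical `should_drop` hook that a filtering proxy would call on each response. It checks the PNG signature in the body (including gzip-encoded bodies) as well as the declared Content-Type and the URL, because the declared type and the actual bytes can disagree; the sample responses are constructed.

```python
import gzip
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte header of every PNG file


def png_indicators(headers, body_prefix, url=""):
    """Return the reasons a response looks like PNG (empty list = pass)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    reasons = []
    ctype = h.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype in ("image/png", "image/x-png"):
        reasons.append("content-type")
    # Look at the real bytes too: the declared type can be wrong or missing.
    data = body_prefix
    if h.get("content-encoding", "").strip().lower() in ("gzip", "x-gzip"):
        try:
            # 16 + MAX_WBITS selects gzip framing; only the first 64 bytes are needed.
            data = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(body_prefix, 64)
        except zlib.error:
            data = b""
    if data.startswith(PNG_SIGNATURE):
        reasons.append("signature")
    # Ignore query string and fragment when checking the file extension.
    if url.split("?", 1)[0].split("#", 1)[0].lower().endswith(".png"):
        reasons.append("extension")
    return reasons


def should_drop(headers, body_prefix, url=""):
    """Hypothetical proxy hook: True means replace the response with a block page."""
    return bool(png_indicators(headers, body_prefix, url))


# Constructed sample responses: (headers, first bytes of body, URL).
FAKE_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR"
SAMPLES = [
    ({"Content-Type": "image/png"}, FAKE_PNG, "http://example.test/logo.png"),
    ({"Content-Type": "text/plain"}, FAKE_PNG, "http://example.test/notes.txt"),
    ({"Content-Type": "application/octet-stream", "Content-Encoding": "gzip"},
     gzip.compress(FAKE_PNG), "http://example.test/download?id=7"),
    ({"Content-Type": "text/html; charset=utf-8"}, b"<!doctype html>", "http://example.test/"),
]

if __name__ == "__main__":
    for headers, body, url in SAMPLES:
        print(url, png_indicators(headers, body, url) or "pass")
```

The second and third samples are the cases a Content-Type-only rule would let through: a PNG served under a different declared type, and one hidden behind gzip encoding.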
Just one thing that very few learn... (Score:5, Interesting)
There are often ways o