Full Disclosure mailing list archives
Re: Is Marty Lying?
From: David Hoelzer <dhoelzer () cyber-defense org>
Date: Tue, 23 Sep 2003 00:42:35 -0400
Dude... Reading your inane posts helps me to better understand why you feel that sticking an "A+" cert in your signature will make us think you have a clue.

On 9/22/03 10:04 AM, " security snot" <booger () unixclan net> wrote:
I just finished reading Phrack 62's article on Sneeze, and some of the threads here concerning the matter, and I must admit that I am bothered by some of the responses. There is nothing I hate quite as much as vendors who lie to their customers, except perhaps vendors that are too stupid to realize what really happened. I guess Marty assumes that anyone dumb enough to buy the hype of signature-based IDS and to think products like Snort/OpenSnort have any value as a security mechanism is going to be too stupid to think independently and arrive at a conclusion about what most likely did happen with the Snort.org compromise.

First, if you look at the output from 'w' (I read a great article by BMcW talking about the unix command 'w' being run on the ever-secure cvs.openbsd.org by a malicious intruder, thanks Brian!), you'll notice that users from the hacked box were logging in to www.sourcefire.com, and some nameservers. The compromise must definitely have been limited to that single machine! No intruder would be smart enough to log authentication credentials on one hacked machine to get to another!

Second, Marty speaks about the machine being "removed" from the rest of their network so if it gets compromised, it doesn't actually affect the Snort/Sourcefire network's security. Yet being proactively secure, and assuming that a machine is going to get compromised, then logging into your corporate network from that machine doesn't seem like a very intelligent practice now, does it? Security is policy based, and these dopes can't understand that.

Some good questions are:

1) If the intrusion were limited to a single "shellbox" then why did they need to audit the code in CVS to see if it was backdoored?
2) If the Snort developers cannot configure Snort to detect attacks on their own networks, why are you hiring Sourcefire to install said mechanisms on your network to protect you?
3) Why the fuck do people still think signature-based IDS is worthwhile?

Get a clue, everyone.

Marty - I look forward to your reply here; we'll follow up with a critique of your incoherent coding practices.

- snot, the one and only infosec mucus

-----------------------------------------------------------
"Whitehat by day, booger at night - I'm the security snot."
- CISSP / CCNA / A+ Certified - www.unixclan.net/~booger/ -
-----------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html