[geeks] fw

Greg A. Woods woods at weird.com
Thu Jul 25 16:04:54 CDT 2002


[ On Thursday, July 25, 2002 at 15:49:56 (-0400), mattyml at daemons.net wrote: ]
> Subject: Re: [geeks] fw
>
> I would have to disagree. You are using an OS and platform that is non
> standard, as far as readily available attack scripts go. How is this any
> different than running ssh on port 1001?

Yes, absolutely.  Let's just say I'm not hiding the OS type.  I also
know for a fact that it's immune to all known (err, OK, commonly known)
root kits.  I also know for a fact that a vast majority of those who
create and use 

Let's now say that I know I have nothing that any serious and capable
attacker would find valuable -- at least nothing more valuable than can
be more easily obtained from a dozen other systems.

That leaves the known and unknown threats being basically just the script
kiddies, and I know they can't crack my machine.

I suddenly don't have to work nearly so hard to protect it as I would if
it were commodity junk running a commodity OS.  (I.e. I'm not vulnerable
to day-one exploits and ongoing lamer attacks, so I can spend my security
"budget" far more sanely.)

> That is non standard also, and
> will break most of the available attack scripts. I still think you are
> trying to obscure your platform to achieve security.

Security by obscurity is also sometimes well within reason.  However you
won't know whether it is or not unless you do a proper risk analysis.

Nothing is ever 100% absolutely secure, not in computing and not in any field.

The day that a significant number of first-day exploits ship out of the
box with smart attack mechanisms that'll clobber the rare systems just
as quickly and easily as the common systems, then I'll re-evaluate my
own risk analysis.  Curiously even those exploits available today that
claim to be able to attack multiple platforms often fail on the less
"popular" platforms....

> From a "smart"
> attackers point of view, the OS and platform it resides on is irrelevant.

I don't need to protect against the smart attacker -- I make it plain to
them up front that I don't have anything they would risk attacking me to
get.  I don't claim I can stop a "smart" attacker so there's not even an
ego game to play:  (no fun) + (no profit) == (no attack).

> If I was looking to exploit NetBSD on a SPARC, I would look to inject
> sparc assembly instructions based on reconnaissance and probing. Not to
> say using a different OS and platform is bad, *I* just feel it is
> obscuring things.

You might just know what you're doing (i.e. you might not be just some
"script kiddie" out to crack a zillion boxes), but even so if you can't
duplicate my platform and test your attack offline so that you get it
right the first time you try it against my systems then you might just
set off my alarms and not get a second chance.  :-)

Besides a "smart" attacker still has to have a motive to do a "smart"
attack.  Is he or she going to risk the chance that my system isn't a
honeypot?  I.e. is attacking my system really worth the risk of getting
caught?  For defense against a "smart" attacker I only have to be more
secure than the next guy -- a "smart" attacker will also do a back of
the envelope risk analysis and if he can get the same thing from some
lame un-patched Linux system running on WinTel hardware for which there
are dozens of known exploits then why would he attack my system?

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods at ieee.org>;           <woods at robohack.ca>
Planix, Inc. <woods at planix.com>; VE3TCP; Secrets of the Weird <woods at weird.com>
