On Wed, Aug 4, 2010 at 11:08 AM, Richard Pieri <richard.pieri-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org> wrote:
> On Aug 4, 2010, at 12:04 AM, Jarod Wilson wrote:
>>
>> Sorry, why does where the data is stored matter? With the online
>> banking I've seen, you still connect to a site via ssl first. No
>> authentication yet. Then you authenticate. Then you can see all your
>> financial information. How is this ultimately any different than
>> having to authenticate and then seeing data that is on the same
>> machine? Only difference I see is that perhaps the bank is a bit
>
> Everything. Everything is different.

Take it a step at a time. Start with encryption. Then authentication. In both cases (banking site and my mythweb deployment), encryption comes before auth. *That* part is the same. And that's the same part you insisted was weak.

In both cases, if the authentication is defeated (the attacker has your login info), they can see all the data. They can see my television recordings and they can see my bank statements. They can delete recordings, they can delete automated payments. They can schedule new recordings, they can schedule new automated payments. It really doesn't matter that the bank has a multi-tiered setup, because they now trust the individual that has managed to get themselves logged in to your account. At this point, actually hacking into the system underlying the web app hasn't even come into play at all yet.

And even actually gaining access to the system running the web server isn't particularly different in either case -- very recent reports showed that the market leader in web servers is apache running on CentOS. So it's entirely possible the *exact* same (theoretical) apache exploit could be used to gain access to both my myth box and the bank's edge web server. It's only *after* a successful hack that "Everything is different" really starts to be valid.

> I've already explained it quite thoroughly but since that is insufficient to convince you.
> So, there's really no point in me wasting my time.

Yes, I still contend that you've left a lot of my questions without any satisfactory answer. So no, I'm not convinced. Regardless, I've actually enjoyed the discussion, and I apologize for wasting your time. :)

-- 
Jarod Wilson
jarod-ajLrJawYSntWk0Htik3J/w at public.gmane.org