samhain (System cracked, a story)

Wizard wizard at neonedge.com
Tue May 27 10:31:38 EDT 2003


> Unfortunately, I think this statement is also patently false.  It
> would likely be more accurate to say something like, "A sophisticated
> cracker could probably write a program to make deinstallation of
> samhain trivial for the next batch of script kiddies; and the effort
> to cover one's tracks is worth it to anyone who really doesn't want to
> get caught."

I have to say that this is not necessarily true. It has been my experience
that the more popular/common the system, the more likely that an
exploit/hacker tool exists. Tripwire is a popular/common system, and
therefore more likely to generate an exploit/crack than samhain (which I
honestly hadn't heard of until yesterday, but plan on testing today). That
is not to say that an exploit won't be created, only that it is less likely.
I have worked with SGI Irix for a while and have discovered that exploits
for these systems are far fewer than for the Solaris systems that I work on
(what idiot would really want to attack an SGI anyway ;-). The same appears
to be true of OSX, which I have also begun to work on in recent months.

I do subscribe to CERT and regularly watch for stuff that applies to me
(including my home Win2k box), regularly apply patches and maintain my
firewall(s), but understand that if and when I get hacked, it will probably
be for something stupid, so I maintain regular offline backups of my root
drive (tapes at work, CDs at home). Also, as of this week, I will have
SSHV2-only access to my primary machine at work (thanks, everyone). I've
been reasonably diligent over the years (about 20), and honestly have no
stories to tell. Granted, I haven't worked anywhere that is overly
attractive to that crowd either (JPL never called back :-).
Grant M.