samhain (System cracked, a story)

Jerry Feldman gaf at blu.org
Wed May 28 14:42:41 EDT 2003


On Wed, 28 May 2003 13:36:29 -0400 (EDT)
"Rich Braun" <richb at pioneer.ci.net> wrote:

> Tone it down a little, please.  I have worked in the industry and have
> been familiar with the issues since 1979, and admit full well where my
> weaknesses as well as strengths are.  I'm not as daft as you're making
> me out to be.
> 
> Would anyone other than Derek care to comment on this topic?

On Tue, 27 May 2003 15:33:10 -0400
Derek Martin <blu at sophic.org> wrote:

> Your argument is wrong.  Changing the model will only change the
> attackers' strategy.  Real crackers (those who write the scripts,
> rather than those who only use them) have proven to be exceedingly
> patient, and exceedingly resourceful.  Until software is bug free,
> there will always be exploits.

I both agree and disagree with this. First, I think that we do not have
the technology to create truly bug-free software. (I once worked on a
system that claimed "provably correct software", and we can discuss this
in another subject). I've seen software that contained latent bugs for
many years. A bug can be a coding error or an error in the design. And
bugs frequently show up when a system is modified for some reason. 

However, many of our systems are not designed with security in mind.
Windows 9x is an excellent example of that. However, one can design an
architecture with security being one of the design goals. By changing
the architecture we will change the attackers' strategy. But, in doing
so, we can make it more difficult for them, but they will find a way. 

The ultimate bottom line is "there will always be exploits". Just as
there is no such thing as an escape-proof prison, there is no such thing
as an attack-proof system. 
-- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix user group
http://www.blu.org PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9