I agree. The fact that this kid so arrogantly made this "wager" highly
suggests to me that the idjit had access to a machine, installed something
a la Back Orifice and is thinking he's oh-so-clever and this'll be an easy 2
grand. Judging by the poster's statement that he had no web or programming
exp., this would most likely be the case (in my experience).

-R

> -----Original Message-----
> From: Dave Watts [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, April 04, 2000 10:09 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: Security holes revisited -- reward offered
>
>
> > I disagree (somewhat).  While I think the boss is throwing
> > money away if he paid before success, lots of highly successful
> > companies pay "Tiger Teams" to break into their networks. It's
> > a VERY lucrative talent if you can do it.
>
> While it's true that there are network security consultants who will break
> in to demonstrate security flaws, this isn't what's being done here. There
> are several serious issues being ignored when you make this comparison.
>
> If you hire a company to test your security, and they're qualified, you and
> they will have lots of legal hurdles to cross. For example, you probably
> wouldn't want to test your production system directly - there might be
> accidental damage, or a service outage as a result. You'd need full logging
> of everything they tried. You'd need them to sign non-disclosure agreements,
> and they'd need you to sign theirs as well. You'd want background on their
> employees. In short, there are lots of i's to dot and t's to cross. A
> security audit is a non-trivial process, and an on-going one - it's not done
> when the server is compromised and the problem is fixed.
>
> In this case, some guy is going to find some other guy to hack the site. Who
> knows what this other guy is going to do? Will he leave a message on it
> saying it's "owned"? While it's running and presumably fulfilling some
> important business function? Will this other guy leave a rootkit on it, so
> that when this is all over, he can stash a couple hundred Mbs of porn and
> warez there without your knowledge, or use it as a platform to attack other
> machines? Will other parts of the network be compromised? Who will pay for
> the outage when he causes a buffer overflow to crash a service and execute
> his little code snippet, and the machine doesn't restart? There are many
> more problems than these.
>
> If I were put in the position that Nick's boss put him in, I'd give the boss
> this full warning. If the boss wants a security audit, hire the pros, and
> don't get the boss's girlfriend's boyfriend's college buddy to try first.
>
> > What's worse is these teams usually get in. Many sites are built on
> > servers that aren't properly secured. Whether it's because they were
> > in a hurry or just learned HTML and now CFML and don't have time to
> > learn system security, the doors are there.  You'll also be amazed how
> > many employees will actually give things out over the phone. It's scary.
>
> These teams will always "usually get in". It is practically impossible to
> completely secure a computer on a network. Given enough time, resources, and
> patience, any server is vulnerable. The only secure computer is the one
> that's turned off, put into a big iron box, and dropped to the bottom of the
> ocean.
>
> Dave Watts, CTO, Fig Leaf Software
> http://www.figleaf.com/
> voice: (202) 797-5496
> fax: (202) 797-5444
>
> ------------------------------------------------------------------------------
> Archives: http://www.eGroups.com/list/cf-talk
> To Unsubscribe visit
> http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a
> message to [EMAIL PROTECTED] with 'unsubscribe' in the body.
