Joshua Chamas wrote:

        > I am new to sysadmin & security, and with a www site soon to
        > launch, I have found the mild scans that hit my subnet don't
        > really have much meat to them.  What I'm looking for in
        > creating a contest to hack the site is in part a crash course
        > in dealing with hackers trying to break into my system, so that
        > when the real site is live I will be more seasoned.  I would rather
        > not have my first experience in a successful intrusion when
        > things matter.

Even better reason *NOT* to have a contest. You can have some penetration
testing done by a security professional in a *controlled* manner. That way
you can simulate an attack on your site. And not only portscanning and
script kiddies' attacks, but also the more sophisticated attacks. It is the
latter you probably won't see in a contest, and you will not know how to
recognize one when the contest is done. So: get in a professional security
penetration service (or whatever...)!

(hmm.... I have to admit that nowadays a lot of such services are being
offered by "professionals" while in reality they are not much more than
script kiddies themselves.... But that's the universal problem of "separating
the wheat from the chaff" and is another discussion....)

        > I am not looking to "prove" the security of the site to myself
        > or others.  I understand that if someone were good enough
        > and spent enough time, he or she _would_ break in.  I don't
        > think that ours is a site that will ever be interesting enough
        > to warrant that kind of attention, so it will not matter
        > that we don't get the best of the best trying to break in, from
        > a little contest with a pittance for a reward.

Maybe not, but don't underestimate it.... Many times it's not a matter of a
site being interesting enough, but a site just being there....

        > There is also the argument that a contest will never be as
        > thorough as a good audit.  While I agree, we don't really
        > have the budget to get any more auditing than what I can
        > do personally.  This self-provable security is inherently
        > flawed... it's like playing chess against yourself, never being
        > more than one move ahead in the game, and ending in a draw.

Yep..... I must admit, audits can be expensive.... But there's a lot you can
do yourself: follow (nt)bugtraq, get the tools, get the FAQs, etc.....
There's nothing mystical about security... It's common sense and knowing where
to get the right information.... oh... and maybe more important: get to know
your systems! Do not just use default system parameter settings, do not
copy the manuals' example settings, don't be afraid to get your hands dirty....
you can push the limits while playing chess against yourself....

        > If I can get just a couple of OK hackers as the result of
        > running a contest, even "script kids" if they have enough scripts,
        > I might close a couple of holes and have that much better
        > security as a result.  These are holes that I myself
        > wouldn't find, since if I knew about them they wouldn't exist.

Maybe so..... but you said in your initial posting that you spend a lot of
time on system security, so if you spend your time well, I assume you have
closed the script-kiddie vulnerabilities by now... Really, I don't think
such a contest has much added value...

Gr. Arjan
