On Tue, Sep 17, 2002 at 02:58:09PM +0100, Simon Wistow wrote:
> On Tue, Sep 17, 2002 at 02:03:49PM +0100, Lusercop said:
> > I'm firmly supportive of the idea that someone who lets their box get
> > r00ted is not competent to have root access themselves. 
> In a way I'm tempted to agree with but - having been r00ted myself
> (*cough*) as have quite a few other sysadmins I know. 

:-)

> On the one hand you could claim that that makes me a net drain on the
> community. On the other hand I think that I and the other people on the
> server provide quite a lot which the community might otherwise miss out
> on.

Indeed. But they're not necessarily competent to run it. Leave running it
to those who can, and leave producing the content on it, and the ideas for
ways of doing things to those who can do that. This is, I think, more the
argument I'm proposing. Having access to a root account on a machine has
become somewhat of a "status symbol", but actually, it's more of a
responsibility. That responsibility ought to be taken seriously, and often
it isn't.

I'm not at all saying that servers shouldn't provide useful content and
services, they should. But herein lies the classic set of arguments between
sysadmins and programmers. Listen to those sysadmins who question whether
this is the only way of doing something, and whether or not there could be
another way that doesn't need this privilege. Don't have services running
that are not going to be useful except to allow an attacker an easy way
in (*cough*NFS*cough*).

> It's a tricky argument which I'm not entirely convinced by either way. 

Indeed. Part of me says "you'll never learn unless you've learnt the hard
way", and I'm certainly not going to disagree with you on the value and
utility of a lot of the services that a lot of machines provide.

> One thought of mine was to turn the concept of security on its head and
> instead assume that no system is secure (which is reasonable) and then
> work so that the effects of getting compromised are minimized - all your
> mail wiped out? The journaled file system retrieves it. Or the p2p
> backup system does.

This is all very well, but it can be a hell of a hassle. The difficulty
comes, of course, when you need somewhere to store potentially valuable
data (eg. a private key that identifies you to someone else's machines,
or to someone else, credit card numbers). Often, you're right, the biggest
damage is skr1pt k1dd135, and they'll just wipe out files or deface your
homepage or install eggdrop. Nothing particularly bad. But what if they're
cleverer, and install things like ttysnoop, or any number of other nasties
to read things that they shouldn't have access to.

>                     Somebody trying to DOS another machine? Limit that
> some way.

It is probably a good plan to try and do this anyway.

>           Of course you can combine the two but sometimes I think it
> might be better, at the moment, to concentrate research on being
> prescriptive rather than proactive. 

I like the model of security as onion-like. "break through one layer, and
there's something else, based on different techniques waiting for you".

I think that all of these need to be employed, I'd say you can't really
pick and choose, and have one or the other. Have both. Then you have your
security, and your damage-limitation. The risk to you has shrunk further.

The point to bear in mind in all of this, however, is that "Security" in
general is roughly synonymous with "Risk Management", so what measures you
apply is going to be based on
a) how much it costs you to apply them
b) the value of the data/system/whatever they are protecting

If you don't make that calculation to decide what to apply, then in general
you're cheating yourself.

> or something.
> EStupidWithSleep.

Go to bed! :-)

I think the points you raise are entirely valid, however. I just think there
are lessons that often need to be learnt, and it's generally better for
everyone else if all the routers on the internet aren't switching 2002/udp
or 25/tcp carrying ILOVEYOU/Melissa or 80/tcp carrying CodeRed and Nimda.

-- 
Lusercop.net - LARTing Lusers everywhere since 2002
