On Monday 20 February 2006 22:39, Bigby Findrake wrote:
Perhaps this is beating a dead horse, but could someone explain to me why
the addition of a $50 computer found at a garage sale, a $10 NIC, and a
$20 switch or hub to any would-be-infosec's arsenal wouldn't suffice for
this purpose? We're not trying to brute force 4 kilobit pgpkeys, we're
trying to present a host to attack. FreeBSD, NetBSD, OpenBSD, Linux...
all free operating systems. Isn't there an x86 version of solaris that's
free? $500 computers aren't needed for this testing. I suggest that the
necessity for more expensive hardware is the exception, and not the rule.
Bochs may not be speedy, but it works.
This is only OK for examining stuff you _can_ get your hands on.
I would also suggest that anyone who finds that money is an obstacle is
looking for excuses. I have often found ways to make outdated hardware
useful in a variety of situations.
Money can't buy you software an online content provider has made themselves. I
have discovered a vulnerability in an online public telephone directory once.
The vulnerability was definitely not discovered by accident. I had browsed
through their HTML sources and found a number of things suggesting the
completely braindead way to do security without any real checking of user
input. I have written an exploit, sent it to them, waited to no avail, and
then published it. I never let myself run that exploit, but somebody must
have, because after publication, the site was down for three full days, and
when it was back it wasn't vulnerable anymore.
Whoever fixed it was actually a good, security conscious programmer and I hope
he made a lot of money. I was trying to protect subscriber customers whose
accounts were trivial to compromise (and this was already happening on a
regular basis) to gain access to their own personal address books.
If the service provider couldn't provide the security, the customers had no
choice (since there is only one telephone services provider in the entire
country) and there is no way to tell the provider that they have a problem
without getting busted, well, what do you suggest?
I think it's not a case of "breaking and entering", but rather a case of "your
windowsill flowerpot is about to fall on one of your customers, and I'm going
to move it". I make no mistake that this is in fact illegal tampering with
someone else's property, but I can tell it's quite ethical to politely force
the provider in question to fix their security, because security experts'
responsibility lies with everyone adversely affected by a particular problem,
not just the owner of a service.
I think this is a good example of when you just can't do a wholly responsible
thing. Walking away is not an option because users are at risk. Talking to
the provider is only an option when they talk back. Proof of concept is,
unfortunately, one of the few options left open. I would like to hear from
anyone who can tell me another, less invasive, and if possible less illegal
way of dealing with this.
Regards,
--
Jure Koren, n.i.
pgpOyt0EvFrBG.pgp
Description: PGP signature
