On Monday 20 February 2006 22:39, Bigby Findrake wrote:

> Perhaps this is beating a dead horse, but could someone explain to me why
> the addition of a $50 computer found at a garage sale, a $10 NIC, and a
> $20 switch or hub to any would-be-infosec's arsenal wouldn't suffice for
> this purpose? We're not trying to brute force 4 kilobit pgpkeys, we're
> trying to present a host to attack. FreeBSD, NetBSD, OpenBSD, Linux...
> all free operating systems. Isn't there an x86 version of Solaris that's
> free? $500 computers aren't needed for this testing. I suggest that the
> necessity for more expensive hardware is the exception, and not the rule.
> Bochs may not be speedy, but it works.

This is only OK for examining stuff you _can_ get your hands on.

> I would also suggest that anyone who finds that money is an obstacle is
> looking for excuses. I have often found ways to make outdated hardware
> useful in a variety of situations.

Money can't buy you software an online content provider has made themselves.

I once discovered a vulnerability in an online public telephone directory. The vulnerability was definitely not discovered by accident. I had browsed through their HTML sources and found a number of things suggesting the completely braindead way to do security without any real checking of user input. I wrote an exploit, sent it to them, waited to no avail, and then published it. I never let myself run that exploit, but somebody must have, because after publication the site was down for three full days, and when it was back it wasn't vulnerable anymore. Whoever fixed it was actually a good, security-conscious programmer and I hope he made a lot of money. I was trying to protect subscriber customers whose accounts were trivial to compromise (and this was already happening on a regular basis) to gain access to their own personal address books.

If the service provider couldn't provide the security, the customers had no choice (since there is only one telephone services provider in the entire country), and there is no way to tell the provider that they have a problem without getting busted, well, what do you suggest? I think it's not a case of "breaking and entering", but rather a case of "your windowsill flowerpot is about to fall on one of your customers, and I'm going to move it". I make no mistake that this is in fact illegal tampering with someone else's property, but I can tell it's quite ethical to politely force the provider in question to fix their security, because security experts' responsibility lies with everyone adversely affected by a particular problem, not just the owner of a service.

I think this is a good example of when you just can't do a wholly responsible thing. Walking away is not an option because users are at risk. Talking to the provider is only an option when they talk back. Proof of concept is, unfortunately, one of the few options left open. I would like to hear from anyone who can tell me another, less invasive, and if possible less illegal way of dealing with this.

Regards,
-- 
Jure Koren, n.i.