I realised a while ago how important trust is in the computer security industry. If someone is tasking you with protecting their most important assets, or any assets, it is presupposed that you have the ability to abuse that trust and therefore abuse those assets.
I have heard many times how important it is to trust the people you hire, and this was only reinforced by Dana's post on hiring hackers. It was further reinforced by listening to (I can't find a link to the documentary) and reading interviews with Captain Zap (famous for setting AT&T's clocks 12 hours off to charge people less for phone calls). Captain Zap, now a 'reformed hacker' and head of his own security business, made my skin crawl and is definitely not someone I would trust with my assets.
Now, recently I wanted to demonstrate that my local computer society's machine was quite vulnerable to attack due to the carelessness of some of the sysadmins. This wasn't an intentional carelessness but rather one due to a lack of understanding. To do this I walked into one of the sysadmins' rooms, put my ssh key in his authorized_keys, and wrote a simple su script which pretended to reject the password but silently logged it to a file in /tmp. I then used another sysadmin's machine, which he had left unlocked (see baggy), to su to root in the presence of another sysadmin.
My intention was to increase the security of the machine, but I managed to piss a few people off. First, I made some sysadmins look a bit silly, something I didn't intend to do. Second, I left the root password lying around in a world-readable file in /tmp for just under an hour. Third, I actually rooted the box.
One of the sysadmins pointed out that I should have just echoed a prompt saying "this is your root password", or used an md5sum. I agree with this, and I am not quite sure why I went to the level of rooting the box (albeit in front of a sysadmin). I think I felt it would have more of an impact. Also, I am a long-time user of the machine and a personal friend of most of the sysadmins.
Either way, this raises trust issues. Can the sysadmins trust me as a user? Even though I am a 'trusted' friend, can they trust me enough to make me a sysadmin?
These are things I need to take into consideration in the future. Even though I would never backdoor the machine, read personal files or do anything else unethical, am I responsible enough to admin the machine?
I personally believe that once I am given responsibility I am responsible with it, but I also need to be responsible even when I don't have that responsibility, or when I have it only temporarily.
For this reason I would like to draft a code of ethics for our research group, SNRG. I have a few references (well, a lot) here, and it will take a while to do, but I want to have a reference I can refer to in times of doubt, one more specific to my profession than the Bible.
Ethical hacking sounds like a cop-out to me. Pen tests are necessary, but there need to be very strict guidelines, and you need to be someone people can trust.