Another reason not to use sudo?
John
dingo at coco2.arach.net.au
Thu Nov 25 01:19:28 UTC 2004
Hudson Delbert J Contr 61 CS/SCBN wrote:
> john,
>
> knowing the vulnerabilities and mitigating the associated risk with
> same vulnerabilities on one's own network IS THE province of the
> network or system admin. closing those holes or at least make those
There are lots of small organisations that don't (maybe can't afford) a
good sysadmin.
There are lots of Linux (and BSD and probably OS X) people out there who
think they can do it themselves. Maybe they can, maybe they can't, but
they gotta learn. And, there's no better teacher than experience.
> holes known to the powers that be and explaining risk associated
> with stated vulnerabilities is your job if you are tasked w/the security
> of the network. information assurance is not a set-it and forget-it
That sort of assumes a largish organisation; maybe hundreds (thousands)
of employees rather than tens.
> proposition at best. not to be snippy but if the scenario described
> below would penetrate your nets you got much bigger problems than simple
> dict attacks. w/out knowing much about your topology, it appears that
> some ingress and egress filtering of services are waaaaaaaaay too light
I'm not going into the details of _my_ networks, but the fact is there
are lots of networks that are vulnerable to these attacks. However
secure _my_ networks are, it doesn't change the fact that there's a lot
that aren't secure.
Some owned by big companies. Remember Microsoft?
The requirements for security for small organisations are quite low in
comparison to what _you_ in the military would require. Crackers
approaching my networks have no cause to try very hard to get in; the
value of having done so is very small.
In contrast, the military (and US military in particular) would attract
an entirely different class of attack. You will be attacked by a group
of professionals interested in stealing secrets and maybe corrupting
your records. Probably they won't even bother with a dictionary attack;
instead they will glean information about the software you use and
direct attacks against that.
They'll test your wireless communication, whether you've applied your
latest security updates, and "God's eye view" of the world.
> and monitoring appears sketchy if ssh probes and the like could go
> undetectable on your network. spotting scans like these are trivial and
> can help to discern what 'knob-twisting' and are easily detected by a
> plethora of tools. rsvp offlist if you'd like?
We'll benefit others better by staying in the open.
>
> use a bit more intuitive thinking also (i.e.)
> using animal names or names of specific types of items that occur in nature
> such as aetna and vesuvius indicate using mountain ranges for a naming
> theme.
>
> using the types of dogs or other species would lead one to 'hunch'
> that certain emails might use that same model like
> collie, spaniel.....dingo and such provide a large crack base
That will get you far here:-)
>
> because i like most people disobey a lot of tenets of securing access
> like do not use dictionary words or items that can be associated with
> a specific item like your email name indicates an affinity for things of
> an australian nature and we'd proceed from there.
>
> wallabee, sydney, et al...
It's true I use Australian animal names for host names. Passwords, with
one exception, are a little more obscure. Here are some obsolete ones:
redhatspam et3tUfGd samanth ROOS1ANNE lutibase q64bxjdc '2gcCr0Vh Qj0TyzI6
The more memorable were for unimportant website access.
Mostly I use APG or similar to create passwords now.