Pedro Venda wrote:
> On Sunday 15 May 2005 23:29, Nathan Pinkerton wrote:
>
>>On 5/15/05, Rui Pedro Figueira Covelo <rpfc@mega.ist.utl.pt> wrote:
>>
>>>Looks like an interesting way to gather information about how someone
>>>would try to crack a server. "Honey" anyone? ;)
>>
>>well, of course, those challenges always serve multiple purposes... a)
>>test the security on the server, and b) learn about techniques used
>>against the security so that you can see how well your security stands
>>up to those techniques, and to see if there are techniques that you
>>haven't thought of, and perhaps should work towards defending against.
>
>
> I've found somewhere on the 'net an interesting comment about security
> challenges. I think it applies well to this situation.
>
> http://www.privacy.nb.ca/cryptography/archives/cryptography/html/1998-12/0140.html
I like to remember that "Quoting ... out of context ... is an art."
Or, put another way, maybe you need to re-read Bruce's essay. Bruce
was talking about crypto challenges, and about how there's no mathematical
value to a crypto challenge--it doesn't prove cryptographic strength.
There's a related, but very different, issue involved in a "crack into
this box" challenge. The point to remember is that, in such challenges,
it's not really a test of that box's security. It's a test of how good
the attacker is. It's a well-known axiom of information security that
any system which can be used legitimately can also be used
illegitimately. This is only a question of time and resources. The
details of what resources, and how much time, are left as an exercise
for the reader.
As a security tool, penetration testing can be valuable when you have
good rules of engagement. There are no clear rules of engagement here,
making it very difficult to assess whether the security environment
meets your goals at an appropriate price and effort point to be
desirable. People who focus on being "impervious to attack"
misunderstand that security--in the real world--is undertaken for
economic reasons, rather than technical ones. It's a common
misunderstanding to see in technical security people, though... I think
it may be a feature of inexperience, perhaps not having roles carrying
responsibility for more than technical elegance.
This "crack me" challenge may be held out as a validation technique, but
that's not what it's doing. After seeing how the page worked, its
highest value seems to be to gather intelligence about potential
attackers and to learn more about attack techniques. It looks like a
nice way to pick up some exploit code for free.
Frankly, I think the more appropriate quote doesn't come from
Schneier... and it's nicely symmetrical for this message, since I quote
it far outside Nietzsche's intended context.
"When you gaze long unto the abyss, the abyss gazes also unto you."
-Bill
--
William Yang
wyang@gcfn.net
--
gentoo-security@gentoo.org mailing list